Category: Vulnerabilities

The OpenSSL Heartbeat Vulnerability: Forgotten Attack Vectors

The web is abuzz with reports of the OpenSSL Heartbeat vulnerability. It’s not an understatement to say that this is the most serious vulnerability to come along in several years. There are many good write-ups about it and I don’t

Posted in Encryption, Incident Response, Risk Management, Vulnerabilities

Developing a Java Management Strategy

I considered many ways to title this blog post: The Scourge That is Java; Die, Java, Die!; or, perhaps Java, it’s time we had a talk. As a security guy, Java has been my nemesis. It has been far more

Posted in Risk Management, Secure Design, Systems Hardening, Vulnerabilities

The Immutable Friday Fav Five for September 30, 2011

Here are the five or more links that I found interesting for this week: PDF-XRAY is a site where you can submit suspect PDFs for analysis. Now you can download the code behind the site and have a go at

Posted in Research, Risk Management, Secure Design, Vulnerabilities

The Immutable Friday Fav Five for September 23, 2011

Here are the five or more links that I found interesting for this week: This is just all kinds of awesome. It’s not that I am with the bad guys, but when they get this creative you have to give

Posted in Computer Crime, Intrusion Detection, Log Analysis, Secure Design, Vulnerabilities

Garden Security II: The Bunny Breach

*(&$#@!! I stepped outside tonight to water the garden and what did I find? A fuzzy-tailed rabbit happily hanging out inside my garden–with the gate closed. My perimeter has been breached! How did he get in? I am still doing

Posted in Incident Response, Intrusion Detection, Risk Management, Secure Design, Vulnerabilities

Controlled Worm Outbreak – The EICAR Worm

I have spent the last several days responding to a 0-day worm outbreak. We didn’t have signatures when the you-know-what hit the fan. Fortunately, some tooling we already had in place allowed us to contain the initial spread while we

Posted in Incident Response, Intrusion Detection, Research, Vulnerabilities

INSERT Ethics INTO Public Web App Testing

A few of my posts have involved debating the ethics of public web app testing by security professionals. When the good guys poke and prod public web apps it raises a bunch of ethical questions, besides being legally questionable. Rather

Posted in Ethics, Research, Vulnerabilities

The Ethics of Probing Web Applications II

Recently, I blogged about the ethical ramifications of hacking websites by security professionals. They probe the sites, discover vulnerabilities, notify the companies, then blog about their exploits. I haven’t decided yet whether or not I consider this an ethical practice

Posted in Ethics, Vulnerabilities

WPA Cracked

PhysOrg.com and many others are reporting a new attack against WPA encryption, which is used in wireless networks. While WEP encryption has been proven to be all but worthless, attacks against WPA have mostly been limited to academic and brute-force

Posted in Encryption, Research, Vulnerabilities

The Ethics of Probing Web Applications

I have observed a trend recently that has me internally debating the ethics of the practice. Security professionals are probing public web sites for vulnerabilities, then going through a “responsible” disclosure process with the owners of the site. Then they

Posted in Dialogue, Ethics, Research, Secure Design, Vulnerabilities