Category: Vulnerabilities

The OpenSSL Heartbeat Vulnerability: Forgotten Attack Vectors

The web is abuzz with reports of the OpenSSL Heartbeat vulnerability. It’s not an understatement to say that this is the most serious vulnerability to come along in several years. There are many good write-ups about it and I don’t

Developing a Java Management Strategy

I considered many ways to title this blog post: The Scourge That is Java; Die, Java, Die!; or, perhaps Java, it’s time we had a talk. As a security guy, Java has been my nemesis. It has been far more

The Immutable Friday Fav Five for September 30, 2011

Here are the five or more links that I found interesting for this week: PDF-XRAY is a site where you can submit suspect PDFs for analysis. Now you can download the code behind the site and have a go at

The Immutable Friday Fav Five for September 23, 2011

Here are the five or more links that I found interesting for this week: This is just all kinds of awesome. It’s not that I am with the bad guys, but when they get this creative you have to give

Tagged with: ,

Garden Security II: The Bunny Breach

*(&$#@!! I stepped outside tonight to water the garden and what did I find? A fuzzy-tailed rabbit happily hanging out inside my garden–with the gate closed. My perimeter has been breached! How did he get in? I am still doing

Tagged with:

Controlled Worm Outbreak – The EICAR Worm

I have spent the last several days responding to a 0-day worm outbreak. We didn’t have signatures when the you-know-what hit the fan. Fortunately, some tooling we already had in place allowed us to contain the initial spread while we

INSERT Ethics INTO Public Web App Testing

A few of my posts have involved debating the ethics of public web app testing by security professionals. When the good guys poke and prod public web apps it raises a bunch of ethical questions, besides being legally questionable. Rather

Tagged with: ,

The Ethics of Probing Web Applications II

Recently, I blogged about the ethical ramifications of hacking websites by security professionals. They probe the sites, discover vulnerabilities, notify the companies, then blog about their exploits. I haven’t decided yet whether or not I consider this an ethical practice

Tagged with:

WPA Cracked and many others are reporting a new attack against WPA encryption, which is used in wireless networks. While WEP encryption has been proven to be all but worthless, attacks against WPA have mostly been limited to acedemic and brute-force

Tagged with: , ,

The Ethics of Probing Web Applications

I have observed a trend recently that has me internally debating the ethics of the practice. Security professionals are probing public web sites for vulnerabilities, then going through a “responsible” disclosure process with the owners of the site. Then they

Tagged with: ,