Skip to main content


Showing posts from October, 2010

Application Security Challenges

Assume that all your application security challenges are conquered. You've got smart people and you've trained them well. They catch all their exceptions, they bound their arrays, they else their if's and sanitize their inputs and outputs.Congratulations. You've solved your biggest security problem.Maybe.How about your crufty old apps?
You’ve got de-provisioning down pat, right? No old apps laying around waiting to be exploited? Nobody would ever use the wayback machine to find out where your app used to be, would they?
An associate of mine did the forensics on one like that. Yes, you can upload a Unix rootkit to a blob in a SQL server, execute it directly from the database process and target a nearby Unix server. Heck – you can even load a proxy on the SQL server, poison the Unix servers ARP cache, and proxy all it’s traffic. No need to root it. Just  proxy it. Network segmentation anyone?
Any old libraries laying around?
Yech. I have no clue how someone who downloads…

Log Reliability & Automotive Data Recorders

When are logs reliable? Toyota's official answer seems to be either It depends or "The data retrieved from the EDR is far from reliable", unless the data exonerates them, in which case "the EDR information obtained in those specific incidents is accurate".There’s got to be a blog post somewhere in that. Accuracy:Did the log record what actually happened. Did the log record when something actually happened? Do the logs represent the events in the order that they occurred? Are the time stamps accurate? Time syncing all you systems is fundamental, obvious and a best practice for the last fifteen years or so, but unless you log time sync failures, you don't necessarily know if the time stamp on a logs is accurate. I like syslog capable systems that time stamp the logs at the source and syslog servers that time stamp them again as they are caught and written. That helps verify the accuracy of time stamps.

Completeness:Are there gaps in the logs? If so, can we d…

I’m not sure what it is, but I’m sure it’s rootable

I have no clue why anyone would still run RealPlayer. I’ve pretty much forgot that it existed.  But I know that those who know what it is and still run it are screwed. If they even know they are running it. They probably don’t. That makes them extra screwed. If you accidently configure RDS in your Linux kernel, you’ve got something to fix.  From what I can see, we can blamethank Oracle for RootableReliable Datagram Sockets. You’d think that be now we’d be able to introduce something new and interesting without making the old & stable rootable.I guess not.If obscure media players and Infiniband protocols are rootable, the most popular OS in the world must be rootable, right? Yep, it’s rootable. Again. Damn. It’s probably also running Java, which makes it double-extra rootable. Speaking of Java, Microsoft thinks that there is an unprecedented wave of Java exploitations. I wonder who wrote the operating system that allows itself to be exploited by such an unprecedented wave. Waves ar…