Friday, September 28, 2007

Google Protection

With all the cross-site scripting bugs in Google, I'm surprised our blog (hosted by Google's Blogspot) hasn't been defaced yet.

One way to protect against this is to open separate instances of Firefox, one for Google and one without Google. This allows you to have GMail up in a separate window on your desktop, but without the danger of XSS bugs crossing over and hijacking the GMail session.

To do this, you need to take advantage of Firefox profiles. You need to create two scripts, one that launches the existing "default" profile, and one that launches a "gmail" profile. The following is the script for Windows that launches the "default" profile; just change "default" to "gmail" for the second script.

You need to now launch Firefox using these scripts, because launching it normally will just use whichever of the two profiles you used last.


<?xml version="1.0"?>
<package>
<job id="Firefox:GMail:Loader">
<?job debug="true"?>
<script language="javascript">
// Launch Firefox with a named profile, independent of any instance already running.
var shell = WScript.CreateObject("WScript.Shell");
// Use the "Process" environment block: it is the one a child started by
// shell.Exec() inherits. Environment("User") only writes the registry and
// would never reach the spawned Firefox.
var env = shell.Environment("Process");
// The default value of this key is the quoted path to firefox.exe.
var installpath = shell.RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\FIREFOX.EXE\\shell\\open\\command\\");
// MOZ_NO_REMOTE=1 stops Firefox from handing the request to a running
// instance, so -P really selects the profile instead of being ignored.
env("MOZ_NO_REMOTE") = 1;
shell.Exec(installpath + ' -P "default"');
// Exec returns at once; the child already has its own copy of the environment.
env("MOZ_NO_REMOTE") = 0;
</script>
</job>
</package>
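The same profile-isolation idea as a small cross-platform launcher, written here as an added example rather than the post's own script. Each Firefox profile has its own cookie store, so a page running in the "default" instance has no access to the GMail session cookies held by the "gmail" instance. The launcher checks the requested profile name against profiles.ini before starting anything, passes -no-remote on the command line, and sets MOZ_NO_REMOTE only in the child's environment. It assumes a firefox executable on PATH (or a path given as FIREFOX_EXE); the profiles.ini shown is a constructed sample.

```python
"""Start Firefox with an isolated, named profile (example code, not from the post).

Assumptions: Firefox 2 or later (for -no-remote) reachable as "firefox" on PATH,
and a profiles.ini in the usual Mozilla location. SAMPLE_PROFILES_INI is constructed.
"""
import configparser
import os
import subprocess
import sys
from pathlib import Path

# Constructed sample of %APPDATA%\Mozilla\Firefox\profiles.ini with two profiles.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=gmail
IsRelative=1
Path=Profiles/efgh5678.gmail
"""


def parse_profiles(ini_text):
    """Return {profile name: profile path} from the text of a profiles.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    profiles = {}
    for section in cp.sections():
        # Only [ProfileN] sections describe profiles; [General] and others are skipped.
        if section.startswith("Profile") and cp.has_option(section, "Name"):
            profiles[cp.get(section, "Name")] = cp.get(section, "Path")
    return profiles


def launch_args(firefox_exe, profile):
    """Command line that selects a profile without handing off to a running instance."""
    # -no-remote: do not forward to an already-running Firefox; -P: choose the profile.
    return [firefox_exe, "-no-remote", "-P", profile]


def child_env(base_env):
    """Copy of the environment for the child only, with MOZ_NO_REMOTE set as well."""
    env = dict(base_env)
    env["MOZ_NO_REMOTE"] = "1"
    return env


def launch_profile(profile, ini_text, firefox_exe="firefox", run=subprocess.Popen):
    """Refuse unknown profile names, then start Firefox with the requested one."""
    profiles = parse_profiles(ini_text)
    if profile not in profiles:
        raise ValueError(f"no Firefox profile named {profile!r}; known: {sorted(profiles)}")
    args = launch_args(firefox_exe, profile)
    run(args, env=child_env(os.environ))
    return args


def default_ini_path():
    """Platform default location of profiles.ini (Windows and Unix-like layouts)."""
    if os.name == "nt":
        return Path(os.environ["APPDATA"]) / "Mozilla" / "Firefox" / "profiles.ini"
    return Path.home() / ".mozilla" / "firefox" / "profiles.ini"


if __name__ == "__main__":
    # Usage: python launch_profile.py gmail
    wanted = sys.argv[1] if len(sys.argv) > 1 else "gmail"
    exe = os.environ.get("FIREFOX_EXE", "firefox")  # hypothetical override variable
    ini_text = default_ini_path().read_text(encoding="utf-8")
    print("started:", " ".join(launch_profile(wanted, ini_text, firefox_exe=exe)))
```

Create the second profile once with `firefox -CreateProfile gmail` (or the Profile Manager) so it appears in profiles.ini; after that, the launcher is the only thing you need to start that instance.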

Wednesday, September 26, 2007

iPhone Shellcode by Metasploit

HD Moore publishes information on iPhone shellcode at the Metasploit blog. The shellcode combined with the number of bugs present in the iPhone finally make mobile attacks a real threat.

Tuesday, September 25, 2007

An open letter to my CEO


Dear Rob,
Wow, time sure does fly. It just seems like a mere 13 hours ago I made a post asking computer criminals not to attack on Tuesday, September 25th because it was Halo 3 launch day and a lot of Microsoft geeks would be calling into work sick/permanently incapacitated/dead.

You are not going to believe this...

On my way to bible study, after dropping off cookies to orphans and chopping wood for grandma the oddest thing happened. I got sick. My lungs/spleen/stomach/left side of brain/right leg no longer work. It's funny in a painful sort of way. It is so bad that every time I cough I solve an integral. Weird, right? Because I am such a team player I am going to go ahead and stay home, better not to get everyone sick. I know it's ice cream social Tuesday, and darn it, that upsets me but I will do this for the team.

Oh and do not call; I think I might be so contagious that the mere sound of my voice could get everyone sick. And if you do call the sounds you hear in the background are a soothing audio book I got by Eric S. Nylund on something Sci-Fi related, I can’t really remember in my current state.

Thanks for understanding,
David *cough its Halo 3 Tuesday* Maynor
PS: Ignore the picture above because I was actually deathly sick when it was taken.

UPDATE: Forget this, there is framerate slowdown on the first level with MAYBE 10 badguys on the screen. I'm no video game developer but it seems like that would be a QA check or something. Halo 3 sucks, I am going to work tomorrow.

Monday, September 24, 2007

An open letter to computer criminals...

Dear Computer Criminals,

I would like to have a word with you about an event this week. As you might know from the commercials, advertising tie-ins, and reviews, Microsoft’s latest entry in the Halo series becomes available at midnight. In fact, many stores will be opening at midnight to support the expected rush for Master Chief goodness.

Now it may seem that, with the flood of people developing the flu or strep throat or other non-diagnosable ailments resulting in Tuesday being a sick day, that it would be a great time to launch a new worm or add a new attack to your botnet. It's almost like Microsoft fan boys will be leaving the doors to the castle open due to the number of cellphones and blackberries that will be ignored in pursuit of unlocking Halo achievements.

I would, on behalf of these dorks, like to ask you to let this day pass. It is like shooting fish in a barrel; where is the glory in that.

Thank you for your time,
David

Response to some Bloggers

Analogies are a funny thing; much like statistics, they are often warped to support any point of view. A few Mac bloggers came up with analogies around why they were not shown our exploit work from last year. Of course, their conclusion is that we made it up. Forget the fact that if you were to follow the instructions from our presentation you would have found these bugs; they still write that it was a fraud.

I have my own analogy. Wait, it is less of an analogy and more of a statement. Why would I show them anything I do? Are these bloggers a responsible party at any affected vendor, a third party agency, or either Jon’s employer or mine? After Blackhat 2006, numerous driver developers contacted us across a variety of platforms for things they could do to make their code better that ranged from defensive coding techniques to better ways to test for vulnerabilities. This was the point of the presentation. Proving ourselves to bloggers was not.

To be very honest I had never heard of any of these people before they started yelling about me being a fraud last year. Their demands and “contests” for me to show them my work are literally the equivalent of me making a blog post challenging the governor of Georgia to a debate on fiscal responsibility then claiming victory when I am ignored.

That’s the dirty secret though: it is hard to claim to be an authority on a subject when the newsmakers mostly ignore you. In order to combat that you have to set yourself up in such a position that even if a person ignores you, you can claim victory.

Let’s look at the reasons why the “macbook” contest was ignored.
-John Gruber’s approval means nothing in the security community.

That is pretty much it. Oh and he made the challenge after we were gagged. Nothing like waiting until someone is in handcuffs to take a swing at them. I could be childish and offer a contest to prove that they would have even understood our work. Hell, with all the Apple 0day we are sitting on I could even offer to go double or nothing on their absurd Macbook challenge. But in the end things like that are utterly stupid because they really prove nothing.

Saturday, September 22, 2007

I am art

OH MY GOD, this is such a coincidence. You might not know this about me but I am an artist. I created a piece of art to remind people about our troops serving overseas. I am sure glad I saw this article before going to the airport. Boy life sure is rough on us artists.

A pic of my art:

In addition, I added a disclaimer so no one gets confused:

I would like to point out that this is a work of satire designed to point out how crazy it is somebody would walk into an airport with something that looks like plastic explosives and a detonator.

Monday, September 10, 2007

Past...Present...Future...

So I am done with my month-long project and although parts of it will be public later this week, all I can say is it's a 3-part research project entitled "Past...Present...Future..."

UPDATE: The "Past" portion of the 3-paper arc was just published at Uninformed.
We have "Present" and "Future" looming...

Here is a pic of the home office I have been working from. This setup is mostly duplicated everywhere else I would work from; I thought you might just want to see what the fuss is about.



Now that the project is done I gotta get back on the blogging track: I gotta post my Blackhat Vegas writeup, publish my pwnie acceptance speech, and what we are working on next.

And now...Comedy...

Friday saw the quarterly official Errata Security team building, offsite, management meeting held at the Regal Cinemas in Atlantic Station. The Errata Security founders viewed Shoot’em Up with Clive Owen. Shoot’em Up provided an opportunity to do something I have wanted to for a while: discuss security products designed by committee. First, my short review of Shoot’em Up.

Shoot’em Up as a movie exists in a place that would make Schrodinger's cat envious: it is both crap and brilliant in a constantly fluctuating state. On one hand, you have Clive Owen portraying a reluctant hero who has to shoot, stab, and generally dismember his way through a constant stream of bad people who cannot hit the broadside of a building with automatic weapons. The reluctant hero holds a special place in the hearts of action moviegoers everywhere since Bruce Willis’ iconic character, John McClane, blasted his way into the hearts, minds, lower intestines, and limbs of faux terrorists all over the world. Clive Owen keeps the basic rules of the reluctant hero alive by being able to hit what he is shooting at in ways that us mere mortals could not imagine, while spending the entire time looking like someone who would rather be sitting in the waiting room at the local dentist. The movie would be quite satisfying if that is all it was, but there is a strong anti-gun message throughout the entire film. The anti-gun sentiment accompanies a strong anti-company message and some good old-fashioned politician hate thrown in as well. For a movie that targets an audience of males 17-34, this is an odd choice. I do not mean to sound crass but it is almost like a porno movie preaching abstinence. I am sure what we watched was not the initial director's vision, but rather a perversion during a pitch meeting in Hollywood.

In fact, I am sure it went something like this:
Director: I wanna make a mindless action movie where a reluctant hero runs around for two hours and shoots bad guys.
Studio: That is awesome we want to make it. We have a few suggestions…
Director: Suggestions? About what, it’s a pretty straight forward movie. A guy runs around and deals death in the form of a wall of lead to bad guys. What more is there, unless you are talking about marketing tie-ins with people like Glock…
Studio: Well, we want the hero to have a heart of gold, our testing shows that most audiences like a heart of gold. In addition, mothers get upset about gun violence so we need to add a strong anti-gun message or we might be looking at protests. Also let us give our hero a sidekick, maybe a love interest, to help draw in the women. Also when I was a child a worker from a large company took my ice cream cone, so I want to add in an anti corporate message.
Director: So wait, lemme get this straight, you want to turn my 2 hours of shooting into an anti-gun campaign that also targets large companies while we just throw in sidekicks…
Studio: It is only going to be 80 minutes and it is that or we can give somebody else the money to make his or her movie…

You may be wondering what this has to do with security. I have seen some products that actually seem to get the same design by committee process.

Developer: I would like money to build the ultimate security product that everybody needs. It will work by stopping attacks by inspecting traffic into a network device and determining if it's an attack.
VC: That’s awesome, we would like to give you money to do this, but we have a few suggestions…
Developer: Ok, I would love to hear them…
VC: Is there any way you could make this product more buzzword friendly, like ASLR?
Developer: Address randomization really does not apply to network products…
VC: So we would have a great breakthrough if you made it work. We would also like you to add in stuff like anomaly detection and content filtering…
Developer: Does anybody want to buy a product like this?
VC: Sure, plus we can charge more; anyway, just sign on the dotted line in blo…err...ink.
Developer: It's kind of weird, it's almost like you were about to say “sign in blood”…is it really necessary to tell me to sign in ink?
VC: Yes…Have a cookie.