2011

Alert: vsftpd download backdoored

Scary Beasts Security

[With thanks to Mathias Kresin for being the first to notice] An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor: [link]

The bad tarball is (sha256sum):
2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5 vsftpd-2.3.4.tar.gz

And, of course, the GPG signature notices: $ gpg.
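
The check a practitioner wants after an alert like this is to hash what they actually downloaded and compare it with the published values. The following is an added example, not code from the vsftpd project or from the post: it carries the backdoored tarball's SHA-256 quoted above as a known-bad entry, while the "expected" good digest and the sample file contents are assumptions. A hash match only proves you have the same bytes someone else published; the GPG signature on the real download remains the authoritative check, and hashlib cannot do that part.

```python
"""Check a downloaded tarball against published hashes.

Added example for this alert, not code from the vsftpd project or the post.
The known-bad SHA-256 is the one quoted in the alert; the expected-good
value passed by the caller is an assumption, and the GPG signature on the
real download remains the authoritative check.
"""
import hashlib
from typing import Optional

# Hash of the trojaned vsftpd-2.3.4.tar.gz, as quoted in the alert above.
KNOWN_BAD = {
    "2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5":
        "vsftpd-2.3.4.tar.gz (backdoored copy from the master site)",
}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-MB tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verdict(digest: str, expected: Optional[str] = None) -> str:
    """Classify a digest. A known-bad match wins over everything; without a
    publisher value to compare against the answer is 'unknown', never 'ok'."""
    digest = digest.lower()
    if digest in KNOWN_BAD:
        return "known-bad"
    if expected is None:
        return "unknown"
    return "ok" if digest == expected.lower() else "mismatch"


def check_download(path: str, expected: Optional[str] = None) -> str:
    return verdict(sha256_of_file(path), expected)


if __name__ == "__main__":
    # Constructed stand-in for a download; a real run would hash the tarball on disk.
    sample = b"constructed tarball bytes"
    print(verdict(sha256_of_bytes(sample)))                              # unknown
    print(verdict("2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5"))  # known-bad
```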

What phishing sites look like? (study)

Elie

In this post we take a closer look at the phishing tactics currently employed in the wild. The trends uncovered by analyzing our new data set of 5,000 recent phishing sites will change the way you think about phishing.

New Opt-in Privacy Rule for Cookies

Privacy and Cybersecurity Law

The Information Commissioner’s Office (ICO) has sent a clear message to UK website owners to “try harder” on compliance with the […].

Fiddling with Chromium's new certificate pinning

Scary Beasts Security

Over the past few years, there have been various high-profile incidents and concerns with the Certificate Authority-based infrastructure that underpins https connections. Various different efforts are underway to tackle the problem; many are enumerated here: [link] And in terms of things baked directly into the browser, we have things like Firefox's Certificate Patrol add-on: [link] My colleague Adam Langley summarized some features and directions we've been exploring in Chromium recently, it's

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Dangerous file write bug in Foxit PDF Reader

Scary Beasts Security

This is fixed in the recently released Foxit PDF Reader v4.3.1.0218. That release is marked as an important security update, although this file write bug is not mentioned. Recently, I've been playing around with the various JavaScript APIs available in various different PDF readers. In case you wanted to do the same, I made some little tools, including a simple one to execute PDF-based JS via a URL: [link] The serious bug I found in Foxit PDF Reader permits arbitrary files to be written with arbitra

Multi-browser heap address leak in XSLT

Scary Beasts Security

It's not often that I find a bug that affects multiple different codebases in the same way, but here is an interesting info-leak bug that is currently unpatched in Firefox, Internet Explorer and Safari. I'm releasing it now for a few reasons: The bug was already publicly noted here. This bug cannot damage anyone in and of itself; it's a low severity info-leak that does not corrupt anything.

Bug bounties vs. black (& grey) markets

Scary Beasts Security

I'm just back from the fun that was HiTB Amsterdam 2011. (Plug: you should check out one of the HiTB series if you haven't yet; Dhillon and crew invariably put a good, intimate conf together). I sat on the day 2 keynote panel on "The economics of vulnerabilities". As usual, talking about this topic was great fun and the audience asked some great questions.

Busy Chrome day.

Scary Beasts Security

I did a bunch of fairly interesting things with my corporate hat on today (not to be confused with any of my personal research ;-) Firstly, Chrome 10 went out with a record $16k+ series of rewards. It's continually humbling to see such a wide range of researchers and a wide range of bug categories! [link] Also, there are some nice new security pieces in Chrome 10.

I got accidental code execution via glibc?!

Scary Beasts Security

The story of Chromium security bug 48733, with guest Cris Neckar, part I

It has been a long time now, but the story of Chromium security bug 48733 deserves to be told. It involves intrigue in glibc and even gcc; and notably I accidentally executed arbitrary code whilst playing with this bug! The bug was reported in July 2010, and there were instantly some WTF aspects.

Some less obvious benefits of HSTS

Scary Beasts Security

HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections. Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent. The stated benefits of HSTS include: Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.
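
To make the sslstrip point concrete, here is an added example (not Chrome's or Firefox's code, and not from the post) of the policy cache a browser keeps: hosts that sent a Strict-Transport-Security header over HTTPS are remembered for max-age seconds, and any later http:// navigation to them, including the one an sslstrip-style attacker would try to serve, is rewritten to https:// before a request leaves the browser. The hostnames and timestamps are constructed. Two details matter for the security argument and are reflected in the code: a header arriving over plain HTTP is ignored (otherwise an on-path attacker could plant policies), and the very first visit, before any header has been seen, is still unprotected.

```python
"""HSTS policy cache in the style of a browser: remember hosts that sent
Strict-Transport-Security over HTTPS and upgrade later http:// navigations.

Added example; not Chrome's or Firefox's code. Hostnames are constructed.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float            # absolute Unix time; the policy lapses after this
    include_subdomains: bool


class HstsStore:
    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def process_header(self, host: str, value: str, secure: bool,
                       now: Optional[float] = None) -> bool:
        """Apply a Strict-Transport-Security header; True if it was honoured.
        Headers seen over plain HTTP are ignored, as RFC 6797 requires,
        otherwise an on-path attacker could plant policies of its own."""
        if not secure:
            return False
        now = time.time() if now is None else now
        max_age = None
        include_sub = False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip().strip('"')
            if name == "max-age":
                if not arg.isdigit():
                    return False          # malformed header: ignore it whole
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 is the opt-out
        else:
            self._policies[host] = HstsPolicy(now + max_age, include_sub)
        return True

    def is_known_host(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or a parent domain whose policy covers subdomains,
        has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires <= now:
                del self._policies[candidate]   # lazily drop stale entries
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: Optional[float] = None) -> str:
        """Rewrite an http:// URL to https:// if the host is known; this is
        what defeats sslstrip-style downgrades after the first visit."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        # RFC 6797 s.8.3: an explicit port 80 becomes 443 (the https default);
        # any other explicit port is left alone.
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_300_000_000
    print(store.upgrade("http://blah.com/login", now=t0))          # first visit: still http
    store.process_header("blah.com", "max-age=31536000; includeSubDomains",
                         secure=True, now=t0)
    print(store.upgrade("http://blah.com/login", now=t0 + 60))     # upgraded
    print(store.upgrade("http://www.blah.com/", now=t0 + 60))      # subdomain covered too
```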

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

A harmless SVG + XSLT curiosity

Scary Beasts Security

How do you execute code in a Turing-complete language via the tag? Why, by combining an XSL transform into an SVG image, of course! I stumbled across this old file in my archives: [link] If you run it, e.g. in Chrome, it'll consume a load of CPU (and subsequently memory if you let it crank). I expect it'll do the same in any WebKit browser, and Opera's error message implies it has all the pieces to follow suit if I tweaked the file a bit.

Evolution of the https lock icon (infographic)

Elie

Since the introduction of HTTPS by Netscape, the lock icon has been the indicator of choice to tell users that their communication is secure. Over the years, this “prestigious” icon's shape and position kept changing from browser to browser and from version to version, so I made a couple of infographics to illustrate this. I hope you will enjoy them.

Using the Microsoft geolocalization API to retrace where a Windows laptop has been

Elie

EDIT (Tuesday 2nd August): Microsoft's statement is available from here. EDIT (Sunday 31st July): The flaw is fixed. I had a phone call with some people from Microsoft yesterday (yes, on a Saturday) and they told me they fixed the problem. I will update this post with their response as soon as it is out.

Tracking users that block cookies with a http redirect

Elie

While the standard technique to track users across multiple sites and visits is to use cookies, this is by no means the only way to do it. Last year Samy, with his famous evercookie application, showed that in fact many browser storages (Flash, local storage) can be used to store a unique identifier.
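
The teaser stops before the mechanism, so here is an added example (not the post's own code) of one way an HTTP redirect can carry an identifier without any cookie: the server answers a request for a tracking resource with a 301 whose Location embeds a per-visitor id, and because HTTP/1.1 (RFC 2616 s.10.3.2) makes 301 responses cacheable by default, a browser that has cookies disabled still replays that per-visitor URL from its cache on every later visit. That this is the specific trick the post uses is an assumption based on its title; the server, browser model and paths are constructed. The `cache_redirects=False` browser shows the mitigation, as does clearing the cache.

```python
"""Tracking a cookie-blocking visitor with a cached 301 redirect.

Added example; the post's own code is not on this page, and the mechanism
modelled here (a permanent redirect whose Location carries a per-visitor
id, which the browser then replays from its cache) is an assumption based
on the title. Server, browser and paths are all constructed.
"""
import secrets
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]


class TrackingServer:
    """Sets no cookies at all. The identifier lives in the redirect target."""

    def __init__(self) -> None:
        self.seen: List[str] = []      # ids observed on /id/<id>/... hits

    def handle(self, path: str) -> Response:
        if path == "/track.gif":
            visitor_id = secrets.token_hex(8)
            # RFC 2616 s.10.3.2: a 301 is cacheable unless indicated otherwise,
            # so the browser will replay this Location without asking again.
            return 301, {"Location": f"/id/{visitor_id}/pixel.gif"}, b""
        if path.startswith("/id/"):
            visitor_id = path.split("/")[2]
            self.seen.append(visitor_id)
            return 200, {"Content-Type": "image/gif",
                         "Cache-Control": "no-store"}, b"GIF89a"
        return 404, {}, b""


class Browser:
    """A browser with cookies disabled. Like real browsers it may cache
    permanent redirects; cache_redirects=False models the mitigation."""

    def __init__(self, server: TrackingServer, cache_redirects: bool = True) -> None:
        self.server = server
        self.cache_redirects = cache_redirects
        self._redirect_cache: Dict[str, str] = {}

    def fetch(self, path: str, max_hops: int = 5) -> Tuple[int, str]:
        """Follow redirects and return (status, final_path)."""
        for _ in range(max_hops):
            if path in self._redirect_cache:      # served from cache: no request sent
                path = self._redirect_cache[path]
                continue
            status, headers, _body = self.server.handle(path)
            if status == 301:
                if self.cache_redirects:
                    self._redirect_cache[path] = headers["Location"]
                path = headers["Location"]
                continue
            return status, path
        raise RuntimeError("redirect loop")

    def clear_cache(self) -> None:
        self._redirect_cache.clear()


def visits(browser: Browser, n: int) -> List[str]:
    """Load the tracking pixel n times; return the id the server saw each time."""
    ids = []
    for _ in range(n):
        status, final = browser.fetch("/track.gif")
        assert status == 200
        ids.append(final.split("/")[2])
    return ids


if __name__ == "__main__":
    srv = TrackingServer()
    caching = Browser(srv)
    print("caching browser:  ", visits(caching, 3))        # same id three times
    caching.clear_cache()
    print("after cache clear:", visits(caching, 1))        # a fresh id
    print("no redirect cache:", visits(Browser(srv, cache_redirects=False), 3))
```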

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Five surprising captcha schemes

Elie

Since I started doing research on CAPTCHA security two years ago, I have relentlessly collected samples of all the different schemes I have encountered. In this blog post, I want to share with you five of the craziest, funniest, and most interesting schemes I have collected.

Some insights about password shapes

Elie

Today, I would like to share with you some insights that I discovered about password “shapes.” More specifically, I will discuss some of the interesting metrics I computed from the RockYou database, which is, as far as I know, the largest password database ever leaked, with 32 million passwords!
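
As an added example of what a "shape" metric looks like in code (not the post's own analysis, which ran over the real RockYou dump), the block below collapses each password to its sequence of character classes, counts the distribution over a constructed sample, and turns a shape into a hashcat-style mask. The class alphabet (l, u, d, s) is my own choice, not necessarily the one the post used, and the sample list is constructed. The security point it makes is why shapes matter: the few most common shapes cover a large share of all passwords, which is exactly what a mask attack exploits.

```python
"""Password "shapes": collapse each password to its run of character
classes and count how the shapes are distributed.

Added example; the metrics in the post were computed over the real RockYou
dump, and the class alphabet below (l/u/d/s) is my own choice, not
necessarily the one the post used. The sample list is constructed.
"""
from collections import Counter
from itertools import groupby
from typing import Iterable, List, Tuple

# Constructed sample, not RockYou data.
SAMPLE = ["password", "123456", "abc123", "Password1", "letmein", "qwerty",
          "iloveyou", "princess", "1234567", "rockyou", "Abc123!", "football"]


def char_class(ch: str) -> str:
    if ch.islower():
        return "l"
    if ch.isupper():
        return "u"
    if ch.isdigit():
        return "d"
    return "s"            # symbols, space, anything else


def shape(password: str) -> str:
    """Exact shape, one class letter per character: 'Abc123!' -> 'ullddds'."""
    return "".join(char_class(c) for c in password)


def compressed_shape(password: str) -> str:
    """Run-length shape, which groups 'abc123' and 'abcd1234' together: 'l+d+'."""
    return "".join(k + "+" for k, _ in groupby(shape(password)))


def to_mask(password: str) -> str:
    """hashcat-style mask for the exact shape: 'abc123' -> '?l?l?l?d?d?d'.
    Shape statistics are what tell a cracker which masks to try first."""
    return "".join("?" + c for c in shape(password))


def shape_stats(passwords: Iterable[str], compress: bool = False) -> Counter:
    f = compressed_shape if compress else shape
    return Counter(f(p) for p in passwords)


def top_shapes(passwords: List[str], n: int = 5,
               compress: bool = False) -> List[Tuple[str, int, float]]:
    """(shape, count, fraction of all passwords) for the n most common shapes."""
    total = len(passwords)
    return [(s, c, c / total) for s, c in shape_stats(passwords, compress).most_common(n)]


if __name__ == "__main__":
    print("exact shapes:")
    for s, c, frac in top_shapes(SAMPLE, 3):
        print(f"  {s:<12} {c:>3} {frac:6.1%}   mask {'?' + '?'.join(s)}")
    print("compressed shapes:")
    for s, c, frac in top_shapes(SAMPLE, 3, compress=True):
        print(f"  {s:<12} {c:>3} {frac:6.1%}")
```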

The USA Patriot Act – Implications for Cloud Computing

Privacy and Cybersecurity Law

European cloud users are expressing increasing concern over the effect of the USA Patriot Act. The Act entitles US authorities […].

New European “Cookie Law” Guidance Published

Privacy and Cybersecurity Law

On 26 May 2011, new rules on the use of website cookies will come into force and threaten to drastically […].

Software Composition Analysis: The New Armor for Your Cybersecurity

Speakers: BlackBerry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Porn domain not that sexy: no rush to have.xxx

Elie

While there is huge hype surrounding .xxx domains, and companies are rushing to buy them to protect their brands, it seems that registration data disagree. My analysis of the 50,000 most popular websites in the world shows that only 24% of them actually registered their .xxx domain.
