IT Trenches » hacking

DLL hole also affects EXE files

Troy Tate — Fri, 10 Sep 2010 15:56:05 +0000

According to a Heise Media report, the DLL binary planting vulnerability is not just limited to DLL files but affects EXE files.

The example given: An HTML file is saved along with a copy of a file called EXPLORE.EXE. The HTML file is opened and has a URI link embedded with the address file://. This will cause the browser to attempt to open EXPLORE.EXE from the local folder.

The current Microsoft workarounds for the DLL vulnerability only apply to DLL’s, not EXE’s.

See this news posting for additional information.

Information security continues to be a struggle against function, features and stopping bad things from happening. What are your thoughts about where this is going?

Thanks for reading & let’s continue to be good network citizens!

8-character passwords are so 1999 – 12 characters is 21st century

Troy Tate — Tue, 17 Aug 2010 17:48:34 +0000

Today’s computers and add-on processors (think graphics processing units – GPU‘s) are extremely powerful. The GPU of today offers about 2 teraflops (10^12 floating operations/sec) of parallel processing power. In 2000, a supercomputer yielded computing performance of just over 7 teraflops and costs $110 million. This computing power has increased the automated password cracking (brute force attacks) threat. In a recent research project reported by the BBC, computer scientists at Georgia Tech Research Institute say that passwords of less than 7 characters with special characters will soon be “hopelessly inadequate”. They recommend passwords of 12 characters or more.

Well, time to pull out my PasswordCard and begin using my 29-character password. What other suggestions do you have for other ITKE readers? Thanks for reading and let’s continue to be good network citizens!

Follow Twitter “How to become a hacker in 15 minutes”

Troy Tate — Wed, 12 May 2010 14:48:58 +0000

Well, it looks like it might be time for me to join the “twitterpated“. Until now I did not see much value in this additional information source. With regards to Twitter, I tend to agree with President Obama’s recent observation about technology and misinformation overload. Today my perception of the value of Twitter propagated content is challenged by the announcement that Liggatt Security is going to beginning sending tweets to followers about How to be a hacker. As an EC-Council Certified Ethical Hacker, I have already been trained to think like a hacker to improve an organization’s security posture. Now Liggatt is offering similar advice using 140 characters to anyone who can receive a Twitter feed.

I agree that information security awareness is a great thing, but how much valuable content can you communicate in such short bursts? Is the information communicated going to make a difference in the ability of a consumer to protect themselves and their systems? Is it going to improve or degrade the ability of information security professionals to do their jobs of protecting assets against threats and reduce risk? Is this similar to all of the medical websites available on the internet, has it improved the health of patients and their ability to speak with doctors?

Your thoughts are welcome. Please share them with me and other ITKE readers. Thanks for reading and let’s continue to be good network citizens.

Security news – Videos from Hack In The Box 2008 Malaysia available for download

Troy Tate — Wed, 21 Jan 2009 16:36:59 +0000

The videos from HITBSecConf2008 – Malaysia are now available for download!

Day 1

=====

http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1

Keynote Address 1: The Art of Click-Jacking – Jeremiah Grossman Keynote Address 2: Cyberwar is Bullshit – Marcus Ranum

Presentations:

- Delivering Identity Management 2.0 by Leveraging OPSS

- Bluepilling the Xen Hypervisor

- Pass the Hash Toolkit for Windows

- Internet Explorer 8 – Trustworthy Engineering and Browsing

- Full Process Reconsitution from Memory

- Hacking Internet Kiosks

- Analysis and Visualization of Common Packers

- A Fox in the Hen House – UPnP IGD

- MoocherHunting

- Browser Exploits: A New Model for Browser Security

- Time for a Free Hardware Foundation?

- Mac OS Xploitation

- Hacking a Bird in The Sky 2.0

- How the Leopard Hides His Spots – OS X Anti-Forensics Techniques

Day 2

=====

http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2

Keynote Address 3: Dissolving an Industry as a Hobby – THE PIRATE BAY

Presentations:

- Pushing the Camel Through the Eye of a Needle

- An Effective Methodology to Enable Security Evaluation at RTL Level

- Remote Code Execution Through Intel CPU Bugs

- Next Generation Reverse Shell

- Build Your Own Password Cracker with a Disassembler and VM Magic

- Decompilers and Beyond

- Cracking into Embedded Devices and Beyond!

- Client-side Security

- Top 10 Web 2.0 Attacks

===

On a related note, the registration for HITBSecConf2009 – Dubai (20th – 23rd April) is now open!

http://conference.hitb.org/hitbsecconf2009dubai/

The Call for Papers (CFP) for HITBSecConf2009 – Malaysia (October 5th -

8th) will open in March 2009.