Dienstag, 30. Juni 2009
Maddin, 30. Juni 2009 um 11:45:30 MESZ NoScript now includes LocalRodeo-like functionality Giorgio Maone just announced that NoScript now includes ABE (a framework for CSRF protection) by default. Among others, ABE contains rules which enforce LocalRodeo's intranet protection functionality. Also, Mozilla has apparently finally fixed Firefox's DNS rebinding issues with the release of 3.5 (at least Kanatoko's testcase fails now). Hence, if you are already a NoScript user, there should currently be no need for additionally installing LocalRodeo. ... Link Dienstag, 21. Oktober 2008
Maddin, 21. Oktober 2008 um 17:41:46 MESZ OWASP Germany Conference Just in case you haven't noticed yet: On November the 25th the first OWASP Germany Conference will take place in Frankfurt. It will be a one-day (mostly) two-track event organized by the German chapter. The program looks pretty great. I am especially curious to see fukami's new talk. Furthermore, [shameless plug] Jeremias and I will give a presentation on our XSS detection work (featuring noXSS and XSSDS). So if you are free on that day, come and join the fun. ... Link Mittwoch, 10. September 2008
Maddin, 10. September 2008 um 13:56:17 MESZ LocalRodeo (beta) for Firefox 3 People that follow me on Twitter probably already noticed: I have started to work on LocalRodeo again. The old version of the extension broke on Firefox 3 and fixing took longer then expected. However, better late then never, finally a FF3 compatible version is available. I will not use the legacy extension's auto-update functionality until I am positive that the recent changes won't affect people still using Firefox 2. Therefore, please refer to this page to get a current version for Firefox 3 (and send us feedback). ... Link Montag, 19. Mai 2008
Maddin, 19. Mai 2008 um 16:35:26 MESZ Travel ahead I am traveling this week. First I will attend the OWASP Europe conference in Ghent to give a talk with Moritz on our static-analysis-evaluation-project. Then on Friday I will fly from Bruessels to Berlin for ph-neutral. If one of the three readers of this blog is at one of these events, let me know so that we can hang out and talk web sec. ... Link Donnerstag, 29. November 2007
Maddin, 29. November 2007 um 17:05:13 MEZ DeepSec 2007 Roundup Last friday I had the honour of giving a talk at DeepSec2007 in Vienna. Due to other obligations I unfortunately could only attend the final day of the conference. The day started with a keynote presentation by Jeff Moss, the founder of BlackHat. He gave a really entertaining talk on responsible disclosure using the Mike Lynn/ISS/CISCO-debacle of 2005 as an example. Jeff was followed by Halvar Flake who talked about (semi-)automatic malware classification using his tool BinDiff. BinDiff looks fantastic. I am always intrigued by tools that combine clever algorithms with a good looking and usable GUI. While I don't necessary completely agree with Halvar's assessment why his technique is significantly better than the competing approaches, I learned a lot from his presentation. Then I had to to some last minute refinements on my slides and meet some people, therefore I skipped most of the trailing presentations. The next talk I attended was my own, which went fine. Once again (a probably for the last time) I presented on CSRF. This time I skipped most parts concerning our protection mechanisms and concentrated more on the various exploiting aspects using real life examples and demoing Justus's CSRF-exploit-o-mat, which allows the automatic creation of a working exploit in less the 5 seconds. I got some good questions and had a couple of nice conversations in the hallway. The conference ended for me with Melanie Rieback's presentation on RFIDGuardian. The RFIDGuardian is a small wearable appliance which is able to intercept, alter, or block communication between RFID-readers and RFID-tags (e.g., your passport, tags in your clothing, or tags you didn't even know you had). The appropriate action which the guardian should execute can be selected on a per tag basis, thus allowing a rather fine-grained control. The feature I liked the most is, that the tool provides auditing/logging capabilities which enable the user to exactly establish when and where somebody tried to access RFID-tags during the day. Right now, only prototypes exist but Melanie's research group is trying to get some funding for mass production, which would result in a possible end-consumer price around 200 €. As all the basic information (software, hardware design) is open and free (GPL, CC) it is also possible to build your own device at home, provided you have a soldering iron and know what you are doing ( a note to my stundents: If anybody wants to do this as a part of his master's thesis, drop me a line). In the evening fukami, Stefan Esser, and I attended Monochrome's fantastically entertaining Taugshow. The show's talk-guests on stage were (among others) Cory Doctorow, Tim Pritlove and Jeff Moss. The secret highlight of the show was a friendly american who almost chocked when he was trying to eat a dollar-bill (which he did to support the US economy). In summary, DeepSec was a very pleasant and inspiring experience. My only regret is that my time was to limited so that I missed the first day and neither had the time to check out the Meta-Lab nor visit the Roböexotica-event. ... Link Mittwoch, 19. September 2007
Maddin, 19. September 2007 um 15:31:06 MESZ Why I do not like taint tracking While I was giving a talk yesterday on our dynamic and language based approaches concerning the avoidance of code injection vulnerabilities at Laboratory for Dependable Distributed System at the University of Mannheim, I came up with a nice description, why I dislike dynamic taint tracking: (Nonetheless, I think taint tracking obviously has a valid place in the defender's arsenal) ... Link Donnerstag, 9. August 2007
Maddin, 9. August 2007 um 12:47:14 MESZ DNS rebinding at CCS'07 This year's ACM conference on Computer and Communication Security (CCS) features two excellent papers on DNS Rebinding (the attack formerly known as "anti-DNS-pinning"). Besides discussing DNS rebinding for firewall circumvention, Protecting Browsers from DNS Rebinding Attacks by Jackson et al. also covers DNS-rebinding-based IP-hijacking, which can be used to commit click-fraud (an malicious application of the attack I have not thought of before). Furthermore, the authors propose a couple of defensive strategies, of which two have especially caught my attention: Dynamic Pharming Attacks and the Locked Same-Origin Policies for Web Browser by Karlof et al. shows how pharming attacks can employ DNS-rebinding to subvert strong authentication mechanisms like client-side SSL (another malicious application I had not thought of before). To counter this threat the propose a "locked same-origin policy" that does not only take domain, port, and protocol into consideration but also requires that the private keys of the web page's respective SSL-certs match (an approach that obviously only works for web pages served via https). I think this solution is a pointer in the right direction. Making the security properties of a web application depended on something that is not directly controlled by the application itself (DNS) was a bad idea in the first place. In the future we should work replacing this policy by something more appropriate and fine-grained. Update: Giorgio Maone announced that the next major version of NoScript will include the stanford paper's "same subnet" anti-rebinding policy (both in IPV4 and IPV6). ... Link Freitag, 15. Juni 2007
Maddin, 15. Juni 2007 um 21:36:42 MESZ CfP: NordSec 2007 - The 12th Nordic Workshop on Secure IT Systems The 2nd Call for Paper for the 12th Nordic Workshop on Secure IT Systems (NordSec 2007) has been published a while ago. I am very proud to be one of the members of the program committee and would love to see many submissions to the workshop. Important dates: The workshop will be held from October 11 - 12 2007 in Reykjavik, Iceland About NordSec NordSec 2007 is organized by Reykjavik University, in Iceland, with a special
focus on Language-based Techniques in Security. Since 1996, the NordSec
workshops have brought together computer security researchers and
practitioners from the Nordic countries, Northern Europe, and elsewhere. The
workshop has an emphasis on applied computer security and is intended to
encourage interaction between academic and industrial research. Confirmed invited speakers are: The workshop is linked to a special issue of the Journal of Logic and
Algebraic Programming. Authors of selected technical papers may be invited
to submit revised versions for consideration in this special issue. For a list of applicable topics please refer to the CfP webpage. A special focus of the 2007 NordSec workshop are Language-based Techniques
in computer security and their applications; papers and extended abstracts
on this topic are especially welcome. Students, researchers, and industry
professionals working in this area are encouraged to submit to the workshop. ... Link Dienstag, 12. Juni 2007
Maddin, 12. Juni 2007 um 10:25:53 MESZ 2nd Rule: You do blog about Bar Camp I attended the first BarCamp in Hamburg which took place last weekend. The lack of technical content was somewhat disappointing to me. However, the content of a BarCamp is a reflection of the interests of the attendee so I am not complaining. The Hamburg crowd seems to be hungry for business, as most sessions revolved around starting companies, getting users or making money. I gave a short session on web security with a focus on issues that may arise due to the specific characteristics of the web2.0. While I had comparatively few participants we still had a nice and rewarding discussion. ... Link Mittwoch, 18. April 2007
Maddin, 18. April 2007 um 17:21:20 MESZ New LocalRodeo Version We just released a new version of LocalRodeo, our little anti-JavaScript-malware Firefox extension. Release notes: So, if you are interested please take LocalRodeo for a testdrive and let us know if anything breaks. ... Link Nächste Seite |
online for 8406 Days
last updated: 09.04.14, 16:14 Youre not logged in ... Login
click:
Martin Welt martinjohns.com Tumbling Nerd Alert Blogroll doomicile foobla simonox Podroll IT Conversations The Podcast about nothing |