Advances in HTTP encapsulated payloads – a presentation about Metasploit using outbound connections. Nothing too revolutionary, but a good reminder that just because you only allow outbound HTTP traffic, it doesn’t mean that you are safe.
IE8 has issues with a lot of sites in the restricted zone list – this wouldn’t be an issue, but apparently Spyware S&D uses this method to block sites. While in some sense adding 10 000+ sites is excessive, but in the same time if this worked acceptably with older versions, it is a regression (along the same lines: having a lot of entries in the hosts file – for the same reason – to block certain sites – makes the DNS service spike an 100% for several seconds. as a sidenote Ubuntu doesn’t seem to have this problem :-)).
Via Security Balance: the Microsoft Azure “cloud” went down for 22 hour because of patching. Last year Amazon EC2 want offline for a couple of hours. On average these services probably have a much better SLA level than 99% of the companies, yet still people point to these incidents as risks...
- An update to Network Monitor, Microsoft’s version of Wireshark (if you have to install a software, why not use the better product, ie. Wireshark? :-))
- DD in Windows Forensics [PDF]
- Solving the This driver is not signed problem – ok, this is bad from a security standpoint. This means that any malware with administrator privileges (which it already must have to install rootkits) can simply do a two-step process to install the rootkit: (a) install its own certificate and (b) install the rootkit. Why not require all drivers to be signed by a central authority? For legal reasons I assume...
- Is Windows Forensic Edition Forensically Sound? – yes if you know what settings to change. But for the love of the all mighty: these settings should have been set by default! I know that it is more convenient to have the partitions mounted auto-magically, but then don’t call it “forensic” edition
Protocol coverage metrics – it got me thinking: wouldn’t it be nice to have a formal grammar for the protocols, so that we can check if the implementations conform to them?
From taint.org: Ts'o: Delayed allocation and the zero-length file problem – essentially ext4 changed the commit delay from 5 to 60 seconds, so if your application crashes, though.
The Metasploit performance can be improved considerably by a simple patch – this is really needed, because it is slooow. Also, memory reallocation is slow, no matter in what language you do it.
Via ReverseEngineering Reddit: The Beginners Guide to Codecaves. A nice article. It also talks about TSearch, a useful tool for quickly localizing and editing variables in the applications memory space.
Retro Computing presentation – what you can use an older computer for.
Freshmeat.net has a new design – very Web 2.0 :-)
Dan Kaminsky’s slides from CanSecWest – interesting stuff, as always. I very much liked the method of using faked FTP connections to set up port forwarding at the router.
Picture taken from Hamed Saber's photostream with permission.