I had the good fortune to attend ShmooCon 2011 last weekend. A new tradition at ShmooCon is evening “firetalks” on Friday and Saturday. Basically, after the conference has ended for the day, a bunch of folks decide to put off parties for a few more hours in order to do a bunch of 15-minute “get right to the point” talks. This year had a good selection of topics and speakers, with one that jumped out to me as a perfect topic for this week’s “Technology & Tool Thursday” post. Armitage was written by Raphael Mudge (not to be confused with Peiter “Mudge” Zatko). It’s a GUI interface for using Metasploit to pwn your targets. Metasploit is a tremendous framework for[…]

I wrote a bit about Stuxnet on my own blog last November, but we’ve not really addressed it here on Security Musings. By most accounts, this is one of the single-most important incidents in 2010, with the possibility to change the game. There has been a lot of discussion this week about attributing the source of Stuxnet, which is particularly interesting. First, for a bit of background, check out Bill Brenner’s post over at CSO Online covering “Three takes on Stuxnet” as he includes a couple of the links I’d originally planned to use here. He links to presentations on Stuxnet from Symantec, Kaspersky, and – my personal favorite – Mikko Hypp√∂nen, Chief Research Officer at F-Secure. Given the scenario[…]

Forget about everything that’s been made of password strength; it’s a red herring. True, you shouldn’t be using one common password across all sites, but that’s not a password selection issue. Should you pick good quality passwords that aren’t easily guessable? Absolutely. That being said, let’s forget about the rest of the rules, with perhaps the exception of length, and talk a bit about what actually happened with Gawker.

The din has increased of late over the “need” for AV on all Macs. Historically, there haven’t been a lot of overt malware threats to the platform, and thus it has persisted as a special case, for better or for worse. Commercial solutions have existed for years, and yet in the past few weeks some of those packages have been released for free (presumably because they’re not making much money anyway). Some cite “Boonana” as the latest “big” threat since Koobface… New Mac Trojan uncovered: “Boonana” New Java trojan attacks Mac OS X via social networking sites Of course, then the threat is downplayed… Intego classifies new Mac trojan threat as “minimal” Nonetheless, it seems that there *is* Mac malware…[…]

The big news of the week, emanating from Toorcon 12, is the release of Firesheep. This tool makes SideJacking – that is, “hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server” – painfully simple for anybody to use. How easy? Well, let’s see… you download and install Firefox… and then you download and install the Firesheep extension to Firefox… and then you restart Firefox and run the tool to start hijacking sessions… that’s it! Simple enough for ya? SideJacking is not a new concept, nor is the existence of tools. Robert Graham of Errata Security made a bit of a splash with his tool Hamster back[…]

OWASP’s AppSecDC 2010 is less than a month away, running at the Washington Convention Center November 8-11. The first two days provide attendees and locals with an excellent opportunity to attend high-quality training for very little money. In particular, Gemini Security will be delivering KRvW Associates‘ “Software Security Best Practices” curriculum. This course is a 2-day program that only costs $1,495! The curriculum is hands-on in nature, portable to most code bases, and builds on the successes of the OWASP Top 10 list, OWASP Live CD, and several years of quality curriculum from KRvW Associates. We hope that you’ll be able to attend the conference and also take advantage of this, or other, training programs. Sign-up today!