Robert Hensing's Blog

Software Security . . . and stuff.

May, 2008

  • All your SSH keys are belong to HD Moore

    Today's Fail Open Goat Award goes to the Debian / Ubuntu distros (a friend assures me that Ubuntu is derived from Debian and as such is also vulnerable?). HD Moore has decided to completely rape the Debian predictable RNG bug by generating all of the...
  • Safari "carpet bombing" Fail Open Goat Award

    So last week Nitesh and Billy Rios found a vuln in Safari that lets a remote attacker / malicious web site drop any file(s) they want on a user's desktop if you're using Safari on Windows. Apple doesn't see this as a security vulnerability and thus isn...
  • F-Response

    So I admit I'm a bit out of date on the 'incident response' scene since I don't really do it for a living anymore. Well fortunately Harlan Carvey isn't and he has a blog post up with a mini-review of some bad-ass new software that could be *really* interesting...
  • Live.com video search!

    Whoa - check this out: http://search.live.com/video/results.aspx?q=ferrari&form=QBVR Use Live.com to search videos . . . hover the mouse over a video and see what happens. Wow. I'm so easily amused. :)
  • Dear China, I can haz power now plz? okthxbai

    Interesting read: http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php Some interesting parts: A second information-security expert independently corroborated Bennett’s account of the Florida blackout. According to this individual, who...
  • MediaDefender DDoS's Revision3

    So Revision3 seems to be using BitTorrent to distribute legitimate / legal content that they either own or properly license. They found some folks using their Torrents without permission and blocked them . . . then they came under attack from a fairly...
  • Gmail - Fail Open Goat Award

    Gmail is this month's winner of the Fail Open Goat Award: http://arstechnica.com/news.ars/post/20080510-security-flaw-turns-gmail-into-open-relay-server.html
  • SensePost blog on arbitrary file downloads in a Juniper AX

    Fascinating blog over @ SensePost about a Juniper AX control that allowed arbitrary file downloads to a predictable location a la Apple/Safari: http://www.sensepost.com/blog/2237.html Haroon makes some excellent points about the inability of standard...
  • Microsoft Research - World Wide Telescope

    This is the official unveiling of the app that made Scoble cry . . . now available to anyone on the Internets. http://www.worldwidetelescope.org/ So what is it? MSR has essentially used something like Photosynth (I'm guessing) to stitch together...
  • Security news feed

    Here's a great RSS feed to subscribe to if you're into getting interesting security news: http://www.team-cymru.org/News/
  • Adobe (non)0-day

    Nice blog from Adobe laying some authoritative smack down: http://blogs.adobe.com/psirt/2008/05/more_information_on_recent_fla.html Yeah I know this is old news - I'm on the road . . . I was pretty sure the day that this released that this was Dowd...