VMware has just released new versions of their VMware ACE, VMware Player, VMware Server, and VMware Workstation products to fix several security issues. The updates to VMware ACE, Player, Server, and Workstation are: Setting ActiveX killbit Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX [...]

Last week the Office of Management and Budget released memoranda M-08-23, titled Securing the Federal Government’s Domain Name System Infrastructure. The document states that all US government top level .gov domains will use DNSSEC starting in January 2009. This is in response to the DNS cache poisoning attack that Dan Kaminsky made public a few [...]

WhiteHat Security released their 5th website security statistics report yesterday. They also held a webinar to go over the results, and the website security statistics slides are also available on slideshare. Total Websites: 687 Identified vulnerabilities: 11,234 Unresolved vulnerabilities: 3,541 (66% resolved)  Websites HAVING HAD at least one serious issue: 82% Websites CURRENTLY WITH at [...]

Rob Fuller yesterday did an excellent guest post on the Zero Day ZDNet blog on the tools released at DEFCON 16. Here is the list of DEFCON 16 tools: Beholder: An open source wireless IDS program by Nelson Murilo and Luis Eduardo The Middler: The end-all be-all of MITM tools by Jay Beale ClientIPS: An [...]

Some videos from The Last Hope are now online via bittorrent. I hope more videos will come online soon, as many of the presentations sounded interesting. At the least, The Last Hope audio is all online at the offical The Last Hope site. Here is the list of videos currently being distributed: A Hacker’s View [...]

Because the presenters have to submit their slides before the conference (so they can make the presentation discs), often the slides are outdated by the time the conference comes around. Thankfully a few presenters are posting their updated slides online, and here is a list of those that did. NTLM is Dead by Kurt Grutzmacher [...]

Black Hat USA is over, and I think everyone is still in recovery mode. There were tons of presentations, and here are some posts from various people recapping the event. Once I recover, I will be posting my overall thoughts on the conference as well. Day 1: BlackHat 2008 LiveBlog: Day 1 by Security Monkey [...]

Michael Boman is hosting the Black Hat USA 2008 presentations on his site. Here is a direct link to the Black Hat USA 2008 zip file, with a file size of 198,756,461 bytes, and a MD5 of a5551435ccce85d3fb26b90bc899c080. Thanks Michael!

Here are my notes from the Black Hat USA 2008 presentation called ‘MetaPost Exploitation‘ by Val Smith and Colin Ames. The MetaPost Exploitation slides are now online, as well as demo movies at offensivecomputing.net. If you do any sort of enterprise level penetration testing, you should definitely check it out. Credential Management Wordpad and paper [...]

Yesterday Jeremiah Grossman and Trey Ford from WhiteHat Security gave a very interesting and fun presentation called ‘Get Rich or Die Trying – Making Money on The Web, The Black Hat Way‘. They went over several real world examples of business logic flaws, and in some cases profited (a lot) from those flaws. The Get [...]