ZDNet Resources
- Can I interest you in a glass of Berry Blue Kool-Aid?: A recap of Microsoft Blue Hat v7
- Hey all, I was fortunate enough to be invited to attend Microsoft Blue Hat v 7 as I had some research that Microsoft was interested in bringing me in to talk about. Microsoft got to have co-worker and fellow researcher Rob Carter and I in to talk...
- Tags: Microsoft Corp., Blogging, Team Management, Internet, Management, Nathan McFeters
- Blog posts 2008-05-06
- Hot off the wire: Windows XP SP3 available from Windows Update
- From Paul Miller at Engadget: "At last the moment you've been waiting for. Microsoft wants to hit your version of Windows with an update, and this time you don't have to go rummaging around the internet to find it: just fire up Windows Update and let Microsoft do all...
- Tags: Security, Microsoft Windows Update, Microsoft Windows Vista, Microsoft Corp., Microsoft Windows, Microsoft Windows Vista (Longhorn), Microsoft Windows XP, Operating Systems, Software, Nathan McFeters
- Blog posts 2008-05-06
- House of Hackers social community opens up
- PDP, the leader of the Gnucitizen White Hat Hacker outfit announced the opening of the House of Hackers social community yesterday. The House of Hackers is intended to enable its members to exchange ideas with each other, communicate, form groups, elite circles and tiger/red teams, conglomerate around projects, and participate in...
- Tags: Community, Network, Member, Hacker, Gnucitizen White Hat Hacker, House, Hacking, Social Networking, Networking, Security, Online Communications, Marketing, Advertising & Promotion, Nathan McFeters
- Blog posts 2008-05-06
- Hacking NASA: One small step for man, one giant leap for hackers?
- The CORE Security Team released an advisory to the Full-Disclosure mailing list today that documented a stack overflow in NASA's Common Data Format libs. Looking at this bug, the tech details aren't overwhelming, I think I'm mostly excited about it due to the high profile of hacking NASA libs. One...
- Tags: NASA, Vulnerability, Hacker, Exploitation, Common Data Format 3.2.1, Security, Patches, Hacking, Nathan McFeters
- Blog posts 2008-05-05
- Morse Code Rickroll 0-day... no, seriously, I mean it
- In the security research world, getting Rickrolled has become a global epidemic. If you've been to any of the recent conferences, you're sure to have been Rickrolled at least once... if you were fortunate enough to be at ToorCon Seattle, then you got Rickrolled about 300 times by Dan Kaminsky....
- Tags: Morse Plc., I/O, XSS, Encryption, Security, Nathan McFeters
- Blog posts 2008-05-04
- More bad news for McAfee, HackerSafe certification
- Dan Godin posted a great article that was picked up by The Register a couple days ago about continued challenges for McAfee's newly purchased HackerSafe division. I find the article interesting as HackerSafe uses a scanning tool that probes for web application security flaws... of course, tools are limited in...
- Tags: McAfee Inc., Security, Certification, Vulnerability, XSS, HackerSafe, Godin, Goodin, Nathan McFeters
- Blog posts 2008-05-01
- Apple and AT&T providing free Wi-Fi access to iPhone users and oops... to everyone else as well!
- You have to love security through obscurity... A friend of mine on a private mailing list passed me a link to a story on macrumors.com, which was quite interesting. Apparently, Apple and AT&T has decided to provide free wireless access to iPhone users at places like Starbucks. ...
- Tags: Apple iPhone, Wi-Fi Access, AT&T Corp., Apple Inc., Starbucks Corp., User Agent, MacRumors, Wireless LANs, Wi-Fi, Wireless, Nathan McFeters
- Blog posts 2008-05-01
- Word up to Linux fan boys: Multiple Linux flaws show that Linux also has kernel issues
- Not to defend Microsoft, as kernel exploits that provide privileged access are terrible flaws, but we had an interesting discussion in the talkbacks where several people acted as if Microsoft was the only place that could've made such mistakes. Well, the proof is in the pudding that this is a common flaw...
- Tags: Denial Of Service, Microsoft Word, Kernel, Debian, Flaw, Linux, Security, Operating Systems, Open Source, Software, Nathan McFeters
- Blog posts 2008-05-01
- Novell GroupWise 'mailto' URI handler buffer overflow vulnerability
- Researcher Juan Pablo Lopez Yacubian has reported another URI abuse exploit. From Security Focus: Novell GroupWise is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Successfully exploiting this issue will allow an attacker to execute...
- Tags: Novell Inc., Researcher, Vulnerability, Buffer-overflow, Novell GroupWise, E-mail Servers, E-mail Clients, Groupware, Viruses And Worms, Security, Enterprise Software, Software, Nathan McFeters
- Blog posts 2008-04-29
- MS08-025: Microsoft Windows kernel vulnerable to local privilege escalation flaw
- From Microsoft: A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. This is an important security update for all supported editions of Windows 2000, Windows XP, Windows Server...
- Tags: Window, Microsoft Corp., Kernel, Flaw, Updates, Microsoft Windows, Security Administration, Operating Systems, Security, Software, Nathan McFeters
- Blog posts 2008-04-29
- Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers
- There's been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft's IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack. For those of...
- Tags: Developer, Password, Web Application, Server, SQL, Site, SQL Injection, Microsoft IIS Server, Attack, Programming Languages, Security, Databases, Software Development, Software/Web Development, Enterprise Software, Software, Data Management, Nathan McFeters
- Blog posts 2008-04-28
- More URI handler issues to come
- Rob Carter, Billy Rios, and I have been blogging about and speaking at conferences like Black Hat and ToorCon all year on the subject of URI handler abuse. One might think these types of flaws are soon to go away, but one look at SecurityFocus and FullDisclosure today and you can see...
- Tags: Flaw, Security, Nathan McFeters
- Blog posts 2008-04-25
- SlideShare: Another DDoS victim surfaces
- In an email to me, Dancho Danchev reported another victim of the same type of DDoS attack mentioned as hitting CNN. We'll keep our ears open for other instances. The following links to the SlideShare blog which discusses the attack: http://blog.slideshare.net/2008/04/18/slideshare-experiencing-ddos-attack/ ...
- Tags: Victim, Distributed Denial Of Service, Security, Nathan McFeters
- Blog posts 2008-04-24
- Recent CNN Distributed Denial of Service (DDoS) attack explained
- According to Netcraft: "The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to...
- Tags: Denial Of Service, Distributed Denial Of Service, CNN, Attack, Danchev, Security, Nathan McFeters
- Blog posts 2008-04-23
- ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero
- *** Updated: ToorCon images uploaded. Click here! Alright, that title probably sounds pretty random... well, welcome to ToorCon! ToorCon has long been one of my favorite conferences for the easy atmosphere, laid-back presentations, and parties. This year's Seattle-based ToorCon was the best I've been to. ...
- Tags: Researcher, XSS, Domain, Microsoft Corp., Conference, Attack, ToorCon Seattle 2008, John, Security, Nathan McFeters
- Blog posts 2008-04-21
- PCI Compliance gets clarified and neutered (further)
- At one point, I thought that PCI certification was a great thing. Now I realize that it's not really about security at all... it's about money and responsibility and transferring ownership of risk. The PCI certification just got a clarification: "6.6 Ensure that all web-facing applications...
- Tags: Web, XSS, PCI, Web Application, TV, Attack, PCI Compliance, Web Application Firewalls, WAF, Security, Nathan McFeters
- Blog posts 2008-04-17
- Crossing over to the dark side: Consultant pleads guilty to identity theft
- Darth Vader: You underestimate the power of the Dark Side. If you will not fight, then you will meet your destiny. An article on the IOL Technology website discusses a consultant who pleaded guilty on Wednesday to raiding hundreds of thousands of computers. The article states: John Schiefer,...
- Tags: Computer, Productivity, Identity Theft, Online Communications, Security, Nathan McFeters
- Blog posts 2008-04-17
- Targeted spear phishing attacks
- A colleague of mine, Dave Wong, from Ernst & Young's Advanced Security Center in New York, pointed me to a really interesting article on targeted spear phishing attacks by John Markoff of the New York Times. Phishing has been really interesting to me lately, as I've seen a wave of discussions,...
- Tags: E-mail, Attack, Phishing, Cyberthreats, Spam, Viruses And Worms, Security, Spam And Phishing, Nathan McFeters
- Blog posts 2008-04-16
- Mark Dowd's null pointer dereference exploit and advanced Flash ActionScript techiques proove definitively: Aliens Do Exist!
- Alright, I'm just going to start out with a little background before I start, this particular research was so cool that I've been talking about it all day. Reading this whitepaper, written by Mark Dowd, was as exciting to me as watching highlights of Michael Jordan sinking that winning shot,...
- Tags: Research, Adobe Systems Inc., Blog, Blogging, Team Management, Internet, Management, Nathan McFeters
- Blog posts 2008-04-16
- Taking ownership (pwnership) of content: Cross-site Scripting Google
- My good friend Billy Rios (pictured to the right) published another interesting exploit recently. It's a cross-site scripting exposure in spreadsheets.google.com, which is interesting because it's exploited by using the content-type returned by spreadsheets.google.com and a caching flaw on the part of Google. Here's some details from Billy's blog: I was...
- Tags: Security, Google Inc., HTML, XSS, Domain, Billy Rios, Rios, Nathan McFeters
- Blog posts 2008-04-16
White Papers and Webcasts
Test drive Sun products in your IT environment free for 60 days. Get up to 45% off list price when you purchase your trial system. Returns? No problem. We pay shipping both ways.
Designed specifically to address the concerns of senior IT managers at organizations with more than 100 employees, the Intel Premier IT Professional Program provides best practices via local and e-Seminars and a members-only Web site.
Harnessing the power of waves
3:13
Planting solar gardens
5:06
Fill your car for $1.10 a gallon?
1:43
