ZDNet Resources
- Taking ownership (pwnership) of content: Cross-site Scripting Google
- My good friend Billy Rios, pictured to the right, published another interesting exploit recently. It's a cross-site scripting exposure in spreadsheets.google.com, which is interesting because it's exploited by using the content-type returned by spreadsheets.google.com and a caching flaw on the part of Google. Here are some details from Billy's blog: I was...
- Tags: Security, Google Inc., HTML, XSS, Domain, Billy Rios, Rios, Nathan McFeters
- Blog posts 2008-04-16
- Taking ownership of content
- Billy Rios covered a very interesting flaw in Google's code.google.com site on his blog today. The issue involves taking ownership of content of a third party by an application and relates to research that Rios and I originally presented at DEFCON 15 last year. Before...
- Tags: Domain, Applet, JVM, Billy Rios, Class File, CODE, Java, Programming Languages, Software Development, Software/Web Development, Nathan McFeters
- Blog posts 2008-04-04
- Black Hat Europe 2008
- Nate McFeters' pictures of Black Hat Europe 2008 in Amsterdam. by Nate McFeters
- Tags: Black Hat, Nate McFeters, news, Black Hat Europe 2008, Amsterdam, tech action, hackers, Dafydd, Marcus, Rob Carter, Billy Rios, Nitesh
- Image galleries 2008-03-26
- More Firefox URI handling security hiccups
- Mozilla has not quite fixed the security hiccups with URI protocol handling in Firefox. According to Billy Rios and Nate McFeters, the two security researchers behind the exposure of protocol abuse in popular Web browsers, Firefox is still vulnerable to a remote command injection flaw that...
- Tags: Security, Mozilla Firefox, Mozilla Corp., Ryan Naraine
- Blog posts 2007-09-04
Additional Resources
- Safari "Carpet Bomb" attack information released
- Nitesh Dhanjani released information about some of his newest research on the Safari web browser this morning, and interestingly enough, Apple has decided NOT to fix some of the issues he presented. Dhanjani reported three issues, as follows below from his blog: 1. Safari Carpet Bomb. It...
- Tags: HTML, Apple Safari, Apple Inc., Issue, Safari Carpet Bomb.It, Security, Nathan McFeters
- Blog posts 2008-05-15
- Aviv Raff drops an 0-day for IE 7.0 and 8.0b on XP
- I've been busy all day and just haven't been able to get to it until now, but Aviv Raff is a seriously bad man. I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other...
- Tags: HTML, Microsoft Windows XP, Microsoft Internet Explorer 7, Blog, Microsoft Internet Explorer, Aviv Raff, Blogging, Web Browsers, Internet, Nathan McFeters
- Blog posts 2008-05-14
- Why do Macs need so much fixing?
- Why do Macs need so much fixing? My point exactly ntnt I guess we're both the luckiest people in the world. All of my systems (Windows, OS X, Linux, and Solaris) work fine. No muss, no fuss, no problems. It's good to be me. Come come now Ross2000: [i]Am I the luckiest guy in the...
- Tags: Operating systems, UNIX, Macs need, Microsoft Windows, Apple Macintosh
- Discussion threads 2008-05-09
- More URI handler issues to come
- Rob Carter, Billy Rios, and I have been blogging about and speaking at conferences like Black Hat and ToorCon all year on the subject of URI handler abuse. One might think these types of flaws are soon to go away, but one look at SecurityFocus and FullDisclosure today and you can see...
- Tags: Flaw, Security, Nathan McFeters
- Blog posts 2008-04-25
- Microsoft outlines its BlueHat briefing schedule
- Microsoft's 7th BlueHat conference--which features external and internal security researchers--will focus on web applications and architecture. The invitation only conference kicks off May 1 and runs through May 2. Among the notable talks from the schedule: Alex "Kuza55" K. of SIFT in which he...
- Tags: Microsoft Corp., Conference, Phishing, BIOS, Cyberthreats, Spam, Web Browsers, Security, Viruses And Worms, Spam And Phishing, Hardware, Components, Internet, Larry Dignan
- Blog posts 2008-04-25
- Upcoming panel on exploiting the social graph
- At a conference I attended last month on social media law (I have some interesting notes I'll post soon), I was struck by how lawyers for social media giants such as Facebook, MySpace, Google, find speedy ways to accommodate powerful copyright holders on infringement issues. When it comes to...
- Tags: Social Media, Denise Howell
- Blog posts 2008-04-23
- Recent CNN Distributed Denial of Service (DDoS) attack explained
- According to Netcraft: "The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to...
- Tags: Denial Of Service, Distributed Denial Of Service, CNN, Attack, Danchev, Security, Nathan McFeters
- Blog posts 2008-04-23
- ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero
- *** Updated: ToorCon images uploaded. Click here! Alright, that title probably sounds pretty random... well, welcome to ToorCon! ToorCon has long been one of my favorite conferences for the easy atmosphere, laid-back presentations, and parties. This year's Seattle-based ToorCon was the best I've been to. ...
- Tags: Researcher, XSS, Domain, Microsoft Corp., Conference, Attack, ToorCon Seattle 2008, John, Security, Nathan McFeters
- Blog posts 2008-04-21
- Comscore: The Google fallout
- Comscore: The Google fallout Yes, MS does wish they could shut-up all of the analyzers talking about the dirty tricks, and problems with Vista, MS Office, etc. Ain't a gonna happen. Do we feel sorry for Billy and Stevie having their feet held to the fire????? Microsoft paid Comscore to lower forecasts for paid...
- Tags: Financial accounting, ComScore Networks Inc., Google Inc., fallout
- Discussion threads 2008-04-18
- PCI Compliance gets clarified and neutered (further)
- At one point, I thought that PCI certification was a great thing. Now I realize that it's not really about security at all... it's about money and responsibility and transferring ownership of risk. The PCI certification just got a clarification: "6.6 Ensure that all web-facing applications...
- Tags: Web, XSS, PCI, Web Application, TV, Attack, PCI Compliance, Web Application Firewalls, WAF, Security, Nathan McFeters
- Blog posts 2008-04-17
- Yahoo may go nuclear vs. Microsoft: Close to Google ad deal
- Yahoo may go nuclear vs. Microsoft: Close to Google ad deal anything is better than being assimilated by M$ M$ brings only waste, death and slavery to what it acquires! Google must step in and save the day. Fire at will Next shot is MS taking it to the streets.. watch. RE: Yahoo may go nuclear...
- Tags: advertisement, Yahoo shareholder, Yahoo! Inc., Microsoft Corp., Google Inc., Legg Mason Inc., shareholder
- Discussion threads 2008-04-09
- Black Hat Europe, Day 4 (Finally): Early wake-up calls always lead to long days
- For those of you who had been reading my Day 1, Day 2/Day 3, and Day 2 revisited stories about Black Hat Europe here on ZDNet, I'm sure you were wondering what happened to Day 4, the second day of conferences. Well, after a long delay, here it is! Basically, I got caught up...
- Tags: Black Hat, Phishing, Cyberthreats, Spam, Viruses And Worms, Security, Spam And Phishing, Nathan McFeters
- Blog posts 2008-04-07
- "How do I?" videos for security
- While checking out Billy Rios's XS-Sniper blog today, I noted that he had included an interesting link to some videos produced by Microsoft. I haven't had a chance to check them all out yet, but they are quite interesting. These "How do I?" videos provide video tutorials to address certain...
- Tags: Security, Video, Corporate Communications, Marketing, Nathan McFeters
- Blog posts 2008-04-03
- Interview with the Vista Pwn2Own contest winners
- Interview with the Vista Pwn2Own contest winners So NO, we did not duplicate it on any other platform. What Nate states is this is a compiler issue with a polymorphism/name mangling bug. Therefore, it is not an Adobe coding issue. So my questions still remain: 1) Have you duplicated this on...
- Tags: Microsoft Windows Vista (Longhorn), data execution prevention, Vista Pwn2Own, Nate, flaw, Microsoft Windows Vista
- Discussion threads 2008-04-02
- Black Hat Europe, Day 2: The day that wasn't and Black Hat Europe, Day 3: Begin the presentations
- If you haven't seen it yet, you can check out Day 1 of my coverage of Black Hat Europe 2008 here. So, for those of you looking forward to a Black Hat Day 2 update with some more from the training sessions... I'm afraid it didn't happen. I had...
- Tags: Black Hat, Antivirus, Buffer-overflow, Attack, Breese, Security, Viruses And Worms, Nathan McFeters
- Blog posts 2008-03-29
- Microsoft OOXML standardization bid: The clock is ticking
- Microsoft OOXML standardization bid: The clock is ticking Re: IMHO, it should get standardized as technically it's superior again anyone will argue so I'll say it supports a superset of features than ODF and can accommodate all the features Office offers. But I doubt it will be standardized by ISO. Foolish Governments...
- Tags: OpenDocument Format (ODF), ISO standards, Process improvement, Open XML, FUD, Microsoft Corp., OpenDocument Format, ISO
- Discussion threads 2008-03-28