heasman

ZDNet Resources

• sort by:
• Relevance
• Date
• Popularity

On GIFARs

Ever since Rob McMillan of IDG published a story giving a preview of our coming Black Hat talk, specifically a preview of the portion of our talk related to GIFARs, media coverage of the research has swirled a bit out of control and there's been some misconceptions.  My co-presenter John...

Tags: Black Hat, Vector, Applet, Image, Attack, Heasman, Nathan McFeters

Blog posts 2008-08-02

Additional Resources

Researchers demo BIOS attack that survives hard-disk wipe

A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. The researchers -- Alfredo Ortega and Anibal Sacco from Core Security Technologies -- used the stage at last week's CanSecWest conference to demonstrate methods...

Tags: Hard Drive, Researcher, Attack, BIOS, Rootkits, Security, Hardware, Components, Spyware, Adware & Malware, Ryan Naraine

Blog posts 2009-03-23

Black Hat Las Vegas Day 2

Again, sorry for the late updates.  Vegas is the kind of place that demands a lot of a person.  Too many parties make it difficult to find time to blog on the conference.  Pictures of the even are a bit sparse, due to consistently forgetting to bring my camera, but...

Tags: black hat, microsoft corp., applet, image, vegas, nathan mcfeters

Blog posts 2008-08-09

Black Hat Sneak Preview

Rob McMillan from IDG interviewed John Heasman and I today about the presentation we will be delivering with Rob Carter at Black Hat Vegas next week. The article has a good teaser about one of the more interesting of the many attacks we will cover, namely what we've coined...

Tags: Black Hat, Java Applet, Web Application, Web Browser, Applet, Attack, GIFAR, Java, Programming Languages, Security, Software Development, Software/Web Development, Nathan McFeters

Blog posts 2008-08-01

Kaminsky to discuss DNS flaw at Black Hat sponsored webcast

The Black Hat group on Twitter provided a message today alerting people to a webcast to be put on by Dan Kaminsky on the DNS vulnerabilities that I've heavily covered as follows: Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at Black Hat Vegas '08 ...

Tags: Black Hat, Webcast, DNS, Flaw, Domain Names, Networking, Internet, Nathan McFeters

Blog posts 2008-07-15

Remote code execution through Intel CPU bugs

Kris Kaspersky, author of numerous books on reverse engineering and software engineering, will be presenting his research on remote code execution through Intel CPU bugs at the upcoming Hack in the Box Security Conference in Malaysia. If his proof of concept code consisting of JavaScript or TCP/IP packet attacks on...

Tags: CPU, Intel Corp., Processors, Security, Semiconductors, Hardware, Components, Dancho Danchev

Blog posts 2008-07-14

Sun releases JRE Version 6 Update 7, 90% of desktops currently at risk*

* The 90% of desktops currently at risk comes from numbers presented at the Java One Keynote in 2008.  If you aren't patched, get the Java control panel up and get updated, or go to Sun's site to download the update, cause this one's big. Yesterday Sun...

Tags: Desktop, Sun Microsystems Inc., JRE, Programming Languages, Java, Software Development, Software/Web Development, Nathan McFeters

Blog posts 2008-07-11

Multiple Facebook vulnerabilities reported on Full-Disclosure

Jouko Pynnonen posted a message to the Full-Disclosure mailing list today, citing multiple "script injection" vulnerabilities within Facebook.  I'm not sure if this is a surprise to anybody out there, it's certainly not to me, as numerous web applications have major problems with Cross-site Scripting vulnerabilities, but I think this...

Tags: Facebook, Vulnerability, XSS, JavaScript, Microsoft Internet Explorer, Web Browser, Sandbox, JS, Canvas Page, Web Browsers, Internet, Nathan McFeters

Blog posts 2008-07-02

McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

McAfee S.P.A.M. experiment and more ridiculous HackerSafe failuresI get slammed for pronouncing the name wrong, but McAfee is the bestMcAfee is the only true voice on security. I have never once seen a computer with their AV software installed that has be overrun with viruses. If this is...

Tags: SECURITY, McAfee Inc., HackerSafe

Discussion threads 2008-07-02

Researcher keeps 'carpet bomb' attack alive, despite patch

Security research Billy Rios posted an article today about the Apple Safari "Carpet Bomb" attack, discussing a new issue that, despite the patch which prevented a "blended" remote command execution attack when Safari was used in conjunction with IE on a Windows system, keeps the "Carpet Bomb" attack alive and well. ...

Tags: Software, Apple Safari, Apple Inc., Ecosystem, Attack, Billy Rios, Security, Nathan McFeters

Blog posts 2008-06-21

2008 Pwnie Awards

Don't forget to go and vote on the Pwnie Awards, which will happen at Black Hat Vegas again this year.  I don't want to campaign for votes, but I wouldn't be pissed if some of my loyal readers out there voted for me, Billy Rios, Rob Carter, and John Heasman and...

Tags: Category, Nomination, Security, Nathan McFeters

Blog posts 2008-06-19

Black Hat '08 preview webcast on its way

Ladies and gents, For those who hadn't heard, I will be presenting at Black Hat Vegas '08 this year with Rob Carter, John Heasman, and Billy Rios.  Our presentation is called "The Internet is Broken: Beyond document.cookie - Extreme Client Side Attacks", which may sound like a...

Tags: Black Hat, Webcast, Nathan McFeters

Blog posts 2008-06-15

Hacking SCADA for terrorism and destruction

SCADA scares me, and I've seen enough things on the Internet to be desensitized to many things, but attacks against SCADA threaten our national security in a very real and topical way by attacking power grids, water treatment plants, nuclear plants, etc.  Hacking networks that SCADA devices reside on and...

Tags: Device, Hacking, Internet, Network, SCADA, Terrorism, Attack, Enterprise Software, Software, Nathan McFeters

Blog posts 2008-06-12

Another bug your tools won't find and your WAF won't prevent

First off, I want to apologize to our readers for not being here as much last week.  I had a rough week involving a random ear infection and the loss of an aunt to cancer, so it was not a week where I was very concerned about computer security or...

Tags: Juniper Networks Inc., Blog, Bug, ActiveX, Tool, Productivity, ActiveX/COM/COM+/DCOM, Software Development, Software/Web Development, Nathan McFeters

Blog posts 2008-06-09

Black Hat Vegas '08: Sneak peek at some of the interesting attacks we will unveil

John Heasman posted a sneak preview of our Black Hat presentation, which will happen in August in Las Vegas today.  This particular attack is extremely interesting, multi-stage nastiness involving the use of Java to steal domain credentials.  John describes this as: "I'm going to revisit an old...

Tags: Attack, Black Hat, Nathan McFeters, Security

Blog posts 2008-06-06

Motorola RAZR vulnerable, what's up with Motorola's update process?

Motorola RAZR vulnerable, what's up with Motorola's update process?Apparently AT&T Razrs are not affected?When I click on the Motorola link you provideit allows me to use my computer to download theupdate ... BUT ... AT&T is not listed under the"carrier type" selection. Only T-mobile is asimilar network type selection...

Tags: Text messaging/SMS/MMS, Cellular phones, Blogging, Motorola Inc., MMS, image, Motorola Razr

Discussion threads 2008-05-27

RSnake picks on Google Health... yes, Google wants your medical records, too!

Interesting article from Robert "RSnake" Hansen yesterday on one of Google's new innovations, the Google Health application.  Yeah, imagine that, Google wants to own the content of your medical records, too!  You'd think that Google would want to avoid this due to HIPPA complications, as this is a true example of...

Tags: Google Inc., Health Care, Medical Record, RSnake, Hipaa, Vertical Industries, Benefits, Healthcare, Regulatory Compliance, Security, Regulations, Government, Enterprise Software, Software, Human Resources, Policies And Procedures, Nathan McFeters

Blog posts 2008-05-22

Zoho Writer flaw highlights disclosure problem in Web 2.0 world

Zoho Writer flaw highlights disclosure problem in Web 2.0 worldNice, I love pwning Word 2.0Very interesting Ryan! Look for more like this at my Black Hat presentation with Rob Carter, John Heasman, and Billy Rios. Heasman and Rios have both been terrorizing Word 2.0 apps.-Nate

Tags: Microsoft Word, Word processors, Web, disclosure problem, John Heasman, Word 2.0, Zoho Writer, Web 2.0 World, Web 2.0

Discussion threads 2008-05-19

Aviv Raff drops an 0-day for IE 7.0 and 8.0b on XP

I've been busy all day and just haven't been able to get to it until now, but Aviv Raff is a seriously bad man.  I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other...

Tags: HTML, Microsoft Windows XP, Microsoft Internet Explorer 7, Blog, Microsoft Internet Explorer, Aviv Raff, Blogging, Web Browsers, Internet, Nathan McFeters

Blog posts 2008-05-14

ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero

*** Updated: ToorCon images uploaded.  Click here!  Alright, that title probably sounds pretty random... well, welcome to ToorCon!  ToorCon has long been one of my favorite conferences for the easy atmosphere, laid-back presentations, and parties.  This year's Seattle-based ToorCon was the best I've been to. ...

Tags: Attack, Conference, Domain, Microsoft Corp., Nathan McFeters, Researcher, Security, ToorCon Seattle 2008, XSS

Blog posts 2008-04-21