Moxie presented at Blackhat this year on a vulnerability he discovered, enabled by the automation of CA certificate issuance and the failure of X.509 implementations to handle null bytes. The video has a recap of his last presentation, and the new material starts at 15 min.
Blackhat Presentations Archive
Basically all the big names in browsers, SMIME mail clients, IRC clients, and VPN are vulnerable. Also, sky is falling.
I know this is totally old news, but it’s some pretty heavy stuff that really kind of happened and then everyone went back to business as usual.
SSLStrip is a tool for MITM attacks in which the attacker intercepts information transmitted between a user and the server, such as login credentials.
Any information security professional worth their salt needs to see the video embedded at [Moxie's SSLStrip page].
The good news is that token keys and user/client certificates are the easy fix, though they mean more cost and work than a standard SSL connection. Web developers can also help by not embedding https links in an http page or translating those with HTTP redirects.
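For the developer side of that advice, here is a small audit sketch (an added example, not from Moxie's material or the original post). It lists the https targets a cleartext page hands to the browser and flags cleartext requests answered with a redirect to https, which is my reading of the redirect remark; `shop.example`, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute the browser will navigate or submit to.
URL_ATTRS = {"a": "href", "form": "action", "iframe": "src"}


class UpgradeAudit(HTMLParser):
    """Collect https:// targets referenced from a page served over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme == "https":
            self.findings.append((tag, target))


def audit_page(page_url, html):
    """Return https targets embedded in a cleartext page ([] if page is https)."""
    if urlsplit(page_url).scheme != "http":
        return []
    parser = UpgradeAudit(page_url)
    parser.feed(html)
    return parser.findings


def is_cleartext_upgrade_redirect(request_url, status, location):
    """True when an http:// request is answered with a 3xx pointing at https://."""
    if urlsplit(request_url).scheme != "http" or not 300 <= status < 400:
        return False
    return urlsplit(urljoin(request_url, location or "")).scheme == "https"


# Constructed sample: a landing page served over cleartext HTTP.
SAMPLE_URL = "http://shop.example/"
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://shop.example/login">Sign in</a>
<form action="https://shop.example/session" method="post"></form>
<a href="//shop.example/help">Help</a>
"""

if __name__ == "__main__":
    for tag, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"cleartext page exposes <{tag}> -> {url}")
```

Every finding is a point where the move to SSL depends on content delivered in the clear, so those pages are the ones to serve over https from the first request.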
An awesome new product showed up on [Hackaday] a couple weeks ago. The [SheevaPlug] is an ultra-small computing device that opens up numerous opportunities for portable and nonintrusive (i.e. covert) computing. Obviously, my initial impression of the device was “Cool”, but when you look at it from the perspective of a penetration tester, it really has some possibilities.
[Update: I've accepted a job at EDS so for at least the short term I'm done looking. Thanks to those who contacted me.]
My current employment’s end date is approaching a little faster than I like. It’s unfortunate that a lot of the really interesting projects I’m not going to get to see the completion of, but I have good confidence that they’ll make good progress without me. If anyone knows of openings in the Arlington VA / Washington DC area for information security professionals feel free to drop me a line, everything relevant can be found in the [About Me] page.