First, I'd like to congratulate Billy Rios, Nate McFeters, Rob Carter, and John Heasman as the GIFAR Java attack was selected as the top web hacking attack technique for 2008.  I had the opportunity to meet Nate McFeters at a STLSec event, and I was impressed by how down to earth and knowledgeable he is. 

Second, through the post on Jeremiah's blog I learned of this post by Billy Rios.  It contains a great write-up of a practical attack using GIFARs, using Google as an example.

Finally, Sun has patched this particular attack vector.  The Sun advisory is #244988.  This is patched as of versions JDK and JRE 6 Update 11, JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19.

Security researcher Moxie Marlinspike presented a new vector of attack against HTTPS using Man in the Middle (MitM) attacks against SSL web sites, and an updated version of his sslstrip tool (not yet posted), at BlackHat DC.  You can watch the video of his presentation, and there is also an interview with Moxie and BlackHat organizer Jeff Moss.  Although some journalists have gotten the point of his presentation right - such as this article by George Ou -  many have not, and there is a lot of confusion about what Moxie actually presented.  Below I present my analysis of his presentation and what it means to us as security practitioners.

Researchers at the Chaos Computer Club in Moscow just published results of their research into MD5 collisions for x.509 Certificate Authorities.  By exploiting weaknesses in RapidSSL's certificate request implementation, they were able to successfully create a valid Intermediate CA certificate trusted by 99+% of browsers.  Combined with a man in the middle (MitM) attack such as the Kaminski DNS finding, this would truly break some of the fundamental trust models on the Internet.

Research paper here: http://www.win.tue.nl/hashclash/rogue-ca/

Demo site here: https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

There are a couple of interesting related findings from this presentation:

Just saw this today on LifeHacker:
Bypass Network Blocks with Remote Desktop
"In a world of virtual communication, having personal email, Twitter, and access to blogs, etc is critical and necessary for many of us. Therefore, it becomes a nuisance when our employers block us from the sites that we love and hold so close to our virtual-loving-hearts." [. . .] "I recommend this for anyone who has that tight network administrator who has blocked all your favorite sites."

This isn't the first time I've seen bypass the firewall articles, nor is it even the most technically adept (most networks would block tcp/3389 inbound and outbound).  However, I think the language of the article speaks directly to the attitudes of the "digital natives" generation.  People, used to near-ubiquitous connectivity, are willing to bypass restrictions (and rules!) to get their Internet fix.  The following are some ideas for addressing this trend.

I wrote previously about the need to find ways to increase security without (much) spending.  I'd like to use this first post in the series to highlight two areas in which you may be able to find additional server resources, which may be necessary for some of the future ideas in the series.

At the recent 2008 Gartner Symposium, one of the major themes was that many CEOs are cutting back on capital budget in response to the current economic downturn, and projections show that this will continue well into 2009. Because of this, Information Security practitioners need to find new ways to deal with security threats, while reducing spending.

Information Security as an industry has been particularly bad about letting vendors run the show.  For many companies the response to most security challenges has been to spend money to acquire a new product that addresses the problem.  I suggest reading "The New School of Information Security" by Adam Shostack and Andrew Stewart for insight on the reasons for this.  However it came about, in this new economic environment we need to find new solutions to problems that don't always involve purchasing.

I will be writing a series of blog posts on the subject of finding and utilizing capabilities that your company may already have available, but are not using or are under-utilizing.  In general, I think these fall into these three categories:

(ISC)² has announced a certification for application development security called Certified Secure Software Lifecycle Professional (CSSLP).  According to their site, CSSLP seminars will be offered beginning "early 2009" and exams will start June 2009.  There will also be an "experience assessment window" starting September 30th in which candidates may submit "Accomplishment Records" for review - accepted qualified applications will get the $650 USD exam fee waived skip the exam for a $650 fee.  Similar to the CISSP, the CSSLP requires four years of experience in four or more of the topic areas listed below, endorsement from a current (ISC)² certified individual, and a commitment to the (ISC)² Code of Ethics.

I am planning on being at the Gartner ITxpo Symposium in Orlando, FL from October 12th-16th for the Security and Risk Management track.

If you are going to be at ITxpo or live in the Orlando area, please drop me a note at http://riosec.com/contact so hopefully we can meet up at the event or in the evening.

- Christopher

Google has announced a new browser, called "Google Chrome" that aims to improve the way applications are delivered on the web.  In typical Google fashion, they've created a comic book that depicts the features of the new browser.  The browser should be officially released tomorrow at www.google.com/chrome (edit: site is now up!).  Below are a more details I've gathered about the security features of this upcoming browser.

As they say in the comic book "when we started this project, it was a very different landscape from when other browsers started."  This difference in focus is apparent due to the plethora of announced design decisions which, if done as stated, should create a much more secure browser.  Read on for some of the details.

Note: Previously I created a quick post on creating GIFAR files.  This post is to expand on the topic with additional information and a new (and much improved) video.