Archive for December, 2008

MD5 considered harmful today: Creating a rogue CA certificate

December 30, 2008

At the Chaos Communication Congress in Berlin, right around NOW, a presentation is being delivered,“MD5 considered harmful today: Creating a rogue CA certificate

More details, slides,  and other goodness  here at

a Live video stream will be available, check in at

The talk will be delivered by Alexander Sotirov, Marc Stevens and Jacob Appelbaum.

Update: Rich Mogull has a very solid overview and briefing here.  (and for the record, any references to Chuck Norris are aces in my book).  His article – What Regular Users Need To Know about the SSL/Root Certificate Authority Exploit


Merry Christmas from RFP….

December 29, 2008

For those of you who don’t know who RFP is, you should. 10 years ago, he gave us a fun little Christmas present… SQL injection.

We have come a LONG WAY.  The problem has evolved.  I just thought I would take a moment to look back at the last decade… how far we’ve come, and how quick we are to forget.  What were *you* information security folks doing, playing with, and worrying about 10 years ago?

XSS History Hack == ‘legit’ Business Plan??

December 21, 2008

Interesting new way for an attacker to monetize based on XSS Browser History Attacks. (Jeremiah’s hack with java or RSnake’s hack without java).

This holiday season might be the right time to have that little talk with mom and dad about practicing ‘safe-browsing’

Sounds like contextual advertising based upon reviewing cookies stolen from your browser… well- just read this snippet from their Terms and Conditions page
(creative spelling and grammatical goodness preserved for all intents and purposes)

“2.d. Wozad Matching Ads are choosed as a result of your each visitor browsing history, you are the sole responsable for informing and let your visitors agree that their browsing history will be analyzed for targeting purposes. You are also the sole responsable about any privacy-issue that may arise between you, your site, Wozad and/or Wozad Advertisers, and a third party (visitor).”

Before I give you the site, let me remind you that you really need to be running FireFox with something like NoScript <; and it better be on and blocking….

www <dot> wozad <dot> com

Through a hack, maybe you don’t need referral networks to glue together contextual based ads.  Maybe you don’t really need privacy… and they don’t need ethics…

I saw this on one of my RSS feeds, but I had to offer this up if you hadn’t seen it.  The post was only the URL.  Have fun, safe browsing!