White Hat
The CFP for HITBSecConf2008 - Dubai is now open.
Our 2008 event is expected to attract over 300 attendees from around the
EMEA region and will see keynote speakers Bruce Schneier (Founder and
CTO, BT Counterpane) and Jeremiah Grossman (Founder and CTO, White Hat
Security). The event is supported and endorsed by the UAE
Telecommunications and Regulatory Authority.
Being a deep-knowledge technical conference, talks that are more
technical or that discuss new and never before seen attack methods are
* DNS with WebInspect
* Encription Limited
* HP Application Security Center with WebInspect
* Positive Technologies with MaxPatrol
* Veracode with Veracode Security Review
* WhiteHat Security with WhiteHat Sentinel
The statistics includes data about 12186 sites with 97554 detected
vulnerabilities.
http://projects.webappsec.org/Web-Application-Security-Statistics
- Cenzic with Hailstorm and ClickToSecure
- dblogic.it
- HP Application Security Center with WebInspect
- Positive Technologies with MaxPatrol
- Veracode with Veracode Security Review
- WhiteHat Security with WhiteHat Sentinel
The overall statistics includes analysis results of 32,717 sites and
69,476 vulnerabilities of different degrees of severity. The detailed
information can be found here:
The CFP for HITBSecConf2008 - Dubai is now open.
Our 2008 event is expected to attract over 300 attendees from around the
EMEA region and will see keynote speakers Bruce Schneier (Founder and
CTO, BT Counterpane) and Jeremiah Grossman (Founder and CTO, White Hat
Security). The event is supported and endorsed by the UAE
Telecommunications and Regulatory Authority.
Being a deep-knowledge technical conference, talks that are more
technical or that discuss new and never before seen attack methods are
> -Roman
Not reference, not white paper, not tool. I am talking about the real
internet, where things aren't talked about but actually happen.
Hackers have been using methods similar to this for years, it's about
time a white-hat discovered this.
Regards,
Razi Shaban
BugCON can offer work tables for continuing your talk); the conference
language can be spanish (prefereably) or english. Remeber that BugCON
is totally uncensored, so the public can start a discussion about your
conference, and it's totally acceptable.
BugCON has two lines, “white hat” topic and “black hat” topic the
technical reviewers going to collocate your conferences in the most
adecuate clasification. BugCON reserves the right to accept or reject
any paper.
All proposals should be sent to secretary@bugcon.org with a little
Much thanks to Jeremiah Grossman and Jeff Williams for taking the time
to
review my idea and providing their insights. Jeremiah told me that he
has
seen such injections from time to time at WhiteHat and these do exist in
the
wild.
Jeff confirmed that some documentation changes will fix this. I agree
that
Thomson Speedtouch routers including the BT Home Hub. Kevin noticed
that all the public vulnerability research conducted in the past for
the BT Home Hub had been released [1] by GNUCITIZEN, so he decided to
share his findings and work with us in this fascinating project. As
you might already know, at GNUCITIZEN we're committed members of the
white-hat community who feel that it's our responsibility to inform
the public when a security issue exists.
* Confirmed suspicions *
Many of us involved researching the security of wireless home routers
well established experts in the Information Security, Black Public
Relations (PR) Industries and Hacker Circles with widely recognized
experience in the government and corporate sectors and the open source
community.
GNUCITIZEN is an ethical, white-hat organization that doesn't hide
anything. We strongly believe that knowledge belongs to everyone and
we make everything to ensure that our readers have access to the
latest cutting-edge research and get alerted of the newest security
threats when they come. Our experience shows that the best way of
protection is the mass information. And we mean that literally!!! It
* Informatic legislation
* Reverse Engineering
BugCON accepts your participation in the form of conference and workshop, with a duration of 1 to 2 hours for the conference and in the case of workshops you can tell us how many time would you like need(if you need more time BugCON can offer work tables for continuing your talk); the conference language can be spanish (prefereably) or english. Remeber that BugCON is totally uncensored, so the public can start a discussion about your conference, and it's totally acceptable.
BugCON has two lines, “white hat” topic and “black hat” topic the technical reviewers going to collocate your conferences in the most adecuate clasification. BugCON reserves the right to accept or reject any paper.
All proposals should be sent to secretary@bugcon.org with a little description about the conference and a little curriculum about the author, from February 17th to August 31th (no extensions). The final schedule will be published on September 18th. Once your conference is accepted you should send a confirmation, a telephone number for contacting you and details about your arrival.
Regards
talks:
- mu-b : disk crypto stuff (the technical one)
- even + others : white hat rally (the non-technical one)
as mu-b may be late, and the rally talk may be quite short, we will also
have:
- Bonus: Major Malfunction will show the latest build of
35. </body>
36.</html>
Much thanks to Jeremiah Grossman and Jeff Williams for taking the time to
review my idea and providing their insights. Jeremiah told me that he has
seen such injections from time to time at WhiteHat and these do exist in the
wild.
Jeff confirmed that some documentation changes will fix this. I agree that
no esapi code change is required, because function themselves are not
insecure.
to the liveperson.net robots that are not having these problems.
The XSS used is not a simple <script>alert(foo.bar) thingy, it's
slightly more complicated.
If some of you are able to contact a whitehat over there then please
let them contact me if
they need more information, I am not wasting money calling abroad for
something that is not a problem for me. A university tricking
students to graduate in security should be
able to secure their own sites.
Keynote Address - 29th & 30th October 2008
==========================================
KEYNOTE 1 - "The Art of Click-Jacking" - Jeremiah Grossman (Founder &
Chief Technology Officer, White Hat Security.)
KEYNOTE 2 - "Cyberwar is Bullshit" - Marcus Ranum (Chief Security
Officer, Tenable Network Security)
KEYNOTE 3 - "Welcome to the 0wned World" - Dr. Anton Chuvakin (Chief
+------------------------------------------------------------------------+
| Commentary | We would like to thank Javantea for notifying us of this |
| | problem; however, we note that he posted exploit code |
| | prior to that notification, which is considered |
| | irresponsible behavior in the whitehat security industry. |
| | In the future, advance notice of any such release would |
| | be appreciated. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
Thomson Speedtouch routers including the BT Home Hub. Kevin noticed
that all the public vulnerability research conducted in the past for
the BT Home Hub had been released [1] by GNUCITIZEN, so he decided to
share his findings and work with us in this fascinating project. As
you might already know, at GNUCITIZEN we're committed members of the
white-hat community who feel that it's our responsibility to inform
the public when a security issue exists.
* Confirmed suspicions *
Many of us involved researching the security of wireless home routers
Thomson Speedtouch routers including the BT Home Hub. Kevin noticed
that all the public vulnerability research conducted in the past for
the BT Home Hub had been released [1] by GNUCITIZEN, so he decided to
share his findings and work with us in this fascinating project. As
you might already know, at GNUCITIZEN we're committed members of the
white-hat community who feel that it's our responsibility to inform
the public when a security issue exists.
* Confirmed suspicions *
Many of us involved researching the security of wireless home routers
3.II. Disclosure Timeline
2009/06/29 Vendor contact.
2009/06/30 Public Disclosure.
4. Thanks
all of Whitehat Community's friend && Great Milw0rm!
2009/06/30 by cnbird
Sorry my bad english!
Apparently the concept has been known to white hats as well, for some time.
Dennis Hurst from HP has this blog entry from December 2007:
http://www.communities.hp.com/securitysoftware/blogs/dennis/archive/2007/12/07/Project-Management-Institute-meeting-in-Alpharetta-GA-_2D00_-4-Dec-2007.aspx
In it, there's a link to a presentation he gave at Project Management
Institute meeting on December 6th, 2007. The link to the presentation
is:
http://www.communities.hp.com/securitysoftware/blogs/dennis/attachment/72396.ashx
>>
>> Anyone that knows how to contact responsible persons at uat.edu?
>> root@ and security@ do not seem to work.
>>
>
> If some of you are able to contact a whitehat over there then
> please let them contact me if
> they need more information, I am not wasting money calling abroad
> for something that is not a problem for me. A university tricking
> students to graduate in security should be
> able to secure their own sites.
BugCON can offer work tables for continuing your talk); the conference
language can be spanish (prefereably) or english. Remeber that BugCON
is totally uncensored, so the public can start a discussion about your
conference, and it's totally acceptable.
BugCON has two lines, “white hat” topic and “black hat” topic the
technical reviewers going to collocate your conferences in the most
adecuate clasification. BugCON reserves the right to accept or reject
any paper.
All proposals should be sent to secretary@bugcon.org with a little
FileReference.download() allows ActionScript programs to execute the
methods without user interaction (CVE-2008-4401).
* The Settings Manager controls can be disguised as normal graphical
elements. This so-called "clickjacking" vulnerability was disclosed
by Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat
Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu
of TopsecTianRongXin (CVE-2008-4503).
* Matthew Dempsky reported a null-pointer dereference flaw when
loading two SWF files compiled with different Flash versions from the
Thomson Speedtouch routers including the BT Home Hub. Kevin noticed
that all the public vulnerability research conducted in the past for
the BT Home Hub had been released [1] by GNUCITIZEN, so he decided to
share his findings and work with us in this fascinating project. As
you might already know, at GNUCITIZEN we're committed members of the
white-hat community who feel that it's our responsibility to inform
the public when a security issue exists.
* Confirmed suspicions *
Many of us involved researching the security of wireless home routers
well established experts in the Information Security, Black Public
Relations (PR) Industries and Hacker Circles with widely recognized
experience in the government and corporate sectors and the open source
community.
GNUCITIZEN is an ethical, white-hat organization that doesn't hide
anything. We strongly believe that knowledge belongs to everyone and
we make everything to ensure that our readers have access to the
latest cutting-edge research and get alerted of the newest security
threats when they come. Our experience shows that the best way of
protection is mass information. And we mean that literally!!! It is in
|
