Grey bar Blue bar
Share this:

Sat, 7 Aug 2010

Memcached talk update

Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days. The attention is quite astounding given the relative lack of technical sexiness to this; explanations for the interest are welcome!

We wanted to highlight a few points that didn't make the slides but were mentioned in the talk:

  • Bit.ly and GoWalla repaired the flaws extremely quickly, prior to the talk.
  • PBS didn't get back to us.
  • GlobWorld is in beta and isn't publicly available yet.
For those blaming admins or developers, I think the criticism is overly harsh (certainly I'm not much of a dev as the "go-derper" source will show). The issues we found were in cloud-based systems and an important differentiating factor between deploying apps on local systems as opposed to in the cloud is that developers become responsible for security issues that were never within their job descriptions; network-level security is oftentimes a foreign language to developers who are more familiar with app-level controls. With cloud deployments (such as those found in small startups without dedicated network-security people) the devs have to figure all this out.

The potential risk assigned to exposed memcacheds hasn't as yet been publicly demonstrated so it's unsurprising that you'll find memcacheds around. I imagine this issue will flare and be hunted into extinction, at least on the public interwebs.

Lastly, the major interest seems to be on mining data from exposed caches. An equally disturbing issue is overwriting entries in the cache and this shouldn't be underestimated.

Mon, 31 May 2010

SensePost at BlackHat USA 2010

A brief update from South Africa on some recent talks as well as the upcoming BH USA: our talk proposal has been accepted for BH USA 2010 which makes it the ninth year running that SensePost is talking in Las Vegas. One more and we qualify for free milkshakes at the Peppermill. This year we'll be discussing caching in large scale web apps and why exposing caches to the interwebs is a Very Bad Thing. We'll also be looking at caching services, an idea whose time should never come.

This is a follow-on to last year's talk on hacking cloud providers; which was subsequently the topic of invited talks at TROOPERS10, CSI Filter, a BH Webcast and IS Labs. The talk generated much interest and we got fair mileage from it. This year's talk is a natural extension; we're poking at some of the technologies used under the hood to build large apps in the cloud.

Finally, mandatory shameless training plug (or I get fired): we're also training in Vegas. training@sensepost.com for more info.

Fri, 29 Jan 2010

Is the writing on the wall for general purpose computing ?

The Apple iPad announcement set the interwebs alight, and there is no shortage of people blogging or tweeting about how it will or wont change their lives. I'm going to ignore those topics almost completely to make one of those predictions that serve mainly to let people laugh at me later for being so totally wrong..

Heres my vision.. Its not just the Hipsters and college kids who get iPads, its the execs and CEO's. They are happy for a short while using it just as an E-Reader, movie watcher and couch based web browser, but the app store keeps growing to support the new form factor. Apps like iWork for iPad (at only $10) means that sooner or later they are relatively comfortable spreadsheeting or document pushing on their iPad.. It doesn't take too long for them to realize that they don't have much heavier computing requirements anyway and besides.. the instant on experience is what they always wanted..

Now despite the fact that it didn't take people like taviso or charlie miller long to exploit the iPhone, the devices security model does present a security benefit over the traditional end user computing model. Sand-boxed Applications, signed code restrictions and a rudimentary app store check means that the device has not been hammered with malware or exploited en-masse. Now the CEO hears the CFO complaining about his latest desktop virus episode, or patch-day drama. "If only your desktop could work like my tablet..". Apple currently run OS X, and iPhoneOS for iPad and iPhoneOS for Touch/iPhones. Why not a version of iPhone OS that runs on its desktops ?

You get the App store and access to all the apps across all your devices.. and its pretty, and it just works..

At this point i have to mis-quote Martin Niemöller : First they came for the mp3 players, and i did not speak out - because i never really had one before anyway. Then they came for the cell phones, and i did not speak out - because it was really cool. Then they came for the tablets, and i did not speak out - because it was just a tablet. Then they came for our desktops - and it made perfect sense...

Security practitioners have long lamented the fact that we seem to be losing the war. Too much runs on our machines and the surface area is too large to defend and bad code is being written and deployed faster than we can test it.. Moving iPhoneOS to the desktop allows a contained, controlled computing platform that has the potential to be pushed through the organization from the top down. I think this is an important difference. Techies and Geeks can debate the pros and cons of wireless for ages, but it just takes one member of exco to need it and wireless deployments will happen. CEO's and execs with iPads will push cloud and tablet computing at a quick pace too. Despite the relatively tame initial response to the iPad, the stars seem well aligned for this to be an inflection point that leaves us with less computer and more consumer electronic devices.

Of course all this comes at a cost.. You trade some measure of control and surrender to the will of our Cupertino overlords..

-shrug- or maybe im just smoking my socks... :>

/mh

Wed, 16 Dec 2009

We are famous (almost!)

Last week had two "cloud-security" related articles hit the inter-webs.. After our Vegas09 talk on "clobbering the cloud" we had a brief chat to Rob Lemos, who called us up again, so we ended up adding the soundbyte to his piece in Technology review along with guys like Moxie Marlinspike and Danny MacPherson [here]

We also showed up on Read/Write Web, where we were called "security nerds" and "black hats"

Ahhh.. roll on 2010!

Mon, 16 Nov 2009

Defcon-17 - Clobbering the Cloud

Our DC-17 video (of the "Clobbering the Cloud" talk) is now available on the the new look DefCon download site: [here]

All of the other DC17 videos can be found [here]

(if you are a senseposter, you can grab them with descriptions from [here])