
Tue, 2 Mar 2010

So long.. and thanks for everything..

Considering how freely I've ranted on our blog over the past few years, I found it incredibly hard to write this post. SensePost has been my home for the better part of a decade and I have been haroon@sensepost.com much more than I have been haroon meer.

In truly boring last post manner i wanted to quickly say thanks to everyone for making it such a fun ride. From the awesome people who took a chance on us when we were scarily young and foolish, to the guys (and girls) who joined us to help make SP elite. From the many customers who tolerated my sloppy dressing to Secure Data Holdings who have been awesome in every interaction we have ever had with them. From the people who have used our tools, read our work and contributed ideas to the people who read this blog (Hi Mom!).

Seriously.. thanks muchly!

It's been an awesome 10 years and with the quality of guys that remain at SensePost, it's a safe bet that the next 10 are going to be even better..

The question that everyone asks me is "what now?". The short answer still has 2 parts..

  • I'm going to take a vacation.. (a short one, but I'm hoping to spend a week or 2 re-introducing myself to family members who vaguely recall me..)
  • I'm going to be starting in a new direction, with [thinkst]
I won't go into tremendous detail here on thinkst (for that you will have to read/subscribe to my ramblings on http://blog.thinkst.com) - but the overarching hope is to focus slightly differently..

With Penetration Testing and Research over the past while I've spent a lot of time and energy trying to find new ways to break stuff, and new ways to break into stuff.. (it's been incredibly fun!)

I'm hoping now to be able to aim the same sort of bull-headedness at defending stuff, and at building solutions that give applications and networks a fighting chance.

I'll still pop in occasionally at the SensePost offices (mainly to have the coffee and lose at foosball), and my relationship with Secure Data Holdings also remains intact (Other than our historical relationship, Thinkst is doing some consulting work for SDH, making them our first customer!). Hey.. you might even still find me bending your ear on this blog..

So.. all that remains is to say thanks again.. it's been amazingly fun, incredibly rewarding and "rockingly leet"

Sincerely

/mh

Thu, 12 Jun 2008

Carpet Bombing and eating Crow...

The recent Safari Carpet Bombing bug reported by Nitesh Dhanjani and ignored by Apple had all the makings of an egg-on-face incident. We were discussing it over foosball, and the obvious consensus was "if a line starts with: "that's not exploitable, it's only.." then odds are you are wrong.."

But.. lots of people quicker and smarter than me [1, 2, 3] blogged (or twittered) about why this was a silly approach for apple to take..

Interestingly.. Microsoft bloggers were quick to pounce on this PR-Fiasco in the making. Microsoft released a security advisory commenting on the danger of a "blended threat" - Now.. by accident (or by design) that advisory looks a lot like - "This is an Apple screwup!", indeed one of the solutions is: "Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."

The advisory (now) also credits "Aviv Raff" for his report. LiuDieYu0 filled in the details, pointing to Aviv's 2006 finding, which is a pure DLL search order bug (and which, incidentally, was published as an IE7 bug). So now the Microsoft folks who were sneering at Safari all end up shuffling their feet a little while looking at the floor. All credit to RHensing from Microsoft, who quickly awarded Microsoft the FAIL open goat award too.. *ouch*

Like sands through the hourglass...

Sat, 29 Mar 2008

2 Winning quotes..

from the SourceBoston videos i blogged about:

Dr Geer never disappoints, and kicked it off with the 4 rules on his office wall:

  1. Work like hell,
  2. Share all you know,
  3. Abide by your handshake,
  4. Have fun.
If he had mentioned anything about foosball or pool.. I woulda sworn blind he was talking about SensePost!

The 2nd quote that was awesome (during the interview with the l0pht members) was from Dildog.. ex-l0pht, ex-@stake, now Veracode's chief scientist.. The discussion turned to "security companies and snake oil", and the fact that Dildog was a "vendor" again.. With a dry smile that could have been at home in a John Cleese movie, he replies:

"*nod*..  this time with feeling!"

This was a bit of a catchphrase in our office a few years back, after a QA process kicked back a report to an analyst with those words: "once more with feeling...". The difference between someone going through the motions and someone doing it with feeling is marked... and I can't imagine why anyone would do it any other way..

Tue, 8 Jan 2008

Strange Entries in your webserver logs, Wikto and questions about our Gender!

Over the past while we have been getting emails from people trying to figure out why they had entries like this in their http log files:

10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -

Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto Replacement + Directory / File / Back-End Miner). A snippet from his email read:

-snip-

I sniffed the traffic going out from my host going to the target host and in fact this is the result:

HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0

All the requests are full of this... Well, at this point the questions are two: 1) You have a strange sense of humor. 2) You have been compromised. Waiting for a feedback,

-snip-

We replied to his email to allay his concerns, but the question comes up often enough, so I figured I would paste our response here:

-snip-

Hi XXXXX..

The quick short answer is: a strange sense of humour..

As you probably know, part of Wikto's advantage over other scanners is that it doesn't rely on the HTTP response code coming back from the server to make its decisions. This is why an HTTP server that responds with "friendly 404" messages (a 200 with an error) throws simple scanners off..

Instead Wikto asks for a resource that does not exist (but that looks similar to your request.. i.e. if you wanted login.asp we first look for [strange_file_that_will_never_be_there].asp) and then we compare that response to the one we get when looking for login.asp.

If both pages return a similar result, even if it's not a 400 message, we can conclude that the resource isn't there.. During the last build our lead developer (ian@sensepost.com) had a minor turf war with one of our lead analysts (gareth@sensepost.com) that probably started over some life and death matter like coffee, pool or foosball..

Gareth used a host name of ian.devs.like.a.girl in some article/chapter he wrote on penetration testing, so when ian needed a [strange_file_that_will_never_be_there] he came up with the obvious choice.. now everyone who scans using wikto loudly testifies to: a) our strange sense of humour b) that ian won that round! :>

-snip-

(In the new build this string is user configurable, so you can insult members of your team while pen-testing too..)
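The reply above describes the comparison in prose; the following is an added example (my own code, not Wikto's) that simulates that logic against two constructed in-memory "servers": one that answers misses with a real 404, and one that answers every request with a 200 help page echoing the requested path (a "friendly 404"). The marker filename, the similarity threshold and both fake servers are assumptions made here, not Wikto's values.

```python
"""Friendly-404 detection by comparing responses (added example, not Wikto's code)."""
import difflib
import posixpath
import re
from typing import Callable, Tuple

Response = Tuple[int, str]            # (HTTP status code, response body)
Fetcher = Callable[[str], Response]   # anything that fetches a path and returns a Response

# Assumed marker name; the post says Wikto's own string is user configurable.
NEVER_THERE = "probe_file_that_will_never_be_there"


def probe_path(path: str, marker: str = NEVER_THERE) -> str:
    """Sibling path with the same directory and extension but a name that should
    not exist: /admin/login.asp -> /admin/<marker>.asp"""
    directory, filename = posixpath.split(path)
    _stem, ext = posixpath.splitext(filename)
    return posixpath.join(directory, marker + ext)


def normalise(body: str, *echoed: str) -> str:
    """Remove the requested paths (friendly-404 pages usually echo them) and
    collapse whitespace, so two 'not found' pages compare as near-identical."""
    for text in echoed:
        body = body.replace(text, "")
    return re.sub(r"\s+", " ", body).strip().lower()


def similarity(a: str, b: str) -> float:
    """0.0 .. 1.0 ratio of matching characters between two normalised bodies."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def resource_exists(fetch: Fetcher, path: str, threshold: float = 0.9) -> bool:
    """Decide whether `path` exists without trusting the status code alone.

    Fetch a bogus sibling first, then the real path. Different status codes
    mean the server tells them apart, so the resource is there. With equal
    status codes the bodies decide: near-identical bodies mean both requests
    landed on the same 'not found' page."""
    bogus = probe_path(path)
    bogus_status, bogus_body = fetch(bogus)
    real_status, real_body = fetch(path)
    if real_status != bogus_status:
        return True
    score = similarity(normalise(bogus_body, bogus), normalise(real_body, path))
    return score < threshold


def naive_exists(fetch: Fetcher, path: str) -> bool:
    """What a status-code-only scanner concludes; wrong on friendly-404 hosts."""
    return fetch(path)[0] == 200


# --- constructed test doubles standing in for two kinds of web server --------
SITE = {"/admin/login.asp": "<html><form action='login.asp'>user / pass</form></html>"}


def strict_server(path: str) -> Response:
    """Classic behaviour: a miss is a 404."""
    if path in SITE:
        return 200, SITE[path]
    return 404, "<html><h1>404 Not Found</h1></html>"


def friendly_server(path: str) -> Response:
    """Friendly 404: every miss is a 200 help page that echoes the path."""
    if path in SITE:
        return 200, SITE[path]
    return 200, (f"<html><h1>Oops!</h1><p>We could not find {path}.</p>"
                 "<p>Try the <a href='/'>home page</a> or the site search.</p></html>")


if __name__ == "__main__":
    for name, server in (("strict", strict_server), ("friendly", friendly_server)):
        for path in ("/admin/login.asp", "/admin/backup.zip"):
            print(f"{name:8} {path:20} naive={naive_exists(server, path)!s:5} "
                  f"compared={resource_exists(server, path)}")
```

Stripping the echoed path before comparing is what keeps the two help pages near-identical; pages that embed timestamps or per-request tokens will still score below 1.0, which is why the threshold is a tunable rather than an equality test. From the log reader's side, the constant marker filename in those bogus requests is exactly what makes a Wikto run stand out in an access log.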

So there you have it.. If you have seen it in your logs:

a) Congrats! - The fact that you even check your logs is admirable

b) Don't worry (unless you have hidden directories, backup files, etc lying around - cause chances are Wikto will find it)

/mh

Oh.. for the "windows_sucks_and_i_dont_want_to_boot_a_vm_image_to_run_this_tool" brigade, I have it on good authority that ian's Java port of Wikto (wiktoJ ?) is being dusted and polished.. so watch this space..

Fri, 19 Oct 2007

22:30 to 23:30: the quiet hour

while waiting around for the PSW guys last night, it seemed like a good time to test our mettle on the foosball table. we've witnessed rapid development of general foos skills in the office since the introduction of the table a few weeks ago, and the improvement in shot speed has been noticeable. of course, questions always remain as to the difference between actual and perceived velocity of shots, and the only way to answer the questions is by a clean, scientific, test.

here's the test apparatus:

[image: foosmic.JPG]

observe the high quality microphone inserted into the table's feeder. bonus points if you noticed a bottle of Q20, the fooser's friend (of course, given that the Q20 was highlighted reduces the significance of those bonus points. but they're still yours, to love and cherish.)

so, by combining a microphone, audacity, calc.exe, a ruler and primary school physics (barely keeping my head above water here), we get a test rig that can roughly determine shot velocity. the waveform below is a recording of a "snake" from the 5-man middle bar. the shot occurs at t0 and the ball hits the back of the goal at t1; we're ignoring a whole bunch of factors, but the numbers matter more than their accuracy in this case as it's all about boasting rights.

the easy calculation is 2.628/(t1 - t0), where t0 and t1 are times in fractional seconds.

[image: foosball-11.JPG]

ok, so all that aside, who are the speed freaks? bradleyj is providing page-filler with a respectable 19km/h, i'm sitting on 33km/h but haroon is currently leading with a 34km/h.

it's interesting to see that the "snake" is almost twice as fast as regular shots; however, we're still finding it a little unpredictable when playing the shot. no mention yet as to what effect (if any) the table is having on productivity... wait, remind me again, was I on a project this week?
