Luckily I was able to escape Washington DC’s 3rd round of snow to enjoy the tropical 40 degree weather here in Tampa today and write this post. Despite the blizzard and its many names, the ShmooCon faithful came out in full force to make another great conference. As usual, ShmooCon featured interesting presentations, shenanigans, and a chance to hang out with those friends you usually only see at Cons. I want to thank everyone who attended the Stealing Guests…The VMware Way talk, especially since no one threw shmooballs at us.
Justin and I will be on the [Security Weekly] (https://wiki.securityweekly.com/Episode187) podcast tonight to discuss the latest developments with GuestStealer and the Smart Grid book. For more information, check out tonight’s episode guide and join the live discussion tonight. Also, GuestStealer v1.1 is now available for download. This is a bug fix release that improves the error handling and prevention of downloading the same vmdk file twice (when that vmdk self-references itself).
I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!
Back in November, I had the opportunity to take part in the Great American Teach In. This event takes place at schools around the Tampa, FL area and invites local volunteers to come into the classrooms to teach kids about their job. The objective is to familiarize kids with differing careers and hopefully get them excited so that they do well in school. For my experience, I spoke to a group of 4th graders regarding online safety and security.
ShmooCon 2010 will be taking place in a few weeks and I am excited to make the annual trek up to D.C. to co-present the “Stealing Guests… The VMware Way” talk. I am also pretty excited about the activities and contest setup at our booth. Make sure you stop by before you start drinking.
FYRM Associates is proud to announce our new AppTrust offering that enables organizations to produce secure applications in Agile environments, in a cost-cutting manner. The typical, flawed approach to application security is based on the network security model of “when we find a vulnerability, we patch it.” This forces your organization into a never-ending game of catch-up with attackers that is nothing more than a costly and time-consuming strategic failure.
A new release of XAB, the framework that allows one to browse the web via XSS has been updated. This release will now accommodate all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at sourceforge: [xab.sourceforge.net] (https://sourceforge.net/projects/xab/). We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community driven effort to expand the possibilities of what can be done with XSS.
I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found [here] (http://www.owasp.org/index.php/Washington_DC). See you there!
OWASP just launched the official AppSec DC 2009 site @ [http://appsecdc.org] (http://appsecdc.org). We’ll be out in force and will most definitely have some type of party/event. Check back here often or follow us on Twitter (getFYRM) for updates. We’ll see you there!
On April 21, 2009, the Bluetooth 3.0 specification was adopted by the Bluetooth Special Interest Group (SIG). This new specification includes new attributes such as: *High speed data transfer of large files (~24 Mbps) *Bluetooth low energy The new specification achieves these new attributes by including an 802.11 radio, aka Wi-Fi, that allows lower energy usage when attempting to transfer large amounts of data. While ultra-wideband (UWB provides ~480Mbps) was widely rumored to be included in the upcoming specification, it was absent from the final release.