published: January 1st, 2009
2008 is gone! Let’s welcome the brand new 2009. Happy New Year!
The GNUCITIZEN team wishes everybody a happy new year full of happiness and laughter. To all the security community we wish a successful and productive new 2009.
published: December 31st, 2008
It was quite interesting to watch the presentation of Jacob Appelbaum, Dag Arne Osvik, Arjen Lenstra and several other academic and independent researchers (for the complete list go here), especially when I thought their work would be related to breaking BGP.
So it is not BGP. [...]
published: December 29th, 2008
Twice! First it was Dan Kaminsky and now it is Jacob Appelbaum and Alexander Sotirov. I am quite interested to get further details of their research titled Making the theoretical possible which should take place tomorrow at this year’s CCC event.
Their proposal is heavily censored but based on what I’ve read so far, my feeling is that they will be talking about breaking a routing protocol, perhaps BGP. It just makes sense and I can already see what they might have in mind. [...]
published: December 11th, 2008
Magic tricks are all about suggestion, psychology, misdirection and showmanship (see Tricks of the Mind), or as Cutter perhaps would say, every magic trick has three parts: the pledge (where the magician shows you something ordinary), the turn (where the ordinary becomes something extraordinary), and the prestige (where the extraordinary turns into something you have never seen before). [...]
published: December 8th, 2008
You may have already heard of this, but there is malware going around disguised as a Firefox extension. I have no details regarding the malicious code but to be honest, I am not surprised at all. In fact, I wonder why it took so long for the bad guys to figure out that Firefox is an excellent malware delivery platform. Usually they are quicker.
A couple of months back, just before my BlackHat talk, I was planning to launch yet another of my experiments. [...]
published: December 7th, 2008
HoH has a new extension site code-named V2. V2 is essentially a wiki which we are planning to use for most of our projects. We are even thinking of porting the GNUCITIZEN labs there. Right now, V2 is also the home of the Agile Hacking Project.
The purpose of V2 is to provide the HoH community, and not only them, with a common space for sharing work, research and developing projects and ideas. We’ve got tons of ideas which we hope to implement with the help of V2. [...]
published: December 7th, 2008
Those of you who frequently use our tools on secapps.com are probably aware of the existence of a brand new application called WebAcid. This post is all about the WebAcid framework and what my plans and hopes for this project are.
I have to say that the market is already saturated with web application security testing frameworks. We’ve got nikto, jikto, burp, paros proxy, rat proxy, w3af, Metasploit’s wmap, a bunch of commercial tools and tons of browser extensions. [...]
published: December 6th, 2008
This is a quick announcement regarding the Agile Hacking project. For those of you who are not familiar with this project, there is a post that you can go through over here.
So, the Agile Hacking project has found a new home in the newly established House of Hackers V2 initiative, which is essentially the House of Hackers’ wiki. We plan to use V2 as our main project repository. [...]
published: November 27th, 2008
Clickjacking is one of those types of attacks which are incredibly simplistic to perform, yet very powerful in today’s web-driven world. In this post I would like to draw your attention to one more technique that can be used to perform successful clickjacking.
Basically the browser is slowly becoming quite a powerful graphical environment. This is due to two relatively new features: the canvas and support for SVG (Scalable Vector Graphics). [...]
published: November 24th, 2008
I woke up today to realize that GNUCITIZEN’s web server is being bombarded with requests. Good that we are running from a scalable infrastructure. The reason for the storm was a recent disclosure of an apparently new Gmail bug similar to the one which I partially and then fully disclosed here, of course after working with the vendor to resolve the problem, which is always the right thing to do.
ReadWriteWeb has a timeline on the history of this attack here. Very nice summary I must say. [...]