Jeremiah Grossman

Chief of Security Strategy (SentinelOne), Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, Off-Road Race Car Driver, Founder of WhiteHat Security, and Maui resident.

Updated: 2016-09-23T04:47:10.581-07:00


I'm joining the fight against malware and ransomware with SentinelOne


Today is a big day for me. I’m contributing to a company called SentinelOne, but I really don’t think of it as a job. I’ve accepted an opportunity to work side by side with other brilliant and highly motivated people where we’re all helping to solve important and challenging InfoSec problems. In this case, malware and ransomware. You see, more than anything, I want to make a positive impact on InfoSec. As I’ve said many times, we who work InfoSec are responsible for protecting the greatest invention we’ll see in our lifetime — the Web, the Internet, and the billions of people using it every day. That’s our mission, our calling. As such, I’ve always kept an evolving list of our industry’s biggest challenges, which I include in most of my slide decks.

- Intersection of security guarantees and cyber-insurance
- Explosion of ransomware
- Vulnerability remediation
- Industry skill shortage
- Measuring the impact of SDLC security controls

The only problem on the list I haven’t gotten the chance to work on is ransomware, an incredibly effective and fast-growing form of malware that’s taking over. I’ve long railed hard about the crap antivirus products on the market and the billions of dollars people and companies spend annually to effectively make themselves less secure. Yes, that’s right, I said LESS secure. The FBI recently published that ransomware victims paid out $209 million in Q1 2016 compared to $24 million for ALL of 2015. Some non-trivial percentage of those ransom dollars will be used for R&D, so the smart money says ransomware will quickly get even more sophisticated and out of hand. And to that point, in recent and well publicized news, ransomware is also responsible for disrupting the care of patients in a few hospitals. This can’t be allowed — lives are at risk!

In my life after WhiteHat, I looked at a ton of companies and interesting opportunities where I could lend a helping hand, of which there was no shortage. My inbox was crushed with many worthy projects, but I knew I had to choose wisely. Then out pops a company with some super cool tech that few have heard of, SentinelOne. SentinelOne is right smack in the middle of the malware/ransomware war, in what Gartner calls next-generation endpoint protection (NG EPP). I met with the founders, the team, all super cool and passionate people. A real gem of a start-up. I felt strongly that I needed to join this fight. Plus, I’ll be working on some exciting stuff behind the scenes that I can’t wait to share with the world. Good things take time, so please, stand by!

Hack Yourself First: Jeremiah Grossman [...]

Life is Better without Username Reuse (email aliases FTW!)


Facebook, LinkedIn, Amazon, PayPal, Yahoo, Google. We keep accounts with many of these websites. They and many others use email addresses as the first half of the classic username and password combo. They do this because email addresses are unique and double as a reasonably secure communication channel with the user. And of course we often sign up for things online to receive information by entering our email address. All this email address sharing, while there is technically nothing wrong with it, unfortunately causes several highly annoying problems. These problems can be solved, or at least made far easier to deal with, by leveraging email address aliases. An email alias is where you create one or more email addresses that all deliver to the same account, vaguely similar to desktop folder shortcuts.

With email address sharing / username reuse, by far the biggest problem we run into is spam. And the more we share and reuse our email addresses across systems, the bigger the spam problem becomes. Sometimes websites sell our email addresses. Other times they share them with third-party business partners, and from time to time they get leaked in a data breach. Whatever the case, once an email address is out there, it’s out there. No taking it back and no amount of mailing list opting out will help. I know. I’ve tried.

There are other problems too. Anyone who knows your email address can easily determine what systems you’re using (i.e. “This email address is already registered.”). This issue is not only a privacy issue, but a potential security issue as it makes it easier to target your account via brute force, phishing, password recovery hacks, etc. And of course when you have several online accounts, you’re constantly notified via email, which explodes your inbox. Creating rules in your email app using strings in the subject or content body helps, but doing so isn’t easy and never comprehensive. When all these problems are tied to your email address, there is no escape. You can’t easily kill or change your main email address because all your friends, family, and business contacts use it too.

My solution to these problems, which has been working great, is to use email address aliases based on a custom domain name. For example, my personal domain is So as an example, I create a new email alias that’s just for Facebook, like Or on Paypal it would be pp@jeremiahgrossman. You can technically use any email alias for this purpose, even a random one. When email is sent to these aliases they automatically forward to my main email address. I never reuse these email address aliases for anything other than their intended use, and never use my main email address to register for anything if I can help it.

It does cost a few bucks to pay for a domain name and email hosting, but it ain’t much these days and the value is WAY worth it. When things are set up this way, I can be reasonably sure that any email to these aliases, that is supposedly from them, is legit and not a phishing scam because no one else knows the email address / username I used. And since the particular website is only using the email address alias I gave them, inbox rules are way easier.

Then if the email address is leaked, gets spammed out, or whatever, I can just kill it off, create another, and change the account email address / username. The up front work is a little tedious, but again, worth it. And the best part, when you have your own domain name, email aliases are essentially free — I’ve about 100 now. And there is no reason you can’t use any old crap domain name either.

Good luck!
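The claim above, that mail arriving at a per-service alias from anyone other than that service is a strong phishing or leak signal, can be turned into a mechanical inbox check. The following is an added example written for this page, not the author’s own tooling: it assumes you own a domain (the hypothetical example.com) where every alias forwards to one mailbox, and that you record which service each alias was handed to and which sender domains that service is assumed to mail from. Every address and message in it is constructed.

```python
"""Per-service email aliases: triaging inbound mail against an alias registry.

Added example illustrating the idea in the post above; it is not the author's
own tooling. It assumes you own a domain (here the hypothetical example.com)
where every alias forwards to one mailbox, and that you record, for each alias,
which service received it and which sender domain(s) that service mails from.
All addresses and messages below are constructed for the example.
"""
from dataclasses import dataclass
from email.utils import parseaddr
import secrets


@dataclass
class AliasRecord:
    service: str            # who this alias was handed to
    sender_domains: set     # domains that service legitimately mails from (assumed)
    retired: bool = False   # set once the alias is leaked/spammed and replaced


class AliasRegistry:
    def __init__(self, domain, main_local="me"):
        self.domain = domain.lower()
        self.main = f"{main_local}@{self.domain}".lower()
        self._records = {}

    def issue(self, service, sender_domains, local_part=None):
        # A random suffix keeps the alias unguessable; pass local_part to pick one yourself.
        local = local_part or f"{service}-{secrets.token_hex(3)}"
        alias = f"{local}@{self.domain}".lower()
        self._records[alias] = AliasRecord(service, {d.lower() for d in sender_domains})
        return alias

    def retire(self, alias):
        self._records[alias.lower()].retired = True

    def rotate(self, alias):
        """Burn a leaked alias and issue a fresh one for the same service."""
        rec = self._records[alias.lower()]
        self.retire(alias)
        return self.issue(rec.service, rec.sender_domains)

    def classify(self, to_header, from_header):
        """Verdict for one message based on which alias it arrived at and who sent it."""
        to_addr = parseaddr(to_header)[1].lower()
        from_addr = parseaddr(from_header)[1].lower()
        if "@" not in from_addr:
            return "malformed-sender"
        if to_addr == self.main:
            return "main-address"     # friends/family; not covered by the alias scheme
        rec = self._records.get(to_addr)
        if rec is None:
            return "unknown-alias"    # nobody was ever given this address
        if rec.retired:
            return "retired-alias"    # already burned; should have been deleted at the provider
        sender_domain = from_addr.rsplit("@", 1)[1]
        if sender_domain in rec.sender_domains or any(
            sender_domain.endswith("." + d) for d in rec.sender_domains
        ):
            return "expected"
        # Only one service knows this alias, so any other sender means the
        # address leaked or someone is impersonating that service.
        return "suspicious"


def demo():
    """Run the check over a few constructed messages; returns the verdicts in order."""
    reg = AliasRegistry("example.com", main_local="me")
    fb = reg.issue("facebook", {"facebook.com"}, local_part="fb")
    pp = reg.issue("paypal", {"paypal.com"}, local_part="pp")
    messages = [  # (To:, From:) pairs, all constructed
        (fb, "Facebook <notification@facebook.com>"),
        (pp, "PayPal <service@paypal.com>"),
        (pp, "PayPal Support <help@login-alerts.example.org>"),
        ("me@example.com", "A Friend <friend@example.net>"),
    ]
    return [reg.classify(to, frm) for to, frm in messages]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The "suspicious" verdict is the interesting one: because exactly one service was ever given that alias, the registry does not need to recognise the phishing domain, only to notice that the sender is not the service the alias belongs to. `rotate` mirrors the post’s "kill it off, create another" step and keeps the old alias on record so late stragglers are still recognised as arriving at a burned address.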

Millions experience serious computer security problems and have no one to call for help


A couple times a week, people I may or may not know reach out to me for help because they’re experiencing some kind of computer security catastrophe. Sometimes the situation is serious, other times not. They might be dealing with an online bank account takeover, online scam, data breach, malware infection, identity theft, and the list goes on and on from there. Whatever the circumstance, a great many people often find themselves thrust into the deep end of this technology-driven world, without the know-how to solve the problem on their own, and no one to call for help. These experiences are especially painful for the elderly and small-business owners, whose livelihoods are disrupted, and the stress takes a toll on them. Personally, I hate it when good people get taken advantage of.

In the most recent case, I was introduced to the founder of a TV and movie production company through a mutual friend. They explained that someone is messing with their website and actively using their company name to scam their business contacts. They said ‘hacked,’ but that could mean anything these days. The situation was causing them real brand damage, and with over a dozen show titles to their credit, the business impact is severe. Even over the impersonal medium of email, you could sense a deep feeling of helplessness and desperation. As you might expect, I tend to keep myself happily occupied with family, work, and martial arts and don’t have a lot of time to spare for things like this. But, this plea originated from a good friend, the victim didn’t have anyone else to turn to, and helping out felt like the right thing to do.

After taking a call and exchanging a few emails, I got the real story. Someone, a scammer, registered an incredibly similar domain name to the legitimate one used by the production company. The fake domain name was being used to create a clone of the real website. The scammer then subtly changed the names and photos of the staff and updated the contact information so that any incoming communication would instead go to them. Through email, phone calls, or search results, visitors would be contacted by the scammer, who pretended to be with the production company, and would proceed to con their victims out of money. This is a simple, inexpensive, and effective scam that could happen to basically anyone – and it does.

The near-term plan was to get the scam website taken down. Long-term, try to take ownership of the look-alike domain name. To start, the first thing I needed to know is who owns the offending domain name. A quick WHOIS lookup revealed the registrar is GoDaddy, but the domain owner itself was masked by Domains By Proxy, a popular service for those wishing to preserve their online privacy. I often use this service myself! This means without going through a legal process, obtaining the real domain owner information isn’t going to happen. Still, in the event the production company would like to try and get ownership over the domain using ICANN’s and trademark law, they have the registrar info to further that process. Next, I needed to identify where the website is being hosted. The ‘dig’ command easily gets me the IP address of the cloned website and an ARIN lookup tells me who the IP address belongs to — the name of the hosting provider. For those curious, collectively performing these tasks took me far less time than writing this paragraph.

Let’s pause our story for a moment to consider the technical knowledge required to get this far, which includes a set of skills many techies take for granted and forget that the vast majority of people simply don’t have. Few people can explain what a domain name is, have any idea what a domain registrar or an IP address is, what WHOIS is, or even ICANN. They’ve certainly never heard of ARIN, and have only a vague familiarity with hosting providers for that matter. And thus far, we’ve only collected purely public information and in doing so reached a point that most can’t get to on their own.[...]
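The look-alike domain at the heart of this story is something a site owner can watch for on their own brand before a contact gets conned. The block below is an added example for this page, not part of the post and not the author’s tooling: it assumes you have your legitimate domain name and a list of candidate domains to compare it against (for instance from a newly-registered-domain feed or from sender addresses your contacts forward to you). The domains, the homoglyph table and the typo threshold are all constructed choices of mine.

```python
"""Flagging look-alike domains for a brand you defend.

Added example of the kind of check a site owner could run on their own brand;
it is not from the post and not the author's tooling. Given the legitimate
domain and candidate domains (for instance, from a newly-registered-domain
feed or from the sender addresses your contacts forward to you), it reports
which candidates mimic the real one and how. All domains below are constructed.
"""
import re

# Characters and pairs that read like a different letter in a browser or
# mail client. Applied to both sides, so only the comparison is affected.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize(label):
    """Lower-case, fold homoglyphs, and drop separators so 'acrne-studios' == 'acmestudios'."""
    s = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        s = s.replace(glyph, letter)
    return re.sub(r"[^a-z0-9]", "", s)


def levenshtein(a, b):
    """Edit distance; small values between brand labels indicate a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level label, TLD). Simplified: ignores ccSLDs such as co.uk."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return parts[-2], parts[-1]


def classify_candidate(legit, candidate):
    """Why `candidate` resembles `legit`, or None if it does not."""
    lsld, ltld = split_domain(legit)
    csld, ctld = split_domain(candidate)
    if (csld, ctld) == (lsld, ltld):
        return "identical"
    if csld == lsld:
        return "tld-swap"                    # same name, different TLD
    ln, cn = normalize(lsld), normalize(csld)
    if cn == ln:
        return "homoglyph-or-separator"      # acrnestudios, acme-studios
    if ln in cn:
        return "brand-plus-affix"            # acmestudios-productions
    if levenshtein(ln, cn) <= max(1, len(ln) // 4):
        return "typo"                        # acmestudio, acmestudois
    return None


def find_lookalikes(legit, candidates):
    """List of (candidate, reason) for every candidate that mimics `legit`."""
    flagged = []
    for cand in candidates:
        reason = classify_candidate(legit, cand)
        if reason and reason != "identical":
            flagged.append((cand, reason))
    return flagged


# Constructed sample: one legitimate production-company domain and a watch list.
LEGIT = "acmestudios.com"
CANDIDATES = [
    "acmestudios.net",
    "acme-studios.com",
    "acrnestudios.com",
    "acmestudios-productions.com",
    "acmestudio.com",
    "unrelatedfilms.com",
    "acmestudios.com",
]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(LEGIT, CANDIDATES):
        print(f"{domain:32} {reason}")
```

A flagged domain is only a lead; the next steps are the ones the post describes (WHOIS for the registrar, dig for the address, an ARIN lookup for the host) followed by an abuse report or a trademark complaint. The `split_domain` helper deliberately stays naive about country-code second-level domains; a production version would use the Public Suffix List.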

7 Tips to Get the Absolute Best Price from Security Vendors


Security budgets are always extremely tight, so it’s smart to get the absolute best price possible from your security vendors. Never ever pay full price, or even take the first quote vendors give you. That price just sets the stage and it’s best to think of it as the ‘dummy price,’ so don’t pay it! I’ve spent nearly two decades sitting at the price negotiation table in the security industry and seen all manner of techniques customers use successfully to win discounts, and more people should use them. Customers, even small ones, can exercise a ton of leverage over their security vendors if they only knew how. And, more often than not, vendors themselves don’t really mind. It signals that a deal is likely to be made and to a vendor, that’s what’s most important.

While it’s common for large companies to have negotiations handled by a separate department, typically called ‘Procurement,’ many leave the responsibility to whomever is actually making the purchase. In either case, security practitioners can personally say, do, and offer things the procurement department can’t to help obtain the best possible price. Remember, security product margins can range anywhere from 40-60% or even higher. I’ve seen discounts well over 50% of the originally quoted price. Some vendors will even take a loss to win your business, depending on the size of your brand and the reference you’ll provide. Note: I’m not a big fan of this as you risk not being treated well as a customer long-term. The vendor may decide to drop you later because you’re unprofitable. So, allow vendors to make a profit, just not an obscene one.

Below you’ll find my ranked list of the most powerful negotiating techniques I’ve come across in the purchasing process, many of which are applicable beyond security purchases…

1. Negotiate Price at Quarter End / Year End

More than anything, businesses want financial predictability. They want to be able to plan out, with a high degree of accuracy, precisely how much business is expected to close at least two quarters into the future. Sales forecasting is largely a Sales department function. So when end of the quarter is just a few weeks away, and overall sales volume isn’t where it needs to be, the sales rep (and their bosses) scramble and make concessions to bridge the gap and hit their forecast. The larger the sales forecast gap, and the closer to quarter end, the more desperate they become and the more open they’ll be to deep discounts or throwing in additional products / services to sweeten the pot.

Smart customers simply ask sales reps when their quarter or fiscal year ends, just after the vendor asks the customer what their budget range is. So, if you like the product, and you’re likely to buy it, let them know you’ll commit to the purchase in the current quarter, before the end, if they give you a good deal. Vendors will routinely knock 10-30% (or more) off the price, just with the ability to accurately forecast a deal closing. If the vendor is unwilling to work with you and the purchase isn’t urgent, let them know you’re more likely to purchase next quarter, which adds uncertainty to their forecast and they’ll have a decision to make. Rinse. Repeat.

2. Multi-Year Deals

As previously mentioned, businesses love predictability. For this reason, subscription-based businesses, like Software-as-a-Service, love predictable renewal rates. Security vendors know that just because you’re a customer this year, it doesn’t automatically mean you’ll be a customer next year — as the market is highly competitive. They know they’ll likely have to negotiate price with existing customers before the contract expires, which comes at a cost of time and sales forecast uncertainty. To reduce this uncertainty, subscription-based businesses will often give attractive discounts to customers willing to sign up for multi-year deals. Two to three year deals are typical, likely fetching a 5-10% discount, possibl[...]

From 300 lbs to 200 lbs


Did you know that at one point in my life I was just over 300 pounds? Most don’t, but I was. Then after considerable effort, I got to the 250 pounds range and remained for several years. At the time of this writing, I’m about 210 pounds. My goal is to stabilize at around 200 pounds with a body fat of ~10%. If all goes as planned, maybe in 6 months or so I’ll be about where I want to be. At 6’2”, it’s a pretty solid physique. Upon witnessing my physical transformation, many friends and family ask how I’m doing this. “What’s your secret?” Spoiler: I don’t have one. Before going any further, let me clearly state that I’m NOT a personal trainer. I’m NOT a nutritionist. And I’m certainly NOT trying to sell anything. This post simply answers the question people ask by listing out my nutrition and exercise regimen. Additionally, while everything I’ve done has undoubtedly improved my overall health, the goal is primarily focused towards improving my performance in combat sports, particularly Brazilian Jiu-Jitsu and Mixed Martial Arts. Competing at a high level requires that I’m very strong, fast, flexible, with good cardio and balance. A lean and muscle-toned physique is most ideal.

Nutrition

Food is what fuels my body to perform at my best during each training session. My daily consumption maps as best as I can to the planned physical activity. If I break down and eat something I shouldn’t, it happens, my performance noticeably suffers and I get my butt kicked as a consequence. It sucks. As it turns out, not wanting to get punched in the face, choked, or arm hyper extended is a great motivator!

Each week I have 4 very hard training days, 2 lighter training days, and 1 rest day. And that’s how I plan out my meals. For most of the last year, I was predominantly eating lean meats, vegetables, and fruit. The Paleo diet is the closest example. Then for the last ~3 months I shifted to a whole-food Vegan diet with some minor exceptions. Additional nutrition rules I follow:

- No caffeine
- No alcohol
- Liquid is primarily water (occasionally iced tea, tea, or carbonated water with lime)
- No dairy
- Nothing fried
- Very little processed food
- No vitamins or supplements (I may include them later at some point)

Hard Training Day

Paleo: To get through my training sessions, 2300 - 2400 calories feels about right. Under 2100 and I would gas out early. Over 2400 and body fat wouldn’t come off. I targeted my protein intake at just under 1g per pound of body weight, which is a good zone according to what many bodybuilders suggest to build muscle. Fat intake at no more than 50g. And of course the rest being the carbs for energy I need for training.

Reaching these macros requires several full meals during the day, and timed so my belly isn’t too full during class. And honestly, if you look at the meal plan, it’s been really hard physically eating so much food. On the upside, while [bad food] cravings are certainly an issue, I was never, ever hungry!

Vegan: On the outset, I didn’t know how my body would react to being Vegan. I didn’t know what the cravings would be like, if I’d have the necessary energy needed, etc. So, I got rid of the whole calorie and macro counting thing. Instead I decided to start by simply eating whatever I wanted, whenever I wanted, as long as it was whole-food and vegan, and then fine tune from there. Note that I routinely replace many of the ingredients on the list with suitable replacements as I want to eat a wide variety of food in order to get all the recommended vitamins and minerals. While the calorie counts on my Vegan diet are higher than the Paleo version, the weight / fat has been coming off with similar speed. And honestly, I feel notably better being vegan so far and my physical performance has improved. My mind is a bit clearer, joints move easier, and my recovery is faster. Cool eh!?

Light Training

Paleo: Take my hard training day meal plan, then drop the calo[...]

My last days at WhiteHat and setting sights on the future


I’ve said it many times; the Web is probably the greatest invention we’ll see in our lifetime. The Web touches the lives of everyone we know, every family member, every child, every friend, and everyone we meet. The Web connects over two billion people and fuels entire economies. It’s a place where we learn, communicate, and share our closest kept secrets. Something as important as the Web must be protected and I’ve always felt it was a privilege to do so. For the last 15 years, as founder of WhiteHat Security, I’ve done exactly that every single day. WhiteHat has not just changed my life, it has been my life — wholly inseparable. Bittersweet as it is, the end of March will be my last day. Right now, I’d like to take a moment to reflect.

While it’s impossible to measure, I sometimes think about how many hacks didn’t happen — how many people and companies were not hacked — as a result of the work we did at WhiteHat. People have often shared how much we’ve helped them and how important our work is. It’s an amazing feeling knowing that what you do matters. Everyone should be so fortunate. In that sense, WhiteHat is not just another company. It’s something more, much more. WhiteHat represents a mission, an ideal, a state of being. I’ve strived to embody these attributes since Day 1. I’ve always worked tirelessly to be the best at what I do and have had a personal passion for innovation. WhiteHat was the first company to adopt a Software-as-a-Service model in Application Security. Through our Statistics Report, which thousands rely upon, we were the first to bring measurable data to the industry. We pioneered the founding of two industry groups, OWASP and WASC. We led the creation of the first AppSec lexicon, the Threat Classification, and the language everyone uses when speaking AppSec. We’ve released much of the most cutting-edge and foundational security research to date, which has raised awareness globally. And we were the first vendor to offer a security guarantee. I’m sure I’m missing several other firsts, but already no other company has such a record of industry contribution and market success.

While I have a lot to be proud of, none of this would have been possible without a great many amazing people and lifelong friends. I’d like to personally thank the hundreds of WhiteHat employees, both past and present, for helping protect the Web and making WhiteHat the success that it is. They are what I’m most proud of and grateful for. Working with you all has been a singular honor. I would also like to send a very special thank you to the over 1,000 customers who believed in me, believed in WhiteHat, and entrusted us to protect them. Your trust and support always meant everything to me. Thank you to our partners all over the world who brought us to their customers and championed our cause. And thank you to the security community, the lifeblood of the entire industry, who carry us all.

Of course many will be curious about what I’m going to do next. While I’m not yet ready to reveal those details, what I can share is that I remain genuinely excited about the future of the security industry. I’m not going anywhere. Every day I see new and interesting problems that I’d like an opportunity to solve and expand my horizons. More than anything, that’s why I’m leaving WhiteHat, but its spirit will always be with me and continue to influence my life. Any of us has the capacity to change the world, we just have to allow ourselves the chance to do so.

Hack Yourself First. [...]

Aaron's suicide: System Contributed, Society Perpetuated


If you are unfamiliar with the circumstances surrounding Aaron Swartz's suicide, the rest of what I have to say will not make any sense to you. Aaron Swartz, an inspired and inspiring fellow hacker, left us by his own hand at the age of 26. This story, his story, is nothing less than tragic. The world is lesser without him. For his [alleged] 'computing hacking crimes,’ he faced 35 years in prison, 3 years of supervised release, and fines of up to $1 million. This degree of punishment is more than someone would receive if found guilty of providing direct support to terrorists in the acquisition of nuclear weaponry. Think about that. Angry? So am I, but that's not enough.

If you believe the actions of the Massachusetts U.S. Attorney’s office, and that of prosecutors Carmen Ortiz and Stephen Heymann were atrocious, reprehensible, despicable even, and think, as Aaron's father does, their actions contributed to his son's death, I'm with ya. At least 43,666 share similar outrage with you, well, us. A White House petition is calling for Ortiz's removal from office. Burn the witch! But be careful here, if you think this will change a damn thing, that society's usual focus of rage will somehow save a future young life, and lead to some kind of social justice, that’s where we part ways.

You see, many will look at the circumstances and correctly conclude, “something is wrong here” and “something needs to change!” Unfortunately, they'll focus their rage on the wrong things, things they are told to get upset about, and mistakenly serve to protect the system that contributed to Aaron's suicide. They'll focus rage on the prosecution's behavior. They’ll focus rage on “appropriate punishment” of the crime. They’ll focus rage on amending or removing a defective CFAA law and supposed intent of that law. They’ll focus rage on obtaining social “justice.” Bzzz, wrong! Fake out!

I concede that these are normal, natural, yet systemically trained responses. Rage focused this way guarantees that more similarly minded political appointees get, well, appointed. Rage focused this way guarantees we’ll get no justice. Aaron’s story was never, ever about “the law” or that pesky word, “justice.” Like ~90% of cases, this was NEVER going to get to a trial. You know, the visual you get where you have rights to a judge, jury of your peers, call witnesses, opportunity to confront your accusers, articulate lawyers and everything else you see on Law & Order. Like "justice," getting a trial was never on the negotiating table, where justice is supposedly decided. The prosecution didn’t want it. Aaron and his lawyers didn’t want it. This entire charade was about plea bargaining, a place where you have none of these "constitutional rights.” This case was all about the manufacturing of yet another felon, about career advancement. Look, one of Aaron's prosecutors admitted as much right here:

“I must, however, make clear that this office's conduct was appropriate in bringing and handling this case.”
Carmen Milagros Ortiz, United States Attorney for the District of Massachusetts

Please don’t waste time debating whether or not you feel the prosecution was going too far. That’s the fake out. The same fake out you’ll see in the headlines that protects the system. That answer doesn't matter. Instead, ask yourself WHY the prosecution thought their “conduct was appropriate.” That's the dangerous question few are willing to entertain. They do really think that, you know. They’re not lying. Prosecutors are trained to think that way. We train them to think that way. And from the system's perspective, it was! Appropriate.

You don’t agree? I don't blame you. If this was anything about justice, please explain to me why on the same website, in the Office of the US Attorneys’ own mission statement, does the word “justice” appear [...]

Written Speech: TEDxMaui -- Hack Yourself First


Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage -- nothing short of amazing -- life changing. While the Hack Yourself First video recording was recently posted, no amount of preparation would allow me to really say everything that I wanted to and in the order necessary. Everything I really wanted to say, in the written version...

-----

Every day, every day the life-blood of our nation, the fuel of our economic prosperity, is being sucked away, invisibly and without our knowledge. Every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers. Hackers, who are located both domestically and abroad, are getting away with data by the terabyte daily and are profiting in the billions annually. And do you know why?

Because hacking is easy. Because hacking works.

I know this because I am a hacker – no, not THAT kind. My kind is like the Jedi as opposed to the Sith. You know, there are the good guys and there is also the dark side. In the world of hacking it’s no different.

More than being a hacker, I teach other people how to hack. In fact, I teach a lot of people how to hack -- all sorts of ways to hack into banks, retail websites, social networks, government systems, … into computers just like yours and your online accounts. I teach people how this can be done from anywhere across the Internet. I’ve been invited to teach these skills, publicly, for the past decade -- to businesses, to government agencies, to university students, and industry groups, across six continents. I share stories about precisely how everyday people, just like you, and businesses, just like those you own or work for, governments too, have been hacked into, often and with ease.

I bet many of you are wondering why this is a good thing, teaching people how to hack. I know hacking is often stereotyped with illegal or nefarious activity. I also know teaching people how to hack, building up our cyber-offense skills, and focusing these skills inward at ourselves, are critical to our national security and helping ensure the economic well-being of us all. I call this approach, Hack Yourself First, a concept that can, and must, be used as a means to defend ourselves.

I feel so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies, who do business online, to hack into them and explain how we did so. And they pay us a lot of money to do this work. On the average website, our team can identify one or more security gaps, usually in under 20 minutes.

In under 20 minutes we’re able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers’ accounts, or steal data they have on the system -- all the things that could have made headlines like those you’ve probably seen a lot of in recent years. This is actually what they are doing right now back at headquarters. This is the work we do every day.

And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them.

These companies pay us to hack them because they know, as we know, that anything and everything connected to the Internet will endure some type of cyber-attack, likely several a day. They want to avoid being another headline, another cyber-crime victim. They want to know what the bad guys know, or eventually will, so overlooked problems in their security can be fixed. And all this, so you can remain confident in doing business with them. So, Internet security can be thought of as a race between t[...]

TEDxMaui -- Hack Yourself First


Update 04.12.2012: Video of the presentation embedded below.

Ten years ago if you would have told me that I'd be back living in Hawaii, founder of a fast growing technology company, and a TED speaker -- I would've said, "What's a TED?" Preparing for TEDxMaui was extremely difficult. The presentation format is completely different than anything I’ve ever done before. It was limited to just 18 minutes as opposed to 50, and given to an audience of everyday people eager to see something amazing, instead of security professionals and high-tech workers. The message had to be crystal clear. Since TEDxMaui videos won’t be published until late February, you’ll have to settle for my substandard textual description for now.

I wanted everyone, both the viewers in the audience and those who would eventually watch the video, to deeply appreciate the crucial importance of Internet security. I want everyone to know that to discuss Internet security is really to discuss our economic well-being and our national security, and I want everyone to know that both are under attack -- every single day. Most of all I wanted everyone to know that hacking, and people learning how to hack, is absolutely essential to defend ourselves. I labelled this concept Hack Yourself First, the title of the presentation. Hack Yourself First advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.

Before presenting Hack Yourself First I had to first imagine how the audience would respond. Most watching undoubtedly have only had negative experiences with the words “hacking” and “hackers.” All they likely knew of hacking is in relation to viruses infecting their computers, stealing money out of (their) bank accounts, TV interviews of shadowy characters wearing Guy Fawkes masks, salacious articles featuring cyber villains, and of course bad Hollywood movies. Whether we like it or not, these are the ambassadors of hacking, so the idea of teaching cyber-offense skills might be considered akin to illegal activity. Just the same, there I was on stage revealing that, “Yes, I am a hacker -- but not like them.”

I don’t know what precisely it was that I said, but the message of Hack Yourself First undoubtedly resonated in a big way. No less than a hundred people introduced themselves to me afterwards excitedly asking, “How do I learn to hack myself first?” Perhaps I shouldn’t have been, but I was blown away. And not just the very young or student age, I’m talking about people 45 up to 70 years old with zero technology background. Maybe it was because I taught them a simple hacking trick, one they could grasp, and even do, like those from my “Get Rich or Die Trying” presentation. Suddenly the fascinating subject of hacking, which they previously assumed was too complicated to learn, was approachable. I taught a TED audience how to hack! How cool is that!? :)

Many in the information security industry have been trying desperately and in vain to raise Internet security awareness among the masses. We repeatedly give people laundry lists of what not to do, and it isn’t helping. Better awareness, better overall Internet security, could be accomplished through Hack Yourself First. Teach anyone and everyone who wants to learn how to do the actual attacks the bad guys use against them, perhaps packaged up in a Capture-the-Flag format. That would be a lot of fun for everyone. When people know precisely how hacking works, they’ll be in a better position to spot attacks against them and be on their guard.

I came to[...]



Over my career I’ve given exactly 295 public presentations, to audiences as small as a table full and up to many thousands. Audience members have said countless times that they really enjoy my speeches. Conference organizers always invite me back, and my feedback scores are always amongst the highest. These are accomplishments I’m proud of and a level of success only achieved with the help of a lot of dedicated people. You might think that after all this experience I’m extremely comfortable on stage. The reality is that you’d be wrong, very wrong. What most don’t know is that each and every time I present, to this day, I suffer from extreme anxiety, commonly known as stage fright. In my case, terrified would be a more accurate description.

I’ve been known to physically shake, have shortness of breath and a strained voice, speak far too quickly, be statuesque on stage almost like I’m hiding, and feel just overall completely stressed out. Early on I decided that no matter how terrified I was, my message needed to get out there, and it was more important than letting fear stop me. I think my #1 skill as a public speaker is hiding my fear, my terror. My theory was the more experience I gained the faster I’d overcome it. In the meantime, in order to cope, I developed a pre-presentation ritual.

I’d prepare heavily for each event, pore over the content in every slide, and seek candid feedback from those I trusted. I’d also commonly ask the event organizer for details on audience demographics to specifically tailor my comments. I’d then practice ahead of time for small private groups in order to get the timing and flow down. If something or all of it sucked, I’d throw it out. With the assistance of my wife, I’d even get a plan down for precisely what I was going to wear on show day. Nothing was left to chance. Finally, I’d block out an hour before each presentation to check out the stage, be alone with time to center, prepare and calm myself down, and of course continue tweaking slides. Being prepared helped take the edge off my anxiety a lot.

The problem was, or is, that no matter how many times I presented, the anxiety, the fear, and terror never really lessened. That is until this last year. Something changed, but what!? Had I finally overcome it? I’m not an introspective person so it wasn’t until very recently that I think I figured it out. In 2011 my public presentations weren’t pushing the envelope as much as in years past. The content was good to be sure, but it also focused on “safe” business level subjects and incrementally advancing work from previous years. In short, I really wasn’t putting myself out there as far as I’m used to. In my case, the feeling of fear and terror arises when pushing forth an idea or a concept and being unsure if people will think it’s uncompelling or totally idiotic. A chance you take.

That’s about when I got a call from TED offering a speaking slot at TEDxMaui. We got to talking about my work and discussing an idea worth spreading. It didn’t take long. Then all of a sudden I’m thrust right back into fear and terror mode, but now that I understand it, the feeling is almost comforting. It signals that I have an opportunity to take things in my industry, in our industry, to a new level -- or of course drive right off a cliff. Either way it’ll be a good show! :)

How I got my start -- in Brazilian Jiu-Jitsu


I’ve been a UFC fan for years, even before it was acquired by Zuffa. I was fascinated by the anything goes, hand-to-hand form of combat. I suppose it reminded me of growing up in Hawaii. :) The UFC was also enjoyable because it helped answer the question, “What martial-art or fighting style was most effective?” Karate? Kickboxing? Boxing? Wrestling? Ninjutsu? What matters more, size or technique?

The UFC provided a forum, the octagon, to settle the long-standing fight-world debate. Everyone had a theory, but no one really knew for sure. What became crystal clear, and still holds today, is that every fighter must have a background in Brazilian Jiu-Jitsu or they WILL lose. It’s just that simple. My background was mostly striking, so I wanted to try out this ground fighting stuff.

A co-worker, also interested in the UFC, and I found a local BJJ academy in San Jose taught by black belt instructor Tom Cissero. Tom has a passion for the martial arts and, more importantly, for his students, as he deeply feels that they are a direct reflection upon his life and value as a person. Yes, he takes his craft that seriously, and serious he is. Tom is abrasive, aggressive, and combative, attributes covering up a heart of gold. In the academy Tom will push you hard, harder than any place else, to make you good. Whether you like it or not, and he cares enough to do so. That’s why I stayed with him the better part of a decade.

Anyway, my 6’2” - 300lbs, and let’s face it, seriously fat and way out of shape frame walks in -- admittedly with a little bit of big man ego. I see Tom instantly trying to size me up. Of course he had me figured out in all of 5 seconds, as you’ll read in a moment. After signing the waiver, doing some drills, and learning a couple of submissions I began to familiarize myself with the basic rules and gym etiquette. Then came sparring time. Tom loves the sparring sessions more than anything else. Probably because it measures your progress in stamina and skill.

Tom pairs me up with, and I kid you not, a 150 lbs or less woman in her mid 40’s and says let’s see what you can do. She’s a purple belt with several years of BJJ experience, but I’m thinking to myself WTF!? She’s half my size! I’m going to squash her! Then of course the whole situation is running counter to my internal man moral code, never fight girls. Not being given a choice, but also not wanting to be disrespectful, I decided to go really easy as I didn’t want to hurt her or anything.

The bell sounds, I come slowly forward towards her, she quickly closes the distance, spider monkeys to my back, chokes me, and forces me to tap out inside of 10 seconds flat. I was shocked and a little upset. Here I am going light and she takes advantage of me. Clearly she’s not playing around. To hell with this, no way I’m going to let that happen again! No more Mr. Nice Guy.

We touch hands, signaling to begin again, but I go harder this time trying to put her back on the mat. She again somehow sneaks around under my arm, like an octopus, and chokes me with the same damn move! To my credit, I lasted a few more seconds that time. This scenario repeats for about 4 to 5 minutes in the session, and for the life of me, as a big strong guy, I could not keep this tiny older woman off my back and robbing the oxygen from my brain. Oh, and all the while she is speaking to me in a calm instructive voice. Humiliation is the best word to describe it.

At the end of class I’m thinking to myself, there is something to this Brazilian Jiu-Jitsu stuff. However, that wasn’t the most important thing to me at that particular moment. There was no way I could go on about my life happily knowing that such a woman could kick my butt so easily. Call it machismo if you like, I don’t care. It was clear to me that I h[...]

Web security content moving to new WhiteHat Security corp blog


Many of you have noticed I haven’t been blogging in several weeks. The truth is I have been blogging, just not here! For those who missed the announcement, WhiteHat Security recently launched a new corporate blog, featuring over a half dozen other WhiteHat bloggers in addition to myself. To support and intermingle with other exceptionally solid posts, I’ve been directing my Web security content over there. If you review the archives you'll find cool stuff on scaling CSRF identification, DOM-based XSS, bypassing CSRF tokens with a Flash 0-day, etc.

Here are some of my most recent posts that you may have missed:
See! I have been blogging. :) Consider updating your RSS feeds.

I'll continue posting here, only at a much lower volume, and exclusively about personal things like my adventures in Brazilian Jiu-Jitsu.

Sentinel SecurityCheck


Have you been hearing about WhiteHat Sentinel for a while, but never had the opportunity to try out the service for yourself? We'd like to change that and make Sentinel accessible to more people. We've recently announced a new promotion, for those who are interested and qualify, to receive the full customer experience for 30 days -- for FREE. This is way more than just finding vulnerabilities. If you like it, great, sign up! If not, which is extremely rare, you owe nothing. Follow the link below for additional details.

WhiteHat Security Announces No Cost Website Vulnerability Assessment Program

Sentinel SecurityCheck offers organizations 30 days of continuous assessment to identify all website vulnerabilities and mitigate leading risk for data breaches; Participating companies gain access to WhiteHat Security's verified vulnerability results and personalized guidance on website risk management

11th WhiteHat Website Security Statistic Report: Windows of Exposure


WhiteHat Security's 11th Website Security Statistics Report presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management. This represents the largest, most complete, and unique dataset of its kind. WhiteHat Security makes this report available specifically for organizations that aim to start or significantly improve their website security programs and prevent breaches and data loss.

Top 3 Key Findings (Full list available in the report)
  • Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9–12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
  • During 2010, the average website had 230 serious* vulnerabilities.
  • In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.

Window of Exposure is an organizational key performance indicator that measures the number of days a website has at least one serious vulnerability over a given period of time.
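As an added example, not part of the report or of any WhiteHat code, the KPI computed over constructed assessment records: overlapping open intervals are merged so a day counts once, unclosed findings run to the end of the period, and the bucket thresholds that mirror the findings above are my own assumption.

```python
from datetime import date, timedelta

# Constructed assessment records (not from the WhiteHat dataset): per site, a list of
# (date a serious vulnerability was found, date it was verified fixed, or None if still open).
SITES = {
    "site-a": [
        (date(2009, 11, 1), date(2010, 1, 5)),   # carried over from the previous year
        (date(2010, 1, 10), date(2010, 2, 10)),
        (date(2010, 2, 1), date(2010, 3, 1)),    # overlaps the one above
        (date(2011, 2, 1), None),                # found after the period, must not count
    ],
    "site-b": [(date(2010, 6, 1), None)],        # never fixed: exposed through year end
    "site-c": [(date(2010, 3, 1), date(2010, 3, 15))],
}
PERIOD_START, PERIOD_END = date(2010, 1, 1), date(2010, 12, 31)


def window_of_exposure(vulns, period_start, period_end):
    """Days in [period_start, period_end] with at least one serious vulnerability open.

    A vulnerability is open on day d if found <= d < fixed; overlapping intervals are
    merged so a day with several open vulnerabilities is counted once."""
    limit = period_end + timedelta(days=1)           # exclusive end of the period
    spans = []
    for found, fixed in vulns:
        start = max(found, period_start)
        stop = limit if fixed is None else min(fixed, limit)
        if start < stop:                             # drops anything outside the period
            spans.append((start, stop))
    spans.sort()
    days = 0
    cur_start = cur_stop = None
    for start, stop in spans:
        if cur_stop is not None and start <= cur_stop:
            cur_stop = max(cur_stop, stop)           # extend the current merged span
            continue
        if cur_stop is not None:
            days += (cur_stop - cur_start).days
        cur_start, cur_stop = start, stop
    if cur_stop is not None:
        days += (cur_stop - cur_start).days
    return days


def exposure_bucket(days, period_days):
    """Bucket a site the way the findings above are phrased. The thresholds (under 30
    days, at least 9/12 of the period) are my assumption, not the report's definition."""
    if days < 30:
        return "under 30 days"
    if days >= period_days * 9 // 12:
        return "9-12 months"
    return "30 days to 9 months"


def exposure_summary(sites, period_start, period_end):
    """Per-site Window of Exposure plus the share of sites vulnerable fewer than 30 days."""
    period_days = (period_end - period_start).days + 1
    report = {name: window_of_exposure(v, period_start, period_end) for name, v in sites.items()}
    under_30 = sum(1 for d in report.values() if exposure_bucket(d, period_days) == "under 30 days")
    return report, under_30 / len(report)


if __name__ == "__main__":
    per_site, share = exposure_summary(SITES, PERIOD_START, PERIOD_END)
    for name, days in per_site.items():
        print(f"{name}: {days} days ({exposure_bucket(days, 365)})")
    print(f"share of sites vulnerable under 30 days: {share:.0%}")
```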

Download the Full Report...

Robert “RSnake” Hansen, age 34, has passed away, on Facebook


Facebook encourages people to keep up with friends and family through those familiar little website reminder notices. In some cases the person suggested in the reminder has passed away, which would explain the account inactivity, and this might obviously be taken as offensive and emotionally distressing. Facebook recognizes this and offers a process where they allow accounts to be “Memorialized” on the recommendation of a “friend” by filling out the appropriate form.

“When a user passes away, we memorialize their account to protect their privacy. Memorializing an account sets the account privacy so that only confirmed friends can see the profile or locate it in search. The Wall remains, so friends and family can leave posts in remembrance. Memorializing an account also prevents anyone from logging into the account.”

As many readers might recall, a couple months ago Robert “RSnake” Hansen, best known for his contributions to Web security, bid his farewell in a final 1,000th blog post. Since RSnake has departed “the scene,” he is effectively dead in an online sense. As such some felt it only fitting that his Facebook persona follow a similar path and shake off its digital coil. To get RSnake’s page memorialized all that was required was finding a person who shared the same name, who had a recent obituary published somewhere online, lived in roughly the same area, and then filling out the necessary form. Not too long after...

If you are a Facebook friend of RSnake, you may still pay your last respects to him on his wall. Rest assured that while he can no longer reply himself, he is indeed smiling (or LHAO) down on us all from above.

Top Ten Web Hacking Techniques of 2011


Update 02.14.2011: Open voting for the final 15 is now underway. Vote Now!

This post will serve to collect new attack techniques as they are published. If you think something should be added, please comment below and I'll add them.

"Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work."

Current 2011 List
  • Bypassing Flash’s local-with-filesystem Sandbox
  • Abusing HTTP Status Codes to Expose Private Information
  • SpyTunes: Find out what iTunes music someone else has
  • CSRF: Flash + 307 redirect = Game Over
  • Close encounters of the third kind (client-side JavaScript vulnerabilities)
  • Tracking users that block cookies with a HTTP redirect
  • The Failure of Noise-Based Non-Continuous Audio Captchas
  • Kindle Touch (5.0) Jailbreak/Root and SSH
  • NULLs in entities in Firefox
  • Timing Attacks on CSS Shaders
  • CSRF with JSON – leveraging XHR and CORS
  • Double eval() for DOM based XSS
  • Hidden XSS Attacking the Desktop & Mobile Platforms
  • Rapid history extraction through non-destructive cache timing (v8)
  • Lotus Notes Formula Injection
  • Stripping Referrer for fun and profit
  • How to upload arbitrary file contents cross-domain (2)
  • Exploiting the unexploitable XSS with clickjacking
  • How to get SQL query contents from SQL injection flaw
  • XSS-Track as a HTML5 WebSockets traffic sniffer
  • Cross domain content extraction with fake captcha
  • Autocomplete..again?!
  • JSON-based XSS exploitation
  • DNS poisoning via Port Exhaustion
  • Java Applet Same-Origin Policy Bypass via HTTP Redirect
  • HOW TO: Spy on the Webcams of Your Website Visitors
  • Launch any file path from web page
  • Crowd-sourcing mischief on Google Maps leads customers astray
  • BEAST
  • Bypassing Chrome’s Anti-XSS filter
  • XSS in Skype for iOS
  • Cookiejacking
  • Stealth Cookie Stealing (new XSS technique)
  • SurveyMonkey: IP Spoofing
  • Using Cross-domain images in WebGL and Chrome 13
  • Filejacking: How to make a file server from your browser (with HTML5 of course)
  • Exploitation of “Self-Only” Cross-Site Scripting in Google Code
  • Expression Language Injection
  • (DOMinator) Finding DOMXSS with dynamic taint propagation
  • Facebook: Memorializing a User
  • How To Own Every User On A Social Networking Site
  • Text-based CAPTCHA Strengths and Weaknesses
  • Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
  • Temporal Session Race Conditions Video 2
  • Google Chrome/ChromeOS sandbox side step via owning extensions
  • Excel formula injection in Google Docs
  • Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
  • CAPTCHA Hax With TesserCap
  • Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
  • Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]

Previous Winners
  • 2010 - 'Padding Oracle' Crypto Attack
  • 2009 - Creating a rogue CA certificate
  • 2008 - GIFAR
  • 2007 - XSS Vulnerabilities in Common Shockwave Flash Files
  • 2006 - Web Browser Intranet Hacking / Port Scanning

Hack Yourself First: Jeremiah Grossman [...]

BINGO! for Application Security


In case you need something fun to do during an RSA 2011 or OWASP Summit 2011 presentation.


Web Browsers and Opt-In Security


The last decade has taught us much about computer and information security. We’ve learned the importance of Secure-By-Default because people rarely harden their “security” settings as standard practice. We’re also painfully aware that security is often a trade-off between functionality and usability, which requires a balance be made. Ideally this balance is decided between what level of security a product claims and the customer’s expectations. Operating systems and Web servers have taken a strong supporting stance with regards to Secure-By-Default. Web browsers, well, I think there is much room for improvement.

Let’s look at recent outcomes, shall we. According to CA Technologies, "Browser-based exploits accounted for 84% of the total actively exploited known vulnerabilities in the wild." Other industry reports support these findings, including, "Of the top-attacked vulnerabilities that Symantec observed in 2009, four of the top five being exploited were client-side vulnerabilities that were frequently targeted by Web-based attacks." 2010 wasn’t much different. This is typically the result of a combination of imperfect software and not keeping browser & plug-in patches up-to-date.

Even in this context the browser vendors (Google, Microsoft, and Mozilla) should still be given a lot of credit for having vastly improved the overall security of their software in the last two or so years. They have better development practices, publish regular and timely patches, include easy scheduled update mechanisms, and have added anti-malware/phishing features, sandboxes, and bounty programs. Collectively speaking, anyway. All great benefits that users receive automatically and/or enabled by default. That is, Secure-By-Default. But that's where it ends.

Memory-handling issues aside, which is where these protections mainly focus, there are still many extremely devastating attack classes where users have practically zero ability to defend themselves. I'm talking about Intranet Hacking, DNS Rebinding, Clickjacking (UI Redressing), Cross-Site Scripting, Cross-Site Request Forgery, CSS History Leaks, and WiFi Man-in-the-Middle. I see these as being the most pressing. They break the back of the Same-Origin Policy, the very foundation of browser security, and there’s evidence that most of these have been used maliciously in the wild. A malicious website can easily detect what websites a visitor is logged in to, what sites they’ve recently visited, take over their online bank/email/social network/etc. accounts, or hack into their DSL router or corporate intranet. Or maybe the attacker wants to get the victim in legal trouble by forcing them to attack other systems, post spam, download illegal content, and so on.

Sure, an individual user can defend themselves with add-ons like NoScript, Adblock Plus, LastPass, Better Privacy and so on, of which I’m a fan and user. To reiterate though, this is in no way a demonstration of Secure-by-Default! Users have to first be aware, download the application, install, and finally configure. The reality is most users don’t know these attacks are possible and even easy to perform. Only the readers of this blog and the browser vendors themselves do. So from a 10,000ft view of Web security, if a protection feature is not enabled by default then it doesn’t matter. Case in point...

To combat these issues, keep the security-minded elite mildly happy, and show that "something" is being done, there’s a mile long list of well intentioned security features that extremely few people outside of our tiny Web security sphere have heard of, let alone implemented. HTTP St[...]
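An added example, not from the post, that audits a raw HTTP response for the opt-in defences covering several of the attack classes listed above (HSTS for WiFi man-in-the-middle, X-Frame-Options or CSP frame-ancestors for clickjacking, a script-restricting CSP for XSS, cookie flags for session theft through XSS or plaintext capture); the two sample responses are constructed, and the point it makes is the post's: a stock server response carries none of them.

```python
import re

# Constructed sample responses (assumption: a typical "out of the box" server reply versus a
# hardened one; neither was captured from any real site).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into {lower-cased name: [values]}; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def opt_in_gaps(raw):
    """Return the attack classes from the post that this response leaves open because the
    corresponding opt-in defence was not switched on by the site."""
    h = parse_response_headers(raw)
    gaps = []

    # WiFi man-in-the-middle: HSTS pins the browser to HTTPS, but only with a non-zero max-age.
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if m is None or int(m.group(1)) == 0:
        gaps.append("WiFi Man-in-the-Middle: no Strict-Transport-Security")

    # Clickjacking: framing is allowed unless X-Frame-Options or CSP frame-ancestors forbids it.
    xfo = h.get("x-frame-options", [""])[0].upper()
    csp = "; ".join(h.get("content-security-policy", []))
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        gaps.append("Clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # Cross-Site Scripting: without a script-restricting CSP the browser runs any injected script.
    if not re.search(r"\b(default-src|script-src)\b", csp):
        gaps.append("Cross-Site Scripting: no script-restricting Content-Security-Policy")

    # Session cookies need HttpOnly and Secure, both of which are also opt-in.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            gaps.append(f"Cookie {name} lacks {', '.join(missing)}")
    return gaps


if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {opt_in_gaps(resp) or 'no opt-in gaps found'}")
```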

Remote participation for the 2011 OWASP Summit


The OWASP 2011 Summit looks like it's shaping up to be quite an event! From across the globe the top Web application security minds, practitioners, vendors, and influencers are showing up to help shape things to come. Check out the working sessions. As mentioned in an earlier post, I'm unable to attend due to a scheduling conflict. However, our own Arian Evans (VP, Operations) will be carrying the WhiteHat Security flag.

Fortunately for the rest of us, it looks like they are organizing a professional video/audio feed for remote participation. Dinis Cruz is asking those interested to fill out a form to help accommodate the broadcast scheduling. I did just that.

Do-Not-Track (How about piggybacking on the User-Agent?)


I think I’ve read just about every white paper, article, blog post, and tweet about Do-Not-Track (DNT), including the FTC’s recent 121 page preliminary staff report that thrust the concept into public consciousness. For those unfamiliar with what DNT is exactly, not to worry, it is really very simple.

The idea behind DNT is providing online consumers, those sitting behind a Web browser, an easy way to indicate to third-parties that they do not want to be "tracked" -- they opt out. DNT would hopefully replace today's system of having to register with dozens of different provider websites to obtain “opt-out” cookies.

As the FTC pointed out, the opt-out cookie approach proved unscalable and could never have been effective with the spirit of its intent, consumer privacy. Adding insult to injury, anyone seeking to improve their privacy by deleting all their cookies would simultaneously delete their opt-out cookies too. They’d have to perform opt-out registration all over again. No wonder the advertisers and tracking companies support this model.

The FTC report gave no real technical guidance on how DNT should be implemented. Not that they should have. What you must first understand about DNT is that in all models, there is NO real technical privacy enforcement. Basically the consumer is asking (buried somewhere invisible in the HTTP protocol) anyone who is listening, “please do not track me.” It is then on the honor of the tracking companies across the Internet to support the DNT system and comply with the request when they have no legal obligation to do so. Which is not to say DNT is without value. It would be helpful to have a legal remedy available when all technical self-protection mechanisms eventually break down.

Since DNT started making headlines Google, Microsoft, Mozilla, and various browser plug-in developers have been experimenting with different approaches to DNT in their respective Web browsers. The one seeming to get the most traction at the moment is adding a special 'DNT' header to each HTTP request. For example:

  • "DNT: 1" - The user opts out of third-party tracking.
  • "DNT: 0" - The user consents to third-party tracking.
  • [No Header] - The user has not expressed a preference about third-party tracking.

At first glance this does appear to be the logical and superior model over all others I’ve seen so far. Then I got to talking with Robert “RSnake” Hansen about this and we came to a slightly different conclusion as to where DNT would best go. First remember that there are a lot of great big powerful corporate interests that really don’t like DNT and what it represents. If effective and widely adopted, business models at odds with consumer privacy choice would be seriously threatened. Opponents to DNT will seek to confuse, sabotage, derail, downplay, and stall progress at every opportunity. The final accepted protocol must be resilient to a large portion of the Internet hostile to its very existence.

DNT data must be able to traverse the Internet to its destination unaltered and be logged on the other end (the Web server) for auditing / statistical purposes. If DNT ends up being a new HTTP request header, those headers, like most others, are rarely logged and never by default. It would be far too easy for a tracking company to ignore DNT headers and claim they never got them. Proving otherwise would be difficult for a plaintiff.

An alternative is piggybacking DNT onto an already well established header. One that no one in the connection stream would typically think of touching and that is alr[...]
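An added example, not from the post, contrasting the two channels: a DNT request header is interpreted server-side but never reaches a default "combined" access log, whereas a token carried inside the User-Agent does, so it can be audited afterwards. The "DNT/1" and "DNT/0" User-Agent tokens and the sample requests are my constructed assumption, not the format the post goes on to propose.

```python
import re
from datetime import datetime, timezone

# Assumption (not a standard, and not the post's proposal, which is cut off above): a product
# token "DNT/1" or "DNT/0" appended to the User-Agent carries the same preference as the
# proposed DNT request header.
UA_TOKENS = {"DNT/1": "opt-out", "DNT/0": "consent"}


def dnt_preference(headers):
    """Map request headers to 'opt-out', 'consent' or 'unspecified'.

    The proposed DNT header takes precedence; the User-Agent token is the fallback channel."""
    h = {name.lower(): value for name, value in headers.items()}
    dnt = h.get("dnt", "").strip()
    if dnt == "1":
        return "opt-out"
    if dnt == "0":
        return "consent"
    for token in h.get("user-agent", "").split():
        if token in UA_TOKENS:
            return UA_TOKENS[token]
    return "unspecified"


def combined_log_line(client_ip, request_line, status, size, headers, when):
    """Render the Apache/NGINX 'combined' access-log format. Referer and User-Agent are
    written by this default format; any other request header, DNT included, is dropped."""
    h = {name.lower(): value for name, value in headers.items()}
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{client_ip} - - [{stamp}] "{request_line}" {status} {size} '
            f'"{h.get("referer", "-")}" "{h.get("user-agent", "-")}"')


def preference_from_log(line):
    """Recover the DNT preference from a combined-format line: only what reached the log
    can be audited later, which is the post's argument for the User-Agent channel."""
    m = re.search(r'"([^"]*)" "([^"]*)"$', line)
    if m is None:
        return "unspecified"
    return dnt_preference({"User-Agent": m.group(2)})


# Constructed requests: the same browser expressing opt-out through each channel.
HEADER_ONLY = {
    "Host": "tracker.example",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:4.0) Gecko/20100101 Firefox/4.0",
    "Referer": "http://news.example/story",
    "DNT": "1",
}
PIGGYBACKED = {
    "Host": "tracker.example",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:4.0) Gecko/20100101 Firefox/4.0 DNT/1",
    "Referer": "http://news.example/story",
}
WHEN = datetime(2011, 1, 20, 9, 30, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, req in (("DNT header", HEADER_ONLY), ("User-Agent token", PIGGYBACKED)):
        line = combined_log_line("203.0.113.7", "GET /pixel.gif HTTP/1.1", 200, 43, req, WHEN)
        print(f"{label}: server saw {dnt_preference(req)}, log shows {preference_from_log(line)}")
```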

Travel the World, Meet new People, and Fight them


I’ve been training Brazilian Jiu-Jitsu for a little over 5 years now, sprinkled in with a little Muay Thai and Boxing to complement the ground game. I’ve averaged a two hour class about 4 days a week, which has resulted in a loss of 60lbs (kept off) and a respectable brown belt. I’m currently working my butt off to earn black. While being a BJJ black belt would be unbelievably cool, honestly the belt color isn’t all that important to me. I’ll be training for as long as I’m physically able to, for life, regardless. The power of this martial art is simply amazing.

Right now I’d prefer to be training BJJ (MMA) twice a day 4-5 days a week, but between WhiteHat and family commitments there is just no way. When vacationing in Maui that’s pretty much what I do with all my down time, in between going to the beach of course. My BJJ game skyrockets to new levels super fast because the guys out there are no joke. Everyone is in shape and trains all the time. You’ll even find private MMA cages in people’s back yards that provide “something to do” when there are no waves.

My job requires me to travel a lot. I’ve been to 5 continents, about two dozen countries, and 35 or so US states. Fortunately there has been an explosion in the number of BJJ academies thanks in large part to the UFC and MMA phenomenon. There’s at least one academy in every major US city I’ve been to and I make a point to visit as many as I can. I always fly with my gi, rash guard, mouth guard, and fight shorts. I’ve trained in about 20 academies across the US and abroad, including in Brazil where of course BJJ all began. I don't do this to try and prove how tough I am or anything, mostly just looking for a good workout (way better than the gym), to learn a new move or two, and to benchmark my progress. So if you see me on stage with what looks like mascara, you’ll know why.

In 99% of the academies I’ve had lots of fun and an amazing experience. I got to meet some really cool people outside of the security industry and keep perspective on things. I’ve also learned a couple of important lessons on what NOT to do:

1) Don’t visit an unfamiliar academy as an out of town traveler unless you are a solid blue belt level or above, which equates to at least a year or more of hard training experience. Not all instructors and students are nice people, so you must be able to truly protect yourself from serious injury in the rare case that someone is actually trying to hurt you. I’ve never had a problem in a strict BJJ (Gi) academy, but some “MMA” (No-Gi) places do have a level of “fighter” attitude where some try to prove themselves outside of the cage. I’ve only had to deal with this kind of ego twice before. Both times it didn’t end up good for the other guy. They slept, I left.

2) As a sign of respect, call ahead and speak with the instructor. Introduce yourself and your training background. This lets the instructor know where to place you with their students skill wise and tell you if the place isn’t right for you for whatever the reason. Again, I’ve had two moderately bad experiences showing up to a martial arts academy unannounced. One was primarily an Aikido place and the other Taekwondo, both advertising some BJJ classes on their site. Apparently the instructors in those disciplines also taught the BJJ class, but weren’t highly skilled. I asked if they do full speed sparring, to which they nodded. Once they found out my level, they wanted no part of me and asked that I leave. I think they were concerned [...]

Top Ten Web Hacking Techniques of 2010 (Official)


Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. Now in its fifth year, the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.

Since inception of the Top Ten Web Hacking Techniques list, the diversity, volume, and innovation of security research has always been impressive. 2010 produced 69 new attack techniques! This year's point-position voting system worked well and the results showed exceptionally strong competition throughout all the entries. In fact, only two entries did not gain any points.

I’d like to take a moment again to thank everyone who took the time to fill out the voting surveys including those who were on this year's expert panel: Ed Skoudis (InGuardians Founder & Senior Security Consultant), Giorgio Maone (Author of NoScript), Caleb Sima (CEO, Armorize), Chris Wysopal (Veracode Co-Founder & CTO), Jeff Williams (OWASP Chairman & CEO, Aspect Security), Charlie Miller (Consultant, Independent Security Evaluators), Dan Kaminsky (Director of Pen-Testing, IOActive), Steven Christey (Mitre), and Arian Evans (VP of Operations, WhiteHat Security). Also a big thanks to our sponsors BlackHat, OWASP, various Web security authors, and WhiteHat Security.

Today the polls are closed, votes are in, and the official Top Ten Web Hacking Techniques of 2010 has been finalized! For any researcher simply the act of creating something unique enough to appear on the complete list is itself an achievement. To make it on to the top ten though, is well, another matter entirely. These researchers receive special praise amongst their peers who selected them and take their place amongst those highlighted in previous years (2006, 2007, 2008, 2009).

Top honors go to Juliano Rizzo and Thai Duong for their work on the “'Padding Oracle' Crypto Attack.” They’ll receive a free pass to attend the BlackHat USA Briefings 2011 (sponsored by Black Hat) and a library of autographed Web security books.

In second place is Samy Kamkar for his work on “Evercookie.” He’ll receive a free OWASP Conference pass (sponsored by OWASP).

And finally, everyone appearing on the top ten will receive a custom designed t-shirt (sponsored by WhiteHat Security).

Top Ten Web Hacking Techniques of 2010!

1) 'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET) -- Juliano Rizzo (@julianor), Thai Duong (@thaidn)
2) Evercookie -- Samy Kamkar (@samykamkar)
3) Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer) -- Jeremiah Grossman (@jeremiahg)
4) Attacking HTTPS with Cache Injection (Bad Memories) -- Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution -- Lavakumar Kuppan (@lavakumark)
6) Universal XSS in IE8 (CVE, White Paper) -- Eduardo Vela (@sirdarckcat), David Lindsay (@thornmaker)
7) HTTP POST DoS -- Wong Onn Chee, Tom Brennan (@brennantom)
8) JavaSnoop -- Arshan Dabirsiaghi (@nahsra)
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning -- Robert "RSnake" Hansen (@rsnake)
10) Java [...]

How-to send HTML email, XSS testing WebMail systems


If you come across a WebMail system that supports HTML email (no JavaScript) like GMail, Y! Mail, and Hotmail, then it's extremely helpful to know exactly how to send HTML email to test those anti-XSS filters. I don’t recall seeing a how-to on the subject anywhere in the webappsec circles. Sending arbitrary HTML email, laced with filter-evading JavaScript, requires only a specially crafted text file and a Unix command line. Copy / Paste the following into a plain text file (email.txt):
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

The trailing dot is not a typo: it terminates the message, so make sure the file always ends with it. Second, leave the Content-Type, Content-Transfer-Encoding, and MIME-Version headers as they are. Beyond that, you are free to modify and insert your HTML/JavaScript injections wherever you’d like, including the email subject and content body. You can also spoof the return email address and add arbitrary email headers using the same format. Once you have something you want to send, type this Unix command:

> sendmail -t < email.txt

The -t flag tells sendmail to read the recipient addresses from the message's own headers (To:, Cc:, Bcc:), and the redirect feeds whatever you named your email text file to sendmail. That’s it! Happy XSS hunting!
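As an added helper, not the post's own script, the following Python builds the email.txt described above and checks the constraints the fixed headers impose (ASCII-only data for 7bit, no newlines inside header values, no lone "." line in the body, trailing dot present); the addresses, subject and body used with it are constructed placeholders, and the only assumption is that the output is fed to sendmail -t exactly as in the post.

```python
from typing import Dict, Optional

# Headers the how-to says to leave exactly as they are.
REQUIRED_HEADERS = {
    "MIME-Version": "1.0",
    "Content-Type": "text/html; charset=us-ascii",
    "Content-Transfer-Encoding": "7bit",
}


def build_html_email(to_addr: str, from_addr: str, subject: str, html_body: str,
                     extra_headers: Optional[Dict[str, str]] = None) -> str:
    """Return the text that `sendmail -t < email.txt` expects, enforcing what the
    fixed headers promise (7bit => ASCII only) and refusing header injection."""
    headers = dict(REQUIRED_HEADERS)
    headers.update({"To": to_addr, "From": from_addr, "Subject": subject})
    headers.update(extra_headers or {})
    for name, value in headers.items():
        if "\r" in value or "\n" in value:
            raise ValueError(f"newline in header {name!r}")
    # A body line that is just '.' would end the message early, since sendmail
    # (without -i) treats it as the terminator, so refuse it.
    if any(line == "." for line in html_body.splitlines()):
        raise ValueError("body contains a lone '.' line")
    text = "".join(f"{name}: {value}\n" for name, value in headers.items())
    text += "\n" + html_body.rstrip("\n") + "\n.\n"  # blank line, body, trailing dot
    if not text.isascii():
        raise ValueError("7bit declared but message contains non-ASCII characters")
    return text


def check_email_file(text: str) -> bool:
    """Sanity-check a hand-edited email.txt before piping it to sendmail."""
    head, sep, _body = text.partition("\n\n")
    if not sep:
        return False  # no blank line between headers and body
    found: Dict[str, str] = {}
    for line in head.split("\n"):
        name, colon, value = line.partition(":")
        if not colon:
            return False  # malformed header line
        found[name.strip()] = value.strip()
    if any(found.get(k) != v for k, v in REQUIRED_HEADERS.items()):
        return False  # one of the fixed headers was altered
    if "To" not in found:
        return False  # sendmail -t reads recipients from To:/Cc:/Bcc:
    return text.endswith("\n.\n") and text.isascii()
```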

The Application Security Spending Conundrum


Recently I needed to purchase automobile insurance. To obtain a quote, the online insurer asked my age, where I lived, how much I drive and where, the year, make, and model of my cars, about my driving record, and how much coverage I wanted. Behind the scenes, they likely took these data points, applied them to some vehicle claim actuarial data, and presented me with a rate based upon MY effective overall risk score. The process made sense, the price was fair, and I ended up buying.

This got me thinking. What if instead the insurer had said, “We’ll give you the same coverage as everyone else who applied, add some protection for a new, obscure, scary-sounding road hazard, and bill you 15% over last year.” Without taking anything at all about ME into account, it would seem that there was no real risk management involved in their decision-making. As a consumer, I would reject this offer. Clearly this makes zero sense. Ridiculous as this scenario sounds, isn’t this fairly similar to the process of creating information security budgets?

Gunnar Peterson explains it best: “Security budgets are often based on a combination of last year's spending, this year's threat(s) du jour, and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s.” I agree, and I think this is precisely why we see so many organizations spending a larger percentage of their budgets protecting their networks and infrastructure, as opposed to their applications, where the largest chunk of IT dollars are invested. In Gunnar’s words, “...they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control...” Worse still, this budget misallocation persists despite real-world data revealing where the real threats are (at the application layer, Verizon’s DBIR) and in stark contrast to the infosec pros’ own stated priorities.

A survey conducted by FishNet Security of IT pros and C-level executives from 450 Fortune 1000 companies found that: “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)." The report goes on to say, "Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." This is pretty funny, because Mobile, Social Networking, and Cloud attacks specifically bypass those firewall investments.

To resolve this spending conundrum, and begin closing the application security gap, I see two options:

1) Information security professionals must align their investments with business priorities, which is what Gunnar wisely advocates. He says, “the biggest line item in [non-security] spending should match the biggest line item in security.” In almost every enterprise, this would mean redirecting network security dollars to application security. Even if this approach[...]

Final Fifteen - Web Hacking Techniques


Open community voting completed last week. From the ~67 Web hacking techniques, we’ve gotten down to the final fifteen (see below). Congratulations to all the researchers whose work made it. Also, thank you very much to all those who took the time to complete the survey. There were a total of 74 respondents, 63% of which were “Breakers” and the other 37% “Builders.” Good representation.

Now it’s time for the final phase, where our panel of security experts vote on the list (same position point system) to determine the Top Ten Web Hacking Techniques of 2010. All those on the panel have substantial industry technical experience, domain knowledge in application security, and do not have entries on the list. This year we’re very pleased to have:

Ed Skoudis (InGuardians Founder & Senior Security Consultant)
Giorgio Maone (Author of NoScript)
Caleb Sima (CEO, Armorize)
Chris Wysopal (Veracode Co-Founder & CTO)
Jeff Williams (OWASP Chairman & CEO, Aspect Security)
Charlie Miller (Consultant, Independent Security Evaluators)
Dan Kaminsky (Director of Pen-Testing, IOActive)
Steven Christey (Mitre)
Arian Evans (VP of Operations, WhiteHat Security)

Final Fifteen

A Twitter DomXss, a wrong fix and something more
Attacking HTTPS with Cache Injection
Breaking into a WPA network with a webpage
Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
Cross Site URL Hijacking by using Error Object in Mozilla Firefox
Evercookie
HTTP POST DoS
Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
Java Applet DNS Rebinding
JavaSnoop
NAT Pinning: Penetrating routers and firewalls from a web page
Next Generation Clickjacking
'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET)
Universal XSS in IE8 (CVE, White Paper)

Hack Yourself First: Jeremiah Grossman [...]