genieyclo + security   27

en_analyse_herpnet - malware-lu - Malware.lu technical analysis - Google Project Hosting
We received a new sample from our submit mechanism. This sample is a botnet HTTP client called HerpesNet. The md5 of the sample is db6779d497cb5e22697106e26eebfaa8. We started the analysis when we found a way to manage the command & control...
security  botnets  malware  golden:malware  analysis  papers  asm  c&c 
7 days ago by genieyclo
Bless Hex Editor
Bless is a high quality, full featured hex editor.
It is written in mono/Gtk# and its primary platform is GNU/Linux. However, it should be able to run without problems on every platform that mono and Gtk# run on.
hex  editor  software  opensource  security  appsec 
13 days ago by genieyclo
How I Collect Passwords « Xato
Some of you out there know that I have been collecting passwords for quite some time. Since 1998 to be exact. Originally I did it just to have big wordlists for password cracking, then I started gathering them for research on my Perfect Passwords book, finally it became like a big ball of string where you just do it because it makes no sense to stop now. My list currently contains about 6 million unique username/password combinations (not counting those from public lists from Gawker, RockYou, and others).
So I thought that some people might be interested in how I collect these passwords. Note that all of these passwords have already been made public and can easily be found by anyone. There are no passwords on my list that have not already been made public. Also note that so far I have never shared this list with anyone.
security  passwords  infosec 
4 weeks ago by genieyclo
Douglas Crockford: Principles of Security - YouTube
In this talk from the March 5, 2012 BayJax event at Yahoo!, Douglas Crockford outlines the basic principles of designing secure software, with a focus on web applications. With his usual sardonic wit, he starts at the beginning (almost literally -- with the invention of language itself) and makes a strong case for designing secure software based on fundamental principles rather than specific techniques, tricks, or hacks.
security  appsec  netsec  infosec  javascript  talks  lectures  videos  towatch 
6 weeks ago by genieyclo
Category:OWASP WebGoat Project - OWASP
WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
security  hacking  sqli 
8 weeks ago by genieyclo
http://the-b.org/~kenny/bingo.txt
Bug report bingo card:

This is insanely critical and needs to be resolved because:

( ) I run an organization with _____ (e.g., 100,000) direct reports which cannot use this until it's resolved

( ) I will switch back to _____ (a different product) if it's not resolved

( ) My enterprise requires this feature (and also N other features which I will only reveal to you one by one as critical issues blocking once the previous one is resolved)

( ) _____ (a different product) has been doing this for N time units (e.g., 500 years)

( ) It's the last issue preventing me from buying this

( ) It's simply unbelievable that this hasn't been addressed

( ) It's useless without this one feature

( ) I agree with the other commenters

( ) I am going to contact all the media outlets if this feature is not added

( ) YOU SAY IT'S FIXED BUT I SAY IT'S NOT BECAUSE OF X

( ) This just totally blows my mind that you say it has been fixed, but this device I bought 2 years ago doesn't have the update installed on it yet and it's been at least 2 HOURS since you posted

( ) STOP BEING ------- LAZY
security  bugs  bugreport  calls  support  architecture  tips  guides  infosec  appsec 
12 weeks ago by genieyclo
destroy.net/machines/security/P49-14-Aleph-One
`smash the stack` [C programming] n. On many C implementations
it is possible to corrupt the execution stack by writing past
the end of an array declared auto in a routine. Code that does
this is said to smash the stack, and can cause return from the
routine to jump to a random address. This can produce some of
the most insidious data-dependent bugs known to mankind.
Variants include trash the stack, scribble the stack, mangle
the stack; the term mung the stack is not used, as this is
never done intentionally. See spam; see also alias bug,
fandango on core, memory leak, precedence lossage, overrun screw.
C  security  stacks  hacking  genius  awesome  phrack  magazine  history 
february 2012 by genieyclo
Writing a stealth web shell - Just Another Hacker
People keep referring to the htshells project as stealth!?!?!?!? They are very unstealthy, leaving plenty of evidence in the logs, but it did get me thinking, what would a .htaccess stealth shell look like? In order to claim the status of "stealth" the shell would have to meet the following requirements:
No bad function calls
Hidden file
Hidden payload
Hidden url
WAF/IDS bypass
Limited forensic evidence
Looks like a small list, shouldn't be too hard....
security  shells  reverseshell  hacking  htaccess  favicon  apache  interesting  awesome  analysis 
february 2012 by genieyclo
Using OAuth 2.0 to Access Google APIs - Authentication and Authorization for Google APIs - Google Code
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports several OAuth 2.0 flows that cover common web server, JavaScript, device, and installed application scenarios.
OAuth 2.0 is a relatively simple protocol and a developer can integrate with Google's OAuth 2.0 endpoints without too much effort. In a nutshell, you register your application with Google, redirect a browser to a URL, parse a token from the response, and send the token to the Google API you wish to access.
This article gives an overview of the OAuth 2.0 scenarios Google supports and provides links to more detailed content.
Given the security implications of getting the implementation correct, we strongly encourage developers to use OAuth 2.0 libraries when interacting with Google's OAuth 2.0 endpoints (see Client libraries for more information). Over time, more features will be added to these libraries.
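The "register, redirect, parse a token, send the token" sequence in the bookmark above, written out as an added example of the web-server (authorization-code) flow. This is not Google's code or a Google client library: the endpoint URLs, client ID, secret and redirect URI are assumptions chosen for illustration, and the callback URL and token response are constructed inline so the block runs offline. The one thing the overview does not spell out and a practitioner should not skip is the `state` parameter: it is generated per session and checked on the callback, which is what stops an attacker from splicing their own authorization code into a victim's session.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint URLs and client identifiers are assumptions for illustration,
# not values taken from the bookmarked page.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example/oauth2/callback"


def new_state():
    """Unguessable per-session value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(scope, state):
    """Step 2 of the flow: the URL the user's browser is redirected to."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",   # authorization-code flow (web server)
        "scope": scope,
        "state": state,
        "access_type": "offline",  # ask for a refresh token as well
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 3: pull the authorization code out of the redirect back to us.

    Raises ValueError if the provider reported an error, the state is missing
    or differs from the one saved in the session, or no code was returned.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF / code injection")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code):
    """Form body of the POST to TOKEN_ENDPOINT that swaps the code for tokens."""
    return urlencode({
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,    # must match the one used in step 2
        "grant_type": "authorization_code",
    })


def parse_token_response(body):
    """Step 4: read the bearer token from the token endpoint's JSON reply."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token endpoint returned error: %s" % data.get("error"))
    return data["access_token"], data.get("refresh_token"), data.get("expires_in")


def bearer_header(access_token):
    """Header attached to every subsequent API request."""
    return {"Authorization": "Bearer " + access_token}


# Constructed sample callback and token response so the flow runs offline.
SAMPLE_STATE = "abc123"   # real code: new_state(), saved in the user's session
SAMPLE_CALLBACK = REDIRECT_URI + "?state=abc123&code=4%2FsampleCode"
SAMPLE_TOKEN_JSON = ('{"access_token": "ya29.sample", "expires_in": 3599, '
                     '"refresh_token": "1//sampleRefresh", "token_type": "Bearer"}')

if __name__ == "__main__":
    print(build_authorization_url("https://www.googleapis.com/auth/userinfo.email", SAMPLE_STATE))
    code = parse_callback(SAMPLE_CALLBACK, SAMPLE_STATE)
    print(token_request_body(code))
    print(bearer_header(parse_token_response(SAMPLE_TOKEN_JSON)[0]))
```

The network calls (the browser redirect and the POST to the token endpoint) are deliberately left out; what the example shows is the data each step produces and the checks that belong between them. As the bookmarked overview says, a maintained client library is still the right choice in production; this block is for understanding what that library is doing.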
oauth  docs  auth  security  login  register  accounts  MVP 
february 2012 by genieyclo
crypto-js - JavaScript implementations of standard and secure cryptographic algorithms - Google Project Hosting
Crypto-JS is a growing collection of standard and secure cryptographic algorithms implemented in JavaScript using best practices and patterns. They are fast, and they have a consistent and simple interface.
cryptography  javascript  security  encryption  webdev  js  ecmascript  golden:javascript  golden:crypto 
january 2012 by genieyclo
12 resolutions for programmers
It's important for programmers to challenge themselves.

Creative and technical stagnation is the only alternative.

In the spirit of the new year, I've compiled twelve month-sized resolutions.

Each month is an annually renewable technical or personal challenge:
advice  health  programming  career  jog  golden:life  life  security  tips  blog  smart 
january 2012 by genieyclo
Commit a311805c8598232b14a40a561bb4dc9528e707ee to reddit/reddit - GitHub
Switch to bcrypt for password hashing.
Transparently upgrades passwords on next login.
bcrypt  security  reddit  git  encryption 
november 2011 by genieyclo
Portable PHP password hashing ("password encryption") framework
This is a portable public domain password hashing framework for use in PHP applications. It is meant to work with PHP 3 and above, and it has actually been tested with at least PHP 3.0.18 through 5.3.0 so far.

The preferred (most secure) hashing method supported by phpass is the OpenBSD-style Blowfish-based bcrypt, also supported with our public domain crypt_blowfish package (for C applications), and known in PHP as CRYPT_BLOWFISH, with a fallback to BSDI-style extended DES-based hashes, known in PHP as CRYPT_EXT_DES, and a last resort fallback to MD5-based salted and variable iteration count password hashes implemented in phpass itself (also referred to as portable hashes).

To ensure that the fallbacks will never occur, PHP 5.3.0+ or the Suhosin patch may be used. PHP 5.3.0+ and Suhosin integrate crypt_blowfish into the PHP interpreter such that bcrypt is available for use by PHP scripts even if the host system lacks support for it.
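Two ideas from the reddit commit and the phpass entry above, shown together in one added example: the stored string carries a `$scheme$` prefix so the verifier can recognise which algorithm produced it (as phpass does with CRYPT_BLOWFISH / CRYPT_EXT_DES / its portable hashes), and a record in a stale scheme is re-hashed with the preferred one on the next successful login, which is the only moment the plaintext is available. This is neither reddit's nor phpass's code. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for bcrypt as the "preferred" scheme; the legacy salted-SHA-1 scheme and both record formats are this example's own.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 plays the role bcrypt plays in the bookmarked
# projects; record formats ($sha1$..., $pbkdf2-sha256$...) are this example's.
PREFERRED_ITERATIONS = 200_000


def hash_preferred(password, iterations=PREFERRED_ITERATIONS, salt=None):
    """Preferred scheme: per-user random salt, tunable work factor."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def hash_legacy(password, salt):
    """The weak scheme being migrated away from: one round of salted SHA-1."""
    return "$sha1$%s$%s" % (salt, hashlib.sha1((salt + password).encode()).hexdigest())


def verify(password, record):
    """True if password matches record, whichever scheme produced it."""
    fields = record.split("$")
    scheme = fields[1]
    if scheme == "pbkdf2-sha256":
        _, _, iters, salt_hex, digest_hex = fields
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    if scheme == "sha1":
        _, _, salt, _ = fields
        return hmac.compare_digest(hash_legacy(password, salt), record)
    raise ValueError("unknown hash scheme: " + scheme)


def needs_upgrade(record):
    """True unless the record is in the preferred scheme at the current cost.

    Raising PREFERRED_ITERATIONS later therefore triggers a re-hash too.
    """
    fields = record.split("$")
    return not (fields[1] == "pbkdf2-sha256" and int(fields[2]) >= PREFERRED_ITERATIONS)


def login(users, username, password):
    """Check credentials; on success, transparently re-hash stale records.

    `users` maps username -> stored record and is mutated in place, standing
    in for the database write a real application would make.
    """
    record = users.get(username)
    if record is None:
        return False
    if not verify(password, record):
        return False
    if needs_upgrade(record):
        # Only possible here: this is the one point where the plaintext is known.
        users[username] = hash_preferred(password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_legacy("hunter2", "s4lt")}   # constructed sample user
    print("before:", users["alice"])
    print("login ok:", login(users, "alice", "hunter2"))
    print("after: ", users["alice"])
```

Note what the scheme prefix buys on the failure path: a record in an unknown scheme raises rather than silently failing to verify, so a botched migration surfaces as an error instead of locking users out quietly.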
security  authentication  encryption  php  libs  bcrypt 
november 2011 by genieyclo
bobby-tables.com: A guide to preventing SQL injection
There is only one way to avoid Bobby Tables attacks

Do not create SQL statements that include outside data.
Use parameterized SQL calls.

That's it. Don't try to escape invalid characters. Don't try to do it yourself. Learn how to use parameterized statements. Always, every single time.

The strip gets one thing crucially wrong. The answer is not to "sanitize your database inputs" yourself. It is prone to error.
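The rule above, shown as an added example rather than a quote: the same lookup written by pasting outside data into the statement and written with a placeholder, run against a constructed in-memory SQLite table (sample rows, not real data). This is not bobby-tables.com's code. The `' OR '1'='1` payload turns the string-built query into "return every row"; the parameterized version treats the same bytes as an ordinary name and finds nothing. The second pair uses a multi-statement API to reproduce the strip's DROP TABLE, which only succeeds on the string-built path.

```python
import sqlite3

# Constructed sample data and attacker inputs for the demonstration.
BYPASS_PAYLOAD = "' OR '1'='1"
BOBBY_PAYLOAD = "Robert'); DROP TABLE students;--"


def make_db():
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students (name, grade) VALUES (?, ?)",
                     [("Alice", "A"), ("Bob", "B"), ("Carol", "C")])
    return conn


def table_exists(conn, table):
    row = conn.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
                       (table,)).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn, name):
    """Outside data pasted into the statement: the mistake the page warns about."""
    sql = "SELECT name, grade FROM students WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a placeholder: the value travels separately from the
    SQL text, so it cannot change the statement's structure."""
    return conn.execute("SELECT name, grade FROM students WHERE name = ?",
                        (name,)).fetchall()


def insert_vulnerable(conn, name):
    """String building plus an API that runs several statements: Bobby Tables.
    Returns whether the table survived."""
    conn.executescript("INSERT INTO students (name) VALUES ('%s');" % name)
    return table_exists(conn, "students")


def insert_parameterized(conn, name):
    """The payload is stored as a literal name; the table survives."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    return table_exists(conn, "students")


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup:   ", lookup_vulnerable(conn, BYPASS_PAYLOAD))
    print("parameterized lookup:", lookup_parameterized(conn, BYPASS_PAYLOAD))
    print("table after safe insert:", insert_parameterized(conn, BOBBY_PAYLOAD))
    print("table after vulnerable insert:", insert_vulnerable(conn, BOBBY_PAYLOAD))
```

Note that `sqlite3.Cursor.execute` refuses to run more than one statement, which is why the DROP needs `executescript` to land here; that is a property of this driver, not a defence to rely on, and the string-built SELECT is exploitable through `execute` alone.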
sqli  sql  database  programming  security  mysql  postresql 
october 2011 by genieyclo
WebAppSec/Secure Coding Guidelines - MozillaWiki
The purpose of this page is to establish a concise and consistent approach to secure application development of Mozilla web applications and web services. The information provided here will be focused towards web based applications; however, the concepts can be universally applied to applications to implement sound security controls and design.

This page will largely focus on secure guidelines and may provide example code at a later time.
security  MVP  webdev  webdesign  startups  guides  tutorials  infosec  netsec  mozilla 
october 2011 by genieyclo
Dandies.org - Python
Here are some scripts I gather from the web. Most of them are simple and just do their job, they are great to practice and learn from.
These tools are written for educational purposes only. Use them at your own risk. I will not be responsible for any damage!
python  scripts  security  cracking  interesting  tools  education  oss  ssh  infosec  guides  tutorials  snippets 
august 2011 by genieyclo
Hacker News | Ask HN: How do start-ups deal with (black hat) hackers?
With all of the start-ups coming out of YC, I would imagine it's just a matter of time before one falls prey to a successful attack--sql injection, xss, etc. Any start-uppers on here have experience defending their turf? How does a cash-stretched start-up devote enough time to security when a million other things are calling for attention?
security  startups  defense  MVP  growth  hackers 
june 2011 by genieyclo
Reverse Engineering Mac Defender ...
This is an article about reverse engineering a part of the prominent "Mac Defender" malware - namely the part that downloads the main malware onto a user's Mac. As mentioned in the title this text is mainly written for people who have no experience with reverse engineering. Thus you will only need very basic understanding of x86 assembly, x86 calling conventions and a little Objective-C (reading the wikipedia article should be enough).
malware  research  reverseengineering  security  mac  osx  software  hacking  cool  tutorial  guides  reference 
june 2011 by genieyclo
Hello Ruby Hackers, what is the best way to implement a secure login for a small web app? : ruby
I'm just getting started with Ruby so please forgive the possibly noobish question. The webapp I'm trying to develop is currently based on sinatra and I'm not sure what the best way to implement secure login feature is. I've found this: [1] http://rubygems.org/gems/sinatra-security project which seems good but it isn't listed on the [2] official sinatra extensions site so I'm not sure if it's legit.
ruby  security  sinatra  login  registration  CRUD  webapps  awesome  questions  reddit 
may 2011 by genieyclo
Eran Tromer's home page
Read Technical Tid Bits portion all the way at the bottom
crypto  cryptography  security 
june 2009 by genieyclo
