Archive for January, 2009

Black Hat DC 2009 Presentation

Posted in Application Security, Conferences on January 28, 2009 by Matthew Flick

My abstract for this year’s Black Hat DC was picked up. I’ll be presenting the XSS Anonymous Browser tool, or XAB for short. I’m currently hammering out some of the more technical aspects of the tool, but I’ll have a working proof of concept ready for the conference. Plus, if there’s time (who am I kidding?), I’ll release a second tool that is a great defense against the attack vectors that XAB utilizes. You can read more about the XAB tool presentation at the Black Hat DC 2009 Speakers Briefings page.

For those of you in the Tampa area, I will be presenting the same tool at the OWASP Tampa meeting on February 18. You can check out the Tampa Chapter’s page here.

I hope to see you at either or both presentations and SafeSurfing…


Who needs defense in depth when you have a CIP firewall?

Posted in Government on January 25, 2009 by Tim

For this avid 24 watcher, this season has been hard to watch. Granted, 24 has always pushed the envelope of “believability,” but this season may just force me to succumb to my wife’s Monday night addiction to Jon & Kate Plus 8.

For those of you who aren’t following the show, basically the US government has a “mother” firewall that protects all of its networks, including the FAA and every public utility. (The official CIP page is located here.) The bad guys have developed a hardware appliance that can bypass the firewall and give them access to any of the networks it protects. (Apparently this hardware appliance has a tendency to overheat, but don’t worry, the designer figured out how to fix that! Phew!)

With the bad guys possessing such a powerful piece of technology, the US’ foreign policy is being threatened. I’ll completely ignore the fact that I know that all of these networks are not connected, and believe that the clandestine services can’t determine source IP addresses. Then I’ll suspend reality even more, and believe that there is such a “mother” firewall and that the bad guys can do whatever they please to the protected networks.

So…What can we do? Do we have to yield to the demands of the bad guys? Apparently so…

So it’s obvious that I am on a rant, but what irks me the most about this year’s plot is that the President in the show actually stated a viable solution. She said something to the effect of “Isn’t it just technology? Can’t we just unplug it?”

Yes, just unplug it. That’s my recommendation. Weighing the threat of US casualties or succumbing to the demands of terrorists against the downtime of the CIP firewall, I would opt for unplugging the brilliant idea known as the CIP firewall.

It’s obvious how frustrated I am with this year’s plot. But hey, if this situation mimics reality, I would hope that Obama’s new Cyber-Security czar would look for both technical and non-technical solutions to such a problem. If not, looks like there may be a lot of money to be made in educating the US government on concepts their own agencies developed.