parsonsisconsulting

Parsons Software Security Consulting Blog

With Hackathons Taking Center Stage, The Coming Transformation Of The Computer Scientist

TechCrunch

When Dave Fontenot moved to the University of Michigan from his home in South Florida in the fall of 2011, he brought the standard equipment every freshman college student needs – clothes, shoes, books, and a backpack. One item, though, was missing.

“I didn’t own my own laptop,” he said.

That didn’t stop him from attending his first hackathon several weeks later at Hacka2thon, where he built his first website. The experience ignited his enthusiasm, and over the next two years, Fontenot would found and develop MHacks into one of the largest hackathons in the country, last month hosting more than 1,000 students from across the Midwest and the United States to Michigan for a weekend of coding. “#hellyeah,” as Fontenot puts it subtly.

For the first time next semester, more than 10,000 students are expected to participate in one of 10 mega-hackathons, in a discipline that graduated just…

Written by mparsons1980

February 16, 2014 at 4:37 am

Posted in Uncategorized

Kickstarter Hacked, Customer Addresses and Other Info Accessed

TechCrunch

These days, it really seems we can’t go a week without some big site getting hacked. The latest target? Kickstarter.

Kickstarter announced on its blog (and via an email sent to customers) that hackers had found their way into certain parts of their database.

The good news: No credit card information was accessed — and even if it somehow would’ve been, Kickstarter doesn’t store full credit card numbers.

The not-so-good-news: they’ve detected that the hackers were able to access a database that contained usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. That “encrypted” bit is a bit of a plus — but given that no encryption is uncrackable with the right resources, you should absolutely change your password anyway.

Kickstarter says they were alerted to the breach by law enforcement officials (which law enforcement group, specifically, wasn’t mentioned) on Wednesday night, that they immediately closed the exploit that…

Written by mparsons1980

February 16, 2014 at 4:33 am

Posted in Uncategorized

Secret To Launch A Bug Bounty Program As Soon As Today

TechCrunch

Today, for a brief time, a post on the secret sharing app Secret and an image on Twitter caused a twinge in the cockles of every user’s heart. The image appeared to indicate that your email — and therefore your identity — could be tied to your Secret posts.

Given that the vast majority of posts on Secret are stuff that would end up being really, really awkward to explain to friends and employers, that’s a genuine concern.

Twitter denizen Barce was one of the first to share a screenshot publicly that showed your own email (but not that of any other user) being passed as part of the stream of data from the app’s internal API.

The fact is that there was a very remote possibility of this being a problem in the long run — as it required that the ‘sniffer’ own the network that the device was…

Written by mparsons1980

February 13, 2014 at 4:47 am

Posted in Uncategorized

White House Unveils Cybersecurity Plan For Big Firms, Looks To Silicon Valley Next

TechCrunch

The Obama administration unveiled Wednesday a long-awaited plan for bolstering the cybersecurity of critical-infrastructure providers — including big information technology and communications companies — and is gearing up to try to enlist smaller Silicon Valley shops in its battle against hackers.

Top officials at the White House presented the so-called Cybersecurity Framework, a 39-page plan for the federal government and critical-infrastructure providers (both private and public) to share more data with each other about cyber threats. It was spurred by an executive order that President Obama signed in February 2013 calling for the National Institute of Standards and Technology and private firms to craft a voluntary framework for thwarting cyber attacks from nefarious hackers and nation states.

The new framework “provides, for lack of a better phrase, a common language to discuss cybersecurity,” Lisa Monaco, Obama’s counterterrorism adviser, said in an afternoon presentation.

The plan has three main parts, starting…

Written by mparsons1980

February 13, 2014 at 4:41 am

Posted in Uncategorized

IDA pro book review

Book Title: The IDA Pro Book, “The Unofficial Guide to the World’s Most Popular Disassembler”
Author: Chris Eagle
Publisher: No Starch Press
Publication Year: 2008
ISBN-10: 1-59327-178-6
Number of Chapters: 26
Number of Pages: 615
Book Price: $69.95
Content Rating: Very good

The IDA Pro Book, “The Unofficial Guide to the World’s Most Popular Disassembler” is probably the best book on disassembling and reverse engineering. Chris Eagle, the author, lives and breathes reverse engineering. The book discusses the techniques of reverse engineering in general but uses IDA Pro as its working example.

IDA Pro is the world’s most popular disassembler and allows users to reverse engineer binary and executable files without access to the source code.

I purchased the tool last year for around 600 US dollars. I have been using Eagle’s book as both an in-depth reference guide and a step-by-step manual. I have mastered most areas of Internet security but have not quite grasped reverse engineering. Eagle explains very complex computer algorithms in an easy-to-understand way without insulting the reader’s intelligence.

Reverse engineering is a bleeding-edge technology and the author keeps updating the book with new advances in the reverse engineering space. The book that I read was the 2008 edition, but there is also a 2011 edition with more up-to-date information.

For the beginner in reverse engineering, the author explains disassembly and reverse engineering in the first few chapters, allowing (and even telling) more advanced users to skip these chapters.

The IDA Pro Book gives a very good high-level overview of reverse engineering through its getting-started section and lots of excellent high-resolution pictures that help explain the topics.

It is also very helpful that Eagle includes actual screenshots from IDA Pro and maintains a website with exercises to help the reader learn in a more interactive way: http://www.idabook.com/

The website even includes the Conficker virus so that users can review actual exploit code. Reverse engineering is important when corporations want to analyze what viruses do and how they work.

I think the real golden nugget in this book is Part III, Advanced IDA Usage. It shows users how to customize their copy of IDA with configuration files.

The book also explains some very technical details: library recognition and FLIRT signatures, extending IDA’s knowledge, patching binaries and other IDA limitations, scripting with IDA, the IDA software development kit, the IDA plug-in architecture, binary files and IDA loader modules, IDA processor modules, compiler variations, obfuscated code analysis, vulnerability analysis, debugging, and the other operating systems on which you can use IDA Pro.

I personally purchased IDA Pro for my MacBook Pro. If I didn’t have this book I would be completely lost on how to use IDA Pro effectively. The built-in help inside IDA is sparse; this book bridges the gap and takes the user from beginner to expert with a lot of blood, sweat and tears saved.

My only real recommendation before buying this book is to make sure that you are serious about reverse engineering and have invested the 600 dollars in the full version of the tool. That is the only way you will get the full value of the book. IDA offers a free version of the tool, but you will only scratch the surface of reverse engineering if that is the only copy of IDA you have.

In short, this is the Bible of reverse engineering and Eagle is the expert in the domain. If you want the best and have the time to put into it, I recommend you buy IDA and the book.

Matt Parsons, CISSP, MSM mparsons@parsonsiconsulting.com 

Written by mparsons1980

February 12, 2014 at 3:20 pm

Intel’s Vision: Wearables Everywhere In A Post-Windows World

TechCrunch

At its CES-opening keynote, Intel laid bare its vision for computing in the future. If Microsoft is remembered for the once quixotic goal of ‘a computer on every desk,’ Intel has taken up the mantle of ‘a computer in every thing.’

Touting new hardware, new computing chips, and operating system agnosticism, Intel talked its way through gaming, sensors, smart gadgets, and more to draw the picture of its take on what is next for the technology industry.

At the core of its view is the idea of ‘smart,’ which is to say a regular item made intelligent through a firm dose of computing power. Its catalyst for this transmogrification is the Edison, a full computer the size of an SD card. Available in the middle of this year, the Edison runs Linux, and can bring the power of computing into a plethora of new environments.

During its keynote, Intel showed…

Written by mparsons1980

February 12, 2014 at 1:59 am

Posted in Uncategorized

Apple: $10B In App Store Sales In 2013, $15B Paid Out To Developers To Date

TechCrunch

CES? What CES? Apple never goes to the great big noisy consumer electronics show-off in the desert. But all the non iDevice-makers do — which is one reason it’s chosen today to make some noise of its own. In a release just put out, Cupertino said customers of its App Store spent more than $10 billion in 2013, including more than $1 billion shelled out on digital goodies for iOS devices in December alone.

The festive month also saw App Store customers download almost three billion iOS apps — which Apple said makes it the most successful month in the history of its App Store. Cumulative payouts from Apple to iOS app developers are now $15 billion, it added.

Another reason for Apple to want to loudly blow its own trumpet right now is to draw attention to smartphone profits vs marketshare. Yesterday data put out by marketshare watcher Kantar underlined…

Written by mparsons1980

February 12, 2014 at 1:53 am

Posted in Uncategorized