Daily Dave Mailing List

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

List Archives

Year   Jan–Mar  Apr–Jun  Jul–Sep  Oct–Dec
2009   143      146      129      40
2008   161      136      252      134
2007   324      209      176      193
2006   270      220      315      318
2005   352      399      408      281
2004   247      204      294      361
2003: 84

Latest Posts

MITM Attack on Smartphones whitepaper Mayank Aggarwal (Nov 05)
SMobile has released a detailed report on research indicating that smartphone users are just as susceptible to
man-in-the-middle (MITM) attacks as PC users. This report details the results of attempts to produce MITM attacks to
determine whether it is possible to intercept SSL encrypted communications between various smartphone devices and
servers. Of the devices that were tested, each of the major smartphone operating systems appeared to lack...

Re: PrevX and other projects Shane Macaulay (Oct 30)
The chart on their main page would be a lot more compelling if they had
conversely applied whatever method they used to collect that information.

"These statistics are provided to show that all vendors miss threats
and cannot be interpreted to compare the effectiveness of one product to
another."

That seems to indicate they would show us their failure rate when
compared to these vendors? And...

PrevX and other projects dave (Oct 28)
So you can read one Immunity deliverable linked here:
http://www.prevx.com/ (look for "Independent Review").

Likewise, if you have wondered where all the Immunity Debugger scripts
ran off to, they were on the old Immunity Forum. We ripped the old forum
content out of the old database and imported into the new hotness, so
you can see them all here:
https://forum.immunityinc.com/. I don't think Google spiders HTTPS sites
for some reason...

B. Aggressive. B. E. Aggressive. (or "One 0day is enough") dave (Oct 27)
When you go into security consulting engagements with a new business
unit you usually face a few questions from the developers and business
owners. "What is it exactly that you're going to tell us?"

We always answer this the same way: "Things that will surprise you."

Most developers have read a lot about security these days - they
understand SQL Injection, Cross Site Scripting, access control, not to
use their own...

Last mile || InfoSys 2010 [ICAS, ICNS, INTENSIVE, LMPCNA] March 7-13, 2010 - Cancun, Mexico Jaime Lloret Mauri (Oct 26)
Last mile || InfoSys 2010 [ICAS, ICNS, INTENSIVE, LMPCNA] March 7-13,
2010 - Cancun, Mexico

INVITATION

Note that we are entering the last few days of submission for the events
collocated in Cancun, Mexico

Please consider contributing and encourage your team members and fellow
scientists to contribute to the following federated events.

The submission deadline has now been moved to November 1, 2009.

Publisher: CPS ( see:...

Re: Friday afternoon RAND fail. :> dave (Oct 26)
In related news, VulnDisco has Solaris 0day this month.
https://forum.immunityinc.com/board/thread/63/vulndisco/?page=1#post-63

One of the people who did peer review for that RAND paper emailed me.
I'll leave what he said private though. I'm sure the author (Martin C.
Libicki) has had enough people annoying him over it this morning. :>

-dave

Gunter Ollmann wrote:
...

Re: Friday afternoon RAND fail. :> Travis Carelock (Oct 23)
From Rand's new whitepaper on Cyberwarfare (pg. 73):

http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

"""
      The following hints may be indicative. Private hackers are more
likely to use techniques that have been circulating throughout the
hacker community. While it is not impossible that they have managed
to generate a novel exploit to take advantage of a hitherto unknown
vulnerability, they are unlikely to have...

Re: Friday afternoon RAND fail. :> Gunter Ollmann (Oct 23)
From Rand's new whitepaper on Cyberwarfare (pg. 73):

http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

"""
The following hints may be indicative. Private hackers are more
likely to use techniques that have been circulating throughout the
hacker community. While it is not impossible that they have managed
to generate a novel exploit to take advantage of a hitherto unknown
vulnerability, they are unlikely to have more...

Friday afternoon RAND fail. :> dave (Oct 23)
From Rand's new whitepaper on Cyberwarfare (pg. 73):

http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

"""
The following hints may be indicative. Private hackers are more
likely to use techniques that have been circulating throughout the
hacker community. While it is not impossible that they have managed
to generate a novel exploit to take advantage of a hitherto unknown
vulnerability, they are unlikely to have more...

Re: Exploits matter. security curmudgeon (Oct 22)
Based on discussion from this thread and internal chat:

http://blog.osvdb.org/2009/10/22/classification-exploit-status-overhaul#

Classification: Exploit Status Overhaul

Posted by jericho 31 minutes ago
OSVDB's classification system is designed to categorize certain attributes
of a vulnerability. This facilitates custom searches by a specific
attribute, helps researchers develop metrics and gives a better picture of
the vulnerability...

Re: Solvers! nnp (Oct 22)
The architecture and design of the basic algorithm behind most solvers
we use for input generation was first described in 1960 (the DPLL
algorithm) so I think we're safe from the patent mongers there ;-) As
for the logic-specific parts of the solvers, most are described in
academic papers spanning the last 40 years so I presume that
constitutes 'prior art'.

I don't know of anybody working on designing or implementing the
modern crop of SMT...

Solvers! dave (Oct 21)
I'm trying to get a django app built so I can demo some of our new tech,
but it's slow going. In the meantime today's extra credit reading and
viewing:

http://seanhn.wordpress.com/ (solver->exploits blog and paper)

http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V7-Halvar_Flake-Need_New_Tools.mp4

That's probably Halvar's best talk - in it he chats about solving input
crafting issues with large equation solvers (from 2006 so...

SOURCE Boston 2010 Call for Papers Christien Rioux (Oct 19)
SOURCE Boston 2010 Call for Papers is Now Open!

SOURCE Boston 2010
April 21-23, 2010
Seaport Hotel
www.sourceconference.com

SOURCE is the first and only conference combining advanced technology
and security practices with the business of security. With thoughtful
attention to detail and emphasis on high quality and compelling
technical content, SOURCE is committed to delivering valuable
information in a high energy and fun environment.

SOURCE...

CanSecWest 2010 CALL FOR PAPERS (deadline Nov 30, conf. Mar22-26) and PacSec (Nov 4/5) Selections Dragos Ruiu (Oct 19)
We extend our apologies if you are inconvenienced by multiple copies of this message.

We would like to announce the PacSec 2009 Paper Selections, and
the opening of the 2010 CanSecWest Call For Papers. Given
the proximity of the Winter Olympics in Vancouver one month
before the conference, we would advise all planning to attend
to make travel preparations well in advance for next year...

PacSec 2009 Presentations

Keynote Presentation...

[NPA] Call for Papers: International Journal of Network Protocols and Algorithms Jaime Lloret_Mauri (Oct 10)
********************* Call for Papers for Vol 1, Issue 2 *********************

Network Protocols and Algorithms

ISSN 1943-3581

http://www.macrothink.org/journal/index.php/npa/

Network Protocols and Algorithms is a free online international journal, peer-reviewed and published by Macrothink
Institute. It publishes papers focused on the design, development, management, optimization or monitoring of any type of network
protocol, communication system,...

More Lists

Dozens of other network security lists are archived at SecLists.Org.

