REcon 2010

This last weekend I took a trip up to Montreal for REcon.  If you’re unfamiliar with REcon, it’s a small security conference focused on topics most interesting to reverse engineers.  As such, the talks are more technical than you will find at other more mainstream conferences like BlackHat or DEFCON, and generally require a certain level of expertise as a baseline.  If you don’t understand assembly language, you’ll probably not [...]

MD5? Really?

First let me say that this article is not meant to diminish the work that Alexander Sotirov et. all have been doing for the past 6 months.  It’s good work, has brought about some awesome results, and has demonstrated what was once a theoretical attack on PKI certificates based on MD5 hash collisions.  What I’m amazed at is that it had the impact that it actually did. […]

The Folly of a Scheduled Patch Release Cycle

A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers.  Since then, many other vendors have followed suit.  There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand [...]

Configuring DNSSEC in BIND

DNSSEC, which I mentioned in my previous post about mitigation for Kaminsky’s recent DNS cache poisoning flaw, are the SECurity extensions for the Domain Name System (DNS). It essentially adds cryptography to DNS, allowing authoritative nameservers to cryptographically sign their zones and resource records, which in turn allows caching/recursive nameservers to verify them. This prevents attacks against the recent cache poisoning flaw by allowing the nameserver under attack to verify [...]

How to Really Fix Your DNS

Obviously the first thing everyone should be doing is to apply the patches that the major vendors rolled out, and do it quickly.  It is no longer the time for debate in regard to whether or not you really do need to patch… the answer to that question is quite clear; Yes.  Yes you do. Stop reading this, go to your vendor right now, and get the patches. Then apply [...]