It’s been quite a while since I’ve posted anything here other than the occasional conference report, and there are many more of those in draft form from the past two years that I didn’t even get around to finishing up and actually posting… This is due to a variety of reasons, some of which include a complete change in career focus a couple years ago involving going into business for myself, and having very little free time due to the myriad of things I’ve got going on. This, however, needs to change, as I need at least one outlet for my thoughts that isn’t constricted to 140 characters or the no-frills formatting that most of the social networks provide. That said, it is my intention to write here more often, beginning with this post and continuing with more to follow over the next few weeks, mostly about the various ventures I’ve begun or have become involved in over the past few years.
Archive for the ‘employment’ Category
While working for TippingPoint’s DVLabs, I was fortunate enough to not be held to any kind of regular work schedule. Working in an almost pure research role, without the requirement of regularly interfacing with customers or even the rest of the DVLabs group, I had the opportunity to explore something that I’ve never really had the opportunity to before, at least not for extended periods of time: my body’s natural sleep cycle.
Since last Tuesday (Microsoft Patch Tuesday), I’ve taken a break from coding Application Protocol Simulators (the hot-button item at BreakingPoint right now) and worked on the Security side of the product. I’ve spent almost exactly one week working on a Strike-set for the MS08-033 AVI/MJPG vulnerability. The Strike-set includes 8 Strikes, all of which generate dynamic, randomized, malicious AVI files to attack and trigger the vulnerability. If you’re into vulnerability exploitation technology, you should check out the details over at my employer’s blog.
My second Microsoft Patch Tuesday at the new employer was fairly uneventful. This Tuesday there was only one patch rated critical, MS07-061, and as it turns out it was the bug that I had already worked on last week. Essentially all I had to do was update my strikes from last week with the new reference and rename them, and our team was essentially done. You can read the details about the patched vulnerability over at the BreakingPoint blog.
Today I stepped into a new role as a Security Researcher for BreakingPoint Systems. I will be working with the team that handles the security component of the flagship product, the BPS-1000, which is a load and security testing appliance used to test network devices such as switches, firewalls, and the types of products my previous employer produces, Intrusion Prevention (or Detection) Systems. For the most part I’ll be developing “strikes”, which are essentially attacks and exploits packaged in such a way that the product can launch them and verify whether or not the device under test has properly blocked or otherwise handled the offensive traffic. It’s a welcome change to move over to the offensive side of the game again, which is really where I’m most comfortable.
Apparently, my employer launched the new TippingPoint DVLabs website when I wasn’t looking. Click through and check it out, it’s pretty slick. Not only do they have bios of all the team members, but each member page pulls data from all the other areas of the site like upcoming and published advisories, appearances, blog posts, etc. in an aggregated list specific to that team member. And of course, the site has yet another blog for me to write for…
Cody Pierce, a colleague of mine at TippingPoint’s DVLabs, was recently profiled in an article by Dennis Fisher over at SearchSecurity.com. The article basically describes how Pierce went about discovering and disclosing an 0-day vulnerability in the Internet Help Control ActiveX component last April, which resulted in a patch from Microsoft last August.
To do this, he built a custom fuzzer to test large numbers of ActiveX controls and separate the wheat from the chaff. He wrote the fuzzer using the Python and Ruby programming languages and began looking for remotely exploitable vulnerabilities that posed a serious threat to Internet users.
“There are 4,000 ActiveX controls on a typical XP machine and I looked for the ones that could be loaded in Internet Explorer,” Pierce said. “Then I looked for the ones with problems and then the ones that were critical. I wanted to see what was exploitable and what was just a denial of service.”
The article then goes on to hint at a paradigm shift in vulnerability research that targets web and hosted software, noting that as more and more software packages are provided solely on the web or by ASPs it’s increasingly difficult for 3rd party researchers to target those pieces of software. Due to the fact that such software generally isn’t available outside of the ASP or company hosting the web application for testing in a controlled environment, targeting such applications for vulnerability research can be construed as an active and malicious attack.
Kudos to Pierce and TippingPoint for the excellent press coverage!
Today I’ve begun working for a new employer, TippingPoint, a division of 3Com. Essentially TippingPoint is a recent acquisition of 3Com’s and has become 3Com’s Security Research group. While working for TippingPoint, I’ll be doing a number of different things, primarily working with the TippingPoint Security Research (TSR) team who do product vulnerability assessment and verify Zero Day Initiative submissions. I’ll also be helping the Digital Vaccine team design IPS signatures to match said vulnerabilities and will be doing other various forms of original research. This also means I’ve moved from Dallas to Austin. Exciting (:
Last week, shortly after returning from the BlackHat / DefCon conferences in Vegas, I resigned my current position with Citadel Security Software to take a Vulnerability Research position with a start-up in the Internet Telephony industry called Sipera Systems. At Sipera I’ll be doing much more actual research than I was doing for Citadel, as I was in a multi-use group at Citadel whose other responsibilities fairly regularly trumped doing security research. I’m looking forward to the change and tearing apart some Internet Telephony products and protocols!