Congrats to UNC Charlotte



I had the chance to hang out at the SECCDC yesterday at Kennesaw State Univ.  For those not familiar with these events (I wasn’t either, until yesterday), you have colleges who bring in teams to defend against a ‘red team’.  UNC Charlotte defended their network better than the other colleges.  It was interesting to see these schools throwing in block filters, redirects, etc. on the fly.  Impressive from a bunch of college students.  The red team was equally impressive.  There wasn’t a box that they didn’t, at some point, root thoroughly…


One interesting note.  During the competition, there was a full power outage.  UPSes died.  Images were lost.  Router configs were killed.  It generally set the entire competition back a few hours (at least).  Just a reminder that physical security is every bit as important as the logical security….




New tool for your toolbox

Actually, the title of this blog is a bit misleading.  It should read “a new toolbox for your toolbox collection” :)

If you’ve ever done a web app pen test, you know that it gets messy really quick.  Add in source code auditing, screen shots, movie shots, reporting, etc. etc. and you end up with tons and tons of tools running, large folders of data, and a headache when it comes time to put all this data into a presentable format.

Dinis Cruz is hoping to relieve some of this headache with his new OWASP O2 platform.  This single interface ties together source code auditing, some penetration testing tools, integration with 3rd party scanners (in the future), windows productivity tools, movie editor, and a whole lot more.

I installed it and have been playing with it.  As with any toolbox, there will always be things you would like to see, but this beta release (1.2) has a ton of features and hooks for many more.

So, go and try it!  You can get the code from


More email fun

I love parsing public data.  I blogged about it here  about 4 years ago (wow, how time flies)

Now, there is a new set of email data from Supreme Court Justice nominee Elena Kagan which the Sunlight Foundation folks put into a nice gmail interface here:

Unfortunately, the dump from the archives looks to be in PDF format.  I’m hoping there is a way to get the plain text dump of these emails.  I’ve contacted the Sunlight guys and hope to get a chance to run some parsing algorithms shortly 😉

Update: Tom Lee and Jake Brewer quickly responded and shared their methodology with me (thanks guys!)…I’m downloading now and will be parsing shortly 😉

Last update:  After getting everything converted over to text, I ran a series of checks for different things like checking/saving accounts, ssn, credit card, pr0n, etc.  The only hits were a password to a non-existent site and some pr0n hits in the received box.  All in all, very tame stuff.

network scanners and flash

So, obviously, network and application scanners are targeting flash ‘.swf’ (swiff) files.  These scanners decompile and then do static analysis on the code.  Very cool stuff.  There are several that I know of that are handling swiff code in this manner.

1) SWFScan  (sorry for linking to a forum search, but there is no nice clean URI for this product)

2) Ratproxy which uses  Flare

If I had the time, I’d like to see how these automated scanners handle malformed swiff files (hack-a-hack attacks).

A quick question for those more familiar with flash security tools: is there an open source lib for decompiling flash swiff files?  Comment here or shoot me an email at