Our Blog

Happy New Year! (No predictions.. promise..)

Reading time: ~1 min
It’s the last few hours of 2009 here in South Africa so i wanted to take the opportunity really quickly...

26th Chaos Communication Congress..

Reading time: Less than a minute
is currently on in Berlin. As usual [it] looks like a blast, and as usual, media [is online] before the...

We are famous (almost!)

Reading time: Less than a minute
Last week had two “cloud-security” related articles hit the inter-webs.. After our Vegas09 talk on “clobbering the cloud” we had...

Criticism, Cheerleading, and Negativity

Reading time: ~1 min
[Alex Payne] has an excellent post up titled “Criticism, Cheerleading, and Negativity“. It’s a 2 minute read, but its worth...

ZaCon – A con in need of a better tagline…

Reading time: Less than a minute
ZaCon came and went, “and a fun time was had by all!” The first run was a semi-cosy affair held...

Defcon-17 – Clobbering the Cloud

Reading time: Less than a minute
Our DC-17 video (of the “Clobbering the Cloud” talk) is now available on the new look DefCon download site:...

Twitter killed the (infosec) Blogging Star ?

Reading time: ~1 min
Like it, hate it or just plain struggling to understand it, Twitter has made a huge impact across a wide...

Spammers need love too..

Reading time: ~2 min
-snip- From: Haroon Meer <haroon@sensepost.com> To: Marc Schneider <marcs@mplw.net> Subject: Re: http://www.sensepost.com – Contact needed Hi Dr Schneider. * Marc...

Dvorak, on Windows 7, Microsoft and attention to details..

Reading time: ~1 min
The other day i tweeted a link from John Dvorak reviewing Windows 7. He basically said that Microsoft was dying,...

Sensepost’s Developer and Bootcamp Security courses (November)

Reading time: ~2 min
Hi All SensePost will be running their next Developer and Bootcamp courses for 2009, scheduled for November. Please drop me...

*sigh* alas poor kindle…

Reading time: Less than a minute
my wife might have a kindle, which i might have bought in the US, which she might have loved dearly.....

SensePost again accredited as a PCI ASV

Reading time: Less than a minute
SensePost is proud to announce that they have retained their status as an Approved Scanning Vendor for PCI DSS purposes....

MS Threat Modeller

Reading time: ~2 min
Just arbitrary coolness regarding Microsoft’s Threat Modeller.  It’s XSS-ible… Since this all works in file:///, not overly sure what the...

2 pieces of coolness…

Reading time: ~1 min
a) was the politely dropped kaminsky firefox bug [http://lists.grok.org.uk/pipermail/full-disclosure/2009-September/070620.html] It still requires a click for command execution, but considering its...

Fasm2009 – Videos online..

Reading time: Less than a minute
The “Fasm conference is an informal meeting of coders interested in x86 assembly programming.” Some of the videos can be...


Reading time: Less than a minute
Sure it only cost $29, but when you consider the number of people bowing down and thanking our Cupertino overlords...


Reading time: ~1 min
I was recently playing with a Wingate Proxy server, came across some arbitrary interestingness. So, WinGate proxy includes a remote...

John Viega’s “the myths of security”.. Really??

Reading time: ~4 min
i go through a ton of books. Over the past 10 years, this has been dominated by books on computer...

BlackHat presentation demo vids: MobileMe

Reading time: ~3 min
[part 5 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] Goal The final installment...

BlackHat presentation demo vids: Amazon

Reading time: ~8 min
[part 4 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] Goal In the fourth...

BlackHat presentation demo vids: SalesForce Sifto

Reading time: ~5 min
[part 3 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] Goal Our third video...

BlackHat presentation demo vids: SalesForce ClickJacking

Reading time: ~2 min
[part 2 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] Goal The premise behind...

BlackHat presentation demo vids: SugarSync

Reading time: ~4 min
[part 1 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] Goal We wanted to...

BlackHat presentation demo vids: Summary

Reading time: Less than a minute
Our BH09/DC17 presentation relied heavily on videos for the demos, and they’ve been blogged separately. Links below (will be made...

Clobbering the cloud slides

Reading time: Less than a minute
[updated: videos will be made available on this page] 140 slides in 75 minutes. They said it couldn’t be done…...

Wishlist for graduates

Reading time: ~4 min
We were invited to speak at the recent ISSA2009 conference in Joburg, a local mostly academic security conference and I...

Watch out Amazon…

Reading time: Less than a minute
’cause there’s some serious cloud computing competition on the horizon.. A google search for Cloud Provider returns the following paid...

Apple vs Microsoft as a malware target.. stop saying market share..

Reading time: ~6 min
I really enjoy listening to Mac Break Weekly.. Leo Laporte is an excellent host and i would tune in just...

Excellent paper from MSFT Research on inline proxies vs. SSL

Reading time: ~1 min
Ron Auger sent an email to the [WASC Mail list] on some fine work presented recently by Microsoft Research. The...

Two quick links on “how your app got hacked, even though it looked ok”

Reading time: Less than a minute
The first one from hacker news, aptly titled “How I Hacked Hacker News (with arc security advisory)” and the 2nd,...

Open Patch Management Survey

Reading time: ~2 min
Rich Mogull (whose stuff I really quite dig) has launched an ‘Open Patch Management Survey’ via the SecurityMetrics blog. Its...

How Good Companies Fail..

Reading time: ~3 min
In early 2002 i recall reading and falling in love with Jim Collins book: “From good to Great“. I recall...

Apple gets some clue points?

Reading time: ~1 min
At [DeepSec] last year i had the pleasure of hearing Ivan Krstić speak. While some of his arguments had (small)...

Episode 9 of the ITSecurity Pubcast..

Reading time: Less than a minute
Yvette Du Toit (E&Y – UK/ZA) featured on the latest ITSecurity Pubcast and spoke about her role in CREST. SensePost...

Zappos number 1 priority

Reading time: ~1 min
[Zappos.com] is one of those companies people love to write about. They make headlines for their use of new media...

Chris Eng 1 – 0 Verizon DBIR Cover

Reading time: Less than a minute
Chris Eng over [at the Veracode blog] documents how he approached, and decoded the info behind the [2009 Verizon Data...

Virtualization as an answer to backward compatibility?

Reading time: Less than a minute
Part of the problem Microsoft bumped into with Vista, was hordes of people who had grown too attached to XP.....

BiDiBLAH Case Study (Part 2)

Reading time: Less than a minute
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...

SPUD reminder(s)

Reading time: Less than a minute
After some queries regarding SPUD, I thought it would be a good idea to blog this reminder: * Spud can...

The power of data

Reading time: Less than a minute
We recently introduced some neat blizzards onto a PoC Broadview client. On the back of Conficker, our Broadview Dashboard sports...

Comments have been broked :(

Reading time: ~1 min
Comments on the blog have been surprisingly quiet and we should have realised this when more and more people started...

Sensepost’s HBN Extended Edition course 11-15th May

Reading time: ~1 min
We have scheduled our next training course, Hacking By Numbers – Extended Edition (Bootcamp), for May 11-15th. The course...

reDuh reVisited…

Reading time: Less than a minute
We’ve had a number of issues with reDuh and the various server versions published.  Some clients worked with some versions...

Should InfoSec companies be betting on PCI ?

Reading time: ~3 min
The United States committee on Homeland Security’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology recently held a hearing...

#include fakeNewsStory.h

Reading time: Less than a minute
what? on April 1st???? Never!

Ranum Reloaded..

Reading time: ~4 min
A little while back i commented on Marcus Ranum’s HiTB talk “Cyberwar is Bullshit!“. I ended the post with the...

Hello World (With an LED)

Reading time: ~1 min
Way back when i was a sysadmin, i recall reading a quote from one of the ATT greybeards who said...

HBN Developer Edition Training

Reading time: Less than a minute
Hi All We have scheduled our first Developer course for April in Pretoria, should you know of anyone in your...

!exploitable [Vuln finding freebie from MSFT]

Reading time: Less than a minute
Microsoft released !exploitable at CanSecWest this year. The debugger extension, and the accompanying slide deck can be found [here]. I...

Jack C. Louis: Jan 5, 1977 – March 14, 2009

Reading time: Less than a minute
Truly tragic. We are all poorer for it.. It really was an honor and a privilege to have known him.....

Like deja-vu (all over again)

Reading time: ~1 min
Those of you who were around in 2001 will recall http://anti.security.is (anti-sec f.a.q).. The sentiment pops up periodically (in different...

Hack Like You Mean It – we’re taking PCI to Vegas

Reading time: ~1 min
We’ve been busying ourselves with the PCI DSS in one way or another for more than a year now here...

Only an idiot will install a beta os on his primary phone..

Reading time: ~1 min
and i am that idiot… Developers signed up with Apple’s Dev Program get to take iPhoneOS3.0 out for a spin,...

CodeGate – 2009

Reading time: Less than a minute
[beistlabs] [CodeGate] has come and gone.. A nice writeup of the event can be found [here] with a pdf of...

Attack Vector based Risk Management?

Reading time: ~1 min
Interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about...

Defcon 16 Videos Available..

Reading time: Less than a minute
Ok.. So The Dark Tangent announced this [a few days ago], but i felt it deserved mention because i was...

BiDiBLAH Case Study (Part 1)

Reading time: Less than a minute
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...

MacBook Pro – Battery RIP

Reading time: Less than a minute
About 2 weeks ago the battery performance on my machine took a sudden nose dive. Worse than the fact that...

VMWare enters the cloud computing foray

Reading time: Less than a minute
BusinessWeek reports that VMWare has launched a new product aimed at establishing it as a competitor in the cloud computing...

Top Ten Web Hacking Techniques of 2008

Reading time: Less than a minute
(aka – Whoot! we are almost famous!!) Jeremiah Grossman’s panel of judges (Rich Mogull, Chris Hoff, HD Moore and RFP)...

Cebit Expo 2009

Reading time: Less than a minute
SensePost have once again been invited to join the South African Department of Trade and Industry at Cebit, as one...

BiDiBLAH / SPUD.. Quick feedback

Reading time: Less than a minute
We’ve had some feedback from some BiDiBLAH / SPUD users regarding a few changes… Firstly, SPUD seems to be crashing...

HITB08 – Marcus Ranum Keynote on CyberWar..

Reading time: ~1 min
I just managed to pull the HackintheBox torrents for their [2008 talks]. (SensePosters can grab a local copy [here]).  I...

FW: HBN Extended Edition 9-13 March

Reading time: ~1 min
Yes, it is time to offer some technical input by way of our HBN Extended Edition training. There will be...

Joe Grand (Kingpin) gets famouser!

Reading time: Less than a minute
This is probably really old news (to some), but was in the company of satellite TV this weekend and...


Reading time: Less than a minute
An additional issue has been discovered in the ASPX version of reDuh.  Although the script did work as expected, it...

ASPX and reDuh

Reading time: Less than a minute
We’ve received a number of queries regarding folkses unable to get the ASPX version of reDuh to work. In truth,...

Vanilla SQL Injection is oh-so-90’s…wait…is it? (Jackin the K)

Reading time: ~1 min
aka.. Someone put the hurtski on Kaspersky.. The Twitters (via XSSniper and others) and the Interwebs were ablaze with news on...

On Hiring Staff – The T-Shirt Method..

Reading time: ~2 min
Anyone who has honestly reflected on what they know about hiring, will tell you that no matter how locked-down you...

Turn of the century deja vu?

Reading time: ~3 min
The recent widespread carnage caused by the Conficker worm is astounding, but is also comforting, in a strange way. It...

EDoS is the new DDoS ?

Reading time: ~1 min
Over at [Rational Survivability] beaker has coined the term EDoS. To describe how “the utility and agility of the cloud...

RFP Spotting..

Reading time: Less than a minute
Not the boring pile of papers kind.. the shiny pants and sunglasses kind: Turns out you can find him blogging...

QoW: Software Reversing and Exploitation

Reading time: ~1 min
I’ve developed an FTP-like multi-threaded server application as a target for this challenge of the month. It has been...

When missing a good hire works out well..

Reading time: ~1 min
A few years ago, Mohamed Nanabhay was considering joining SensePost and i was trying hard to convince him it was...

So so senseless…

Reading time: Less than a minute
haroon :(

ITWeb Security Summit 2009 – CFP Deadline

Reading time: Less than a minute
I just wanted to remind everyone that the CFP for the 2009 ITWeb Security Summit closes on 26 Jan. We’re...

BiDiBLAH 2.0 Released!

Reading time: Less than a minute
Yup, that’s right, BiDiBLAH 2.0 has finally been released and is available for purchase at an incredibly low US$500!! You...

SensePost Training @ Black Hat DC

Reading time: Less than a minute
So… Black Hat DC is rushing at us like a speeding big… speeding thing. This is just a friendly a...

“Hooker” approach to break-in!

Reading time: Less than a minute
Interesting post on cost/benefit analysis of hacker and hooker attacks…. behrang

Hacking By Numbers Online – your thoughts?

Reading time: ~4 min
We often get asked by students of our Hacking By Numbers courses if the course environments or at least the...

Headhunter: Employers Hate World Of Warcraft Players

Reading time: Less than a minute
This is an old post, regurgitated because it yielded some spirited discussion. Apparently headhunters are being told to avoid World...