Blog Posts - Tejeddine Mouelhi

Successful XSS attack against Apache Infrastructure

4/14/2010

Apache was hit by a an attack that combined XSS and brute force. The hacker attack was impressive, they were able to take control of server machines and to get passwords and logins of admin users.
Full report of the attack was published by Apache team here.

Google under attack from China

1/14/2010

A sophisticated attack against Google coming from china. It is interesting to see how this was done.
It was based on phishing and on installing malware on victim computer to access to their gmail attack. The victims are chinese human right activists. And they were able to access two gmail accounts.

Update.
A demo of the attack using Metasploit tool can be watched here.

The first iphone worm in the wild

11/23/2009

The first worm target iphone is in the wild. I think we will here more about new worms targeting smartphone from now on.

Is it possible to trust the compiler ?!

9/2/2009

An interesting post from veracode blog about trusting compilers.
To sum up the issue is that kaspersky and F-Secure labs published a sample of a new kind of viruses that target compilers in order to modify them to make them inject malicious code when compiling sources.
The overall approach is interesting. However, as I have posted in response to the post.
It is clear that compilers cannot be trusted anymore. However, I don't think that it is hard to detect that the compiler is malicious.
An easy and simple way would be to take a simple program, say the HelloWorld program and a compiled version, a trusted one. For this, the binary code should be reviewed (this is possible, even manually because the code is simple).
Then we compare the compiled version we get using the compiler (to be tested) with the other 'trusted one'.
No need to go with complex binary analyses, as suggested by Chris's paper.

Facebook and twitter DDOS

8/9/2009

The two popular social networking (and other websites) websites have been targeted by distributed denial of service DDOS attacks.
The attack was against only one user, a georgian blogger, to "keep his voice from been heard".
With millions of users connected to these social network websites, how many times will they be targeted by DDOS to target only one user account.

Mcfee XSS vulnerabilities

5/28/2009

Mcfee websites were found to be vulnerable to XSS. It is funny because some of these websites are certified secure by Mcfee. We can wonder how they were tested.

What is new in Windows 7?

3/2/2009

If you want to know what is new in the new version of windows you should check this out. It is listing the main chage since the beta version.

It seems MS will not change many things, except some performance optimization and some improvements of the interface.

Office 14 going into the cloud

2/26/2009

The next release of Office, which is expected in 2010 will be a cloud based apps, offering access to word, excel etc. from the internet.

Bespin, or how to rethink code editors

2/20/2009

Cloud apps are starting to be everywhere these days.
Mozilla is realeasing Bespin an online code editor based only on HTML 5 technologies (mainly Javascript).
You can play with it here or grab the code to see how it is done.

I think that this kind of software is very interesting. I played with it a little bit and I think that it is well done and includes some very nice features (it is pretty fast, scales well etc...).

But still, from a security point of view, I remain pessimistic about the privacy issue. The files are stored and modified in the cloud.

Cloud-based Apps

2/19/2009

A very interesting post explains the security issues of Cloud-based apps.
It is the new emerging internet application architecture. Microsoft is one the main actor promoting cloud apps, with its new Office Live online tools. Another good example of cloud app is the google apps.
The post explains the cloud computing security issues, discussing what are the security aspects applied to web application that cannot be applied to cloud apps.

It is interesting to see that cloud apps require a deep modification/adaptation of security tools and methods.
Another important problem is I think the privacy. We will end up with having a 'big big brother', more than any other one before. Cloud apps allow the files (data) to be stored in server database, and the applications; like word or excel etc. to be launched from the internet. i am not sure how much we are able to trust the servers storing all these information and able to monitor the user access to these apps.

I think that, privacy is a very important problem to tackle when discussing about cloud apps.