Welcome to Errata Security
Errata Security Overview
Errata Security is composed of industry veterans who have been involved in almost every facet of cybersecurity. This team has made many of the headlines you have read, from predicting new threats and attacker trends to developing cutting-edge technology. If you need the best, Errata Security can do everything from product testing to technical consulting and everything in between.

We are the answer when you need an outsourced research team.
Errata Security Announcements
3.25.2011 Rob Graham's coverage of the Comodo hack on Slashdot

From Slashdot: yonk497 writes "A boastful Iranian hacker has claimed sole responsibility for the Comodo security certificate attack, saying it had nothing to do with his government. The 21-year-old claimed via a note on PasteBin, 'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.' While some researchers believed his claims, saying the media had accepted Comodo's claims that the attack was from the Iranian government too easily, others said it was impossible to tell if the hacker was real, or a PR move by Iran."

Slashdot: "Lone Iranian Claims Credit For Comodo Hack"
3.21.2011

Errata Security becomes an Official Sponsor of the InfoSecMentors Project

Errata Security supports the InfoSecMentors Project in their continued goal of increasing the number and value of mentorships in the Information Security industry through volunteers. The mission of ISMP is to grow the social network by introducing fellow InfoSec professionals that would not otherwise ordinarily get a chance to meet, and encourage those relationships to develop into formal mentorships.

The InfoSecMentors Project - "Helping mentors find aspiring people to help in the Information Security Community"

12.10.2010

David Maynor to speak at BayThreat in Mountain View, CA

David Maynor will be presenting a talk at BayThreat on December 10th, 2011 on "Cheat Codes for the Mobile User." This original content focuses on security research concerning games on mobile devices. Errata Security is an official sponsor of BayThreat.

BayThreat - December 10th & 11th - Mountain View, CA - Hacker Dojo

07.31.2010

David Maynor and Dr. Paul Judge to speak at DEF CON

Errata CTO David Maynor and Dr. Paul Judge, Chief Research Officer & VP Cloud Services, Barracuda Networks, will speak at DEF CON in Las Vegas in July 2010 about malware. In this talk, they will reveal statistical data about the search engines and search terms that were most targeted. They will highlight key attacker trends, and examine the ability of traditional security approaches like anti-virus and URL filters to react to the rapid movements of SEO poisoning attacks.

DEF CON: "Searching for Malware: A Review of Attackers’ Use of Search Engines to Lure Victims"

03.31.2010

Errata Security releases the results of the survey on secure coding practices

Errata Security is releasing the results of a survey conducted over the week of Security B-Sides and the RSA Conference in San Francisco. The survey found that Microsoft SDL was the most common security development lifecycle among the companies using a formal methodology, but Ad Hoc solutions are still the most popular overall. Small companies are more likely to be using Agile development, and the corresponding SDL-Agile. The most common reason for not adopting a formal methodology was resource requirements.

Here are the press links covering the story, and a link to the actual paper:

Download the Survey Results (pdf): "Integrating Security Into the Software Development Lifecycle"

Dark Reading: "Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods"

CSO Security and Risk: "Code Writers Finally Get Security? Maybe"

Microsoft SDL Blog: "Survey Results: Microsoft SDL awareness on the rise"

Jeff Jones Blog: "SDL AWARENESS AND ADOPTION HIGH AMONG SECURITY PROFESSIONALS"

Help Net Security: "Root issues causing software vulnerabilities"

03.03.2010

Errata Security announces survey to measure security practices in the SDLC

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods.

If you would like a copy of the results of this survey, there is a request button at the end of the survey where you can enter your email address. In order to encourage participation in this survey, and to explain the reasons behind it, I will be giving a lightning talk at Security B-Sides in San Francisco on March 3 at 12:00 PST. Please share the survey link with software developers, security experts, product managers, or anyone involved in product development.

The survey will close on Friday March 12, 2010 at 17:00 PST.

Survey: "How do you add security to your software development lifecycle?"

Errata Security Blog: Explanation

UStream: Video footage "Security & the SDLC"

SlideShare: PowerPoint "Security & the SDLC"

03.02.2010

Marisa Fagan on password authentication panel at Security B-Sides

Marisa Fagan, along with Jennifer Jabbusch and Michael Santarcangelo spoke about the failures of using passwords to authenticate users. "Passwords are the root vulnerability in several identity theft attacks. Users recycle passwords, fall for phishing scams, and choose weak phrases," said Ms. Fagan. Security B-Sides is an alternative to the RSA Conference for participants to share and interact on a more personal level. Links to abstract and video below.

B-Sides San Francisco: "So What's the Alternative? A group discussion of the solutions replacing passwords for user authentication"

UStream: Video footage

12.07.2009

Robert Graham quoted on new cloud-based service to steal WiFi passwords

Robert McMillan of IDG News Service interviewed Errata CEO Robert Graham about the new cloud-based WPA password cracker created by security researcher Moxie Marlinspike. The service could save security auditors time. Graham says "When I show this to management and say it would cost $34 to crack your WPA password, it's something they can understand."

ComputerWorld: "New cloud-based service steals Wi-Fi passwords"

11.20.2009 Errata CEO Robert Graham gives a security researcher perspective on the Climate Research Hack

Climatologist Phil Jones' email was compromised by an unknown hacker. The politically motivated attack was designed to reveal closely guarded global warming research. Robert Graham explains the current debate on global warming, and explains the relevance of the emails that were published by the hacker. Graham then explores a possible connection between the logs left behind in the attack and the identity of the hacker using open proxies.

Errata Security Blog: "Hacker exposes global warming researcher"

Errata Security Blog: "Climategate hack used open proxies"

11.17.2009

Robert Graham featured on Dark Reading in response to Brazilian Power Grid Outage

After a power outage at a Brazilian power station was attributed to "hackers" on the TV show 60 Minutes, Errata Security CEO Robert Graham investigated the likelihood of these claims. He cited the lack of evidence and pointed to far more likely scenarios. Later, in a feature on the site Dark Reading, he goes on to explore how an attack such as this could happen.

Errata Security Blog: "Brazil outage NOT caused by hackers"

Dark Reading: "How to Hack a Brazilian Power Grid"

10.14.2009 Elizabeth Wharton and Marisa Fagan to speak at the Atlanta chapter of NAISG

The VP of Legal Affairs Elizabeth Wharton and Security Project Manager Marisa Fagan will be speaking to the NAISG group about the anatomy of current Social Networking Hacks and following up on the legal implications for three recent case studies.

"Atlanta NAISG Chapter"
08.04.2009 David Maynor interview on Data Security Podcast

Ira Victor & Samantha Stone interview Errata CTO David Maynor about the security threats associated with personal WiFi devices. David discussed a flaw in the Verizon MiFi device on a panel at DefCon this year.

"Data Security Podcast Episode 64 – Aug 4 2009"
07.31.2009 David Maynor to speak on panel at DefCon 17

Panelists will demonstrate innovative hacking techniques in naked wireless networking, GPS, intranet routing, web-based applications and goats.

David Mortman (CSO in Residence, Echelon One)
Rich Mogull (Securosis)
Dave Maynor (Founder & CTO Errata Security)
Larry Pesce (PaulDotCom)
Robert "RSnake" Hansen (ha.ckers.org)

"Defcon Security Jam 2: The Fails Keep On Coming"
07.29.2009

Marisa Fagan and Elizabeth Wharton to speak at Security BSides

The Security BSides Conference in Las Vegas has invited Marisa Fagan, Security Project Manager, and Elizabeth Wharton, VP of Legal Affairs and Business Development, to discuss the aspects of Identity Theft that involve a proximity relationship between the attacker and the target.

BSides Las Vegas: "The EX Factor: Exploring Proximity Based Identity Theft"
07.18.2009

Errata CTO David Maynor speaks at Mobile Bar Camp 2009

At Mobile Bar Camp in Atlanta, GA, David Maynor gave a presentation on using the iPhone for testing purposes.
Mobile Camp Atlanta: "iPhone Security: Bug Hunting on an iPhone"

07.17.2009

iPhone research applied to new botnet threat

In the TECH section of New Scientist, Jim Giles referenced last year's research on the iPhone. In combination with SMS viruses, the iPhone introduces a new kind of threat.

"Virus may signal first 'zombie' cellphone network"

06.30.2009 CEO Rob Graham quoted on Setuid security hole

Dan Goodin interviewed Rob Graham for The Register UK concerning a kernel vulnerability. "Setuid is well-known as a chronic security hole," Rob Graham, CEO of Errata Security wrote in an email. "Torvalds is right, it's not a kernel issue, but it is a design 'flaw' that is inherited from Unix."

The Register UK "Clever Attack Exploits Fully Developed Kernel"
06.30.2009 David Maynor writes editorial blog for Dark Reading

David discusses the nature of Internet censorship in Iran, a topic made popular by Twitter users.

"Net Parrot Effect"
08.15.2008 Errata DefCon speech illustrating inexpensive pentesting techniques

In the DarkReading coverage of DefCon, Errata Security research was mentioned relating to the iPhone pentest technique.

The article is available here.
08.08.2008 Errata to speak at DefCon

Errata Security CEO Robert Graham and CTO David Maynor will be speaking at DEFCON in Las Vegas on Friday, August 8th, 2008.
They are presenting a talk about penetration techniques and releasing updated versions of the Hacker Eye View Suite.

A summary of the presentation is available here
07.14.2008 AxBan signature list version 4 available

Errata Security released the latest vulnerable-signature list (the XML file used by AxBan 1.5) today. This version will be auto-updated by AxBan 1.5 or later.
This updated list covers the Yahoo Messenger and Microsoft Access Snapshot Viewer ActiveX controls.

AxBan 1.5 is available to download here.
06.27.2008 Errata releases AxBan 1.5

Errata Security released AxBan 1.5 today. This version has an auto-update feature for the most up-to-date bad ActiveX Control list.
Brian Krebs of the Washington Post Security Fix blog covered the release with an article about the dangers of lurking ActiveX functions.

AxBan 1.5 is available to download here.
05.31.2008 Errata CTO speaks at SummerCon

Errata Security will be represented at SummerCon in Atlanta, GA with a speech on smartphones and cellular networks.

A summary of the talk can be found on the SummerCon site.
05.22.2008 Errata releases AxBan 1.0

AxBan is a tool that sets the kill bit on bad ActiveX controls.
04.11.2008 Errata releases LookingGlass 1.1

LookingGlass is a tool designed to help software developers check which OS security features are being used.
LookingGlass 1.1 is available at the Errata Research page, here.

04.10.2008 CTO David Maynor a winner in TippingPoint's PWN to OWN contest

Computer World blogger Gregg Keizer covered the PWN To OWN contest held March 26-28 at the CanSecWest security conference. David Maynor was one of three researchers who independently found the Flash bug used to compromise a laptop running Windows Vista.
The article is available here.
01.10.2008 Errata releases Ferret 1.1

Errata Security is proud to release the latest version of the Data Seepage detection tool, Ferret.
Ferret 1.1 is available at the Errata Research page, here.

09.19.2007 Errata CTO David Maynor releases OS X research paper

David Maynor published a paper detailing the infamous Apple 802.11 flaw that allows a remote attacker to take control of a victim machine.
The paper is available from Uninformed here.

03.11.2007 Metasploit N800

Step by step instructions, including a link to a working Ruby package, have been added to the Research page.
Check out the Research page here.

03.02.2007 Blackhat wrapup: Ferret 1.0

The tools and slides from the Errata Security talk on data seepage have been added to the Research page.
Check out the Research page here.

02.17.2007 Hacker Eye View report: Cisco Security Update

The initial HEV for the new Cisco vulnerabilities has been released to customers. More detailed HEV information on the individual vulnerabilities, including packet captures of exploits, will be shipping early this week. Errata Security is one of fewer than a handful of vendors that can provide in-depth information on Cisco vulnerabilities.

02.16.2007 Errata Security founders to speak at Blackhat Europe 2007

Robert Graham and David Maynor will make the trip to Amsterdam to brief European security professionals on the dangers of Data Seepage and how to stop it.

Blackhat Europe Information here.

02.14.2007 Hacker Eye View report: Microsoft Patch Tuesday Feb 2007

Complete brief analysis of all vulnerabilities announced today has been released to customers. This also includes in-depth analysis and working exploits for all critical vulnerabilities.

01.24.2007 Hacker Eye View report: Cisco security update

Security briefs regarding critical Cisco vulnerabilities are now available to customers. A Hacker Eye View report on each of the vulnerabilities will be available soon.

Read some of our analysts' thoughts at the Erratasec blog.

01.24.2007 Errata Security founders set to speak at Blackhat DC 2007

Errata Security founders Robert Graham and David Maynor will be speaking in Washington DC at the Blackhat Briefings on Feb 28th and March 1st. They will be speaking about a threat called data seepage and how it can affect the security of enterprises' internal networks. David Maynor will also be giving an updated version of the popular device driver talk with new demos and new targets.

For more information visit Blackhat's site for both talks.

01.16.2007 Hacker Eye View report: Oracle quarterly update

Analysis briefs on the critical vulnerabilities in the Oracle patch have begun shipping to customers. Due to the number of issues, briefs will ship all week, with a target of Friday, Jan 19th, for completion of all 51.

01.09.2007 Hacker Eye View report: Microsoft Patch Tuesday

Complete brief analysis of all vulnerabilities announced today has been released to customers. This also includes in-depth analysis and working exploits for all critical vulnerabilities.

01.01.2007 Hacker Eye View report: Month of Apple Bugs

Errata Security released an in-depth analysis of the first release of the Month of Apple Bugs (MoAB) project. Customers received a detailed analysis including protection and mitigation suggestions a mere 4 hours after the release. A report will be completed for every one of the MoAB issues.

01.01.2007 Errata Security site launched

Do you want in-depth information on security vulnerabilities? Do you have a product you want tested by experts? Errata Security is the answer.