Archive | Secure Coding

View all postings from the Secure Coding category in “Security to the Core,” the Arbor Networks Security Engineering and Response Team Blog.

The Heartburn Over Heartbleed: OpenSSL Memory Leak Burns Slowly

Marc Eisenbarth, Alison Goodrich, Roland Dobbins, Curt Wilson

Background: A very serious vulnerability present in OpenSSL 1.0.1 for two years has been disclosed (CVE-2014-0160). This “Heartbleed” vulnerability allows an attacker to reveal up to 64kb of memory to a connected client or server. This buffer-over-read vulnerability can be used in rapid succession to exfiltrate larger […]


More AS4_PATH Triggered Global Routing Instability

For those of you not paying attention, a slew of new instabilities in the global routing system are occurring – again. These are presumably being tickled by another ugly AS4_PATH tunnel bug where someone [read: a broken implementation] erroneously includes AS_CONFED_* segments in an AS4_PATH attribute – a transitive optional BGP attribute that’s essentially ‘tunneled’ between […]


MS08-067: Server Service Vulnerabilities Redux and Wormability

Yesterday was all abuzz about a new vulnerability patch from Microsoft, released outside of its normal Patch Tuesday schedule. MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) was released at 1pm US Eastern to address very major issues. Everyone should review the patch, do some testing, and update ASAP. We’re hearing […]


Botconomics: The Monetization of YOUR Digital Assets

A decade ago IF your PC was compromised it was usually just taken for a joy ride. Today, with the monetization of bots, ease of compromise, prevalence of malware, and increasing connectedness of endpoints on the Internet, WHEN your assets are compromised they’re subjected to something more akin to a chop shop. To follow this […]


Death by a Thousand Little Cuts

It is not uncommon for seasoned (or heavily burdened) information security (infosec) professionals to look at the morning’s security alerts and see a flood of the same old, same old. A few years ago, it was buffer overflows, and now in 2006 it is SQL injection attacks and cross-site scripting (XSS) vulnerabilities. Typically, the deluged infosec […]
