Recently the buzzword-du-jour has shifted in some circles from "Threat Intelligence" to "Information Sharing", with policy being proposed or enacted to drive companies to share breach and breach attempts with other entities to hopefully assist in their network defenses. One challenge I see to free information sharing between willing and . . .
Accepting LangSec into your heart (or SDLC)
To err is human; to be caught at compile-time, divine— Jacob Torrey (@JacobTorrey) March 2, 2016
Next week at TROOPERS I am acting as a TA for Tamas on our VM Introspection training as well as giving a talk aimed at developers and their managers to augment their software development life-cycle (SDLC) with LangSec principles. . . .
Why we need to focus on capacity building
Watching the InfoSec industry change over the last few years leaves little doubt in my mind that the majority of players jump onto what is hot, either through a re-branding campaign, acquisition, or legitimate shift. At RSA this spring, the buzzword du jour was threat intelligence; of late however, the hype-machine has been focusing on bug . . .
Virtual memory break-out with PCIe
TL;DR After noticing a trend of conference talks with posted slides or videos being overlooked and hard to search through, I've decided to write an overview blog post for most of my conference talks in order to create a searchable and easy-to-skim jumping-off point. I will link to slides, video and paper if there is one at the end of each . . .
TL;DR Domas' "Memory Sinkhole" is a clever attack, but in today's OS landscape, can be mitigated via a small software update.
Yesterday at Black Hat USA, I watched as Christopher Domas shed some light on a very exciting/terrifying vulnerability. He discovered that SMRAM accesses can be duped to read/write from the LAPIC . . .
Posted in: x86
Or: Check your ego at the door
While watching Haroon Meer's TROOPERS keynote, I was struck by the major, structural shortcomings in the InfoSec industry; and how little impact it really had on the world. I was left asking myself, even with the sorry state of security, and today's endless parade of bugs and breaches, who is feeling the pain? Haroon highlights that . . .