housekeeping – decompression

I apologize if you’ve submitted any recent comments. I’ve been swamped the past few months with work, and my free time has been spent decompressing with things like beer, podcasts, hookers, StarCraft 2, and so on. I just dumped about 10k comments which I quickly skimmed through, so I’m sure I dumped some legitimate ones by accident.

Keeping up on the latest security happenings, comments being submitted, and my own postings has been spotty at best. Things are looking to settle down just a little bit here, so hopefully I can get my own news-reading caught up as well. My RSS feeds are utterly out of control!

kidney punches from the windows dll hijacking vuln

There’s been a surprising amount of discussion about the recent Windows DLL hijacking vulnerability, often focusing on whether this is a Big Deal or something stupid. I won’t bother linking to anything or even joining in any further except to expand on my earlier post.

The DLL hijacking is interesting because, well…it’s like walking up to someone you have no reason to mistrust. You shake his hand, but while you do so, someone (maybe his evil twin who was following him) wings a hook beyond your peripheral vision and WHAM! Kidney punch. Now, the good twin had no idea the evil twin was around, and was sincere in his greeting and handshake. But you left yourself open by shaking that hand, and the evil twin dropped you to a knee for it.

We can often curse ourselves for shaking hands with the app/guy/file that throws the hook. You run an exe and that’s your problem. You open a streamed media file with malicious code, and that’s still mostly your problem (and partly the fault of the vulnerable app you used to open it). But in this case, you could open a completely innocent file and get kidney punched, because the file happens to sit in a directory (a network share, say) where someone has planted a DLL with the name the application goes looking for.

That’s the important gist of the hijacking vuln, to me. That and the importance this places on patching 3rd-party Windows apps that are vulnerable to this method.

moaub has begun

The Month of Abysssec Undisclosed Bugs (MOAUB) has begun. Since this includes (or maybe fully encompasses) the people behind exploit-db and offensive security, we can probably expect plenty of explanation on the bugs, especially the planned binary analyses.

Seeing things like this and the people behind it, it makes me a little annoyed to be in operations for an SMB. Ops means knowing a bit about a lot of things, but rarely having the time to go into the deep dives often necessary for real security knowledge. I envy and support anyone who has that ability and time! /whine

unprotecting excel sheets

Ever solve a problem, then 6 months later need to solve it again but don’t recall how you solved it previously? That is the sort of housekeeping I’m doing with this post. I make no guarantee that the site or tool mentioned below is safe/secure for your use. Always take necessary precautions.

Have an Excel file that has password protected sheets or workbooks? I found a handy set of macros to facilitate unprotecting such files over at straxx.com. To be safe, I’d suggest unlocking the files, copying the contents out to a new file, and make sure no strange macros get carried over. I didn’t witness any, but better to be safe. And do this all on an expendable system. [excel password crack unprotect]

the wide impact of windows dll hijacking issue

How can the recent Windows DLL hijacking issue affect me? Or rather, can it be used to specifically target vulnerable applications?

A disclosure this afternoon involving KeePass certainly does show you can target specific applications. For instance, if you can get someone with KeePass to attempt to open a KeePass file and load your malicious DLL, you can execute code…such as installing a keylogger/filemon to track what your victim uses to open that super-secret KeePass database.

Note an important issue here: while this vulnerability was announced by Microsoft, Microsoft may not be able to fix the underlying issue, since the loading behavior belongs to each affected application. That really breaks many vulnerability management practices in enterprises that don’t do a good job keeping inventory of installed applications and tracking those applications’ own updates/patches/vuln announcements.

reading up on malware-serving widgets

As if there isn’t already enough uncertainty about browsing the web in general, take a read on recent posts from Armorize about some (to put it lightly) malware being served via widgets…with a large exposure base on Network Solutions’ parked domains. Part 1: the infection delivery; part 2: more on the malware; part 3: follow-up.

As the years go by, I have become less interested in the workings of malware on the desktop (call me jaded, but I consider it a total loss once it starts) and more interested in the delivery mechanisms and how malware gets injected into servers; or how servers get popped either directly or as unwitting facilitators (I work more with servers than desktops, so maybe this interest is natural). These reports by Armorize are a bit confusing to read in this regard, but from the sounds of it, either a widget server is being subverted or Network Solutions still has problems with someone owning (to some degree) their systems (or both). NetSol has been beleaguered this year with attacks.

Hosting someone else’s code. Including widgets from other people that consume content from other sites. Reduced budgets and increased cost-cutting. These are the sorts of things that demonstrate our unintended expansion of the trust we need to have in others and other code for our own security. Complexity doesn’t make things easier!

sort of a security identity crisis?

It’s impossible to ignore shrdlu’s posts; they’re entertaining and truthful. For instance:

They assume that security staff actually have CONTROL over their systems.

Most products are predicated on this assumption—here, just install this agent and you’re done. Put this on the single choke point in your network and you’re done. Just whitelist what users can install and you’re done.

I’ve always been unable to explain how larger organizations can implement some of these things (I’ve worked in SMBs). You have one choke point? Hell, even I have at least 4, let alone other networks I have to eat up span ports for. That’s either costly or a gigantic mess. You have the ability to install and/or configure things? I do, but I know if one mistake digs into Availability then I get reamed. When you work in both operations and security roles, you learn quickly which one is more important! My guess is enterprises don’t do it very well at all, just as I expect; they just have the budgets to throw money at the issues and enough mgmt layers to spread the pain and BS.

As shrdlu mentions, it’s not at all surprising that the more “successful” security products are the ones that watch the network or require the least pain (read: involvement by anyone else) overall. This is why I’m a very, very, very strong believer in Network Security Monitoring and perimeter control as always being a very important thing for security.

Oh, the title of this post alludes to the question of what role security should have. Should it just be a SOC where they have no control or administration rights? Or should they be veritable corporate gods? In my opinion, it should be far towards the latter. They may not always get their way, but they should be empowered to straighten crooked paths.

is pci compliance in demand? or just a gun to our heads?

(Look out, the cynical bus is driving by!)

The big elephant in the PCI room is simply how fucking expensive truly meeting the requirements is (for SMBs and others). Between capital costs and process changes and slowing down business and staff knowledge/training and manhours…it’s not nearly as small a pill to swallow as ya might think. And even if you get it done, the people behind it have a few more grey hairs, have burned plenty of political credit, and have new drinking problems! (Or you work in a large enterprise so it’s slightly easier to swallow.) More than likely they also now have dire staffing issues.

Mike Richardson has a great blog post about implementing PCI DSS standards in a web hosting environment. The end result? It’s dishearteningly expensive and not in demand.

What really sucks about admitting PCI is expensive? I’m also saying *security* is expensive. And it is! Then again, pressing 150lbs is tough, too, but you’ll get there if you start at 75lbs and work at it. (Don’t mock me in regards to my analogy!)

Compliance is still just part of what I call the big gamble in security (and enterprises). You know you should do more, you know you should look at that log today, you know your staff should be properly checking their controls, you know you’re not allowing your QSA to see the whole picture…but you gamble that things will be fine and continue on as you otherwise do, following the path of least resistance that you can get away with. Entire organizations operate that way, let alone executives, managers, and employees.

new windows dll hijacking vuln announced

Quick note about a new Windows DLL vulnerability whose details have been announced. The best place to start investigating this is HD Moore’s Metasploit blog post. It is worthwhile to note that most organizations block outbound SMB ports at the firewall, which matters because the malicious DLL has to sit in a location the victim opens the innocent file from, typically a remote SMB or WebDAV share. Internal attack is still quite possible, and so is being redirected to an external WebDAV instance. Thankfully WebDAV is not common out in the wild, so that scenario is slightly less of a risk, but it might still be useful to block unnecessary HTTP methods like PROPFIND on your web filters. Unless your shop, like mine, is a heavy Windows .NET dev shop, it might also be useful to include all .dll files in your network share content scans. You should prefer to know what’s out there and what’s new, if that isn’t too much of a burden (it is when my devs have innumerable dll files out on my network).
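One way to do that share scan, as an added example that is not code from the original post: walk a share, record every DLL with its hash and creation time, note whether user documents sit in the same directory (the precondition for the "open an innocent file" scenario above), and diff against the previous run so new or changed DLLs stand out. The share path, baseline file location and document extension list are placeholders and assumptions for illustration.

```powershell
# Added example, not code from the original post. Inventories DLLs on a share and
# flags ones that are new, changed, or sitting next to user documents.
# $ShareRoot, $BaselinePath and $docExt are assumptions; adjust to your environment.
param(
    [string]$ShareRoot     = '\\fileserver\dept$',          # assumed share root
    [string]$BaselinePath  = 'C:\secops\dll-baseline.csv',  # assumed baseline location
    [int]   $NewWithinDays = 7
)

# File types users typically open straight from a share (illustrative list).
$docExt = '.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.txt','.kdb'

$sha1 = [System.Security.Cryptography.SHA1]::Create()
function Get-Sha1Hex([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha1.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Previous run, keyed by full path -> SHA1. Empty on the first run.
$baseline = @{}
if (Test-Path $BaselinePath) {
    Import-Csv $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.SHA1 }
}

$cutoff = (Get-Date).AddDays(-$NewWithinDays)

$current = Get-ChildItem -Path $ShareRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $dll = $_
        # Documents in the same directory: the "innocent file" an attacker would pair with this DLL.
        $docs = Get-ChildItem -Path $dll.DirectoryName -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $docExt -contains $_.Extension.ToLower() }
        $hash = Get-Sha1Hex $dll.FullName
        $status = if (-not $baseline.ContainsKey($dll.FullName)) { 'NEW' }
                  elseif ($baseline[$dll.FullName] -ne $hash)     { 'CHANGED' }
                  else                                             { 'KNOWN' }
        New-Object PSObject -Property @{
            Path            = $dll.FullName
            SHA1            = $hash
            Created         = $dll.CreationTime
            RecentlyCreated = ($dll.CreationTime -gt $cutoff)
            DocsBeside      = @($docs).Count
            Status          = $status
        }
    }

# Report anything new or changed, plus any DLL that shares a directory with user documents.
$current |
    Where-Object { $_.Status -ne 'KNOWN' -or $_.DocsBeside -gt 0 } |
    Sort-Object Status, Path |
    Format-Table Status, RecentlyCreated, DocsBeside, Path -AutoSize

# Save this run as the baseline for the next one.
$current | Select-Object Path, SHA1, Created | Export-Csv -Path $BaselinePath -NoTypeInformation
```

The first run reports everything as NEW, which is the inventory the post is asking for; later runs only surface changes and DLLs beside documents. In a dev-heavy shop the DocsBeside filter is what keeps the noise down, since build output directories rarely contain spreadsheets and password databases.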

While we don’t have a plethora of worms and remote attacks these days, the number of attacks available, e.g. to pen testers, that target users directly and actively is crazy high. Convince a user to do/go/open x and you’re in.

skills for work and skills for getting work

Chuvakin has a great post over at his blog where he talks about what skills you should be focusing on, such as skills that help land you jobs or skills that help you do jobs. I think I agree with all the points made.

Getting past an HR filter to land a job is a sort of small-time thing. You can apply for 20 jobs and you just need to get through and hired once. After that, you usually have several years to either prove your worth or get booted out for not being able to do the work. The bottom line is you need to be able to do the work.

I also believe that the deeper and more versed one becomes with the “skills that help you do your job” the easier it is to demonstrate those skills to someone else. For instance, it might seem hard to demonstrate a web app weakness to a manager…unless you’ve done it so much you can pretty much spot them on sight (insert some allusion to MagicEye pictures that often take a lot of work to see the first time, but once you get it, you can get it faster and faster).

You know you’re good with a router or firewall or load balancer when someone throws you a strange question and you figure out some interesting way to do it that wouldn’t have been obvious without a few years of experience. That skill might not get you a new job, but it will certainly cement your place in a current job!

possible issues with windows handling lnk files

Just read (and had to re-read several times) a quick vulnerability announcement over on US-CERT for how Windows handles LNK files. From the sounds of this, all you need to do is view the location of the malicious LNK file to have it execute code. It’s still not entirely clear if this means viewing the containing folder in Windows Explorer, clicking the LNK file (duh), or something else.

This might be interesting, as it is not uncommon for users to mistakenly attempt sending .LNK files via email, rather than attaching the actual target file of their silly shortcut. And LNK files litter corporate network shares…

If just viewing the file sitting in a folder is enough to trigger this, it’s kinda reminiscent of older issues with Windows Explorer displaying certain files like DLL files on network shares. Just the act of looking in the direction of the file was enough to cause issues!
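Since LNK files do litter corporate shares, an inventory of where they actually point is a reasonable first step while the trigger conditions are unclear. The following is an added example, not code from the original post: it resolves each shortcut through the WScript.Shell COM object and flags ones whose target or icon resource lives off the share or doesn’t resolve at all. The share path is an assumed placeholder and the "suspicious" rules are illustrative heuristics for review, not a signature for the US-CERT issue. Given the uncertainty about what triggers the problem, run it from an expendable system, as the Excel post above already advises for untrusted files.

```powershell
# Added example, not code from the original post. Lists .lnk files on a share with
# their resolved target and icon location, flagging ones worth a human look.
# $ShareRoot is an assumption; the flag rules are illustrative heuristics only.
param(
    [string]$ShareRoot = '\\fileserver\dept$'   # assumed share root
)

$shell     = New-Object -ComObject WScript.Shell
$shareHost = ($ShareRoot -split '\\')[2]        # '\\fileserver\dept$' -> 'fileserver'

$links = Get-ChildItem -Path $ShareRoot -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$report = foreach ($lnk in $links) {
    # CreateShortcut on an existing .lnk parses it; it does not launch the target.
    $sc       = $shell.CreateShortcut($lnk.FullName)
    $target   = $sc.TargetPath
    $iconPath = ($sc.IconLocation -split ',')[0]   # IconLocation is "path,index"

    $reasons = @()
    if (-not $target) {
        $reasons += 'no file target'               # shell-object shortcut, not a file
    } elseif ($target -like '\\*' -and -not ($target -like "\\$shareHost\*")) {
        $reasons += 'target on another host'
    } elseif (-not (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue)) {
        $reasons += 'target missing'               # dangling shortcut, or a path we cannot see
    }
    if ($iconPath -like '\\*') {
        $reasons += 'icon resource on a UNC path'  # Explorer fetches the icon just to display the file
    }

    New-Object PSObject -Property @{
        Link     = $lnk.FullName
        Target   = $target
        Icon     = $sc.IconLocation
        Modified = $lnk.LastWriteTime
        Reasons  = ($reasons -join '; ')
    }
}

# Show only the flagged shortcuts; drop the filter to get the full inventory.
$report |
    Where-Object { $_.Reasons } |
    Sort-Object Modified -Descending |
    Format-Table Modified, Reasons, Link, Target -AutoSize
```

Most hits will be the mundane dangling shortcuts users left behind years ago; the ones to look at first are recently modified links whose target or icon points at a host the share has no business referencing.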