For a cool R32mil (approx $4.5millon), what a bargain. I give them 6 months before they all start wearing suits and start using terms like "governance maturity model" ;)

But seriously, congratulations to the SensePost team. They have done spectacularly well in a short time and with a small team (this works out to over a million or two per employee I think).

A few weeks ago a post on our internal list pointed me at a tool called Evolution put together buy some company named Paterva. I've been playing with it quite a bit, and have even used it to demo some stuff to germalists.

Then today I say that there will be a 27dinner in Pretoria tomorrow. To my surprise Roelof Temmingh (previously of Sensepost) will be speaking, and what's more he is the founder of Paterva and one of the authors of Evolution!

I have high hopes this may be one of the best 27dinners yet (no offense to the marketing types) and if you will be in the Pta region tomorrow, come check it out.

If you won't be in the Pta region, then go check out Evolution anyway. The second beta of the standalone GUI was released last week and I am about to start playing with it. If it's anything like the last one, the web version is more functional (unless you decompile the java classes and modify the static search terms, but I would *never* do that), but the GUI gives you a good idea of it's functionality. A company and a tool to keep your eye on.

(P.S. Is it just me, or is South Africa rocking the information security party?)

Kris Budnik, my director, and myself recently did a presentation in Durban as part of a breakfast hosted by Tip-offs Anonymous. In the presentation I provided three demonstrations; the first on privacy attacks and concerns with the Web 2.0; the second on Web 2.0 attacks, in particular an XSS Proxy demo; the third, and last on bluetooth attacks with mobile phones. It got great press coverage:

All sorts of hype has been made about the big talks at Blackhat, but for those of us that weren't there, check out the side-channell coolness from the SensePost guys (straight out of SA). They have released a tool called Squeeza which provides a nice functional shell-like overlay for your SQL injections. Additionally, the demo'ed some very cool DXSRT which takes the JavaScript 'logged on' timing attacks to a new level.

However, what I thought was awesome were the side channel data leaks via DNS. Basically, by getting a machine behind a firewall to do a DNS lookup to <encoded data>.attackersdomain.com you can leak data out from behind a firewall. Simple and very cool.

While I'm at it, check out their blog, it's shaping up to be a great regular read.

Facebook has started to allow users to create their own apps. If you're a member, you may have noticed this by the massive number of application requests you have started receiving. The problem is, these apps by default won't go through much of a vetting process. This allows sites such as this one, to find all of the nasty holes each new app pokes into Facebook. If this doesn't worry you because you aren't using any of the broken apps, it should, because many of these apps can be abused to direct attacks against people who don't use the apps. Given that much of Facebook involves sending content from one user to another (i.e. propagation), this has the potential for a self-propagating malware ala the MySpace "Samy" worm.