The HITB Magazine #6 now available!

As usual, I would like to inform you that the sixth issue of the Hack in the Box Magazine has just been published. Unlike previous editions, this issue is released several weeks after the HITB Amsterdam 2011 security conference: we spent the additional time working on providing you with even more interesting sections and articles. Besides the strictly technical articles (covering the Web, Network, Linux, Windows and Application security areas), you can also find two unique interviews: one with the Facebook CSO Joe Sullivan, and the other with Chris Evans and Adam Mein (members of the Google Security Team), discussing a variety of advantages, disadvantages, issues and benefits of the famous Vulnerability Reward Program.

As shouldn’t be much of a surprise, the Windows Security section contains an article of mine, called Windows Numeric Handle Allocation In Depth. In the write-up, I have thoroughly described the allocation and deallocation algorithms used by the Windows kernel to assign numeric identifiers (handles) to various types of hardware and software resources. As it turns out, the research might have a significant impact on an interesting (yet not very well known) software vulnerability class, the handle-based use-after-free condition. The details of such a vulnerability were to be made available within one week; however, Microsoft has postponed the release date of several of my security advisories. Therefore, a detailed blog entry explaining the intricacies of an example flaw of this type is going to show up at my (MS?) earliest convenience. Well.

Oh, and by the way, as some of you may already know, I am soon moving to Zurich, Switzerland… Wish me luck on my new path of life :-)

Photo by Gynvael Coldwind

The magazine can be currently downloaded from here (HITB-Ezine-Issue-006.pdf, 31,4 MB)

Table of contents


HITB 2011 Amsterdam (04)

Random Data Gets In The Box (10)
by Nigel Brik (zkyp)

Web Security

Next Generation Web Attacks – HTML 5, DOM (L3) and XHR (L2) (14)
by Shreeraj Shah, Blueinfy Solutions

Network Security

Botnet-Resistant Coding (24)
by Fabian Rothschild and Peter Greko (Hack Miami), Aditya K Sood and Richard J Enbody (Michigan State University)

Linux Security

The story of Jugaad (34)
by Aseem Jakhar


Social Security (42)
by The Editorial Team with Joe Sullivan

Windows Security

Windows Numeric Handle Allocation In Depth (48)
by Matthew “j00ru” Jurczyk

Application Security

Hardening Java Applications with Custom Security Policies (58)
by Marc Schoenefeld

Professional Development

CISSP Corner – Tips and Tricks on becoming a Certified Information Systems Security Professional (68)
by Clement Dupuis

Books: The Linux Programming Interface: Linux and UNIX System Programming Handbook (70)
by Michael Kerrisk

Books: DTrace: Dynamic Tracing in Oracle Solaris, Mac OS X and FreeBSD (Oracle Solaris Series) (71)
by Brendan Gregg & Jim Mauro


Google Vulnerability Reward Program (72)
by The Editorial Crew, with Chris Evans and Adam Mein

As always, enjoy the issue!