challenge

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is a great list of state and country links to privacy information. Via @PrivacyProf
    Links to Privacy Laws
    Tags: ( privacy regulation )
  2. Rsnake has updated his XSS cheat sheet.
    XSS (Cross Site Scripting) Cheat Sheet
    Tags: ( cheatsheet xss )
  3. Per ISC, PacketLife is updating their cheat sheets. Must have stuff.
    Cheat Sheets - PacketLife.net
    Tags: ( cheatsheet )
  4. Want to play around with CSRF? Here is a tool that lets you do so. Don't forget, only use it in your lab or on sites you have permission to test.
    Neohaxor.org >> Blog Archive >> MonkeyFist Fu: The Intro
    Tags: ( tools csrf )
  5. Here is the answer to the hard version of the recent I Smell Packets challenge.
    Solution to The Crypto Kitchen Packet Challenge (Hard Version) << I Smell Packets
    Tags: ( challenge answer )
  6. An interesting exploration of a possible way to detect encrypted sessions.
    Detecting encrypted traffic with frequency analysis << wirewatcher
    Tags: ( encryption detection )
  7. Bill Brenner had the opportunity to interview Robert Carr, the CEO of Heartland Payment Systems Inc., regarding the massive breach that occurred. Mr. Carr's responses have generated quite a bit of conversation. The thing I find most disturbing about Mr. Carr's responses is that someone in his position would take this approach to dealing with the situation. Seems like a lot of finger pointing and 'it wasn't me' language for an issue which is ultimately his responsibility. Please read the next few links after you read the interview to see what others, who are much more eloquent than I, have to say.
    Heartland CEO on Data Breach: QSAs Let Us Down - CSO Online - Security and Risk
    Tags: ( heartland )
  8. Rich's response to the Heartland CEO's comments.
    Securosis Blog | An Open Letter to Robert Carr, CEO of Heartland Payment Systems
    Tags: ( heartland )
  9. Alan's take on the Heartland issue.
    StillSecure, After All These Years: Heartland CEO thought QSAs would make him compliant and secure
    Tags: ( heartland )
  10. Mike's take on the Heartland issue.
    One Man's View: Heartland CEO Must Accept Responsibility - CSO Online - Security and Risk
    Tags: ( heartland )
  11. Andy's take on the Heartland issue.
    Will the real leader please step forward >> Andy ITGuy
    Tags: ( heartland )
  12. Jeff tells it like it is! Actually, he does, but read the whole article to know what I mean.
    The Auditor's Prerogative : The Security Catalyst
    Tags: ( audit )
  13. David may call it an incomplete thought, but I don't.
    Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We're Doing It Wrong << The New School of Information Security
    Tags: ( grc )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is pretty nifty. Going to have to play with this one.
    Security Research & Defense : Announcing OffVis 1.0 Beta
    Tags: ( office microsoft )
  2. The inaugural episode of the Cloud Security Podcast is available. Christofer and Craig are looking for feedback. Take a listen and let them know what you think.
    Introducing the Cloud Security Podcast... | Cloud Security
    Tags: ( cloud podcast )
  3. It can't be said often enough. The Riv during Defcon is a dangerous place to be from an information security perspective.
    Malicious ATM Catches Hackers | Threat Level | Wired.com
    Tags: ( defcon )
  4. This is just cool.
    Uncommon Sense Security: Announcing the Warzone Project
    Tags: ( ctf labs )
  5. Twitter is now stopping tweets with malicious URLs. Someone mentioned that URL shortener services can cause this control to fail, I'm not positive that is the case. Would be interesting to find out though.
    Twitter Now Filtering Malicious URLs - F-Secure Weblog : News from the Lab
    Tags: ( twitter )
  6. A good post with some tips on making your internal router and switch fabric not quite so hack worthy.
    Switch hardening on your network
    Tags: ( network-security )
  7. A new packet challenge is up.
    The Crypto Kitchen - Packet Challenge << I Smell Packets
    Tags: ( challenge )
  8. This is a bit scary. Who needs TEMPEST or other remote methods of reading keyboard actions with this type of thing?
    Hacker demos persistent Mac keyboard attack | Zero Day | ZDNet.com
    Tags: ( malware )
  9. Part of being a successful professional, information security focused or not, is the ability to be an effective presenter. You should look at this.
    Make: Online : Tips on "unpresenting"
    Tags: ( presenting )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Raf interviews Andre Gironda.
    Digital Soapbox - Preaching Security to the Digital Masses: 31337 Spotlight: Andre Gironda
    Tags: ( interview )
  2. Here is the solution and winners of the third PandaLabs challenge.
    3rd Panda Challenge solution & winners - PandaLabs
    Tags: ( challenge )
  3. Forcing HTTPS sounds good. It will be interesting to see how this shakes out.
    Locking up the valuables: Opt-in security with ForceTLS at Mozilla Security Blog
    Tags: ( webappsec )
  4. Version 1.0 of Project Quant, a project to develop a patch management framework, has been released along with the survey results.
    Project Quant Version 1.0 Report and Survey Results
    Tags: ( patching )
  5. Part 3 of Ax0n's recipe for evilness.
    HiR Information Report: Evil Wifi Part 3: Hamster & Ferret
    Tags: ( wireless hacking )
  6. Cutaway has a very interesting post up about malware that resides in the registry. He points to a couple other posts that are worth reading too. This is very cool...scary...but very cool.
    Security Ripcord >> Blog Archive >> Malware IN Registry a.k.a If It Can't Be Done, Why Am I Looking At It?
    Tags: ( registry malware )
  7. Be careful what information you are sharing in something as basic as email headers. That stuff can be used against you.
    Looking beyond the surface ... << The Security Kitchen
    Tags: ( data-leakage )
  8. Martin points out some basic truths you should be aware of.
    Incident Response Leadership: Basic Truths : The Security Catalyst
    Tags: ( incident-response )
  9. You should do what Jack says. Go read the post he points you at and then send it to your friends and family.
    Uncommon Sense Security: A good primer on Social Networking and Security Risks
    Tags: ( social-networks )
  10. Folks, regardless of what the NYSE says, details about your infrastructure, patch levels, software versions, etc. are sensitive information.
    Data Detailing New York Stock Exchange Network Exposed on Unsecured Server | Threat Level | Wired.com
    Tags: ( data-leakage )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Ax0n has started a series on setting up an evil wifi attack type thing 🙂
    HiR Information Report: Evil WiFi Part 1: Jasager/Fonera Setup
    Tags: ( wifi hacking )
  2. Jennifer is pimping the Security B-Sides unconference that is occurring in Las Vegas around the same time as Blackhat. Cool stuff.
    Security Uncorked >> Security B-Sides Conference in Vegas
    Tags: ( conference security-b-sides )
  3. Zach "Quine" Lanier, the @securitytwits herder, is the next up in Raf's interview series.
    Digital Soapbox - Preaching Security to the Digital Masses: 31337 Spotlight: "Quine"
    Tags: ( interview )
  4. Here is the solution to the latest I Smell Packets challenge.
    Solution to Where in The World is Chris? << I Smell Packets
    Tags: ( challenge )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well. Sorry for the missing Bits posts on Friday and yesterday. I took Friday off and just didn't get it done yesterday. Therefore, we have quite a crop today.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is an interesting article on how Mozilla finds bugs that crash their products.
    How Mozilla finds crash bugs at Mozilla Security Blog
    Tags: ( mozilla )
  2. Here is a handy list of on-line malware scanners.
    List of Online Malware Scanners | PenTestIT
    Tags: ( tools malware scanners )
  3. The last of the three Panda challenges is up. I understand some answers have already been submitted, but you never know, they could be wrong.
    Panda Challenge: Hard Level - PandaLabs
    Tags: ( challenge )
  4. Wow. Just wow.
    I Can Has UR .htaccess File
    Tags: ( twitter )
  5. Raf's next interview. This time he talks to Mike "mckt" Bailey.
    Digital Soapbox - Preaching Security to the Digital Masses: 31337 Spotlight: "mckt"
    Tags: ( interviews )
  6. RSnake finds some interesting things you can do with/to wget.
    wget DNS-rebinding and Weak Intranet Port Scanning ha.ckers.org web application security lab
    Tags: ( wget )
  7. Here is some information for you if you are interested in hacking your Defcon 17 badge.
    DC17 Badge Pre-Release Information - Defcon Forums
    Tags: ( defcon17 )
  8. Answers to the 2nd Panda Challenge.
    2nd Panda Challenge solution & winners - PandaLabs
    Tags: ( challenge )
  9. Raf interviewed Mubix for the first of a series of interviews of security folk.
    Digital Soapbox - Preaching Security to the Digital Masses: 31337 Spotlight: Mubix
    Tags: ( interview )
  10. An interesting article which brings up some good points. I would add password age to this type of consideration also, provided compensating controls are in place like lockouts as presented in the paper.
    Do Strong Web Passwords Accomplish Anything? (PDF)
    Tags: ( passwords )
  11. Inferno put together a couple things and came up with a fairly scary attack on CSRF tokens.
    Hacking CSRF Tokens using CSS History Hack | SecureThoughts.com
    Tags: ( hacking csrf )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The videos from Source Boston 2009 are available. Good stuff.
    Source Boston 2009 Videos
    Tags: ( source )
  2. A very nice example of data leakage.
    Firefox 3.5 DNS LEAKS like a waterfall | The Edge of I-Hacked
    Tags: ( firefox dns )
  3. Panda's second challenge is up.
    Panda Challenge: Medium Level - PandaLabs
    Tags: ( challenge )
  4. Keydet89 answers the question "What is the worst thing an incident response team internally will do?"
    Windows Incident Response: SANS Summit Question
    Tags: ( incident-response )
  5. Not security related, but it's bugged me for a while. I love Firefox, but the molasses slow start time is a real joy killer. Finally an explanation why. Hopefully a fix will come out soon.
    Slow Firefox 3.5 start up time - News - The H Security: News and features
    Tags: ( firefox )
  6. I strongly suggest you read this post before you test out the OpenOwn.c code that is running about. In other words, you will hurt yourself if you don't.
    Secdev - Thierry Zoller: 0pen0wn.c - Shellcode "dissasembled"
    Tags: ( hacker dont-do-that )
  7. As @id084895 says, "wow, just discovered Robtex.com !!! Your src for whois, bgp, AS, RBL checks and lost more: simple & fast => i like ;-)"
    robtex
    Tags: ( tools on-line )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Infocon to yellow for 24 hours.
    Infocon raised to yellow for Excel Web Components ActiveX vulnerability
    Tags: ( infocon )
  2. I knew it was not going to end well when I first heard that ATMs were going to be armed with pepper spray.
    Pepper Spray-Armed ATM Misfires, Shoots Workers | Threat Level | Wired.com
    Tags: ( general )
  3. Didier gives us a nifty little tip on hiding the fact that our laptop is encrypted.
    Quickpost: TrueCrypt's Boot Loader Screen Options << Didier Stevens
    Tags: ( encryption truecrypt )
  4. The solution and winners for the first Panda Labs challenge are up.
    1st Panda Challenge solution & winners - PandaLabs
    Tags: ( challenge answer )
  5. This is cool. One of the teams that participated in the Defcon 17 CTF qualifiers made a comic of how they answered one of the challenges. (Hat tip: @mubix)
    http://hackerschool.org/DefconCTF/17/B300.html
    Tags: ( ctf defcon )
  6. Rafal talks about a comment spam toolkit. The comments are very interesting too.
    Digital Soapbox - Preaching Security to the Digital Masses: Devastated by a Link-Spam Tool?
    Tags: ( spam )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A Panda Labs challenge is up. This is the first of three this month.
    Panda Challenge - "All that glitters is not gold" - PandaLabs
    Tags: ( challenge )
  2. Someone asked Lee what he should be looking for when seeking a recruiter to help him find employment. Lee's response is golden. Check it out.
    Career Advice Tuesday - Selecting a Recruiter | Information Security Leaders
    Tags: ( career recruiter )
  3. Part 4 of Wesley's story about catching a hacker.
    GhostExodus, the ETA, and a Control System Incident at Carrell Clinic (Part 4) << McGrew Security Blog
    Tags: ( hacker )
  4. Hoff has some words on the cloud, security, and enterprises.
    Rational Survivability >> These Apocalyptic Assessments Of Cloud Security Readiness Are Irrelevant...
    Tags: ( cloud )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The solution to the latest packet challenge from I Smell Packets.
    Solution to the Name That Exploit Packet Challenge << I Smell Packets
    Tags: ( challenge packet )
  2. Rich is tackling costs associated with a data breach. He is approaching it from a hard vs. soft costs perspective. Those familiar with FAIR will recognize these as primary and secondary loss factors.
    Securosis Blog | Creating a Standard for Data Breach Costs
    Tags: ( breach costs )
  3. It wouldn't be Blackhat/DefCon season without at least one cease and desist order. The first one this year stops a talk about hacking ATMs.
    ATM Vendor Halts Researcher's Talk on Vulnerability | Threat Level | Wired.com
    Tags: ( atm blackhat )
  4. Thus declareth @hevnsnt. Change your Twitter password on July 1st. Actually a good idea for several reasons which he shares in this blog post.
    July 1st is #twittersec Day | The Edge of I-Hacked
    Tags: ( twitter )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well. Sorry for missing yesterday. I had a brutally busy day and then we had a power outage at home to boot.

Here are today's Interesting Information Security Bits from around the web.

  1. A new packet challenge is up at I Smell Packets.
    Packet Challenge - Name that Exploit << I Smell Packets
    Tags: ( challenge packet-capture )
  2. This is an interesting post with some thoughts that can be extended well beyond virtualization.
    View Yonder >> Free the Gladiators!
    Tags: ( virtualization )
  3. This time a peek at PHP and sessions.
    AppSec Street Fighter - SANS Institute >> Session Attacks and PHP
    Tags: ( session )
  4. Anton opines on the contents of the letter sent to the PCI council by the National Retail Federation and other retail associations.
    On "PCI Letter"
    Tags: ( pci letter )
  5. Mozilla has been at work to come up with a method of getting rid of XSS problems. They believe they have it with Content Security Policy.
    Shutting Down XSS with Content Security Policy at Mozilla Security Blog
    Tags: ( csp mozilla )
  6. Christofer has a nice couple of graphics that help describe cloud computing from a high level perspective.
    Rational Survivability >> Incomplete Thought - Cloudanatomy: Infrastructure, Metastructure & Infostructure
    Tags: ( cloud )
  7. The ISC diary points out some ways to protect your webserver from being DoSed by the tool released by Rsnake recently.
    Apache HTTP DoS tool mitigation
    Tags: ( apache dos )
  8. RSnake takes a look at detecting man-in-the-middle proxies.
    Detecting MITM/Hacking Proxies Via SSL ha.ckers.org web application security lab
    Tags: ( mitm )
  9. Lori offers some thoughts on IPv6 that you should also be thinking about.
    You are the new number 3ffe:1900:4545:3:200:f8ff:fe21:67cf
    Tags: ( ipv6 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin