cross environment hopping

Hello all. Sorry I didn't get yesterday's post out. Today's includes yesterday's stuff and today's so it is a bit long.

From the Blogosphere.

DVLabs put a post up yesterday that is the first in a weekly feature that Cody is starting regarding reverse engineering tips and tricks. The first post takes a look at the Rhapsody Media Player. Interesting stuff.

Rafal gives us a real-world example of XSS. Worth a look.

Frank Cassano has part 2 of his Assessing your Organization's Network Perimeter available. Part 1 is here. Good stuff.

Rich points out that in the world of SQL injection, it is very important that collaboration occur with our database admins and architects to ensure we are restricting rights appropriately.
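To make the "restricting rights" point concrete, here is an added example (not from Rich's post) of what a least-privilege database account for a web application looks like in PostgreSQL-style SQL. The role name app_web, the schema shop and the table names are assumed for illustration; the idea is that an injected statement can never do more than the application account itself is allowed to do.

```sql
-- Added example, not code from the post being linked.
-- Assumed names: login role app_web, schema shop, tables shop.products,
-- shop.orders (with serial key sequence shop.orders_id_seq) and shop.admin_users.

-- The over-broad setup that makes SQL injection catastrophic:
-- the web tier connects as the schema owner (or a superuser) and can do anything.
-- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA shop TO app_web;

-- Least privilege instead: a dedicated login role that owns nothing and gets
-- only the verbs the application actually issues, table by table.
CREATE ROLE app_web LOGIN PASSWORD 'placeholder-replace-from-secret-store';

GRANT USAGE ON SCHEMA shop TO app_web;                  -- may reference the schema, cannot create in it
GRANT SELECT ON shop.products TO app_web;               -- catalogue is read-only from the web tier
GRANT SELECT, INSERT ON shop.orders TO app_web;         -- orders are created, never deleted by the app
GRANT USAGE ON SEQUENCE shop.orders_id_seq TO app_web;  -- required for the INSERT's serial key

-- Nothing granted on shop.admin_users, no UPDATE/DELETE anywhere, no DDL, no superuser.

-- Smoke test of the boundary: run the same statements as the application account.
SET ROLE app_web;
SELECT id, name, price FROM shop.products WHERE id = 42;  -- permitted by the grants above
DELETE FROM shop.orders;                                  -- not granted, so the server rejects it
SELECT * FROM shop.admin_users;                           -- not granted, so the server rejects it
RESET ROLE;
```

The value of this is in the DBA conversation Rich describes: the application team enumerates the statements the code really issues, and the grants are written to match that list and nothing more. Review the grants whenever the application adds a query, and keep the owner role for migrations only.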

Lori points out that dynamic resource obfuscation can help us make the target much harder to find, let alone hit for the evil haxors out there. She is not promoting security through obscurity, but suggesting that we can actively make it very difficult for an attacker to figure out what to attack.

Donald Donzal, the editor in chief at the Ethical Hacker Network, has posted a recording and slides of the presentation he gave at the SANS What Works in Pen Testing Summit titled "Remodeling your career for little to no money down". I've got my copies downloaded and will be listening soon.

Via Xavier at /dev/random, Michael Boelen, the creator of Rootkit Hunter, has released a new tool that should be welcomed by all UNIX folks, Lynis: Security and System Auditing Tool. Go take a look.

Adam Dodge has a post up over at Security Catalyst that reminds us to keep in mind the samples used when reading a report. This applies to every report you might read that has statistical data in it, but he is specifically talking about the number of reports that have come out recently regarding breach statistics.

0x000000 has updated the mod_rewrite signatures used as a poor man's web application firewall to add some banner obfuscation stuff. If you haven't seen the full set, poke around on the site. It is good stuff.

Finally, the folks at Watchfire have an article up talking about cross environment hopping. This is where an XSS vulnerability is exploited to hop to another service hosted on the target client machine. Not cool. Go read it...twice 🙂

I will be posting the interesting bits from news sources a little later today.
