Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is some interesting data. I haven't run through it completely yet, but it takes the results of a bunch of scans and then does some mapping against PCI DSS. Fun with numbers 🙂
    Web Application Security Consortium (WASC) 2008 Statistics Published | Darknet - The Darkside
    Tags: ( metrics webappsec )
  2. This article discusses the decision to ship Windows 7 with a default UAC setting of medium-high.
    Windows 7's security 'time bomb' | The Last Watchdog
    Tags: ( windows-7 uac )
  3. An interesting post by Chris on risk/threat vs risk issue. When does a risk or threat become a risk issue for your organization?
    Risk / Threat vs. Risk Issue << Risktical Ramblings
    Tags: ( risk )
  4. Paul offers a couple thoughts on social networking and data leakage.
    Social networking in the antipodean spotlight | Paul Ducklin's blog
    Tags: ( social-engineering data-leakage )
  5. SynJunkie has another story-based post up. This time it is about the dangers of dual-homing, specifically with a wired connection and a wireless one.
    Syn: Bobs Double Penetration Adventure - Part 1
    Tags: ( pentest )
  6. The Whitehouse has moved their website from an internally developed CMS to Drupal. Rsnake offers up some thoughts on why this might be both good and bad.
    Whitehouse Drupal and The Open Source Security Model ha.ckers.org web application security lab
    Tags: ( drupal cms whitehouse )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good evening again. I just returned from Secure360 where I had a great deal of fun meeting and talking with people. I also gave my first conference talk today and that was also a lot of fun.

Here are today's Interesting Information Security Bits from around the web.

  1. Michael points out some more pre-configured targets for you to practice your pen testing skills on.
    lampsecurity hosting vulnerable vm images to attack (terminal23)
    Tags: ( education pentesting )
  2. I love this. Very simple, but very profound.
    Securosis Blog | The Data Breach Triangle
    Tags: ( data-leakage )
  3. Rich is looking for a little help in reviewing some survey questions related to Project Quant.
    Securosis Blog | Project Quant: Draft Survey Questions
    Tags: ( quantitative metrics )

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Beware of visiting sites that contain sensitive information on public networks. SSLStrip makes it even easier for the bad guys to get you.
    Hacker pokes new hole in secure sockets layer * The Register
    Tags: ( ssl mitm )
  2. Yup, another vulnerability in Adobe Reader. This one has active exploits and won't be patched until mid-March. Be careful out there.
    New in-the-wild attack targets fully-patched Adobe Reader * The Register
    Tags: ( exploit vulnerability adobe reader )
  3. Kees talks to us about some issues we need to be aware of when thinking about access to sensitive information.
    Handling sensitive information - Kees Leune Information Security Blog
    Tags: ( access control )
  4. Don tells us to ask why. Good stuff in here.
    Security Ripcord >> Blog Archive >> Incident Response Lessons Learned
    Tags: ( incident response )
  5. Some good questions to consider when you are selecting your next vendor for a pen test.
    How to choose a Pen Tester << Steven Branigan's Blog
    Tags: ( pentesting )
  6. It's coming up. If you are in the heartland, this is a good option, particularly if cost is an issue.
    Carnal0wnage Blog: ChicagoCon 2009s is coming up!
    Tags: ( conference chicagocon )
  7. An interesting paper about Banking Trojans.
    Bank details uncovered - PandaLabs
    Tags: ( malware )

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is nice to see.
    Yahoo to anonymize user data after 90 days | Security - CNET News
    Tags: ( privacy )
  2. Time to update Flash Player on Linux.
    Critical Flaw in Flash Player...For Linux! - Security Watch
    Tags: ( flash linux )
  3. Part 3 of SynJunkie's tale is ready for your perusal.
    Syn: The Story of an Insider - Part 3. Playing at CSI
    Tags: ( incident-response stories )
  4. New version. Haven't played with this one yet. Going to have to check it out.
    /dev/random >> Blog Archive >> OpenVAS 2.0.0. is out
    Tags: ( vulnerability openvas )
  5. Mike is getting involved in what appears to be a great new effort in training for penetration testers.
    Getting Information Security Training Right | Episteme
    Tags: ( training pentesting )
  6. Nifty new features.
    New Zenmap adds feature that does topology mapping | SecViz
    Tags: ( nmap zenmap )
  7. Don't forget, folks: Firefox 2 is at end-of-life with 2.0.19, and you have lost your safe-browsing capabilities too.
    Firefox 2 Users Will Get No More Security Updates - Security Fix
    Tags: ( firefox patches )
  8. I just like this post and Kees's approach.
    Making the world a little better - Kees Leune Information Security Blog
    Tags: ( awareness education )

That's it for today. Have fun!

Kevin

Hiya all. I know I have been less than vigilant in my posting here. I am not going to promise I will get better since that hasn't worked so far, but things might get a little more regular around here in the near future. Anywho, on with the show.

From the Blogosphere

Nathan McFeters has penned a nice post about responding to the DNS vulnerability and attacks. He also points to a post on The Frequency X Blog which also talks about the same topic.

Tom points to 0x0e's post that puts forward a list of skills that a good pentesting team should have. It is a good list and worth keeping in mind when both building a team and when contracting for a team to do work.

Rich has written an interesting post about spies, infosec and self-interest. He also asks, Security Operations: Do you CAER? (Collection, Analysis, Escalation and Resolution.) A very interesting read.

Dave Lewis points out that NIST has revised several security guidelines.

Billy explores what can happen when your browser is registered to handle several protocols.

I didn't get a chance to look at the Newsosphere, so this is it for the 29th.

Have a great day.

Kevin
