webappsec

Good morning everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Looks like some new developments in the continuing saga of Conficker.
    Conficker wakes up, updates via P2P, drops payload | Security - CNET News
    Tags: ( conficker malware )
  2. This is a nice resource. You should check it out.
    Security Technical Implementation Guides (STIGS) : Liquidmatrix Security Digest
    Tags: ( guides )
  3. You really need to be aware of this. Google has made available the option for a bi-directional encrypted tunnel to App Engine, which allows your apps in the cloud to access information on your internal systems. Be very careful here.
    Rational Survivability >> Google's Updated App Engine - "Secure" Data Connector: Your Firewall Means Nothing (Again)
    Tags: ( cloud google )
  4. Portswigger has posted a quick how-to on getting Burp Extender working.
    PortSwigger.net - web application security: Using Burp Extender
    Tags: ( webappsec )
  5. The latest Security Intelligence Report from Microsoft is available. It was released yesterday. The post below also has a pointer to the official website that has the key findings published.
    Jeff Jones Security Blog : Security Intelligence Report v6
    Tags: ( reports )
  6. Nessus Version 4 has been released. For those who follow and use my Backtrack 3 and Backtrack 4 how-tos, they will be updated this weekend, hopefully 🙂
    Tenable Network Security: Nessus Version 4 Released
    Tags: ( nessus )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Time to patch your Cisco routers.
    Cisco security updates squash router bugs
    Tags: ( cisco patches vulnerabilities )
  2. Didn't we just go through this in India?
    Canadian cops cry for BlackBerry wiretap * The Register
    Tags: ( surveillance blackberry )
  3. FileFix, malware that encrypts files on your system, can be beaten without having to shell out any cash. The article points to places where you can get utilities to decrypt your content.
    New ransomware holds Windows files hostage, demands $50
    Tags: ( malware ransomware )
  4. Rory shares some thoughts on input validation and output normalization. Good stuff.
    Thoughts on Secure Data Handling in web applications... - Rory.Blog
    Tags: ( webappsec filtering )
  5. A nice piece by Andy on the value of information security certifications. It can actually be applied to just about any industry.
    Opinion: Do industry certifications matter? - Security
    Tags: ( certification )
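
The canonicalize-then-validate-then-encode pattern behind item 4, as an added example in Python (not code from Rory's post). The allow-list, the display-name use case and the helper names are my assumptions for illustration; the point is that normalization happens once, before the allow-list check, and that output encoding is chosen per destination context rather than applied at input time.

```python
"""Canonicalize-then-validate input handling with context-specific output encoding.

Added example (not from the linked post): hypothetical helpers showing why an
untrusted value is reduced to one canonical form before the allow-list check
runs, and why encoding belongs at output, chosen for the context it lands in.
"""
import html
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Assumed allow-list for a display name: letters, digits, space, dot, hyphen, apostrophe.
USERNAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,32}$")


def canonicalize(raw: str) -> str:
    """Reduce an untrusted string to one canonical form before validation.

    Percent-decoding repeats until stable, so a double-encoded '%2527' does not
    survive a single decode as '%27' and slip past the filter. NFKC then folds
    compatibility characters (e.g. fullwidth '<' U+FF1C) to their ASCII forms,
    and NUL bytes are dropped so they cannot truncate a value downstream.
    """
    value = raw
    for _ in range(3):  # bounded: stop as soon as a decode pass changes nothing
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = unicodedata.normalize("NFKC", value)
    return value.replace("\x00", "")


def validate_display_name(raw: str) -> Optional[str]:
    """Return the canonical name if it passes the allow-list, else None."""
    value = canonicalize(raw).strip()
    return value if USERNAME_RE.fullmatch(value) else None


def for_html_body(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> block.

    Every character outside ASCII alphanumerics becomes a \\uXXXX escape, with
    surrogate pairs for code points above U+FFFF, so quotes, '</script>' and
    line terminators cannot break out of the literal.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isalnum() and cp < 128:
            out.append(ch)
        elif cp > 0xFFFF:
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


if __name__ == "__main__":
    for sample in ("O%2527Brien", "\uff1cscript\uff1e", "%3Cb%3Ebold"):
        name = validate_display_name(sample)
        print(repr(sample), "->", repr(name))
        if name is not None:
            print("  html:", for_html_body(name))
            print("  js  :", for_js_string(name))
```

Note that the stored value is the canonical, validated string, not an encoded one; encoding once for HTML and then reusing that value inside a script block is exactly the mismatch this split is meant to avoid.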

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Looks like the Downadup worm may be setting up to cause some mischief.
    Downadup worm may hammer Southwest Airlines URL March 13 - Network World
    Tags: ( malware botnet )
  2. This is just downright scary.
    Survey: Most Oracle Shops Don't Mandate Security Patches - Network World
    Tags: ( patches oracle )
  3. This could definitely create some onerous logging and reporting requirements for those who choose to provide public internet access in their places of business.
    Bill takes aim at anonymous hot spots, like coffee shops - Network World
    Tags: ( privacy )
  4. A report by the Brown-Wilson Group is out ranking outsourcing locations on security. By security, they don't just mean information security either.
    The IT Security Guy: The Dangerous Back Alleys of Outsourcing
    Tags: ( risk outsourcing )
  5. Irongeek has updated his list of deliberately vulnerable applications on which you can practice your web application security testing skills.
    Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)
    Tags: ( webappsec hackme )
  6. A nifty tool that gives you the ability to view log files in some interesting and different ways.
    Highlighter
    Tags: ( tools logfile )

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Tricky. Very, very tricky and easy to fall for.
    BBC NEWS | Technology | Parking ticket leads to a virus
    Tags: ( malware social-engineering )
  2. Julie has a great post up on the Security Forum. Moving outside of your comfort zone goes hand-in-hand with the never stop learning tenet that I live by.
    Running Outside the Zone : The Security Catalyst
    Tags: ( general )
  3. Rich and Adrian have released the full paper "The Business Justification for Data Security." I gotta tell ya, my reading pile is getting taller and taller. This one, however, will go near the top.
    The Business Justification for Data Security- Version 1.0 | securosis.com
    Tags: ( security justification model )
  4. Jeremiah takes a stab at explaining what a number of the organizations that produce web app sec guidance are and also talks about the lists they produce. A good read.
    Jeremiah Grossman: Who's who and what's what
    Tags: ( webappsec )
  5. The public draft for "Recommended Security Controls for Federal Information Systems and Organizations" is available for review and comments.
    Recommended Security Controls for Federal Information Systems and Organizations (PDF)
    Tags: ( nist 800-53 )

That's it for today. Have fun!

Kevin

Damn Vulnerable Linux 1.5 is Out!

by kriggins on January 26, 2009

in Uncategorized

I first talked about Damn Vulnerable Linux here. Well, @mubix announced that version 1.5 has been released.

You can grab the torrent here.

The discussion groups are here.

The website is here.

I can't wait to see what changes have been made.

-Kevin

In today's crop of Bits we have more FAIR analysis, a couple articles about surveillance in the US, a patch for Win 7 Beta and other Microsoft products, a great visualization of application security relationships, virtualization security info and some helpful data recovery advice.

  1. Part 2 is up. The more I read about and see FAIR (Factor Analysis of Information Risk) in action, the more I like it.
    Risk Scenario - Hidden Field / Sensitive Information (Part 2 of 4) << Risktical Ramblings
    Tags: ( risk assessment fair )
  2. A new project over at the Electronic Frontier Foundation. Very interesting information.
    The SSD Project | EFF Surveillance Self-Defense Project
    Tags: ( privacy surveillance eff )
  3. This article contains links to some really interesting information. If you are concerned or curious about surveillance in the U.S., you should give it a gander.
    Report: U.S. Surveillance Society Running Rampant | Threat Level from Wired.com
    Tags: ( surveillance )
  4. The first patch is out for Windows 7 Beta. Be warned that it does not address the SMB issue, which does exist for Windows 7 Beta. Read the article for the details.
    Microsoft issues first Windows 7 beta patch
    Tags: ( vulnerability microsoft patches )
  5. Some good information about Microsoft's January patches.
    Inside the MSRC: Microsoft describes Server Message Block update
    Tags: ( vulnerability microsoft patches )
  6. I'm going to print this out and hang it on my wall. Great visualization of application security and how the different pieces relate and interact.
    Jeremiah Grossman: The World of Web Security
    Tags: ( appsec webappsec taxonomy )
  7. Continuing a series on virtualization security, Ryan points out some of the risks inherent in server virtualization.
    Virtualization Security Part 2 - PandaLabs
    Tags: ( virtualization )
  8. A nice post with some really good advice on being prepared for hard drives which are having problems.
    Data Recovery from Dead Drives | Forensics, Security, Auditing | Enclave Forensics
    Tags: ( data recovery )
  9. Another tool that builds a focused word list for brute force password attacks.
    The Associative Word List Generator (AWLG) - Create Related Wordlists for Password Cracking | Darknet - The Darkside
    Tags: ( password wordlists )
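
To show what "focused" means in item 9, here is an added example (my code, not the AWLG tool): AWLG gathers related terms from the web, whereas this hypothetical version takes text you already have about a target (an "about us" page, a product catalogue, a job posting), keeps the distinctive terms, and expands them with a small set of mangling rules. The sample text, stop-word list, leet map and suffix set are all assumptions made for the demonstration.

```python
"""Build a focused password wordlist from text associated with a target.

Added example, not the AWLG tool: AWLG pulls associated words from the web;
this hypothetical version works from text you already hold, extracts the
distinctive terms and years, and mangles them into candidate passwords.
"""
import re
from itertools import product
from typing import List

# Constructed sample: imagine this is text scraped from a target's "About us" page.
SAMPLE_TEXT = """
Northwind Traders was founded in 1996 in Portland. Our flagship product,
Skyline, ships to customers in over 40 countries. Go Beavers!
"""

# Generic words carry little signal; keep this short and extend it per engagement.
STOPWORDS = {
    "founded", "flagship", "product", "ships", "customers", "countries",
    "over", "with", "this", "that", "from", "have", "their", "about",
}

# Assumed mangling rules: leet substitutions and common tails.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "!", "1", "123")


def extract_terms(text: str, min_len: int = 4) -> List[str]:
    """Pull distinctive alphabetic tokens (lower-cased), preserving first-seen order."""
    seen: List[str] = []
    for tok in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        low = tok.lower()
        if low in STOPWORDS or low in seen:
            continue
        seen.append(low)
    return seen


def extract_years(text: str) -> List[str]:
    """Four-digit years in the text; founding dates and anniversaries are popular tails."""
    return sorted(set(re.findall(r"\b(19\d\d|20\d\d)\b", text)))


def mangle(word: str, years: List[str]) -> List[str]:
    """Apply case, leet and suffix/year rules to one base word."""
    bases = {
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    }
    tails = list(SUFFIXES) + years
    return [b + t for b, t in product(sorted(bases), tails)]


def build_wordlist(text: str) -> List[str]:
    """Ordered, de-duplicated candidate list for the given target text."""
    years = extract_years(text)
    out: List[str] = []
    seen = set()
    for term in extract_terms(text):
        for cand in mangle(term, years):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_TEXT)
    print(f"{len(words)} candidates from {len(extract_terms(SAMPLE_TEXT))} terms")
    print("\n".join(words[:20]))
```

The resulting list is tiny compared with a general dictionary, which is the point: run it (and its rule expansions in a cracker's own rule engine) before falling back to brute force.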

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Lavasoft has jumped into the anti-virus market. We'll have to keep an eye on this one.
    Ad-Aware gets an antivirus cousin | The Download Blog - Download.com
    Tags: ( free anti-virus )
  2. Some interesting situations that led to a need for data recovery. Hat tip to Xavier at /dev/random (blog.rootshell.be).
    Kroll Ontrack Top Ten Data Mishaps and Recoveries - Press Release
    Tags: ( amusing general )
  3. The workarounds section for the recent 0-day for IE has been updated. This blog post goes into some further detail about the workarounds.
    Security Vulnerability Research & Defense : Clarification on the various workarounds from the recent IE advisory
    Tags: ( exploit vulnerability microsoft ie workarounds )
  4. Part 2 of SynJunkie's fictional story about detection of and incident response to an insider attack.
    Syn: The Story of an Insider - Part 2. The Sys Admins Story
    Tags: ( insider )
  5. This is a nifty way to get the job done.
    Writing a web services fuzzer in 5 minutes to SQL injection | tssci security
    Tags: ( webappsec injection sql )
  6. Woot! Version 1.2 of Burp Suite has been released.
    PortSwigger.net - web application security: Burp Suite v1.2 released
    Tags: ( webappsec burp )
  7. Just go read it. You won't regret it.
    Rational Survivability: GigaOm's Alistair Croll on Cloud Security: The Sky Is Falling!...and So Is My Tolerance For Absurdity
    Tags: ( cloud )
  8. Rory is writing a series of posts on penetration testing. The first is up.
    Rory.Blog: What is Penetration Testing?
    Tags: ( pentest )
  9. Here is a very cool idea for a low/no cost way to implement DLP.
    /dev/random >> Blog Archive >> Simple DLP with Ngrep
    Tags: ( dlp ngrep )
  10. Looks like a nifty tool to add to the arsenal.
    Jeremy's Computer Security Blog: JPEG Fuzzer has ARRIVED
    Tags: ( fuzzer jpeg )
  11. Watch out folks, SkyNet is just around the corner.
    Schneier on Security: Killing Robot Being Tested by Lockheed Martin
    Tags: ( skynet )
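
Item 9 relies on regex matching of packet payloads with ngrep. A bare regex for "16 digits" will page on every order number, so as an added example (my code, not the recipe from the /dev/random post) here is the same idea applied in Python to already-captured payload lines, with the validation steps a regex alone cannot do: a Luhn check for card numbers and structural rules for SSNs. The captured lines are constructed for the demonstration; the function names are mine.

```python
"""Pattern-based DLP over captured payload text, with validation to cut false positives.

Added example, not the ngrep recipe from the linked post. ngrep matches a regex
against packet payloads on the wire; this hypothetical scanner applies the same
patterns to captured payload lines and then validates each hit (Luhn for card
numbers, area/group/serial rules for SSNs) before reporting a masked value.
"""
import re
from typing import List, Tuple

# Constructed sample payloads, roughly as an ngrep-style capture would print them.
CAPTURED = [
    "POST /checkout HTTP/1.1  card=4111111111111111&exp=12/11",
    "POST /checkout HTTP/1.1  card=4111 1111 1111 1112",          # fails Luhn
    "GET /track?order=1234567812345678 HTTP/1.1",                 # 16 digits, not a card
    "To: hr@example.test  ssn=078-05-1120 on the new-hire form",
    "Ticket 000-12-3456 and ref 666-45-6789 are not SSNs",        # invalid area numbers
]

# 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four digits so the alert itself is not a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cards(text: str) -> List[str]:
    """Candidate card numbers in text that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(m.group(0))
    return hits


def find_ssns(text: str) -> List[str]:
    """SSN-shaped values in text that pass the structural rules."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(m.group(1), m.group(2), m.group(3))]


def scan_payloads(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan captured payload lines; return (line_no, kind, masked value) per hit."""
    report: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines):
        for card in find_cards(line):
            report.append((n, "card", mask(card)))
        for ssn in find_ssns(line):
            report.append((n, "ssn", mask(ssn)))
    return report


if __name__ == "__main__":
    for n, kind, masked in scan_payloads(CAPTURED):
        print(f"line {n}: {kind} {masked}")
```

Two caveats carry over to the ngrep approach itself: it only sees cleartext, so anything leaving over TLS is invisible to it, and even with the Luhn filter a live monitor needs a sensible threshold or allow-list for known systems that legitimately handle card data.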

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. I mentioned this white paper when I did my RSA Europe recap back in October. It is worth a read. (The link goes directly to the PDF.)
    Web 2.0 Security and Privacy
    Tags: ( privacy enisa )
  2. Here are some things you can do to protect yourself against the 0-day exploit that works against IE7.
    Microsoft talks up countermeasures to fend off new IE attacks
    Tags: ( vulnerability microsoft ie7 )
  3. Adding to the growing pile of recent 0-day exploits for Microsoft products, there appears to be one for SQL Server.
    Security pros groan as zero-day hits Microsoft's SQL Server * The Register
    Tags: ( exploit vulnerability 0day sqlserver microsoft )
  4. Some good general guidance for how to react in the event you have a data breach. I would offer that it is good advice for everybody involved and not just the CIO.
    How a CIO should deal with aftermath of a data breach
    Tags: ( data breach )
  5. Looks like Cisco is in for a legal fight.
    Cisco sued by Free Software Foundation for copyright infringement - Network World
    Tags: ( general )
  6. Innismir weighs in on the recent meme that penetration testing is dead. He, like most of us involved in the discussion, doesn't think it's dead either.
    innismir.net -- Pentration Testing - Not Quite Dead Yet
    Tags: ( pentest )
  7. Rich brings up some good points. Worth reading and thinking about.
    How The Cloud Destroys Everything I Love (About Web App Security) | securosis.com
    Tags: ( cloud webappsec )
  8. WhiteHat Security's quarterly report on website security statistics is available for download. This is the sixth one they have put out. Good stuff in there.
    Jeremiah Grossman: Sixth Quarterly Website Security Statistics Report
    Tags: ( general reports )
  9. Jeremiah offers some really good guidance for justifying your budget for web application security spending.
    Jeremiah Grossman: Budgeting for Web Application Security
    Tags: ( webappsec )
  10. Here's a framework for SAP pen testing.
    sapyto v0.98 Released - SAP Penetration Testing Framework Tool | Darknet - The Darkside
    Tags: ( pentest sap )
  11. You can't make this stuff up. Remember folks, you have to make sure that all data is removed from devices before you get rid of them.
    Liquidmatrix Security Digest >> McCain Campaign Sells Off... Data?
    Tags: ( data leakage )

That's it for today. Have fun!

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. If any of these apply to your organization you have some work to do.
    http://www.networkworld.com/news/2008/121008-the-seven-deadly-sins-of.html
    Tags: ( program )
  2. Looks like there is another 0-day out.
    Microsoft looking into WordPad zero-day flaw | Security - CNET News
    Tags: ( vulnerability microsoft wordpad )
  3. Shrdlu offers some good suggestions on preparing for next year.
    Layer 8: Out with the old, in with the new.
    Tags: ( general )
  4. Nifty. Five security related distributions in one.
    Ask and you shall receive - SumoLinux - Room362.com
    Tags: ( tools linux distro )
  5. Rich puts to paper (work with me) the same thoughts I had when I read about the direction China is thinking of taking in regards to technical information of products entering China.
    A Good (Potential) Risk Management IQ Test For Management | securosis.com
    Tags: ( general )
  6. Google gives us a nifty resource.
    Google's Browser Security Handbook | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills
    Tags: ( security browser google books )
  7. Part 5 of this great series is now available. If you haven't read the previous parts, they are linked in the first paragraph.
    Building a Web Application Security Program, Part 5: Secure Development | securosis.com
    Tags: ( webappsec program )

That's it for today. Have fun!

Kevin

Hi folks. Lots of stuff today so let's just get to it.

From the Blogosphere.

Alan over at Security Thoughts answers Dre's post about the CISSP being on its way out. I tend to agree with Alan more than Dre, but understand Dre's point also. How's that for being wishy-washy? Go read both.

Jeremiah asks 5 questions about webappsec in order to generate some conversation. Good reading in there.

By way of Zero Day, Sourcefire has released a free tool, OfficeCat, that scans Microsoft Office files for possible exploits. Very nifty.

Rebecca has an article up that gives us Six Ways Organizations Can Lessen Mobile Computing Risks. Good collection of things to think about.

Matasano has some comments available about several vulnerabilities in Ruby. Everybody using Ruby has some patching to do.

Anton is happy about the release of their CEE (Common Event Expression) white paper.

Jeremiah is really on a roll with asking interesting questions that spark some great interaction. The question this time, "Day 1: Starting at the beginning": you're a new hire in charge of security, what are your first steps? BTW - Congratulate him on achieving his purple belt in Brazilian Jiu Jitsu while you are there.

From the Newsosphere.

Via Dark Reading, a researcher is going to be demonstrating a remote permanent denial-of-service (PDOS) attack at EUSecWest this week. Should be interesting.

Also from Dark Reading, Fortinet has been awarded four new patents for network virtualization and security related inventions.

Information Week has a Reuters article up that informs us that the bill shielding U.S. telephone companies from lawsuits has passed the House.

Well that's it. Have a great day.

Kevin
