xss

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The title says it all. SAINT 7 has been released.
    SAINT 7 released
    Tags: ( saint scanner tools )
  2. Anue Systems interviews Jack Daniel.
    Security Pros on Twitter (SPoT): Jack Daniel/@Jack_Daniel - The Network View
    Tags: ( infosec interview )
  3. Lenny Zeltser, who teaches a popular malware analysis course for SANS, has made one of his slide decks available online. The cool part: the speaker notes are included. Note: You can also watch the recorded webcast.
    Introduction to Malware Analysis - Free Webcast by Lenny Zeltser
    Tags: ( malware analysis )
  4. The T2'09 challenge is up.
    T2'09 Challenge - F-Secure Weblog : News from the Lab
    Tags: ( challenge )
  5. This is the second half of a post pointed to recently. Interesting stuff.
    >> The Internet After Dark (Part 2) * Security to the Core | Arbor Networks Security
    Tags: ( general )
  6. So, um, all those wonderful security cameras...basically worth bupkiss in stopping or solving crime. There goes that argument for why Big Brother is your friend.
    Schneier on Security: On London's Surveillance Cameras
    Tags: ( surveillance privacy cameras )
  7. An interesting exploration of free security products.
    Plausible Deniability >> Freegan-ism: how free product might upset the anti malware space
    Tags: ( anti-virus anti-malware opinion )
  8. If you are running an FTP server on top of IIS 5 or 6 on Windows 2000, you will want to check this out and put in some extra logging if you can't turn that puppy off.
    IIS5&6 FTP Stack Overflow Zeroday : Liquidmatrix Security Digest
    Tags: ( iis ftp win2k )
  9. The author has a very good point. Worth a read.
    stop the alert(); - The HP Security Laboratory Blog | HP Web Application Security -
    Tags: ( xss )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is a great list of state and country links to privacy information. Via @PrivacyProf
    Links to Privacy Laws
    Tags: ( privacy regulation )
  2. Rsnake has updated his XSS cheat sheet.
    XSS (Cross Site Scripting) Cheat Sheet
    Tags: ( cheatsheet xss )
  3. Per ISC, PacketLife is updating their cheat sheets. Must have stuff.
    Cheat Sheets - PacketLife.net
    Tags: ( cheatsheet )
  4. Want to play around with CSRF? Here is a tool that lets you do so. Don't forget, only use it in your lab or on sites you have permission to test.
    Neohaxor.org >> Blog Archive >> MonkeyFist Fu: The Intro
    Tags: ( tools csrf )
  5. Here is the answer to the hard version of the recent I Smell Packets challenge.
    Solution to The Crypto Kitchen Packet Challenge (Hard Version) << I Smell Packets
    Tags: ( challenge answer )
  6. An interesting exploration of a possible way to detect encrypted sessions.
    Detecting encrypted traffic with frequency analysis << wirewatcher
    Tags: ( encryption detection )
  7. Bill Brenner had the opportunity to interview Robert Carr, the CEO of Heartland Payment Systems Inc., regarding the massive breach that occurred. Mr. Carr's responses have generated quite a bit of conversation. What I find most disturbing about Mr. Carr's responses is that someone in his position would take this approach to dealing with the situation. Seems like a lot of finger pointing and 'it wasn't me' language for an issue which is ultimately his responsibility. Please read the next few links after you read the interview to see what others, who are much more eloquent than I, have to say.
    Heartland CEO on Data Breach: QSAs Let Us Down - CSO Online - Security and Risk
    Tags: ( heartland )
  8. Rich's response to the Heartland CEO's comments.
    Securosis Blog | An Open Letter to Robert Carr, CEO of Heartland Payment Systems
    Tags: ( heartland )
  9. Alan's take on the Heartland issue.
    StillSecure, After All These Years: Heartland CEO thought QSAs would make him compliant and secure
    Tags: ( heartland )
  10. Mike's take on the Heartland issue.
    One Man's View: Heartland CEO Must Accept Responsibility - CSO Online - Security and Risk
    Tags: ( heartland )
  11. Andy's take on the Heartland issue.
    Will the real leader please step forward >> Andy ITGuy
    Tags: ( heartland )
  12. Jeff tells it like it is! Actually, he does, but read the whole article to know what I mean.
    The Auditor's Prerogative : The Security Catalyst
    Tags: ( audit )
  13. David may call it an incomplete thought, but I don't.
    Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We're Doing It Wrong << The New School of Information Security
    Tags: ( grc )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. You probably already are aware of this. Monster.com has indicated that they have suffered a breach. The evildoers have pretty much everything you ever put into Monster that you would consider sensitive.
    Monster.com suffers database breach deja vu * The Register
    Tags: ( breach monster )
  2. Andrew has a nifty little script you can use to remotely check the time on your windows boxen.
    Andrew Hay >> Blog Archive >> Quick Script to Remotely Check Windows System Time
    Tags: ( tools windows scripts time )
  3. Sensepost has a challenge up regarding reverse engineering an FTP server. Give it a go.
    QoW: Software Reversing and Exploitation
    Tags: ( challenge exploit software reversing )
  4. Alex calls PCI security through obscurity.
    The Source of PCI DSS "Failure" | RiskAnalys.is
    Tags: ( pci )
  5. Chris disagrees with Alex's notion that PCI is security through obscurity.
    PCI-DSS Is Not About "Security by Obscurity" << Risktical Ramblings
    Tags: ( pci )
  6. A nice set of links to good articles on cloud computing. Includes some security related info too.
    Hat Tip: http://rationalsecurity.typepad.com/blog/2009/01/cloud-security-link-love-monk-style.html
    System Advancements at the Monastery >> Blog Archive >> Recent Cloud Postings
    Tags: ( cloud )
  7. Part 2 of Erik's series on Secure Your Linux Host is available.
    Art of Information Security >> Secure Your Linux Host - Part 2: Secure SSH
    Tags: ( linux securing )
  8. Nice walk through of an XSS attack.
    Hat tip: @lbhuston
    Anatomy of an XSS Attack
    Tags: ( xss )
  9. A nice exploration of Skype and its use in your environment.
    Skype, is it right for you?
    Tags: ( skype )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is interesting. I would say some of the guidance appears a bit more tactical than I would expect for a CSO, but still worth a gander.
    ASIS releases standards detailing CSO role @ The Latest for Security Executives SecurityInfoWatch.com
    Tags: ( cso )
  2. This is a good article to put in front of anybody that thinks that cross-site scripting vulnerabilities are minor and don't really need to be worried about.
    SecuriTeam Blogs >> Cross Site Scripting can cause your stock to tank
    Tags: ( xss )
  3. A very nice article about the recent patching of a flaw in the SimpleDB API.
    What's New in the Amazon Cloud?: Security Vulnerability in Amazon EC2 and SimpleDB Fixed (7.5 Months After Notification) | Cloud Security
    Tags: ( vulnerability patches amazon simpledb )
  4. Martin has a post asking us what we are doing to keep our skills current. Several, including me, have offered some input. There is some good stuff there. Go check it out and add your own ideas.
    Network Security Blog >> Investing in my career
    Tags: ( career education )
  5. Nifty tip on how to mount a filesystem using the alternate superblock when it won't mount normally. Of course, this is from a forensic perspective, but useful from a general perspective also.
    Mounting Images Using Alternate Superblocks << SANS Computer Forensics, Investigation, and Response
    Tags: ( forensics mount superblock )
  6. The bad guys are not in this for fun and games. There is value in the data they are taking from you.
    Hundreds of Stolen Data Dumps Found - Security Fix
    Tags: ( data breach )
  7. Looks like there might be some clarification coming regarding PCI and virtualization in 2009. Keep your eyes open.
    http://www.networkworld.com/news/2008/121808-crystal-ball-pci.html
    Tags: ( pci virtualization )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Time to patch Apple owners.
    21 OS X Vulnerabilities Patched By Apple - Security Watch
    Tags: ( patches apple vulnerabilities )
  2. Even Google can get taken in by ad-based malware.
    Google sponsored links caught punting malware * The Register
    Tags: ( malware google ads )
  3. Be careful on Facebook. Well, you should always be careful on Facebook, but there are a few specific reasons you should be until they get them fixed.
    Four XSS flaws hit Facebook | Zero Day | ZDNet.com
    Tags: ( exploit vulnerability xss facebook )
  4. Andy points to an article by Rebecca Herold about the importance of vetting your 3rd party service providers' information security stance. He then offers his opinion, which agrees with Becky's and mine for that matter.
    3rd Party Security
    Tags: ( security vendor review )
  5. Look out folks. It appears that India is being targeted by Chinese hackers. With significant outsourcing going to India, we need to be very aware of this situation.
    The Dark Visitor >> Chinese hackers stealing Indian InfoTech data
    Tags: ( breach india )
  6. The invitations for the RSA Security Blogger's Meet-up. Better get your RSVP in soon. Only 200 will get to attend.
    Network Security Blog >> Look for your invite
    Tags: ( rsa meetup )
  7. This is just nifty.
    ITSec Non-Hypocritical Oath
    Tags: ( creed )

That's it for today. Have fun!


Kevin


Hello all. Sorry I didn't get yesterday's post out. Today's includes yesterday's stuff and today's so it is a bit long.

From the Blogosphere.

DVLabs put a post up yesterday that is the first in a weekly feature that Cody is starting regarding reverse engineering tips and tricks. The first post takes a look at the Rhapsody Media Player. Interesting stuff.

Rafal gives us a real-world example of XSS. Worth a look.

Frank Cassano has part 2 of his Assessing your Organization's Network Perimeter available. Part 1 is here. Good stuff.

Rich points out that in the world of SQL injection, it is very important that collaboration occur with our database admins and architects to ensure we are restricting rights appropriately.

Lori points out that dynamic resource obfuscation can help us make the target much harder to find, let alone hit for the evil haxors out there. She is not promoting security through obscurity, but suggesting that we can actively make it very difficult for an attacker to figure out what to attack.

Donald Donzal, the editor in chief at the Ethical Hacker Network has posted a recording and slides of the presentation he gave at the Sans What Works in Pen Testing Summit titled "Remodeling your career for little to no money down". I've got my copies downloaded and will be listening soon.

Via Xavier at /dev/random, Michael Boelen, the creator of RootKit Hunter, has released a new tool that should be welcomed by all UNIX folks, Lynis: Security and System Auditing Tool. Go take a look.

Adam Dodge has a post up over at Security Catalyst that reminds us to keep in mind the samples used when reading a report. This applies to every report you might read that has statistical data in it, but he is specifically talking about the number of reports that have come out recently regarding breach statistics.

0x000000 has updated the mod_rewrite signatures used as a poor man's web application firewall to add some banner obfuscation stuff. If you haven't seen the full set, poke around on the site. It is good stuff.

Finally, the folks at Watchfire have an article up talking about cross environment hopping. This is where an XSS vulnerability is exploited to hop to another service hosted on the target client machine. Not cool. Go read it...twice 🙂

I will be posting the interesting bits from news sources a little later today.

Kevin


Good afternoon everyone or at least those who share my timezone. We have a good bunch of interesting things to look at that were posted over the weekend. So here we go!

Mike Rothman posted some thoughts on the rapidly evolving Managed Security Services space. He likens it to the process banking went through. It's an interesting read.

Jennifer Jabbusch shares a really good analogy with us regarding Logging, Correlation and IT Search. Very helpful for those times when you are trying to get across an inherently technical topic to a group of non-technical people.

Via Xavier at /dev/random a free and nifty looking tool.

HijackThis™ is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.

Security4all points us towards a video that gives us an introduction to XSS using WebGoat. The video is hosted at securitydistro.com.

By way of John M Willis, a pointer to an article on Network World, 20 great Windows open source projects you should get to know.

Richard Bejtlich shares his experience attending an Edward Tufte class on Presenting Data and Information. I have not read Edward's stuff, but it is on my list to check out.

Jeff Lowder has an article up on BlogInfoSec.com about Agility and Risk Compensation. He has some interesting points about perceived risk and the actions that people take in light of their understanding of risk as it pertains to agility in business. He also points to a good article on wikipedia about Risk Compensation Theory. Both are worth a gander.

Well that's it for now.

Have a good day.

Kevin
