Thursday, December 10, 2009

Regex dos = redos

OWASP podcast #56 with Jim Manico interviewing Adar Weidman.
Good coverage of an interesting aspect of regex parsing (catastrophic backtracking) that can lead to DoS at the server and in the browser.
http://www.owasp.org/index.php/Podcast_56

David Kadow
--

Monday, September 21, 2009

Data Forensics and New State Laws

According to an interview by Networkperformancedaily, with Matt Miller of the Institute for Justice, "Last year ( 2007 ), the state of Texas passed a law that basically said that to perform a lot of types of data analysis; you have to have a private investigator's license. And, if you perform that analysis without a license, or if you are a customer and you seek to have that analysis performed by somebody without a license, it is punishable by up to one year in jail and up to $14,000 in fines."

So this is not a new case, but it's important, and it's not over, and you should follow this and similar cases in other states, as it could severely limit your ability to do parts of your job.

As IT professionals, security and related operations have always been part of the job of designing and administering systems, maintaining uptime, and investigating problems.

The summary statements of the laws we discuss here sound sensationalist, and indeed, the devil is in the details. However, I'm not going to dissect the related laws from every state. I will review the important aspects, and try to avoid exaggeration. I will also provide the Private Investigator's point of view, through interviews.

For now, some good resources are:
http://legal-beagle.typepad.com/wrights_legal_beagle/computer-forensics-license/
http://hack-igations.blogspot.com/2008/12/digital-forensics-private-eye-pi.html
http://www.networkperformancedaily.com/2008/07/interview_with_matt_miller_w_i.html

Thursday, September 17, 2009

New SANS and WebSense reports point to where we should focus our defense.

The NY Times picked this up with the headline "Security Pros Are Focused on the Wrong Threats" ( by Riva Richmond ).

Not really alarmist, considering the facts.

SANS:

Summary:
Point 1. PATCH!!!!!! What are you waiting for ?!?!?!?
because
Point 2. 60% of attacks are against legit websites, many of which are open to being SQL-injected. This means unpatched users hitting those sites can easily be exploited while doing legitimate browsing. Point 2 was really FIX YOUR WEBSITES!, but the dual message is: because so many sites are broken, patch your clients!

Websense:

Highlights:
• Websense Security Labs identified a 233 percent growth in the number of malicious Web sites in the last six months and a 671 percent growth during the last year.
• 77 percent of Web sites with malicious code are legitimate sites that have been compromised. This remains unchanged from the last six-month period.
• 87.7 percent of email messages were spam. This represents a three percent increase over the last six months.
• 37 percent of malicious Web/HTTP attacks included data-stealing code. This remains unchanged from the last six-month period.
• 57 percent of data-stealing attacks are conducted over the Web. This number has stayed consistent over the six-month period.

Thursday, September 10, 2009

Online Security Conference - 6-8 Nov 2009

For those of us whose companies still have limited to no funding for travel and training "investment", this may be a welcome development.

http://securitytubecon.org/cfp.html

Quality will be interesting, with one parameter being "no rejection" of papers and talks.

Friday, August 21, 2009

Cisco Team Infiltrates Botnet.

A great quote from the story is "Typically, administrators patch vulnerable machines or deploy some sort of intrusion prevention system (IPS) to protect against exploits. Both approaches are effective the majority of the time, but neither approach protects systems against the uneducated user." It's such a polite way of saying something I've heard several times a week since becoming responsible for infosec: "you can't secure 'stupid'".
In this story, that goes both ways. Read on.

http://www.cisco.com/web/about/security/intelligence/bots.html

Friday, August 14, 2009

Blackhat Papers

In case you didn't go or didn't know....
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html

Friday, August 7, 2009

Personal Safety. Personal Responsibility.

Look, it's BAD out there. Trust me. ( OR start reading any of the material linked here on a regular basis ) Being aware of how to compute securely is no less important than knowing how to drive a car. For that you need to be a certain age and pass a couple exams. It's too bad we can't enforce this for computing yet. But to be truly safe you really need to internalize and live the information you learned in driver's ed. Plus practice quite a bit ( every day for the rest of your life, eh ? ). Otherwise you can get really hurt, and your actions can hurt others.

Computing is very much the same. If you're not operating with certain basic awareness and protections, you will definitely get pwned, and in getting pwned, your system will be used by "the dark side" as part of a botnet to conduct attacks on others. Millions of home systems are "serving two masters" every day.

Do the right things and you can lower your risk.
At Home
1. Sign up for OpenDNS, and configure your home router ( you DO use a router, don't you ?!?!?!? [ Linksys, Netgear, etc...] ) with the OpenDNS DNS servers in place of your ISP's DNS servers.
2. Configure your router and its clients with AT LEAST WPA2 security.

On the road, or at the coffee shop

1. If you really must join someone else's wireless, first disable all sharing on your laptop and turn on the firewall.
2. DO run some comprehensive endpoint protection ( this is MORE than just anti-virus ). And yes, do this even on a Mac. ( Here's why )

In general, everywhere

1. Patch your systems !!!! Windows, MacOS, Ubuntu...they all need it ! Do it! Daily!
2. Whenever possible browse the web only with Firefox loaded with the essential add-ons NoScript and WOT ( Web of Trust )
This is key because 90% of the way you'll be pwned on the web will be through malicious javascript hidden in legit websites ( and definitely on illegitimate sites ! Shame on you ! )
3. Be careful with links, attachments in email, and all content. Where is it from? Who is it from? Do you really need to open it ?

Do you have other tips ? Add-'em ! C'mon!

Tuesday, July 21, 2009

The-DCNYC-Hacking-Meetup-Group 22-July meeting

The-DCNYC-Hacking-Meetup-Group-announce@meetup.com

( from Marco ) Hi All,

This Wednesday (tomorrow) we have a great meetup with 2 powerful presentations. The first is Scapy... If you use nmap, hping, tcpdump, wireshark, tracert, icmp or any of your favorite tools, chances are Scapy can replace it. Why learn so many tools and their flags when you can just use Scapy? We are also having R3L1k, the creator of Fast Track; he will give a small presentation and a demo. We also have a lot of giveaways: anyone who RSVPs receives a free domain name, and we will be raffling away a lot of goodies like last month.


myinfo sources

These are the sites I check out frequently. It's a ton, so I'm moving more to pulling all of these that have RSS into Google Reader. But the original sites are always a richer experience anyway, so I'm listing them here. Bill Blunden has a great listing at belowgotham, organized by subject. I'll get around to doing that here. For now though.....

Risk

http://www.NIST.org/news.php
http://www.riskinfo.com/

Security

http://blogs.vmware.com/security/ ( VMware )
http://carnal0wnage.attackresearch.com/ ( Chris Gates )
http://lists.immunitysec.com/pipermail/dailydave/ ( "Daily Dave" by Dave Aitel )
http://datalossdb.org/
http://episteme.ca/ ( Mike Murray )
http://feeds.feedburner.com/techtarget/Searchsecurity/SecurityWire
http://googleonlinesecurity.blogspot.com/
http://ha.ckers.org/blog/ ( Robert 'rsnake' Hanson blog )
http://isc.sans.org/
http://metasploit.com/home/
http://packetstormsecurity.org/ ( propecia tool is here )
http://searchsecurity.techtarget.com
http://secunia.com/advisories/historic/
http://skeptikal.org/index.php ( mckt blog )
http://t-rob.net/wmq/ ( T. Robert Wyatt's MQ Security blog )
http://taosecurity.blogspot.com/ ( Richard Bejtlich )
http://thedigitalstandard.blogspot.com/ ( Chris Pogue, co-author w/ Harlan Carvey )
http://vrt-sourcefire.blogspot.com/
http://windowsir.blogspot.com/ ( Windows Forensics )
http://www.2600.com/
http://www.attackresearch.com/ ( ValSmith )
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
http://www.darknet.org.uk/
http://www.doxpara.com/ ( kaminsky's site )
http://www.exoticliability.com/
http://www.grc.com/securitynow.htm
http://www.matasano.com/log/
http://www.microsoft.com/technet/security/default.mspx
http://www.pauldotcom.com/ ( Paul Asadoorian )
http://www.rationalsurvivability.com/blog/ ( Chris Hoff's rants on Security. Good focus on Cloud Security, Virtualisation Security )
http://www.schneier.com/blog/
http://www.securityfocus.com/vulnerabilities
http://securitymetrics.org/
http://appsecstreetfighter.com/ ( SANS )
http://www.us-cert.gov/cas/alerts/
http://www.us-cert.gov/cas/techalerts/index.html
http://www.vmware.com/resources/techresources/cat/91,98 ( VMware Security White papers )
http://www.WindowSecurity.com/
http://news.zdnet.com/ ...Especially the ZeroDay Blog

Security Metrics

http://www.securitymetrics.org/content/Wiki.jsp ( SecurityMetrics.org)
https://www.metricscenter.net/ ( MetricsCenter.net )
https://www.metricscenter.net/index.php/mc-catalog.html ( Public Catalogue )
http://www.sans.org/.../a_guide_to_security_metrics_55 ( SANS Metrics paper )


Notable stories from favorite RSS feeds.