Interesting Information Security Bits for June 26th, 2008

June 26, 2008

Here we go.

From the Blogosphere.

F-Secure has released their Security Threat Summary for the First Half of 2008.

(IN)SECURE Magazine issue 17 is available. Good stuff as always.

Continuing their week-long War on WAFs (Web Application Firewalls), ts/sci security talks about language specificity in WAFs.

Well, looky there, there’s a new zero-day flaw in Internet Explorer. Who’d a thunk it? Caveat: it is for version 6.

From the Newsosphere.

Nothing today.

Have a good one folks.

Kevin



Firefox, SQLite and DOM, oh my…

June 25, 2008

I want to preface the following with:

  1. I am probably late to the party and everybody already knows all about this, and
  2. There probably isn’t any issue here. It just got me thinking.

I was reading the “Firefox’s Super Cookies” post on the CERIAS Blog and it made me go hmmm. You should go read Pascal’s post first because it is an interesting bit o’ info, but here are the bits that are germane to my thoughts.

First:

DOM storage allows web sites to store all kinds of information in a persistent manner on your computer, much like cookies but with a greater capacity and efficiency.

Then:

To find out what information web sites store on your computer using DOM storage (if any)

and:

You should find a file named “webappsstore.sqlite”. To view the contents in human readable form, install sqlite3

So, this makes me think there is a SQL interface somewhere in Firefox. In light of all the SQL injection issues recently, I just have to wonder what kind of fun might exist here. Worth keeping in mind: the SQLite file is the browser’s local on-disk format for DOM storage, and page script only gets the key/value storage API, not SQL, so the real question is whether the browser itself builds its queries with bound parameters or by gluing strings together.
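As an added example (not from this post or from Pascal’s CERIAS post, and not Firefox’s own code), here is a small Python script that builds a constructed SQLite file with a webappsstore-like schema, lists what each origin has stored (the scripted equivalent of opening webappsstore.sqlite with the sqlite3 CLI), and then compares a lookup built by string concatenation with one that binds parameters. The column names, the file path and the sample rows are assumptions made for the example; the real webappsstore.sqlite layout is not reproduced here.

```python
import os
import sqlite3
import tempfile

# Constructed schema, only loosely modelled on Firefox's DOM storage file.
# The real webappsstore.sqlite layout is NOT reproduced; these column
# names are an assumption for the example.
SCHEMA = """
CREATE TABLE webappsstore (
    scope  TEXT NOT NULL,   -- origin the data belongs to
    key    TEXT NOT NULL,   -- DOM storage key
    value  TEXT NOT NULL,   -- DOM storage value
    PRIMARY KEY (scope, key)
);
"""

# Constructed sample rows: two origins, one of which has stashed a value
# full of SQL metacharacters (a site can store any string it likes).
SAMPLE_ROWS = [
    ("example.com", "prefs", "theme=dark"),
    ("example.com", "session", "abc123"),
    ("evil.example", "x", "'; DROP TABLE webappsstore; --"),
]

# Assumed location for the constructed store (not a real profile path).
STORE_PATH = os.path.join(tempfile.gettempdir(), "webappsstore-example.sqlite")


def create_sample_store(path):
    """Create the constructed store at `path` and load the sample rows."""
    if os.path.exists(path):
        os.remove(path)
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    # Inserts use bound parameters, so the hostile value is stored verbatim
    # and never parsed as SQL.
    conn.executemany("INSERT INTO webappsstore VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def list_entries(path):
    """Enumerate (scope, key, value) rows, as you would with the sqlite3 CLI."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT scope, key, value FROM webappsstore ORDER BY scope, key"
    ).fetchall()
    conn.close()
    return rows


def lookup_unsafe(path, scope, key):
    """Vulnerable lookup: the key is spliced into the SQL text.

    A key such as "' OR '1'='1" turns the WHERE clause into
    (scope = '...' AND key = '') OR '1'='1', leaking every origin's data.
    """
    conn = sqlite3.connect(path)
    sql = (
        "SELECT scope, key, value FROM webappsstore "
        "WHERE scope = '%s' AND key = '%s'" % (scope, key)
    )
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows


def lookup_safe(path, scope, key):
    """Hardened lookup: the key is bound, so metacharacters in it are inert."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT scope, key, value FROM webappsstore WHERE scope = ? AND key = ?",
        (scope, key),
    ).fetchall()
    conn.close()
    return rows


def table_exists(path):
    """True if the store table survived (the hostile value never executed)."""
    conn = sqlite3.connect(path)
    n = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'webappsstore'"
    ).fetchone()[0]
    conn.close()
    return n == 1


if __name__ == "__main__":
    create_sample_store(STORE_PATH)
    for scope, key, value in list_entries(STORE_PATH):
        print(scope, key, repr(value))
    hostile_key = "' OR '1'='1"
    print("unsafe lookup returned", len(lookup_unsafe(STORE_PATH, "example.com", hostile_key)), "rows")
    print("safe lookup returned", len(lookup_safe(STORE_PATH, "example.com", hostile_key)), "rows")
```

The unsafe lookup hands back all three rows for a key it should never match, including another origin’s data; the bound-parameter version returns nothing, and the stored “DROP TABLE” string stays just a string. That is the distinction that matters for any SQLite-backed store, not the presence of SQLite itself.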

Kevin

Photo by annarchy1


Interesting Information Security Bits for June 25th, 2008

June 25, 2008

Hi there. Here are today’s interesting bits.

From the Blogosphere.

F-Secure has posted a notice about two Mac OS X trojans.

Adobe is in the news again with a patch for yet another critical PDF Reader flaw. Heads-up provided by Zero Day.

Via TaoSecurity, a post by Pascal Meunier, Virtualization Is Successful Because Operating Systems are Weak, puts forth an interesting way to look at virtualization.

What it looks like is that we have sinking boats, so we’re putting them inside a bigger, more powerful boat, virtualization…

Chris Eng at Veracode has Part 1 of Minimizing the Attack Surface up. Good read.

Security4all points us at a way to get Nessus 3 installed on Backtrack 3. Very cool, but watch that new licensing.

From the Newsosphere.

Verisign has been picked by Microsoft as the OpenID provider for users of HealthVault.

The Marshall Islands, a small island nation in the Pacific, was effectively denied access to email by a denial of service attack.

Yahoo! Mail was vulnerable to an XSS attack which allowed access to confidential information. It’s fixed now.

Some HSBC websites are also susceptible to XSS attacks.

Surprise, Surprise, China networks host a large number of the websites pushing malware.

That’s it for today folks.

Have a good one.

Kevin



Interesting Information Security Bits for June 24th, 2008

June 24, 2008

Here are today’s bits.

From the Blogosphere.

Marcin has posted a really interesting treatise at the ts/sci security blog about Web Application Firewalls. Some really good stuff to think about.

The Princess of Antiquity continues her series on Cryptography (Non-Technical) with a post titled Earlier Forms of Cryptography. Very well written and easy to understand, with really good info.

Didier has given us another tool written in Python, apc-pr-log, which uses the AirPcap adapter to log all probe requests with an SSID for easy viewing. Should be fun to play with.

From the Newsosphere.

Whitehat Security has raised some VC cash. Congrats Jeremiah.

Sun has released version 8 of Identity Manager.

That’s it for today. Have a good one.

Kevin



Interesting Information Security Bits for June 23rd, 2008

June 23, 2008

Hi folks. Lots of stuff today so let’s just get to it.

From the Blogosphere.

Alan over at Security Thoughts answers Dre’s post about the CISSP being on its way out. I tend to agree with Alan more than Dre, but I understand Dre’s point also. How’s that for being wishy-washy? Go read both.

Jeremiah asks 5 questions about webappsec in order to generate some conversation. Good reading in there.

By way of Zero Day, Sourcefire has released a free tool, OfficeCat, that scans Microsoft Office files for possible exploits. Very nifty.

Rebecca has an article up that gives us Six Ways Organizations Can Lessen Mobile Computing Risks. Good collection of things to think about.

Matasano has some comments available about several vulnerabilities in Ruby. Everybody using Ruby has some patching to do.

Anton is happy about the release of their CEE (Common Event Expression) white paper.

Jeremiah is really on a roll with asking interesting questions that spark some great interaction. The question this time, “Day 1: Starting at the beginning”: you’re a new hire in charge of security, what are your first steps? BTW, congratulate him on achieving his purple belt in Brazilian Jiu Jitsu while you are there.

From the Newsosphere.

Via Dark Reading, a researcher is going to be demonstrating a remote permanent denial-of-service (PDOS) attack at EUSecWest this week. Should be interesting.

Also from Dark Reading, Fortinet has been awarded four new patents for network virtualization and security related inventions.

Information Week has a Reuters article up that informs us that the bill shielding U.S. telephone companies from lawsuits has passed the House.

Well that’s it. Have a great day.

Kevin


Interesting Information Security Bits for June 20th, 2008

June 20, 2008

And another Friday dawns. I hope yours goes well. Here we go with today’s bits.

From the Blogosphere.

Via Alan over at StillSecure, the Aberdeen Group is looking for some data on IT Security Patch and Vulnerability Management. To get it, they are asking us to participate in a survey. We get a shiny report gratis if we do. I probably will.

There is a post up over at tssci-security that looks at several topics mashed together: the value of the CISSP certification, specialist versus generalist when it comes to InfoSec, and a new project being put together by the OWASP group, the People Certification Project. Some interesting thoughts in both the post and the comments. BTW, he references Dan Geer’s Source Boston keynote speech. It is well worth reading several times, as I believe I have noted before.

Looks like there are some local root shenanigans that can be exercised on a Mac with version 10.4 or 10.5 of Mac OS X installed. Good old setuid fun, but does it really matter? Check out Zero Day’s post and come to your own conclusions.

The Princess of Antiquity is tackling a fairly daunting task in bringing us a series of articles about cryptography couched in terms the layman can understand. The first is up and is well written. Check it out.

Tom over at Spylogic gave a talk about Online Social Networks: 5 threats and 5 ways to use them safely. He has made his presentation available here.

JJ has some good guidance for us if we are considering the implementation of 802.1X. Very good stuff.

Via Security4All, Backtrack 3 Final has been released.

From the Newsosphere.

Via NetworkWorld, Mitchell Ashley reports that Red Hat has decided to develop their own virtualization platform based on KVM (Kernel-based Virtual Machine), which is built into the Linux kernel. Go read his article for the reasons behind this decision.

From Hack in the Box and ARN, a new report says that a skills shortage in IT positions, including security specialists, is causing salaries to rise. Good for those down under.

Have a great Friday and wonderful weekend.

Kevin



Interesting Information Security Bits for June 19th, 2008

June 19, 2008

Good day all. Got a pretty good bunch o bits to take a look at today. So, without further ado, here we go!

From the Blogosphere.

The Sunbelt blog warns us about scam job offers being emailed out under the CareerBuilder name. Be careful out there. They will get you any way they can.

Finjan came across over half a gigabyte of stolen US healthcare and airline data. Ouch.

Adam writes that Identity Theft is more than Fraud By Impersonation. He points out that in many cases the real pain of identity theft is not monetary, but dealing with the tarnishing of your good name as you try to clean things up. He has a good suggestion for helping with this issue. Go read about it.

Security4all points us to a couple of white papers worth a gander: The Extended HTML Form Attack Revisited by Sandro at EnableSecurity and Defeating the Network Security Infrastructure by Philippe at Radarhack.com. They are both on my reading list now.

Irongeek has released a little tool called DecaffeinatID:

“DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/ LAN are up to the kind of “reindeer games”

Looks pretty nifty.

Rich has another missive that deserves to be read more than once. He talks about Database connections and Trust. I am not going to attempt to summarize what he puts forth. Go read it.

You may have already heard about this, but an exploitable vulnerability has been found in Firefox 3.0. It was reported to TippingPoint and passed on to Mozilla. They are working on a fix.

Amrit and Hoff are both talking about whether virtualization security is a technical problem or an operational problem. Both are good reads. I won’t spoil it for you by giving away their conclusions.

F-Secure has released version 3.0 of their Rescue CD. Could come in handy.

From the Newsosphere.

Via cjonline.com, some Kansas state equipment that was to be sold to the public still contained confidential information. People, please make sure you have data retention, handling and destruction policies and procedures, and that they are adhered to.

From Dark Reading, ICSA Labs Forum has advanced a security standard for IPv6.

Pointed to by Hack in the Box and reported by Computer World UK, two laptops without encryption have been lost, this time by an NHS trust in the U.K.

Again via Hack in the Box and reported by Wired, it looks like Citibank had an intrusion that allowed a couple of men to grab at least $750,000 from ATMs in New York City. Oops.

That’s it for today. Have a good one.

Kevin



Interesting Information Security Bits for June 17th

June 17, 2008

Hello all. Sorry I didn’t get yesterday’s post out. Today’s includes yesterday’s stuff and today’s so it is a bit long.

From the Blogosphere.

DVLabs put a post up yesterday that is the first in a weekly feature that Cody is starting regarding reverse engineering tips and tricks. The first post takes a look at the Rhapsody Media Player. Interesting stuff.

Rafal gives us a real-world example of XSS. Worth a look.

Frank Cassano has part 2 of his Assessing Your Organization’s Network Perimeter available. Part 1 is here. Good stuff.

Rich points out that in the world of SQL injection, it is very important to collaborate with our database admins and architects to ensure we are restricting the application’s database rights appropriately.

Lori points out that dynamic resource obfuscation can make the target much harder to find, let alone hit, for the evil haxors out there. She is not promoting security through obscurity, but suggesting that we can actively make it very difficult for an attacker to figure out what to attack.

Donald Donzal, the editor in chief at the Ethical Hacker Network, has posted a recording and slides of the presentation he gave at the SANS What Works in Pen Testing Summit, titled “Remodeling your career for little to no money down”. I’ve got my copies downloaded and will be listening soon.

Via Xavier at /dev/random, Michael Boelen, the creator of Rootkit Hunter, has released a new tool that should be welcomed by all UNIX folks, Lynis: Security and System Auditing Tool. Go take a look.

Adam Dodge has a post up over at Security Catalyst that reminds us to keep in mind the samples used when reading a report. This applies to every report you might read that has statistical data in it, but he is specifically talking about the number of reports that have come out recently regarding breach statistics.

0x000000 has updated the mod_rewrite signatures used as a poor man’s web application firewall to add some banner obfuscation. If you haven’t seen the full set, poke around on the site. It is good stuff.

Finally, the folks at Watchfire have an article up talking about cross-environment hopping. This is where an XSS vulnerability is exploited to hop to another service hosted on the target client machine. Not cool. Go read it…twice :)

I will be posting the interesting bits from news sources a little later today.

Kevin



Interesting Information Security Bits for June 13th, 2008

June 13, 2008

Good morning all. Here are today’s bits.

From the Blogosphere.

Via Alex Eckelberry, Brian Krebs has a note up about a nasty trojan that can change the DNS settings on your home router. Make sure you change those default passwords.

Adam shares with us that the Department of Justice has released a new report, “Data Breaches: What the Underground World of ‘Carding’ Reveals.”

Jeff Jones brings to our attention a new installation option available in Windows Server 2008, Server Core. Based on his first analysis, this type of install significantly reduces the vulnerability footprint of Windows Server, since far less code is present to patch or attack. He will be providing further guidance. Very interesting stuff.

Shrdlu gives us Information Security in 60 Seconds. Succinct and to the point.

The Guerilla CISO has some observations on security services as commodities and the implications for how those services are provided. Something to think about.

Paterva has released a community version of Maltego v2. I found out via CarnalOwnage.

From the Newsosphere.

From Networkworld and The Times of India, looks like there has been a case of an Indian outsourcer stealing client data and selling it to competitors. It was only a matter of time before it happened.

From The Register, looks like the XSS monster has raised its ugly head at McAfee, Symantec and VeriSign. Original article at XSSed.

Informationweek informs us that a network engineer in San Diego has been sentenced to more than five years in prison. Another reminder about the insider attack.

CIO brings us a discussion about whether virtualization can improve security.

Via Dark Reading, PGP has added pre-boot authentication to their full-disk encryption solution.

The Register tells us that there is a security flaw in a popular piece of software used to manage SCADA systems. Not good.

That’s it for today. Have a great Friday.

Kevin



Interesting Information Security Bits for June 12th, 2008

June 12, 2008

Howdy folks.

We are going to try something a little new today.

As you have all probably realized, these posts have all been built from blogger sources to date. I am going to start expanding them to include things I see in the news and from other sources that have infosec applications. As we go forward, I am interested in knowing if you would prefer to have two separate posts or if you like the combined format.

As always, leave a comment with your opinion or email me kriggins _at_ infosecramblings.com. On with the show.

From the Blogosphere.

Jennifer Leggio has a post up on her new blog Feeds at ZDNet (congrats Jennifer) about privacy concerns with Company Groups on LinkedIn. She points out some very real privacy and data leakage concerns for this type of automated grouping.

Richard Bejtlich has a good summary of the Verizon Business 2008 Data Breach Investigations Report which you should go ahead and read.

From the newsosphere.

Via Dark Reading, RSA is introducing a flexible, card-shaped authenticator.

Via SearchSecurity, The PCI council is launching an assessor quality assurance program. Kinda have to wonder why it has taken this long for something like this to happen.

The Register brings us an interesting article about fraudsters gaming the address verification system in use in the UK for charges.

From Comcast.net, congressmen are saying that China is hacking their computers. Of course China is denying it.

Have a great day and remember, let me know which format you prefer, combined or separate.

Kevin


