And we’re off.

From the Blogosphere

Via F-Secure’s blog, a discussion of what needs to happen to exploit the Microsoft Access Viewer vulnerability under a couple of different scenario’s. Worth a look.

Gunnar Peterson has an pointed view of outside vs. inside as it applies to our enterprise networks. I won’t spoil it for you since it is a good read.

Jeramiah has survey up for Web Application Security Professionals. He will be releasing the results in the near future. I took it and so should you if you have anything to do with WebApp security. Good questions.

Via Wesley McGrew, Princeton released their tools for dumping and retrieving keys from memory after a cold boot. There was a bit of twittering going on about these tools during The Last Hope conference. Intersting stuff.

Via DevCentral, a new Google tech talk is up. This time covering SQL injection, XSRF, and XSSI. Good stuff.

LearnSecurityOnline has released Crackme 0×04 for us to solve.

TaoSecurity has a perspective on the recent DNS vulnerability that is worth reading.

The tisecurityguy brings to our attention an open source tool for tracking your laptop should it be stolen. As he says, “best of all, it’s open source, which means free.”

From the Newsosphere

DarkReading: The U.K.’s Ministry of Defence lost some USB sticks….with secret information on them.

DarkReading: Damballa Inc. is to release and new tool for malware analysis at Black Hat 2008 in Las Vegas. Free to enterprises and vendors.

Information Week: RIM has fixed the BlackBerry Enterprise Server pdf vulnerability.

That’s all folks. Have a great day.

Kevin

Technorati Tags: vulnerablity, perimeter, web appsec, memory, keys, google tech talk, crackme, laptop

Here ya go.

From the Blogoshpere

0×000000 has the first of a series of pieces that cover Mozilla malware, how to write it and how to detect it, posted. Interesting stuff.

CG has a post up about a tool called Metagoofil and how it can be used to develop an email list. Very interesting stuff. I haven’t played with it yet, but will be soon.

Tenable has setup a way for charities and classrooms that provide information security training to get a full professional feed for free. Way to go Tenable.

Have a good one.

Kevin

Technorati Tags: malware, mozilla, pentest, nessus

Hello all. I apologize for the lack of posts over the last couple of weeks. Life and death have taken up all my time. Things should be back to normal now. So without further ado, here’s are some things to take a look at today.

From the Blogosphere

Wesley over at McGrewSecurity has collected a bunch of links and embedded a bunch of videos of Dan Kaminsky talks. Very cool.

Craig at SecurityWannabe gives us a link to a video of Lee Kushner and Mike Murry’s talk about a career in Information Security. I attended their session at Defcon 15 and the informal Q&A after. Really good stuff. Go watch the video or even better attend their session at this year’s Defcon.

Rich Mogull writes on Securosis that he will be giving a webcast entitled Using Data Leakage Prevention and Database Activity Monitoring for Data Protection on July 29th. Register here. I’ll be watching. You should too.

Via security4all, VMWare has released an updated paper on hardening ESX 3.5 and VirtualCenter 2.5. It can be found here.

From the Newsosphere

Via Dark Reading, Half of Financial Firms Don’t Investigate. That’s not good.

Via Tech Republic, When your network admin hijacks your system. Talks about the San Fransisco situation you have already heard about.

Via Search Security, Blackberry server faced with critical zero-day. There is a flaw in the PDF handling function of the BlackBerrty Attachement Service. Bad stuff.

Via Dark Reading, MessageLabs Reveals Most Spammed States. Illinois apparently has the largest bulls eye painted on its forehead.

Via Information Week, Gmail Privacy Hole Shows User Names. Be careful with Google calendar.

That’s it for today’s bits. Have a great day.

Kevin

A quick note about something that @cji tweeted about.

Fortify has a taxonomy of coding errors that affect security. The really cool thing is the examples in many different languages.

Its right here, go check it out.

Here we go.

From the Blogosphere.

F-Secure has released their Security Threat Summary for the First Half of 2008.

(IN)SECURE Magazine issue 17 is available. Good stuff as always.

Continuing their week of War on WAF’s (Web Application Firewall), ts/sci security talks about language specificity in WAFs.

Well, looky there, there’s as a new Zero-day flaw in Internet Explorer. Who’d a thunk it? Caveat: It is for version 6.

From the Newsosphere.

Nothing today.

Have a good one folks.

Kevin

Technorati Tags: insecure, waf, ie

I want to preface the following with

1. I am probably late to the party and everybody already know all about this and
2. There probably isn’t any issue here.  Just got me to thinking.

I was reading the Firefox’s Super Cookies post on the CERIAS Blog and it made me go hmmm. You should go read Pascal’s post first because it is an interesting bit o’ info, but here are the bits that are germane to my thoughts.

First:

DOM storage allows web sites to store all kinds of information in a persistent manner on your computer, much like cookies but with a greater capacity and efficiency.

Then:

To find out what information web sites store on your computer using DOM storage (if any)

and:

You should find a file named “webappsstore.sqlite”. To view the contents in human readable form, install sqlite3

So, this makes me think there is a sql interface somewhere in Firefox.  In light of all the SQL injections issues recently, I just have to wonder what kind of fun might exist here.

Kevin

Photo by annarchy1

Hi there. Here are today’s interesting bits.

From the Blogosphere.

F-secure has posted a notice about two Mac OSX trojans.

Adobe is in the news again with a patch for yet another critical PDF Reader flaw. Head-up provide by Zero Day.

Via TaoSecurity, a post by Pascal Meunier, Virtualization Is Successful Because Operating Systems are Weak, puts forth an interesting way to look at virtualization.

What it looks like is that we have sinking boats, so we’re putting them inside a bigger, more powerful boat, virtualization…

Chris Eng at Veracode has Part 1 of Minimizing the Attack Surface up. Good read.

Security4all points us at a way to get Nessus 3 installed on Backtrack 3. Very cool, but watch that new licensing.

From the Newsosphere.

Verisign has been picked by Microsoft as the OpenID provider for users of HealthVault.

The Marshall Islands, a small country in the South Pacific, was effectively denied access to email by a denial of service attack.

Yahoo! Mail was vulnerable to a XSS attack which allowed access to confidential information. It’s fixed now.

Some HSBC websites are also susceptible to XSS attacks.

Surprise, Surprise, China networks host a large number of the websites pushing malware.

That’s it for today folks.

Have a good one.

Kevin

Technorati Tags: macosx, trojans, pdf, adobe, virtualization, attack surface, nessus, backtrack

Here are today’s bits.

From the Blogosphere.

Marcin has posted a really interesting treatise at the ts/sci security blog about Web Application Firewalls. Some really good stuff to think about.

The Princess of Antiquity continues her series on Cryptography (Non-Technical) with a post titled Earlier Forms of Cyptography. Very well written and easy to understand with really good info.

Didier has given us another tool written in python, apc-pr-log, which uses the AirPcap adapter to log all probe requests with a SSID for easy viewing. Should be fun to play with.

From the Newsophere.

Whitehat Security has raised some VC cash. Congrats Jeremiah.

Sun has released version 8 of Identity Manager.

That’s it for today. Have a good one.

Kevin

Technorati Tags: waf, cryptography, airpcap, iam

Hi folks. Lots of stuff today so let’s just get to it.

From the Blogosphere.

Alan over at Security Thoughts answers Dre’s post about the CISSP is on it way out. I tend to agree with Alan more that Dre, but understand Dre’s point also. How’s that for being wishy washy. Go read both.

Jeremiah asks 5 questions about webappsec in order to generate some conversation. Good reading in there.

By way of Zero Day, Sourcefire has released a free tool, OfficeCat, that attempts to scan Microsoft Office files for detection of possible exploits. Very nifty.

Rebecca has an article up that gives us Sixs Ways Organizations Can Lessen Mobile Computing Risks. Good collection of things to think about.

Matasano has some comments available about several vulnerabilities in Ruby. Everybody using Ruby has some patching to do.

Anton is happy about the release of their CEE (Common Event Expression) white paper.

Jeremiah is really on a roll with the asking of interesting questions that spark some great interaction. The question this time, “Day 1: Starting at the beginning“. Your a new hire in charge of security, what are your first steps. BTW - Congratulate him on achieving his purple belt in Brazillian Jiu Jitsu while you are there.

From the Newsophere.

Via Dark Reading, a researcher is going to be demonstrating a remote permanent denial-of-service (PDOS) attack at EUSecWest this week. Should be interesting.

Also from Dark Reading, Fortinet has been awarded four new patents for network virtualization and security related inventions.

Information Week has a Reuters article up that informs us that the bill shielding U.S. telephone companies from lawsuits has passed the House.

Well that’s it. Have a great day.

KevinTechnorati Tags: webappsec, cissp, generalist, specialist, officecat, sourcefire, mobile computing risk, cee, pdos, fortinet

And another Friday dawns. I hope yours goes well. Here we go with today’s bits.

From the Blogosphere.

Via Alan over at StillSecure, the Aberdeen Group is looking for some data on IT Security Patch and Vulnerability Management. To get it, they are asking for us to participate in a survey. We get a shiny report gratis if we do. I probably will.

There is post up over at tssci-security that is taking a look at a several of topics all mashed together, the value of the CISSP certification, specialist or generalist when it comes to InfoSec and a new project being put together by the OWASP group, the People Certification Project. Some interesting thoughts in both the post and comments. BTW - he references Dan Greer’s Source Boston keynote speech. It is well worth reading several times as I believe I have noted before.

Looks like there are some local root shennanegins that can be excersized on a Mac with versions 10.4 and 10.5 of Mac OS X installed. Good old suid fun, but does it really matter? Check out Zero Day’s post and come to your own conclusions.

The Princess of Antiquity is tackling fairly daunting task in bringing a series of articles to us about cryptography that are couched terms the layman can understand. The first is up and is well written. Check it out.

Tom over at Spylogic gave a talk about Online Social Networks: 5 threats and 5 ways to use them safely. He has made his presentaion available here.

JJ has some good guidance for us if we are considering the implimentaion of 802.1x. Very good stuff.

Via Security4All, Backtrack 3 Final has been released.

From the Newsosphere.

Via NetworkWorld, Mitchell Ashley reports to us that Red Hat has decided to develop their own virtualization platform based on the Kernel Virtual Mode which is built into the Linux kernel. Go read his article for the reasons for this decision.

From Hack in the Box and ARN, a new report is out about a skills shortage in IT positions, including security specialists, is causing salaries to rise. Good for those down under.

Have a great Friday and wonderful weekend.

Kevin

Technorati Tags: survey, cissp, owasp, dan greer, macos, cryptography, social networking, 802.1x, backtrack, virtualization, salaries