On the heels of Verizon calling many researchers “Narcissistic Vulnerability Pimps”, Morey Haber of eEye Digital Security has written a silly piece declaring his feelings that penetration testing is like “a kind of crime”. This of course betrays the history of his company and how they broke into the market (selling vulnerability scanners). It is clear that Haber is disconnected from his company and industry, or just pandering for attention.
eEye:
We enjoy freedom of speech, even if it breaks the law or license agreements. Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apple's devices. Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.
While updating an older errata entry, we noticed that Kaspersky Knowledgebase (kasperskykb.com) was defaced again on April 30, 2010 by “Dr.HaCkEr”.
A cross-site scripting vulnerability has been uncovered on the Cyber Security Challenge UK website, before the site has even been made ready for candidates to register.
Ironically, the programme has been established by a management consortium of key figures in cyber security, and is designed to identify and nurture the UK’s future cyber security workforce.
It’s not clear from the warning sent out by Splunk how long passwords were exposed for, but there’s obviously a concern that if hackers had managed to stumble across the login details they could have tried to use them on other websites where users might use the same password.
In this case that could have been particularly bad for enterprises, as Splunk’s typical users have key roles inside an organisation’s IT infrastructure and may have access to a number of critical systems and sensitive data.
Of course, it’s bad practice to use the same password on different websites - but that doesn’t stop far too many people from doing it.
Splunk’s action of changing affected users’ passwords was probably the right one - rather than waiting for users to do it themselves.
Update: Splunk’s blog has been updated to include information about the security incident. Splunk claims that it is demonstrating an “abundance of caution” by resetting its users’ passwords.
Have you ever heard of a terrorist referred to as a “demolition engineer?” How about a thief as a “locksmith?” No? Well, that’s because most fields don’t share the InfoSec industry’s ridiculous yet long-standing inability to distinguish the good guys from the bad guys. Perhaps we’re just in one of those moods lately but it seems to be getting worse. It’s far too easy for anyone who has anything to do with information security to be labeled (by themselves or by others) a “security researcher” without regard to their behavior. “Security Researcher Breaks This” and “Security Researcher Exposes That” say the headlines. Ugh; we really need to clean up our language. This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.
Verizon Business Security Blog:
[The inability to distinguish can be attributed to both the media and security companies using, abusing and re-using terms interchangeably. The age-old “hacker vs cracker” debate for example, when some would use those terms to distinguish morals and motives. Regardless of motives, “security researcher” is an accurate term for the act of testing a product and finding a vulnerability.]
John McAfee suspected Fast Company would portray him as a con artist. Which is why it’s so bizarre the software kingpin proceeded to act like one, publicly blabbing about the people he’s misled and the fun he had doing so.
We wrote about McAfee last week, outlining Fast Company’s argument that the anti-virus software maker may have greatly exaggerated his financial losses and then moved to Belize as part of a ploy to dodge potential liability in a wrongful death suit.
Researchers from Clear Skies Security have identified a flaw that negates the protection provided by certain Imperva Web Application Firewalls (WAF). This attack essentially bypasses security controls provided by the Imperva device and allows malicious requests to pass through the device unfiltered, allowing for potential application exploitation remotely over the Internet.
ONE day in March 2008, Kent Woerner got a disturbing phone call from a teacher at an elementary school in Beloit, Kansas. An 11-year-old student had triggered a security scan on a computer she was using, revealing that the machine contained pornographic images. Worse still, the images had appeared on-screen as the scan took place.
Woerner, who manages the computer systems for the local school district, jumped in his car and drove to the school. Repeating the scan, he too saw the images, alongside warnings that the machine was infected with viruses and spyware that were surreptitiously monitoring the computer’s users. Yet a search of the hard drive revealed nothing untoward. Switching to another machine, Woerner visited the security website that provided the scan, and ran it again. Exactly the same number of pornographic images popped up.
A year ago January we heard news that Monster.com notified users that it had been breached. Although the details surrounding the incident are murky, hackers apparently made their way into one of Monster’s databases and reached some users’ personal data.
This morning, I received an email from the public relations manager at a security firm named Application Security, Inc. citing a report that said Monster had been breached for the second time in 18 months. This is utterly incorrect, according to Monster’s VP of public relations.
“We have not had any issues with a security breach,” Matthew Henson tells us. “This is just a reprint of a story from 2009.”
Well another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren't making as hard a pitch as I'm accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah's presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn't make it to as many parties as I would have liked to this year - maybe I'm getting old, or maybe I started drinking too early. Either way.
ControlScan, a company that consumers have relied on to certify the privacy and security of online retailers and other Websites, has agreed to settle Federal Trade Commission charges that it misled consumers about the steps it took to verify their privacy and security practices.
The settlements will bar future misrepresentations. The founder and former CEO has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains.
For those that have asked, here is the example of the bad password email issue from http://www.isaca.org.
To reset your password, or as in this case, to cause an email to go to someone you are targeting for interception, go here:
https://www.isaca.org/Template.cfm?Section=Home&Template=/Security/NoPassword.cfm
Then, you can simply guess their user name (ISACA tells you if you're wrong…) and the current password is sent in PLAIN TEXT EMAIL to you/your victim, readable by anyone who can sniff, capture or view that email. Two separate problems: the form confirms which user names exist, and the site stores passwords in a recoverable form so it can mail them back instead of issuing a reset link.
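To make the two design mistakes concrete, here is an added example (not ISACA's code, nor anything taken from their site) that puts a reset handler with the behaviour described above beside a hardened one. The user store, e-mail addresses, URLs and the simulated outbox are all constructed for the example; a real deployment would hand the mail to an async queue and store only password hashes, which also makes "mail me my password" impossible by construction.

```python
"""Password-reset designs: enumerating + plaintext-mailing vs. uniform response + single-use token."""
import hashlib
import secrets
import time

# Constructed user store for the example (hypothetical data).
USERS = {
    "alice": {"email": "alice@example.invalid", "password": "hunter2"},
}

# Outbound mail is simulated: each "sent" message is appended here so it can be inspected.
OUTBOX = []


def vulnerable_reset(username):
    """Behaviour described in the post: a distinct answer for unknown users
    (a user-name oracle) and the stored password mailed back in clear text."""
    user = USERS.get(username)
    if user is None:
        return "No account found for that user name."
    OUTBOX.append({"to": user["email"], "body": f"Your password is: {user['password']}"})
    return "Your password has been emailed to you."


# Hardened design: one fixed response, a random single-use token with an expiry,
# only a hash of the token kept server-side, and the token (never the password) mailed.
TOKEN_TTL = 900          # seconds a reset link stays valid
PENDING = {}             # sha256(token) -> (username, expiry)
UNIFORM_MESSAGE = "If an account exists for that user name, a reset link has been emailed."


def _token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def hardened_reset(username, now=None):
    """Same message whether or not the account exists; a link with a random token is mailed."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        PENDING[_token_digest(token)] = (username, now + TOKEN_TTL)
        OUTBOX.append({"to": user["email"],
                       "body": f"Reset link: https://example.invalid/reset?token={token}"})
    return UNIFORM_MESSAGE


def redeem_token(token, new_password, now=None):
    """Consume a reset token. Returns True only for an unused, unexpired token."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_digest(token), None)   # removed on first use, valid or not
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    USERS[username]["password"] = new_password        # real code stores a password hash here
    return True
```

The hardened handler still does more work (and sends mail) when the account exists, so a response-time difference remains; pushing the mail onto a queue and returning immediately is the usual way to close that gap. Note also that the token is hashed before storage, so a read-only leak of the pending table does not yield usable reset links.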