• ISC StormCast for Thursday, January 31st 2013 http://isc.sans.edu/podcastdetail.html?id=3091, (Thu, Jan 31st)

    Updated: 2013-01-31 02:39:51
    ...(more)...

  • vSphere 5.1 – VDS Feature Enhancements – Port Mirroring – Part 1

    Updated: 2013-01-31 01:21:28
    Network troubleshooting and monitoring tools are critical in any environment. Especially in data centers where you have many applications or workloads consolidated on server virtualization platforms such as vSphere. When you ask any network administrators, what are the challenges in … Continue reading →

  • Placebos Might Not Be

    Updated: 2013-01-30 23:24:10
    One reason this is so disturbing is that drug companies are allowed to use (and do increasingly use) active placebos in their studies. An active placebo is one that is biologically active, rather than inert. “But wait,” you’re probably saying. “Isn’t the whole point of a placebo that it’s biologically inert, by definition?” You’d think so. But you’d be wrong. Active placebos are designed to mimic the side-effects of drugs under study. So for example, if a new drug is known (or thought by the drug company) to produce dry mouth, the drug company might use a placebo containing ingredients that produce dry-mouth. That way, of course, they can say things in their ads like “[drug name] has a low occurrence of side effects, such as dry mouth, which occurred about as often as they did with placebo.” via asserttrue.blogspot.com

  • A New Way of Thinking About Fear | TED

    Updated: 2013-01-30 23:11:05

  • Getting Involved with the Local Community, (Wed, Jan 30th)

    Updated: 2013-01-30 23:03:18
    Handler Note: This diary is part of the path to becoming a handler. Today's piece was writ ...(more)...

  • Pentagon Recruiting Drive Targets Fivefold Increase in Cyber Command

    Updated: 2013-01-30 18:00:00
    The U.S. Department of Defense reportedly plans to boost its cyber-security agency to nearly 5,000, but knowledgeable security professionals remain scarce.

  • Stop Browser Tracking With Duck Duck Go’s Handy Guide

    Updated: 2013-01-30 16:29:48
    A few days ago Duck Duck Go, the search engine that advocates privacy and opposes tracking of any sort, released an awesome guide for Data Privacy Day. Their guide outlines how to prevent your browser from tracking you in any way possible.

  • New Nessus Plugins Audit Your Patch Management System Effectiveness

    Updated: 2013-01-30 15:05:00

  • Battle of the Secure Remote Access Titans UAG DirectAccess vs WS 2012 DirectAccess (Part 1)

    Updated: 2013-01-30 13:30:33
    This article series takes a look at which form of DirectAccess you should use: UAG DirectAccess or Windows Server 2012 DirectAccess?

  • DDoS Attacks in 2012

    Updated: 2013-01-30 03:27:00

  • ISC StormCast for Wednesday, January 30th 2013 http://isc.sans.edu/podcastdetail.html?id=3088, (Wed, Jan 30th)

    Updated: 2013-01-30 02:49:24
    ...(more)...

  • Exposed UPNP Devices, (Wed, Jan 30th)

    Updated: 2013-01-30 00:42:08
    Rapid7 conducted a widely quoted study, scanning the Internet on port 1900/udp to find devices th ...(more)...

  • Wireshark releases v1.8.5 and 1.6.13 - http://www.wireshark.org/download.html and http://www.wireshark.org/docs/relnotes/, (Wed, Jan 30th)

    Updated: 2013-01-30 00:22:10
    ...(more)...

  • Network Security Podcast, Episode 301

    Updated: 2013-01-29 23:59:24
    Rich goes missing again (but this time due to work [or so he says]). A slightly shorter show this evening, wherein Martin and Zach discuss upcoming events, like RSA, SOURCE Boston, BeaCon, etc., as well as — oh, look at that, already surpassed a 300th CVE entry for 2013. Oh, and it’s Ruby on Rails! Network [...]

  • "Get Java Fixed Up", (Tue, Jan 29th)

    Updated: 2013-01-29 21:24:59
    This was a quote from a recent conference call hosted by Oracle (details on the call are here htt ...(more)...

  • Networking Vendors Leave Open Backdoors in Products: Security Experts

    Updated: 2013-01-29 17:10:00
    Barracuda Networks left administrative accounts active on the routing products it sold, but many companies leave their products open to such attacks, security experts say.

  • Can Bug Hunters Keep the Internet Safe Infographic

    Updated: 2013-01-29 14:58:04

  • The Success of Introverts vs. Extroverts | The Washington Post

    Updated: 2013-01-29 06:59:03

  • Women and Makeup | The Last Psychiatrist

    Updated: 2013-01-29 06:24:18
    In this case, you are seeing a shift of power be repackaged as a gender battle. And it’s quite apparent that power is a generation or so ahead of you, so in 1990 a 40 year old who grew up around successful lawyers then says to his 5 year old, “daughter, you should become a lawyer!” and she probably at one point collaborates to decry the lack of female role models, and then by the time she graduates law school she discovers she’s a dime a dozen, power has been withdrawn, one step ahead; and at this rate I fully expect 2013′s Aspirational 14% to nudge their 5 year old daughters towards investment banking so they can be part of the big Women In Investment Banking conference of 2033. Don’t bother, it’ll be in Newark. I can’t predict the next field of power, I’m happy to hear your projections, the point for now is that while power moves ahead of you and your family, it leaves behind the appearance of a gender (or racial) struggle; and the immediate result of this is that people consider it a societal achievement that they are merely playing, even if what they are doing is ultimately meaningless. So while women (appropriately) fought for, and got, equal access to college educations – and now women even outnumber men in colleges – today we find that college is irrelevant. Huh. NB: what women did not fight for, and this is to my point, is the specific power of being taken seriously without a college education. “But how will the world know we’re equal?” via thelastpsychiatrist.com This author is one of the most observant and piercing people I’ve ever read. Ignore the title; read the whole thing.

  • Google Explains Its Policies on Data Privacy Day

    Updated: 2013-01-29 04:25:00
    Google commemorates the day by giving more details on how it reacts if a government seeks user data.

  • nCloud PureCloud has multiple vulnerabilities

    Updated: 2013-01-29 03:43:00

  • ISC StormCast for Tuesday, January 29th 2013 http://isc.sans.edu/podcastdetail.html?id=3085, (Tue, Jan 29th)

    Updated: 2013-01-29 02:48:08
    ...(more)...

  • Be Careful What you Wish For!, (Tue, Jan 29th)

    Updated: 2013-01-29 01:58:36
    I was working on an ESX upgrade project for a client last week, and had an incident (lower case &qu ...(more)...

  • iOS 6.1 Released, (Mon, Jan 28th)

    Updated: 2013-01-28 20:43:10
    Apple today released iOS 6.1 as well as an update for Apple TV (5 ...(more)...

  • High-Bandwidth DDoS Attacks as Much About Cyber-Crime as 'Hacktivism'

    Updated: 2013-01-28 17:15:00
    Criminals looking to extort money from financial institutions continue to hit firms. Even the "hacktivists" have questionable motives, say security firms.

  • vCloud Networking and Security 5.1 Manager and Edge Deployment

    Updated: 2013-01-28 17:00:45
    In order to deploy Edge Gateway(s), we need to first deploy vCloud Networking and Security Manager (formerly known as vShield Manager) and connect it with vCenter. The Manager virtual appliance is deployed using the OVA file as shown below. After … Continue reading →

  • Security a Rising Concern for Cloud-Based Application Usage

    Updated: 2013-01-28 13:30:00
    A survey indicates unsafe password management continues to be a challenge, as is the usage of applications not sanctioned by the company.

  • A Review of Zero Dark Thirty by Steven Harms

    Updated: 2013-01-28 13:18:42
    I believe in years to come, “Zero Dark Thirty” will be held in reverence with other great war movies like “Das Boot,” “The Battle of Algiers,” and “Saving Private Ryan.” All of these movies, while ostensibly about a battle or campaign were actually about something deeper: the human condition whilst under the bloody sky of war. Kathryn Bigelow’s film is special because its real task is not to visually portray events bookended by September 11, 2001 and the killing of Osama bin Laden, as the trailer or synopsis would have one believe, but rather to show a series of scenes to the audience which lead it to undergo the emotions that those who lived in that time period felt. via stevengharms.com My friend Steven Harms wrote an excellent review of Zero Dark Thirty. If you liked the movie, or you like movies or reviews in general, have a look.

  • The Difference Between Pursuing Happiness and Pursuing Meaning

    Updated: 2013-01-28 13:12:33
    This is a brilliant piece about the difference between happiness and meaning, or, more specifically, the difference between pursuing a happy life vs. pursuing a meaningful life. I suggest you read the entire thing, but here are some choice pieces of it. Examining their self-reported attitudes toward meaning, happiness, and many other variables — like stress levels, spending patterns, and having children — over a month-long period, the researchers found that a meaningful life and happy life overlap in certain ways, but are ultimately very different. Leading a happy life, the psychologists found, is associated with being a “taker” while leading a meaningful life corresponds with being a “giver.” Most importantly from a social perspective, the pursuit of happiness is associated with selfish behavior — being, as mentioned, a “taker” rather than a “giver.” The psychologists give an evolutionary explanation for this: happiness is about drive reduction. If you have a need or a desire — like hunger — you satisfy it, and that makes you happy. People become happy, in other words, when they get what they want. Humans, then, are not the only ones who can feel happy. Animals have needs and drives, too, and when those drives are satisfied, animals also feel happy, the researchers point out. What sets human beings apart from animals is not the pursuit of happiness, which occurs all across the natural world, but the pursuit of meaning, which is unique to humans, according to Roy Baumeister, the lead researcher of the study and author, with John Tierney, of the recent book Willpower: Rediscovering the Greatest Human Strength. Baumeister, a social psychologist at Florida State University, was named an ISI highly cited scientific researcher in 2003. Meaning is not only about transcending the self, but also about transcending the present moment — which is perhaps the most important finding of the study, according to the researchers.
    While happiness is an emotion felt in the here and now, it ultimately fades away, just as all emotions do; positive affect and feelings of pleasure are fleeting. The amount of time people report feeling good or bad correlates with happiness but not at all with meaning. Meaning, on the other hand, is enduring. It connects the past to the present to the future. “Thinking beyond the present moment, into the past or future, was a sign of the relatively meaningful but unhappy life,” the researchers write. “Happiness is not generally found in contemplating the past or future.” That is, people who thought more about the present were happier, but people who spent more time thinking about the future or about past struggles and sufferings felt more meaning in their lives, though they were less happy. I find this description of the distinction to be interesting, but not 100% solid, as many forms of Buddhism focus on happiness (here/now vs. past/future) but seem to clearly evade the charge of selfishness. I think there’s value in making a distinction, and I think this is a good way to start, but I’m not convinced it’s the purest answer. The Full Article. Thoughts?

  • Howto: Tor With Python

    Updated: 2013-01-28 09:27:00

  • Howto: Exploit Nagios 3 History.cgi Host Command Injection With Metasploit

    Updated: 2013-01-28 08:53:00

  • Howto: Pivot network with Metasploit session

    Updated: 2013-01-28 08:45:00

  • Howto: Metasploit smb relay attack

    Updated: 2013-01-28 07:40:00

  • ISC StormCast for Monday, January 28th 2013 http://isc.sans.edu/podcastdetail.html?id=3082, (Mon, Jan 28th)

    Updated: 2013-01-28 01:17:28
    ...(more)...

  • Update script for Backtrack 5 R3 Tool

    Updated: 2013-01-27 03:56:00

  • honeypot-setup-script - Setup honeypot on your server in 3 minutes

    Updated: 2013-01-27 02:23:00

  • HTC website was hacked via SQL Injection

    Updated: 2013-01-27 00:53:00

  • SQLiteManager 0Day Remote PHP Code Injection Vulnerability

    Updated: 2013-01-27 00:50:00

  • Github Search expose private SSH keys and other sensitive credentials.

    Updated: 2013-01-25 03:59:00

  • Sony Fined $390K in U.K. for 2011 PlayStation Network Data Breach

    Updated: 2013-01-25 02:10:00
    Sony says it disagrees with the ruling and will appeal the $390,000 fine, which stems from an April 2011 data breach in which hackers penetrated the PlayStation Network and stole personal data from millions of members’ accounts.

  • R00tsec Blogspot On Facebook Page

    Updated: 2013-01-24 15:43:00

  • Critical SSH Backdoor in multiple Barracuda Networks

    Updated: 2013-01-24 14:04:00

  • Internal Threats Top Security Concerns for IT Pros: Wisegate

    Updated: 2013-01-24 13:00:00
    CISOs need to be creative and tap into their in-house experts in marketing and training to help any awareness program be successful, a Wisegate report said.

  • Life, Friendship, and Ambition

    Updated: 2013-01-24 00:24:09

  • The Only Blonde Joke You’ll Ever Read Here

    Updated: 2013-01-24 00:23:14
    A blonde walks into a bank in New York City and asks for the loan officer. She says she’s going to Europe on business for two weeks and needs to borrow $5,000. The bank officer says the bank will need some kind of security for the loan, so the blonde hands over the keys to a new Mercedes Benz. The car is parked on the street in front of the bank, she has the title and everything checks out. The bank agrees to accept the car as collateral for the loan. The bank’s president and its officers all enjoy a good laugh at the blonde for using a $110,000 Benz as collateral against a $5,000 loan. An employee of the bank then proceeds to drive the Benz into the bank’s underground garage and parks it there. Two weeks later, the blonde returns, repays the $5,000 and the interest, which comes to $15.41. The loan officer says, “Miss, we are very happy to have had your business, and this transaction has worked out very nicely, but we are a little puzzled. While you were away, we checked you out and found that you are a multimillionaire. What puzzles us is, why would you bother to borrow $5,000?” The blonde replies, “Where else in New York City can I park my car for two weeks for only $15.41 and expect it to be there when I return?”

  • Serbian Translation of my WebAppSec Resources Page

    Updated: 2013-01-24 00:22:21
    Please check out Joana Milutinovich’s Serbian translation of my Webappsec Resources page. http://science.webhostinggeeks.com/izvori-testiranja

  • Analyzing 85 GB of PCAP in 2 hours

    Updated: 2013-01-24 00:20:00
    Let's say you've collected around 100 GB of PCAP files in a network monitoring installation. How would you approach the task of looking at the application layer data of a few of the captured sessions or flows? For much smaller datasets, in the order of 100 MB, one would typically load the PCAP into[...]

  • Deleting Horizontal Lines From Word

    Updated: 2013-01-24 00:17:06
    If you’ve ever had a problem deleting a horizontal line in Microsoft Word, this post is for you. The answer is something of a trick, as the horizontal line is not a line (or a graphic), it’s a bottom border. Removal: In Office 2013 go to the Design tab and look to the far right for the Page Borders button. Within the borders settings, click on the leftmost tab titled Borders (not Page Border), and then select the top left option of None. That will delete the border (horizontal line) from the area in question. In previous versions of Word the solution is similar, i.e. find the Borders and Shading option and delete that bottom border.

  • Using Nessus to Audit Microsoft SharePoint 2010 Configurations

    Updated: 2013-01-23 15:25:00

  • IT Admins and Security Auditors

    Updated: 2013-01-23 13:02:19
    In this article, the author discusses the pitfalls of security audits when administrators and auditors do not work well together.

  • Recon-ng - Reconnaissance Framework

    Updated: 2013-01-23 08:23:00

  • Howto: Secure SSH with Google Authenticator’s Two-Factor Authentication

    Updated: 2013-01-23 08:14:00

  • Checks whether a site is blocked by the Great Firewall of China.

    Updated: 2013-01-23 08:07:00

  • IronWasp on Linux

    Updated: 2013-01-23 08:04:00

  • DNSChef 0.2 - DNS proxy (aka "Fake DNS")

    Updated: 2013-01-23 07:52:00

  • Howto: Install Metasploit From Github

    Updated: 2013-01-23 07:44:00

  • Linksys WRT54GL v1.1 XSS / OS Command Injection

    Updated: 2013-01-23 07:29:00

  • CrackStation.net - Free Password Hash Cracker

    Updated: 2013-01-23 07:24:00

  • F5 Vulnerabilities

    Updated: 2013-01-23 06:56:00

  • HIPAA Update Tightens Data Breach Liability Risks for IT Companies

    Updated: 2013-01-22 16:20:00
    A change to the federal HIPAA rule adds security requirements for health care software developers and data backup services, classified as "business associates."

  • Tips for Secure Web Browsing: Cybersecurity 101

    Updated: 2013-01-22 14:28:21
    Still looking for the right New Year’s Resolution? We’ve got one for you: develop secure web browsing habits. Given the range of threats facing Internet users today, it is critical that users learn to protect themselves while browsing the web. Our second post in our “Cybersecurity 101” series offers our recommendations for browsing the Internet safely.

  • McAfee Outlines Security Connected Platform

    Updated: 2013-01-22 14:00:00
    The company said it plans to expand its current broad portfolio through acquisitions, development projects and partnerships to deliver integrated security solutions.

  • Network Security Podcast, Episode 300

    Updated: 2013-01-22 12:55:47
    It’s here!  We finally did it!  Episode 300 of the Network Security Podcast has finally been recorded, edited and posted! Sorry it didn’t get published immediately, but it takes a while to edit over 2 hours of audio. So what did we do for Episode 300?  Martin flew to Phoenix to record from Casa de [...]

  • SSH Log Poisoning By Brute Logic

    Updated: 2013-01-21 15:36:00

  • CapLoader 1.1 Released

    Updated: 2013-01-21 11:45:00
    Version 1.1 of the super-fast PCAP parsing tool CapLoader is being released today. CapLoader is the ideal tool for digging through large volumes of PCAP files. Datasets in the GB and even TB order can be loaded into CapLoader to produce a clear view of all TCP and UDP flows. CapLoader also provides[...]

  • A List of Things to Know About San Francisco | The Art of Living

    Updated: 2013-01-18 15:41:48
    I moved to San Francisco 9 months ago from the East Coast bastion of Boston. Despite having experience living in a major US city, I found quite a few surprises coming here. Some have been great, while others not so much. If you’re planning the move here, I hope this will help you know better what to expect. And if you already live in SF, this should give you a laugh or two and hopefully inspire you to leave a comment with anything I missed. Consider this the guide I wish someone had given me when I moved here. via jasonevanish.com Phenomenal post for anyone interested in San Francisco.

  • Software Development as a Cooperative Game | Alistair Cockburn

    Updated: 2013-01-18 15:36:15
    Software development is a cooperative game, in which people use markers and props to inform, remind and inspire themselves and each other in getting to the next move in the game. The endpoint of the game is an operating software system; the residue of the game is a set of markers to inform and assist the players of the next game. The next game is the alteration or replacement of the system, or creation of a neighboring system. — AlistairCockburn via c2.com

  • Simple Math Behind Early Retirement | Mr. Money Mustache

    Updated: 2013-01-18 15:03:06

  • The Pentagon (Finally) Gets Real About Secure Software

    Updated: 2013-01-17 16:02:07
    There’s a lot to dislike in the National Defense Authorization Act (NDAA) if you’re a civil libertarian. But the big, flawed bill that President Obama signed this month has a lot to like when it comes to security.

  • Best practice for using cloud computing in Europe 2013 (Part 2)

    Updated: 2013-01-16 06:00:01
    This article (part two) will focus on the final three principles of good information handling. These principles will cover the obligations on organisations for processing and storing data.

  • Vim Mastery Levels | WhileImAutomation

    Updated: 2013-01-15 21:45:19
    Lv0. who doesn’t know about Vim Lv1. who knows basic usage of Vim Lv2. who knows Visual mode Lv3. who knows various motions Lv4. who doesn’t use Visual mode via whileimautomaton.net So true. Although there’s another level for text objects–which I’m already using.

  • Both Success and Failure Are Difficult: Pick One | Francis Pedraza

    Updated: 2013-01-15 18:24:33

  • Muting the Internet | Zack Shapiro

    Updated: 2013-01-15 17:22:25
    I’ve lost track of how many sites are on the Internet or how quickly we can now create the same amount of data as we created between the beginning of letter writing and 1850. When something big is going on in the news, I don’t think it’s wrong to say that you can get tired of hearing about it. We need to be able to Mute the Internet. via blog.zackshapiro.com

  • Global Enterprises Serve Up Risky S.O.U.P. Infographic

    Updated: 2013-01-15 14:53:31

  • Tracking Wireless SSIDs Using Nessus

    Updated: 2013-01-14 16:50:00

  • The Security Ledger Officially Launches

    Updated: 2013-01-14 16:17:23
    Paul Roberts has just officially launched his latest project in the form of IT Security news site The Security Ledger. A regular contributor to the Veracode blog and former editor of Threatpost, Paul is a well known and respected name in infosec journalism. The Security Ledger describes itself as -

  • How to Explain SQL Injection to Anyone

    Updated: 2013-01-11 10:59:41
    There are many ways to explain SQL Injection, and the “best” way is clearly determined by who you’re talking to. For somewhat technical folks, I like my friend Steve’s explanation; I use the explanation below. Two Key Concepts: SQL Injection is a computer security vulnerability where two bad things are happening at once: the Confused Deputy problem and the confusion between Data and Commands. Confused Deputy is a security problem where someone wants to accomplish something they don’t have the permission to do, and they find a way to trick someone who does have the authority into doing it for them. A good example would be sneaking a gun into a bag of an airport worker (who bypasses security) and then retrieving it later behind the security barrier. You got the gun past security by using the authority of the airport worker. The confusion of Data vs. Commands is easy enough to see with a couple of examples. We give computers lots of different inputs: sometimes we give them data: “My address is ’123 Maple Street’”, and sometimes we give them commands, like, “print this photo” or “send this file”. The problem arises when the computer thinks it’s getting data (like an address), but it really gets a command (like ‘delete the hard drive’). SQL Injection is a combination of these two issues. The Courtroom Analogy: The best way to conceptualize this is through the analogy of a courtroom. Imagine that you have a defendant and a judge present, and that the first thing the judge does at the beginning of a case is read the roster where the defendant wrote his name. He says: Calling $DEFENDANT_NAME. So if his name is Ender Wiggin, the judge would say: Calling…Ender Wiggin. Fair enough. But what happens if Ender writes his name as, “Case Dismissed”? Then, when the judge does his regular spiel, he’d say: Calling…Case Dismissed. Ender then smiles and walks out of the courtroom.
    This is confusion of Data and Commands because the judge thought he was reading a name (data) and instead issued a command (dismiss the case), and it’s the Confused Deputy problem because Ender is not himself able to dismiss it–he had to get the judge to do it for him. Real World: It’s the same with computers and web pages. There is often confusion between Data and Commands in a web page that asks for an address (data) but receives a SQL command instead (e.g.: get me stuff from your database). Confused Deputy is in play because you (the web user) are not allowed to ask the database direct questions–but the web page you just gave your command to is. Either way, Ender gets what he wants: out of jail or access to data he’s not supposed to have. Slippery bugger. Additional Links: 1. This is an incredible explanation recommended by my friend Joel.

  • Routing Security Debate | IGP Blog

    Updated: 2013-01-10 18:03:33
    In essence, what is now being debated in SIDR is whether routing – one of the last areas in which Internet operations is distributed and autonomous – will become rigidified and centralized by what one participant in the debate calls “slamming a hierarchical PKI into a distributed routing system.” via internetgovernance.org

  • Soda Linked to Depression

    Updated: 2013-01-10 16:57:16
    The study, which was released on Tuesday and will be presented at the American Academy of Neurology‘s annual meeting in March, involved 263,925 people between the ages of 50 and 71. Researchers tracked their consumption of beverages like soda, tea, coffee, and other soft drinks from 1995 to 1996 and then, 10 years later, asked them if they had been diagnosed with depression since the year 2000. More than 11,300 of them had. Participants who drank more than four servings of soda per day were 30 percent more likely to develop depression than participants who did not drink soda at all. People who stuck with fruit punch had a 38 percent higher risk than people who didn’t drink sweetened drinks. And all that extra sugar isn’t the actual problem: The research showed that low-calorie diet sodas, iced teas, and fruit punches were linked to a slightly higher risk of depression than the high-calorie stuff. Researchers say that the artificial sweetener aspartame may be to blame. via shine.yahoo.com There’s a major issue with this correlation, I think. I think it’s pretty likely that lazy people who don’t do much with their lives, and are therefore depressed, are extremely likely to be soda drinkers. Either way, don’t drink soda. I stopped drinking soda as an accompaniment to meals about a year ago, including diet drinks, and life has been excellent since. I still have a few a month, but always as a dessert and not as a regular beverage. I strongly recommend everyone switch to water, tea, and coffee. Not only are they better for you, but their lack of overwhelming sweetness allows you to notice the subtle flavors of many great foods (Sashimi, for example).

  • Morning Reading 011013

    Updated: 2013-01-10 16:04:01
    It’s been an interesting week and start to the year.  Between the Ruby on Rails vulnerability and the Java zero day released today, we have some serious patching issues on our plates.  And if history is any indicator of future performance, the security technorati are already in the process of patching, which only leaves the [...]

  • Build.com Integrates Veracode Testing

    Updated: 2013-01-10 13:20:40
    Build.com, an online retailer of home improvement products, is announcing today their integration of the Veracode testing platform into its Bamboo and JIRA software development tools. This integration will help Build.com detect and fix code vulnerabilities earlier in its SDLC, reducing time and the cost of remediation.

  • BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 2) - Cluster Share Volume Support

    Updated: 2013-01-09 06:00:00
    In Part 2, we'll take a look at two more important new features of BitLocker: used disk space only mode and preprovisioning of BitLocker.

  • Morning reading 010313

    Updated: 2013-01-03 15:12:05
    In the spirit of my only ‘resolution’ for the new year, here’s a quick post on some of what I’m reading this week.  Like many security professionals, I read dozens of posts and articles each week, but only a few of them are worth retweeting or blogging about.  This week is the first of the [...]
