The other night, we had the special privilege of being guests on Martin McKeay's Network Security Podcast with co-host Rich Mogull. While having a great time several weeks ago at SunSec, and several beers into the night, we tricked Mogull into letting us [...]
Posted by Marcin on Wednesday, January 30, 2008 in
People and
Security.
I have one ShmooCon ticket available for $300. Contact me if you are interested. Why do I have one ShmooCon ticket for sale? I bought it in case we didn't get accepted to ShmooCon, but we did! Dre, Tom Stracener of Cenzic (and formerly nCircle), and I [...]
Posted by Marcin on Monday, January 28, 2008 in
Conferences,
Other and
Security.
Here's a new 2008 security prediction for you -- The iPhone camera is an odd device. There is no notification that a picture is being taken, so the only requirement for malware is to wait for user activity and then start taking pictures. My prediction is [...]
Posted by Dre on Sunday, January 27, 2008 in
Apple,
Hacking,
Privacy,
Security and
Tech.
Lesson 10:You could say I'm a little late on posting something. However, we've been up to a lot of great research, hopefully much of which we'll publish here over the next few weeks. We had a few posts lately, some of with a change of heart. The latest [...]
Posted by Dre on Wednesday, January 23, 2008 in
Defense,
Hacking,
Itsm and
Security.
Web application security scanners have not matured much. I guess patent wars and company-buyouts have caused a lot of stagnation over the past year. However, I think the problems may run deeper than just controversy and industry drama. AppScan DE and [...]
Posted by Dre on Monday, January 21, 2008 in
Security and
Tech.
What started as a simple DoS against the RIAA through a SQL injection vulnerability, originally posted to Reddit in tinyurl form. UNION ALL SELECT BENCHMARK(100000000,MD5('asdf')),NULL,NULL,NULL,NULL%20-- led an attacker on to dump their entire database. [...]
Posted by Marcin on Sunday, January 20, 2008 in
Hacking and
News.
Marcin Wielgoszewski graduated from the University of Advancing Technology in Tempe, AZ with a Bachelor's Degree in Network Security. Currently, he is a senior security consultant at Matasano Security in New York City. Prior to joining Matasano in [...]
Posted by Marcin on Friday, January 18, 2008.
Lesson 9:Yesterday was a bit of a whirlwind, discussing BGP, Whois/RWhois, and the DOM all in one big post. I'll try and keep it short and sweet today. Arshan Dabirsiaghi (leader of the OWASP Anti-Samy Project), commented on yesterday's post regarding [...]
Posted by Dre on Thursday, January 17, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 8:Two days ago we covered VoIP assessments, and yesterday we covered Intranets and the use of proxies. Most of last week also covered internal network infrastructure assessments, except for some topics such as PDA phones and WiFi devices. Today I [...]
Posted by Dre on Wednesday, January 16, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 7: Today I wanted to bring the real meaning behind these techniques into the spotlight. Learning about how IT groups do real security is only part of this. I'm also talking about what I've seen that IT security shops don't do. What [...]
Posted by Dre on Tuesday, January 15, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 6: Last week was great as I started out talking about a variety of topics including -- Day 1 -- Physical network segmentation / Browser tools Day 2 -- Kernel protection in network drivers / Crawling tools Day 3 -- Sandboxing / HTTP tools Day 4 -- [...]
Posted by Dre on Monday, January 14, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 5:After the first week, many of these assessment techniques don't all fit together or seem congruent. Mid next-week, I think a lot of these pieces will start to come together to form a big picture. The recommendations I've given so far are not [...]
Posted by Dre on Friday, January 11, 2008 in
Defense,
Hacking,
Itsm and
Security.
Last night Rich Mogull of Securosis, and co-host of Network Security Podcast, hosted SunSec (which was on hiatus for far too long) at the Furio in Scottsdale. It was a great turnout last night -- about twenty people had shown up and talked up all kinds [...]
Posted by Marcin on Friday, January 11, 2008 in
Conferences,
People and
Security.
Lesson 4: We've touched on some of the critical-path ways to assess and protect your infrastructure including network segmentation and OS/application sandboxing. Often, the weakest area of technology is what you can't segment or sandbox effectively, [...]
Posted by Dre on Thursday, January 10, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 3: After the first few days, we've covered securing WiFi, as well as basic software assurance tools to get you started with a web browser and crawler. This is just the beginning. Part 1: Information assurance vulnerability assessment — Sandboxing [...]
Posted by Dre on Wednesday, January 9, 2008 in
Defense,
Hacking,
Itsm,
Linux and
Security.
Lesson 2: We hope that you are enjoying the format of these, as well as the content. Yesterday, I talked about how rogue AP's/clients can be scanned for without adding infrastructure or spending active time walking around the office. I also introduced [...]
Posted by Dre on Tuesday, January 8, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 1:These techniques are in two-parts, 1) Information assurance strategies, and 2) Software assurance tools. My feeling is that vulnerability assessments are typically done less strategically/operationally in IT environments (relying too much on [...]
Posted by Dre on Monday, January 7, 2008 in
Defense,
Hacking,
Itsm and
Security.
Now that I'm back in the Connecticut area, the best thing happened! James McGovern has started the Hartford OWASP chapter. First meeting is set for Thursday, February 28th with opening remarks beginning at 5:30pm. The agenda for the night is as follows: [...]
Posted by Marcin on Wednesday, January 2, 2008 in
Conferences.
