November 24th, 2007 Anthony Towry

The DC 405 meeting for November covered the ins and outs of wireless security. n0mad presented some interesting things involving high-end countermeasures and solutions to common wireless deployment problems. Check it out online at blip.tv.
Posted in Community, Security | No Comments »
November 24th, 2007 Anthony Towry
A post over on the BrainTree blog is talking about a fresh press release by Visa explaining their game plan for boiling off known vulnerable payment applications from their merchants. The press release comes complete with a timeline indicating at least some level of real commitment.
In addition to waking up merchants with point-of-sale systems, this announcement could be read as the beginning of other "attention getters" related to PCI. It's also more obvious that issuers won't hesitate to pressure acquirers to enforce the DSS even in the lower priority classes (level 3 & level 4).
With as much criticism as the PCI DSS has seen in recent months, it's very cool to see that it may not be all smoke.
Posted in Security | No Comments »
November 24th, 2007 Anthony Towry
I just posted up the code, demo and info for a short utility I wrote for MS SQL Server password auditing. The application isn't all that special really, but should make one point.
When developing security apps, languages and libraries supported by a vendor might very well be way too abstracted to really get at the bits you want, but shouldn't be rejected out of hand. Vendor SDKs and APIs may provide the perfect interfaces for creating that dirty client you're working on.
Check out DoggednesSQL here.
Posted in Programming, Projects | No Comments »
November 19th, 2007 Anthony Towry
This is just a heads up on the latest release of (IN)SECURE. Issue 14 has some great material including an interview with RSnake on the state of webappsec today and a very sharp article covering endpoint security.
As always, there are several articles that dig into PCI compliance and organizational impact which I think most will find helpful during the long walk.
Posted in Security | No Comments »
November 17th, 2007 Anthony Towry
I recently started looking back into programming IA-32 ASM using nasm on Linux and came across a hell of a book written by a former professor at Carleton University in Ontario. What's peculiar about this book is that it spends a good 100 pages banging out hardware nuances to the reader, then as soon as you get going into some of the ASM stuff it provides the reader with a sweet macro file for the day-to-day coding. It's always interesting to see what certain instructors find important.
I've looked at Linux assembly before so a lot of what is contained in the macros isn't all that surprising, but I wonder if using the file from the beginning will turn my prior knowledge to Jell-O before the day's out. Moreover, I wonder if it's going to hurt me when I start looking at what I care about (dead listings of malware/sploits/etc.).
At any rate, I figure I'll give the late Prof. Dandamudi's way of learning a try. Check out his sweet macro file and other material here.
Posted in Uncategorized | No Comments »
November 15th, 2007 Anthony Towry

Fuzzing: Brute Force Vulnerability Disclosure takes you to the edge of Application Testingville and kicks you 30ft outside city limits. The methods used to vulnerability test software in an automated way have never been so clearly conveyed. This book becomes family for anyone stalking the elusive 0-day. Like a second cousin really, but still you hold it near and dear.
Posted in Books, Programming, Security, Testing | 1 Comment »
November 13th, 2007 Anthony Towry
David Intersimone of CodeGear recently gave a talk on the future of software development. The talk took place at EclipseWorld and hit on the Developer Evangelist's vision for development in 2027.
Future talks are interesting...I guess. People have a hard enough time seeing a trend in the next 5 years. That's alright, I think what David was getting at was really just another shot at what tools developers will be looking for in the future. The year count isn't really the point.
Posted in Programming, Web development | No Comments »
November 11th, 2007 Anthony Towry
Scott Berkun has posted an article recently that is aimed squarely at the ambiguity surrounding the title of Project Manager. Right away he splits the title into two factions, a Project Tracker and a Project Leader, and we get a closeup view of what's wrong with the title in the industry today.
Scott shares some great insight into how he picks out the leaders from the trackers and he's got the questions you need to ask in order to find out "Just what the hell is it you do?".
A Project Manager ought to have some real ownership of where a project is headed. Anything else is pretty lame.
Posted in Management | No Comments »
November 11th, 2007 Anthony Towry
Lately I've been looking a little further into the Payment Card Industry's Data Security Standard. Unfortunately, you could look for weeks and still find out new "fun facts". So as usual, I've put together a crash course on what I know about the PCI DSS and a little bit about what it might mean to the average credit card accepting merchant.
Show notes:
As always, if I've left something out, or you've got something good to add, let me know.

The PCI DSS Episode [46:15m]:
Posted in Podcast | No Comments »
November 6th, 2007 Anthony Towry

The file sharing rockstars at thepiratebay.org have started up a project aimed at overhauling the BitTorrent p2p protocol. The project site, http://securep2p.com, is very much in the early stages, but is starting to show up in the media.
This is very cool for a couple of reasons. First, if anyone in p2p has a following it's thepiratebay. These guys could publish a recipe for chocolate chip cookies and people would download it. Second, this is an ambitious project in an area where we know there are tons of amateur/garage research designs being built. Maybe some really smart ideas will start showing up.
Let's hope this goes somewhere.
Posted in Uncategorized | 1 Comment »