Script kiddies rejoice! Metasploit 3.1 is out on the streets. This version comes boxed with a generous helping of attack modules (450+) prepared for your pwning pleasure.
Very cool stuff for your pen testing needs!
I found a set of short slides on 10 technologies that Big Blue has been working on. Some of the items aren't terribly surprising. Some of the items look like real dogs.
One I wasn't impressed with is the virtual conference idea they are calling "Bluegrass". Maybe it's my fear that I wouldn't have time to properly sculpt my avatar to look like Clint Eastwood. Read the rest of this entry »
According to a story running at ComputerWorld, two-thirds of Oracle DBAs haven't applied any patches to their systems. How incredibly nuts is that?
You know, Oracle doesn't have an insanely great track record of providing fixes. I remember sometime last year I believe it was, that David Litchfield was trying to get some attention paid to this in a big way (search BugTraq). Now that they've been dropping critical updates with dozens of fixes in them at a time, no one is applying them.
Oracle is entrenched in Universities, Government Agencies and other critical institutions and it sounds like it's unsafe at any speed.
The next question that should come to mind is "why?". The article cites the anxiety that patching the Oracle platform creates for DBAs. Sure, sure, they're a little squeamish about making changes to the engine that runs their world. I get that, but based on the article some of this anxiety might just be that it's something they've NEVER done before.
My feeling is that organizations will continue to let these important tasks fall by the way side until someone can help justify the cost of correction.
Until then, attackers can tap into the knowledge presented in The Oracle Hacker's Handbook and do our DBAing for us. Harden your systems Oracle folks!
This book is just almost worth reading, almost. I get excited about securing the endpoint. So, you can imagine how miffed I was when this book turned out to suck.
I agree with the author in that the endpoint has become the perimeter, and as such, shifts and flows as devices enter and leave. The endpoint is critical. The author does a fair job of presenting the concept. However, a communication breakdown starts to occur soon after. Your flag to put the book down is when he introduces the grand scheme for standardizing graphical representations of a network and it's endpoints.
The only place I can see this book being of use is in the hands of a lightly trained desktop manager. The basic steps for keeping a clean box are provided. Implementation may be a tough thing to bring about "by the book" as the recommendations are not necessarily business friendly.
There are some nuggets of wisdom buried in the noise, but it's really not worth the effort to read. I do not recommend this book.
If you haven't already heard Aaron Weaver has published a paper on "Cross Site Printing". Re-purposing printers isn't a new concept by any means, but this is a clever little attack.
What happens is that network printers are typically listening on port 9100 for some raw data. By providing a web page that attempts to connect to a resource on that port we establish a connection, push data, and as soon as the browser closes or timeout occurs we disconnect. The printer happily puts this to paper and out it comes.
Mr. Weaver demonstrates some rather creative ways of putting POST to use and the possibilities of pushing straight PCL to get a more professional look.
The spam is on the way, and the potential for this attack to be worked in conjunction with some of the recent DNS pinning attacks is interesting.
Read the paper, play with it on your LAN (there's something strangely satisfying about this simple little hack) and then tie the printer down to the print server.
InformationWeek's Alexander Wolfe asks that very question. The article goes on to say that podcasting hasn't lived up to the hype and that basically it's headed the way of the buffalo. Wolfe cites his reason based on podcasts not performing as big money makers.
In that regard, he'd probably be correct, but then the question becomes "Is making money indicative of the health of podcasting?" Which it is my opinion, clearly not.
Podcasting will advance along the same lines as other media (books, newspapers, etc.), which is the push for more localized and niche content. Pushing content for the most part isn't going to make a person rich, in fact, most producers would probably be thrilled to get a free beer now and then. That's cool though, that's really not all the reward that gets paid out.
Podcasting isn't even on the ropes really. If there's an issue at all, I think it's one of misguided expectations. Who the hell's fault is that? Read the rest of this entry »
We're back with Episode 6 and the first podcast of the year! In this episode we rant about the differences of managing the business aspects of security along side the technical requirements. We discuss the challenges of dealing with technical answers to business problems and what can be done to ease the tension...sort of.
Episode 6 Show Notes:
OS X has decided to throw a few nuts into the recipe for working with Ruby.
Ruby itself is part of the developer tools package. However, the issue here is that the version that comes with Tiger is an older one. Unfortunately, you can't build the rubygems package with it either.
The trick is to use fink or macports to get the latest Ruby installed. Then head out to RubyForge for the latest RubyGems package. Unpack this bad boy and build it from source. I experienced problems when trying to get it via the macports package. Building from source worked fine though.
Finally, to use gems without having to specify the -rubygems switch everytime I recommend adding the
export RUBYOPT=rubygems
line to your .bash_profile.
The article over at eWeek, "10 Mistakes Companies Make When Implementing SOA Projects and How to Avoid Them" got me thinking about some of the troubles I've seen in adopting architectures. As I was reading through Paul's list I found some things I really liked. He has a few gems that just might save some poor bastard a whole lot of frustration.
I'm going to pull a few numbered points directly from the article.
3. Spending More Time on SOA Products Than SOA Planning
5. Forgetting that SOA is a Business Problem
9. Expecting the SOA Project to Spread Quickly
My feeling is that the members of this dangerous little trifecta belong together. Let me explain why. Read the rest of this entry »
