July 3rd, 2008 Anthony Towry
Some bright expo coordinators have created a social network on ning.com targeted at Oklahoma's IT professionals. I'm still a bit skeptical as to whether it will take off or not, but it's worth a shot. If nothing else this will be one more place for me to peddle DC405 meeting times.
I love things that encourage geek collaboration. It'd be great if an OKCBarcamp came out of this sort of forum. I guess we'll see if it blossoms, or stutters and dies. Check out the OKTechOnline.ning.com group here.
April 16th, 2008 Anthony Towry
A recent post to thedailywtf.com details a long running hole in an Oklahoma Department of Corrections web application. It appears that their Sexual and Violent Offender registry was wide open to SQL injection via a specially crafted query string.
Now, SQL injection can get pretty damn creative, but come on, this is 2008. There's no reason to be open to this class of vulnerability. Shouldn't we be past creating dynamic SQL queries? And even if you're nutso bongo enough to be creating dynamic SQL, these guys aren't even making the attacker interact with the form to discover the hole. It's a security through obscurity thing for sure (and as such just one shade of crap less offensive), but being on the hit list by way of a Google dork is just sad.
Developers don't all have to be security experts, but an understanding of the OWASP top 10 isn't too much to ask. Get out there, parameterize those queries, sanitize input and make sure that data stays data and doesn't suddenly make the jump to code!
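To make that last point concrete, here is an added example (not from the original post, and not the Department of Corrections code) that puts a string-concatenated lookup next to its parameterized replacement on a constructed in-memory table; the table name, columns and rows are made up for the demo.

```python
import sqlite3

# Constructed sample data standing in for a registry table;
# the names and columns are made up for this example.
SAMPLE_ROWS = [
    (1, "DOE, JOHN", "73101"),
    (2, "ROE, RICHARD", "73102"),
    (3, "SMITH, JANE", "74101"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER, name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_by_zip_dynamic(conn, zip_param):
    """Vulnerable pattern: the query-string value is pasted into the SQL text,
    so whatever the user typed becomes part of the statement (data -> code)."""
    sql = "SELECT id, name FROM offenders WHERE zip = '" + zip_param + "'"
    return conn.execute(sql).fetchall()


def search_by_zip_parameterized(conn, zip_param):
    """Hardened pattern: the value is passed separately as a bound parameter,
    so the driver treats it as data no matter what characters it contains."""
    sql = "SELECT id, name FROM offenders WHERE zip = ?"
    return conn.execute(sql, (zip_param,)).fetchall()


def demo():
    """Run both lookups on a benign value and on a value carrying a quote."""
    conn = make_db()
    benign = "73101"
    hostile = "73101' OR '1'='1"  # textbook probe string, constructed here
    return {
        "dynamic_benign": search_by_zip_dynamic(conn, benign),
        "dynamic_hostile": search_by_zip_dynamic(conn, hostile),
        "param_benign": search_by_zip_parameterized(conn, benign),
        "param_hostile": search_by_zip_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The dynamic version hands back the whole table for the quoted input, while the parameterized version searches for that exact string and finds nothing, which is the "data stays data" behaviour the post asks for.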
November 2nd, 2007 Anthony Towry
...or at least trying to. I applied to get an account with the Open Source Vulnerability Database project a while back. Today I found out that my application was accepted and had been sitting in my spam folder for over two weeks. Nice.
If you're signed up to contribute to the project you're supposed to try to keep up with mangling a vulnerability on at least a daily basis. So, needless to say, I feel like I'm about two weeks behind. Sure, the guys at OSVDB probably aren't going to bust my balls about it, but still