04.14.08

Interesting Links

Posted in Daily Link List at 12:32 pm by Tyler Reguly

I've got a few interesting links that I thought I'd share.

Up first is a map with the location of Google Data Centers (via Google Blogoscoped). This is actually pretty cool to check out.

Next is OpenPacket.org, which I'll probably do a post about again sometime soon. For now a brief intro though. This is a great concept... a place where people can upload their packet captures, so that others can download and view them. This can be used by everyone... students, researchers and enthusiasts. I think first and foremost, it's a great learning tool, however if a certain level of quality is maintained, everyone will benefit from this project.

The last, and probably most interesting, is a Google XSS that Billy Rios blogged about. The XSS takes advantage of the fact that certain browsers (IE was used, but it was mentioned that others can be affected by this) don't always use the content-type sent by the server. In many cases the browser will attempt to determine the content-type on its own. This means that enough HTML in a response with content-type: text/plain will be rendered by IE (and in some cases other browsers) as HTML.
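To make the sniffing problem concrete from the defender's side, here is an added example (not code from Billy Rios's post or from this page) that flags responses whose declared text/plain type a sniffing browser may override, and shows the same response with the later X-Content-Type-Options: nosniff hardening applied. The 256-byte window and the tag list are this example's own assumptions, not documented browser internals.

```python
# Added example: detect "HTML inside a text/plain body" responses that an
# IE-style sniffer may render as HTML, and show the hardened response.
import re
from typing import Dict, List

SNIFF_WINDOW = 256  # assumption: sniffers inspect only the leading bytes
# Assumed set of tags that make a body look like HTML to a sniffer.
HTML_MARKERS = re.compile(
    rb"<\s*/?\s*(html|head|body|script|iframe|img|a|div|table|title)\b", re.I
)


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def sniff_risk(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return findings for one response; an empty list means no sniffing concern."""
    findings: List[str] = []
    ctype = get_header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = get_header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"
    html_like = HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None

    if not ctype:
        findings.append("no Content-Type: the browser is free to guess the type")
    if html_like and ctype in ("", "text/plain") and not nosniff:
        findings.append(
            "HTML markup in a body declared as plain text without "
            "X-Content-Type-Options: nosniff; IE-style sniffing may render it as HTML"
        )
    return findings


def plain_text_response(user_text: str) -> Dict[str, object]:
    """'Before': echo user text as text/plain and trust the browser to honour it."""
    return {
        "headers": {"Content-Type": "text/plain"},
        "body": user_text.encode("utf-8"),
    }


def hardened_plain_text_response(user_text: str) -> Dict[str, object]:
    """'After': declare the charset and tell the browser not to sniff."""
    return {
        "headers": {
            "Content-Type": "text/plain; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        "body": user_text.encode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample: HTML markup arriving inside a plain-text echo.
    sample = "<html><body><b>this is not plain text</b></body></html>"
    for build in (plain_text_response, hardened_plain_text_response):
        resp = build(sample)
        print(build.__name__, "->", sniff_risk(resp["headers"], resp["body"]) or "ok")
```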

That's all for now...

OpenSSH 5.0 / W3AF beta 6

Posted in Daily Link List at 1:23 am by Tyler Reguly

Some new software shipped that I should have mentioned, and apparently it got past me...

The first is OpenSSH 5.0, released quite shortly after OpenSSH 4.9 (I believe it was 4 or 5 days). The following was attached to the release notes:

We apologise for any inconvenience resulting from this release
being made so shortly after 4.9. Unfortunately we only learned of
the below security issue from the public CVE report. The Debian
OpenSSH maintainers responsible for handling the initial report of
this bug failed to report it via either the private OpenSSH security
contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla
(http://bugzilla.mindrot.org/).

The security issue in question was CVE-2008-1483.

The second piece of software is W3AF Beta 6. The Web Application Attack & Audit Framework is designed to create an extensible framework for finding and exploiting web application vulnerabilities. Beta 6 introduces a GTK UI, new plugins and bug fixes.

12.14.07

Daily Link List

Posted in Daily Link List at 5:58 pm by Tyler Reguly

Just a few short things that I thought I should mention:

The first has probably been seen by most at this point, it involves Rich Mogull and Chris Hoff... it's a rather funny interaction but requires that you read the following articles in order:

  1. Predicting Peril -- Dark Reading Room
  2. Off Topic: Argh! Smart House Went Stupid
  3. Breaking News:  Successful SCADA Attack Confirmed - Mogull Is pwned!
  4. Never Bring a Knife to a Gun Fight

I'm sure that this will continue for a while, but it's definitely good for a laugh as it stands right now.

Up next, via SANS ISC, we've got an interesting article on how you can decrypt Cisco Type-7 passwords from within the Cisco CLI. Not much to say here, except 'Where's the Security?'

Lastly, an article from RetroThing on the new Canadian DMCA bill. If you are Canadian, make sure you read this and respond appropriately. No good can come from this bill, but our government would rather cave to pressure from the US than listen to the thoughts of its own citizens. I'd like to thank all of the conservatives out there that thought Stephen Harper would be good for this country.

12.08.07

Random Links

Posted in Daily Link List at 11:15 am by Tyler Reguly

I haven't done a Daily Link List in a while, but there are a few things I wanted to share.

  • Via Thoughts of a Technocrat, we've got the best Microsoft KB Article ever, Computer Randomly Plays Classical Music.
  • From the Secunia Blog, we've got an interesting chain of letters between Secunia and Autonomy in which Autonomy repeatedly threatens legal action in an attempt to prevent Secunia from releasing a security advisory.
  • An interesting write-up from Gadi Evron on taking down a spammer on ZDNet's Zero Day Blog. I recently had the opportunity to sit down with Gadi for a couple of hours and get his insight and thoughts on various things... he's a very interesting guy to talk to.
  • RSnake wrote an interesting post on why PCI is Good for Business. There was a response that PCI sets the Ceiling Not the Floor... I don't know if I agree that it sets the ceiling, not the floor. You could say that some companies chose to accept it as a ceiling, but at the same time it's also a floor for them.... A minimum bar is set that they have to reach... whether or not they go higher is their choice... before, numerous companies wouldn't have even gotten to the point that PCI is setting.
  • Lastly we'll end with some humour: via the SC Magazine Newsteam Blog, we've got the dumbest criminal of the year.

06.14.07

Daily Link List

Posted in Daily Link List at 9:10 pm by Tyler Reguly

I know these aren't daily but there were a few things I came across today / last night that I thought warranted mini blog posts.

The first of these was a post by Rich Mogull over on Securosis.com. It's a great post, entitled 'Then There Was The Time I Sort Of Kidnapped Someone', which talks about education vs experience by discussing a story of Rich's from when he was in his early 20s. While it doesn't directly discuss IT, it definitely fits with any industry. I won't spoil the story as it was definitely worth the read, but in the end Rich points out that a superb education with 'top of the class' marks doesn't compare to actual experience. I think this is important to point out because it applies to everything. There are plenty of businesses that still place things such as [CCNA, CISSP, MCSE, ] Required in their job posts and are firm on those requirements. Even if you have the industry experience to have learned and utilized those skills, they'd rather have someone with a piece of paper. Now I realize that this was talking more about people coming straight out of school and I think that is another reason it should be read, and read again... a chance to learn from the mistakes of someone else.

Something that has always bothered me... and maybe it's bothered me more than it would most because I'm a college graduate rather than a university graduate... is university students... and not all of them... but a number of them. I had this problem while attending college and I've had this problem afterwards while working in IT. I find that university students feel that, because they are going to graduate (or have graduated) from university, they are superior to you if you haven't done the same. They are "hot shit" so to speak and think the world of themselves. I think that reading Rich's article is a great way for some of these "hot to trot" show-offs to be brought back down to earth. It's better to learn from the mistakes of others than to get out into the working world and be smacked down by those around you. So if you're one of these people... go give it a read... Since most of you won't admit it if you are... Everyone go give it a read.

Up next on the "interesting reads" list is a blog post over on the Websense Security Labs Threat Blog. It discusses how an "enterprising individual" (read: scam artist) used a little bit of basic JavaScript to change his customer feedback rating and turn himself into a power user to all those unsuspecting visitors to his eBay auctions. Web 2.0 frightens me... I'll be the first to admit it... This is a great example of how control is lost when security isn't quite up to snuff.

Also a quick thanks to the Websense people for their awesome booth at InfoSec Canada. You really can't beat free beer!

Next we've got an article by Brian Krebs in his Washington Post Security Fix blog. It touches on a bill that passed in the US House of Representatives. It is the second bill they've passed on the subject of Caller ID spoofing. The first bill is still before the Senate which is where this one will head.

I've got a soft spot in my heart for Caller ID spoofing since I disable Caller ID with each call and I dislike that the telephone companies charge you to permanently hide your phone number. I've got my trusty SpoofTel account and I really enjoy using it in the occasional prank call to family members and friends. I can understand the problems with Caller ID spoofing... especially in fraud and scams. I just hope that if these bills are passed in the Senate and become law that they are used as intended... to deal with the fraudsters and scammers and not used to harass the little people who use Caller ID spoofing.

Note: For those of you that live away from home and make weekly calls to family back home, I highly suggest a SpoofTel account. Call your loved ones from a local number and tell them you're in town for a couple days and are on your way over... you stopped to call from a pay phone. You can really mess with them. You can also call one family member from another family member's phone number... it can be the source of endless hours of entertainment.

The last thing I wanted to mention is that the research team behind McAfee SiteAdvisor now has their own blog. The first few posts look interesting and everybody should probably check it out and add it to their RSS feeds in the near future.

03.22.07

A few links.

Posted in Daily Link List at 4:09 pm by Tyler Reguly

I've got a few things I wanted to touch on today....

First, a friend of mine, Max (J_K9), is in Seattle... from the UK. He gave details on why he's going, which includes visiting Microsoft and presenting to the board of directors, on his blog. While he's there, he's writing entries on what's going on and so forth. While the first one only covers the traveling, I'm sure the upcoming posts will be very interesting. You can read them all on his blog.

Up next is a blog post from F-Secure... As most know, I don't always trust competitors when they discuss their competition... Given that F-Secure is now in competition with Microsoft on the AV front, I'd expect them to be attacking MS for AV-related issues, but apparently they've decided to take a different approach. They're discussing the fact that in Vista file extensions are still hidden by default. I think it's a very minor issue to take exception to and bring up. When you think that both home and business users run Vista... technical and computer-illiterate alike... I think it makes sense. A technical user can easily enable this setting should they want to view extensions... The computer-illiterate user will have a harder time disabling it. Does it allow certain malicious files to be executed... yes. However, I'd ask how they got the file. Internet Explorer, Firefox, Outlook, MSN... These programs show the complete file name and people generally launch their files right from the download dialogs. They don't go into Explorer and track them down and run them... that's a computer geek thing. So even if the default action were changed, I don't think it would affect the end user.

These next two are related to WebAppSec. The first is a post by Jeremiah Grossman on Jikto. He makes some interesting points and I'd have to say I agree... I don't know if the release of such a powerful utility, which has no "good" purpose, is such a good idea... Read his post for more details... I may discuss this in the future but not now.

Lastly, a brief write-up on Web Security Auditing from SANS. It's fairly basic... nothing of interest but still a handy reference link.

Enjoy!

03.15.07

Odds and Ends

Posted in Daily Link List at 1:12 am by Tyler Reguly

A few things that I came across that I could have turned into a number of small blog posts, but instead I chose to throw them all into one.

Up first we've got a WordPress plugin I recently downloaded and added... Like many bloggers I use Google Analytics, and like many WordPress bloggers, I've simply added the Google Analytics tag to my footer... This has all changed now, thanks to a plugin called Ultimate GA. I've just set it up but I'll know better in a few days how it's working.... Here's the info from the website:

I managed to get a Google Analytics account back in the days when there was a long waiting list. I added the tracker JavaScript to the footer of all my pages, as instructed by Google Analytics. This gave me some great statistics to start with, but I wanted more.

I also want to track outgoing links to other sites and links to downloads (e.g. PDF documents) on my own site. Google Analytics can do this, but you have to add an onClick JavaScript to all these links. I didn't like the idea of editing all my blog entries to add an onClick event to the links. So I ended up writing a WordPress plugin that does it for me. You can download the plugin for your own use.

I've just set it up, so I'll let everyone know in a few days what I think of it.

Up next we've got a post on the Technology and Marketing Law blog, and this one is rather interesting. It discusses a case (Internet Archive v. Shell) which asks the question "Can a Spider Enter Into a Binding Contract?" As I have an interest in web spidering this caught my attention. I think the case is ridiculous from the get go... The question being asked isn't the right question... The correct question should be, "Can a website provide a "contract" along the lines of Shell's and have it be valid?" I think the answer to that should be no. Although looking at Shell's website, I see this as an attempt at a money grab... She's targeting Internet Archive due to their size in my opinion... if she had a valid case, she'd have targeted Google, which I'm sure has cached her page.

Since she wants money from anyone who copies her website, I suggest you visit it. Scroll to the bottom of the horridly designed website... It looks like those old Angelfire and Geocities websites. Shell licenses her website for viewing over the internet only... (I wonder if she's attempted to go after every visitor... after all, their browsers cache pages). In order to view the copyright, you have to click a box asking if you agree to the Terms (prior to seeing the terms)... The whole site made me laugh and the case is making me laugh even more... I'm definitely curious to see the outcome though... Maybe I'll add fine print to the bottom of this page that if you view the RSS feed you're agreeing to pay me $1000.00.

Next on the list is an article about Novell being linked to a press release stating that the TCO for Microsoft products is less than Linux. I'm sure this article has irritated plenty of Linux advocates... however the statement is true... This was debated before when Microsoft released their large Microsoft costs less than Linux campaign... and the Microsoft TCO is less. Think about it, you purchase the Microsoft product... you have an IT person... your cost is their salary + the software cost. All of your software ties in quickly and easily and install / configuration is simple and a breeze. Now take a look at Linux... There are fewer Linux people out there so you will probably pay more for your Admin. Now you have to pay for the software (enterprises run SuSE or RH... not as many go grab VectorLinux or Debian). Now you have to painstakingly install and configure everything... You don't have the benefits of Active Directory... of your users being tied together... of software like Exchange... You may have a web based calendaring system... or Thunderbird but the productivity just isn't at the same level... Something is lost. In the end, when everything is factored in... Microsoft is cheaper... I've actually blogged on this subject in the past... feel free to jump back and read it.

A quickie link here to a couple of online PDF viewers.... one offered by Adobe and a third party one... I tested both of these with the same PDFs this evening and the third party viewer worked much better... actually it worked, which is more than I can say for the Adobe offering.

Lastly, everyone has been jumping on the horn to mention The Top 59 Influencers in IT Security for 2007. Congrats to everyone on the list and hopefully none of you will find what I say next overly insulting or think of it as an attack. I take some issues with the list... The focus on C-Level Execs and Bloggers is interesting... but not how I would have done it... Certain bloggers and C-Level execs that were listed certainly belong there... but I think the emphasis was missed... The end of the list contains the real influencers and even that portion seems to have missed the boat. H.D. Moore, Fyodor (which is spelled incorrectly on the list) and others are the ones that it should be focused on... Those are the people that I think deserve to be considered as the influencers for 2007. Others that should have been on that list but were not included... Jeremiah Grossman (sure his blog was mentioned briefly but he should have had his own number), RSnake and David Litchfield for example. Web App Sec and Database Security are still growing issues... WebAppSec is getting bigger daily and we recently saw the release of a Free Database Security Scanner. Others should not have been on the list at all... Kevin Mitnick for example... that turns the blog list into a '90s throwback... How about Kevin Poulsen and Tsutomu Shimomura...

So congrats to the decently large number of you that deserve to be on the list... and to the authors of the list... Consider leaving the 1990s hero worship out of it next time... especially if you're attaching a date to the list... If you want to play out the hero worship bit, you might as well include the entire TLC Hackers Hall of Fame list. I may release what I consider to be a more accurate list in the near future.

Now that I've sufficiently irked a large number of people... that's it for me...

02.24.07

Non IT Daily Link List

Posted in Daily Link List at 7:10 pm by Tyler Reguly

These are just some cool sites... I found them via another blog but unfortunately between finding them yesterday and going to post this today, the blog link has escaped me. I apologize to the author of that blog and will link them if they want to contact me with the link.

Anyways... just a few links to share...

Pipl - A People Search Engine... The information that it finds is interesting... you could do the same using Google but it provides a bit more and it's free. It also directed me to A9 Lite (which lists the individual with each company they can be found with on the net). From the Pipl "What makes us different" page:

So how come the best search engines fail so miserably when it comes to people search? The answer lies in a little known but very important part of the web called "the deep web".

Also known as "invisible web", the term "deep web" refers to a vast repository of underlying content, such as documents in online databases that general-purpose web crawlers cannot reach. The deep web content is estimated at 500 times that of the surface web, yet has remained mostly untapped due to the limitations of traditional search engines.

Since most personal profiles, public records and other people-related information is stored in databases and not on static web pages, most of the higher-quality information about people is simply "invisible" to a regular search engine.

Even when a personal profile is available to search engines, some information might not appear on the page itself and will therefore be "invisible"; for example, the real name of a person will rarely appear on MySpace or Flickr profiles, and although this information is publicly available using a search form on the site itself it is still invisible to search engines.

While I may not agree with all of that... It does make for some interesting searches.

Up next we have Craigs Number. The idea is that it gives you a free anonymous phone number to post with online auctions and ads. I could see this having malicious uses as well, but it's still an interesting site... Currently you can get a number related to the following cities:

  • Atlanta
  • Boston
  • Chicago
  • Cincinnati
  • Dallas
  • Detroit
  • Houston
  • Indianapolis
  • Las Vegas
  • Los Angeles
  • Miami
  • New Jersey
  • New Orleans
  • New York
  • Phoenix
  • Pittsburgh
  • Portland
  • Salt Lake City
  • San Diego
  • San Francisco
  • Seattle
  • St. Louis
  • Washington DC

The numbers can last for varying times from 1 hour to 1 month and will redirect to your phone when called. It would be nice to see this startup for other countries.

Up next is the Fake Name Generator... While this may seem like an odd thing to find useful, I can think of plenty of times when I've developed web apps that stored user data, and having accurate test data created for me would have been much better than randomly populating the fields myself. The generated data looks like this:

Carol J. Haynes
4517 Goosetown Drive
Marion, NC 28752

Email Address: Carol.J.Haynes@mytrashmail.com

Phone: 828-655-1932
Mother's maiden name: Fitzgerald
Birthday: January 12, 1942

Visa: 4532 9847 9280 7632
Expires: 6/2008

SSN: 245-30-5007

You can choose gender, name set and country. I know you're all thinking how is this useful... You generate the data and now have to enter it from the format they give you, but this isn't so... They also offer a bulk generation service that will let you generate and receive data in MySQL, CSV, tab delimited and Excel formats... This is all done free of charge. For a fee you can also have custom data generated.

The last site we're going to look at is SlideShare. SlideShare allows you to upload both PowerPoint and OpenOffice formatted slide shows and share links or embed them in web pages. This could be a great way for professors to make their slides available on a larger base (assuming they don't want them private)... It's also a great way to share slides on your web site or blog. You can also visit the site to search slides that have been posted there.

Enjoy!

02.23.07

Daily Link List

Posted in Daily Link List at 4:32 pm by Tyler Reguly

Sometimes I provide just links in these, other times I use them to house numerous "mini-blog posts"... The last one was links, this one is "mini-blog" posts.

The first thing I want to bring up is some of the "tutorials" that have been written on the Official Google Blog. The first was Controlling How Search Engines Access and Index Your Website. It was posted back in January and covered robots.txt; it's a great intro for anyone who's never used robots.txt before. It also provides some external links to some excellent resources. The more recent of these, The Robot Exclusion Protocol, covered using META tags to issue directions to Googlebot. It covers the NOFOLLOW, NOINDEX, NOSNIPPET and NOARCHIVE META tags. Both of these are fairly short, a single page, and definitely worth taking a couple of minutes to read.

Next up we have an interesting post on Jeff Pettorino's VeriSign Blog. While it's a common sense issue, we quite often forget how many people fail to use common sense. The article speaks to home alarm systems and why they don't work with VoIP. I always thought it made sense as to why you needed a land, or POTS, line but I guess that's because of a technical background, and those without the technical background think of a phone as just being a phone. My sister for example signed up with Rogers for Internet, Cable and Phone... She signed up for home phone service and it wasn't until she and I were talking one night that I pointed out that the, so called, "Home Phone Service" was actually VoIP... so I guess to most people a phone is just a phone. For those people, Jeff's post is an excellent read.

Up next we've got an interesting bill being proposed in Massachusetts that would make retailers responsible for monetary losses due to data loss... This is a great bill and hopefully it becomes a law and then, if all goes well, hopefully other places will put similar laws in place. Right now if a business loses your credit card information, the credit card company is responsible for any loss you incur. Under the proposed law the business would be responsible. I think this would drive a lot of companies to beef up the security that they have in place and start to take data loss seriously.

An article published on Dark Reading a couple of weeks ago covered a study done by the University of Maryland which determined that the average computer on the internet is attacked every 39 seconds. A second article was published yesterday with more information from the study pointing to the top ten passwords that are attempted during these attacks.

Lastly, we've got a post from Mitchell Ashley on a third type of hat that should accompany white hat and black hat... I would argue that this is actually the fourth type of hat, as the third type was grey hat. While I agree that this described "yellow hat" does indeed exist, I wonder if we should introduce yet another hat... perhaps we should have the "green hat"... The hat of jealousy and envy... The "green hat" isn't unlike the yellow hat, except that instead of finding flaws in their competitors' software and publishing them irresponsibly to make themselves look good, they verbally attack them with no real basis for the attack. Without naming names, I can think of individuals at a few different companies who regularly resort to this and I think we should label them green hats.

02.22.07

Daily Link List

Posted in Daily Link List at 1:38 am by Tyler Reguly

Just a few quickies today:

Sid @ SecuriTeam has an interesting post on how he found out that his router was open to the world to FTP into. It's worth a read... and it also introduced me to nmap online... something I'd previously been unaware of.

Brian Krebs has a nice write-up on the flaw in Google Desktop which prompted a quick patch.

I'm a little behind on this one, but apparently Stefan Esser has been making mention of March being the Month of PHP Bugs. Haven't we seen enough of these already?

The beta of Nessus 3.2 has been made available for Linux, FreeBSD and Solaris.

That's all... short and sweet.
