Sitekey vulnerabilities article

SiteKey-20060718.pdf
An article detailing some problems with the SiteKey implementation at BofA. I must say I'm not surprised by the one about a real-time MITM bypassing the protection, but I'm a little surprised that one of the security checks for login is waived once the user clicks a button on a given PC, and more so that there's no easy way to remove the bypass from that PC...
Secondary security questions (well, ones that aren't likely to be public knowledge anyway) are a decent add-on to an authentication procedure, but I wouldn't have thought they were so onerous that you couldn't just ask them every time...

Great Dictionary Site

GData: An Online MD5 Hash Database
I've been looking for a good site to get password dictionaries from for ages. Don't know why this one doesn't seem to show up well in Google searches, but the dictionaries available for download there look good to me.

Walkthrough of an XSS attack

XSS, Cookies, and Session ID Authentication – Three Ingredients for a Successful Hack > The XSS Vulnerability (http://www.informit.com/articles/article.asp?p=603037&rl=1)
Some more reading for me.

Some Interesting Javascript Attacks

DNS: Spoofing and Pinning.
SPI Dynamics article on JavaScript system enumeration
A couple of interesting articles on the dangers of JavaScript/XSS attacks...

Java Nessus Client

Intekras > PSS > Tools > Nessj (http://www.pss.intekras.com/tools/nessj/)
Handy. A Java-based Nessus client.

Analysis of the Vista Security Model

Windows_Vista_Security_Model_Analysis.pdf
Symantec's analysis of the Vista Security Model. Another one to read when I get some time.

Security Review Process

A Process for Performing Security Code Reviews
Article on performing security code reviews, one to read when I get a chance.

Cool Interviews with great programmers

Sztywny Blog - Stiff asks, great programmers answer
Very interesting answers...

Oracle Exploit Code

Oracle Exploits
A site with some good explanations and exploit code for various Oracle versions, plus links to other sites with exploit code.

Vast quantities of Coolness from VMware

VMTN Virtual Appliances Directory
The VMware virtual appliances directory looks very, very cool to me. It's a collection of pre-installed, pre-configured virtual machines set up for specific purposes... need a MediaWiki server... no problem... need a network security scanning server... no problem...
just download and go...
And if you combine it with the release of VMware Server FOR FREE, then you really have something cool...
One thing I did notice is that, unsurprisingly, all the VMs I looked at are based on Linux, and I expect this kind of thing will really drive the take-up of Linux. If you think about it... you're asked to demo, say, an e-mail security server to handle your burgeoning virus/spam problems...
you could pay for a Windows Server license, buy it, configure it, get some software to do the filtering, install it, configure it, etc. etc.
or you could download a pre-configured Linux VM running pre-configured open source software...
If you were a small, overworked IT department... which would you choose?