A Chronology of Data Breaches Since the ChoicePoint Incident
this list of all the data breaches since 2005 that the privacy rights clearing house have assembled looks quite handy.
Penetration Test
I'm a bit of a fan of Mind maps so seeing this information in that format works pretty well for me...
Australian IT - Bungle exposes bank files (Natalie O'Brien and Michael McKinnon, JUNE 26, 2006)
Another story in a long line of articles about sensitive data being lost by organisations who should know better. This time it's the turn of the Australian High-Tec crime unit.
One thing I've noticed about these stories is that the organisations involved almost always blame the employee involved for "breaking the rules"
I think this is pretty disingenous(sp?) really. The organisation needs to provide methods/procedures/tools for it's staff to move data around in a secure fashion in the manners in which they need to before they can blame individual staff members for data losses and I don't think that it's likely that most companies will do that.
So that means if you need people to take data with them from one country to another, you have to provide file encryption software (or better still device encryption software). If data keys are the best way of doing this (and they usually are) then companies should be providing encrypted data keys to staff.
Otherwise what happens is that people break rules because they have no way of getting their job done whilst staying within them.
Now I may be off base and maybe all these companies have easy-to-use pervasive support for data encryption and the indiviudals involved were all just willfully negligent people who were willing to risk their jobs by deliberately avoiding all the controls their organisations had put in place.......
Top 100 Network Security Tools
Updated list of Pen testing tools from insecure.org. Interesting to see that web app. tools are starting to make an appearance into the list (albeit mostly in the lower orders)
iKu Systemhaus AG - Sicherheit
Advisory about a new(?) character encoding issue. The problem for Internet Explorer appears to be that they handle the encoding correctly but that A-V /Filtering systems may not, essentially obfuscating attacks on the browser....
Ajax security basics
Interesting article on Security Focus looking at the security implications of AJAX technologies and also the implications for Penetration testing AJAX enabled applications.
In terms of the security risks of AJAX it will be interesting to see how well frameworks like Atlas and RoR take care of this for the developer. One thing I noticed in testing .NET v2 applications was the in-built input validation really cuts down on XSS and SQL Injection vulnerabilities, instead of the "old days" with classic ASP where I could virtually guarantee some kind of input validation problem somewhere...
SQL Power Injector Product Information
A new release of SQL Power Injector. Not a tool I've played with much yet, but could be cool to try it out in conjunction with the hacme stuff from foundstone...
Foundstone, a division of McAfee, Inc.
Seems to be tool-tastic at the moment. Foundstone have updated their hacme books and hacme bank site and released hacme travel and shipping!
Shipping is a Coldfusion app with a mysql database and travel is in C++ which should be interesting... (like the typo on the travel page which explains that the system suffers from common vulnerabilities such as "SQL injection and bugger overflows")
"Hacking iSeries" references and links
Just started to go through the blackhat europe 2006 media archives and found something useful to keep a note of (expect many more posts as I go).
iSeries (more commonly known as AS/400) is not something which there's a wide understanding of, both in IT security and pen testing (IME of course)
This site seems to have a load of good links and an eBook on hacking iSeries .. Also here's a link to the blackhat presentation which has a lot of good info. on the topic Hacking iSeries Presentation
Survey: gaping security holes - Network World
Some interesting numbers relating to security trends. It's not surprising really though it should be..
over half of companies admit they're not doing a good job of working out what's on the network (kinda' hard to patch a box you don't know you've got)
And probably the worst, over 25% of companies dedicate no resource to assessing the value of business assets.
the question is how are these companies doing risk assessments or Business Continuity Planning (with the cynical answer being..."Not Well")...
