Comments


Ask Richard Dawkins About Evolution, Religion, and Science Education

mrkitty Democratic society without religion? (1142 comments)

Do you believe a democratic society can exist which has no form of religion in its laws, or within government?

about 2 years ago

10 OSes We Left Behind

mrkitty VAX VMS (562 comments)

What, no VAX VMS or OpenVMS? People still use it in healthcare systems even though it came out around 1978. How I miss the good old days in the 1990s using a VAX/VMS in high school and UUCP'ing to send mail out of the building, and using our student BBS authored in DCL.

more than 5 years ago

IT Job Without a Degree?

mrkitty Information security (1123 comments)

Consider a job in infosec. Here are a few quick suggestions for building experience without a job:

- Research something within the infosec space, publish a paper
- Find some vulns and publish some advisories (responsible disclosure!!)
- Start attending OWASP chapter meetings and start networking

I've been in infosec for 8 years without a degree and as long as you know wtf you're talking about (as is the case in many tech jobs), can admit when you don't know something, and can figure it out on your own you're fine.

more than 5 years ago

Submissions


Announcing the Web Application Security Scanner Ev

mrkitty writes | more than 4 years ago

mrkitty (584915) writes "The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that should be considered when conducting an evaluation. The WASSEC project does not promote any specific products or tools, but instead provides valuable information to help you make your own decision about which of these tools best meets your needs.

The WASSEC document can be found here in both wiki and PDF formats:
http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria"


WASC's Distributed Open Proxy Honeypot Project

mrkitty writes | about 5 years ago

WASC writes "The idea behind the IT security concept known as the honeypot is all about luring hackers into a server or network so they can be tracked. The Web Application Security Consortium (WASC) has its own particular brand of honey to attract would-be attackers — a blend of open source and open proxies. The WASC is now entering Phase Three of its Distributed Open Proxy Honeypot Project, including more participants, sensors and analytical reporting as the project moves into wide deployment. The aim remains the same, however: providing security researchers and law enforcement with a new resource in the battle against Web attacks. 'Ultimately what we're trying to identify is Web-based attacks — how they are actually happening — because it's very hard to get real details,' WASC Honeypot Project Leader Ryan Barnett told InternetNews.com."

Transparent proxy architectural flaw discovered

mrkitty writes | more than 5 years ago

MrFoobar writes "Transparent proxies allow organizations to influence and monitor the traffic from their users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption, speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc.) with socket capabilities. This write-up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."

Appropriate QA Security Testing Expectations

mrkitty writes | more than 5 years ago

WASC writes "Developers by nature are detail oriented and typically (the good ones anyway) have a deep understanding of flows and processes from start to finish. QA on the other hand is a different animal; they understand the business use cases provided to them, and ensure that the business use cases work (positive testing). Good QA people add negative testing to this mix, typically to generate errors/crash things to ensure the platform is fairly stable. The majority of QA people aren't interested in becoming security engineers or having a thorough understanding of vulnerabilities such as SQL injection, OS commanding, or HTTP response splitting. You may be lucky at your company and have a few that do care about these details, but as a general rule they are in short supply and rarely sustainable. The security industry needs to re-align its security expectations for QA."

2007 Web Application Security Statistics Published

mrkitty writes | more than 5 years ago

WASC writes "The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry-wide effort to pool together sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by the MITRE CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project tries to be the equivalent for custom web applications. There is also a PDF available for download."

Google Chrome vulnerable to carpet-bombing flaw

mrkitty writes | more than 5 years ago

CGISecurity.com writes "Google's shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks. Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year's Black Hat conference — to trick users into launching executables directly from the new browser."

Linux kernel team not disclosing security flaws?

mrkitty writes | more than 6 years ago

iphone-deals writes "The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of GRSecurity: 'The kernel was released with no mention of security vulnerabilities in the announcement, only "assorted bugfixes". Put simply, it only took about an hour or so to develop a PoC for this exploitable vulnerability which affects 64-bit x86_64 kernels since January. So since the time of the fix itself (or even before that if someone spotted it before the kernel developers did themselves) users have been at risk.'"

Apache Debates the Apache UTF-7 XSS Vulnerability

mrkitty writes | more than 6 years ago

topdeals writes "There is a great debate on the bugtraq mailing list regarding the Apache UTF-7 XSS issue. In this debate William Rowe (Apache) discusses why the Apache UTF-7 vulnerability is in fact not a vulnerability in Apache but in Internet Explorer for not following specifications properly. William first posted to bugtraq http://seclists.org/bugtraq/2008/May/0166.html with the following: 'Internet Explorer's autodetection of UTF-7 clearly violates this specification, introducing the opportunity for myriad similar attacks. These are literally everywhere on the web today; we can trust the kids to continue to explore this vector until it is fixed by Microsoft. However this vulnerability should clearly be labeled as a flaw in Internet Explorer. If the browsers under your supervision continue to enable the autodetection of UTF-7, your users remain at risk. As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that Microsoft erred on the side of accepting the UTF-7 charset for automatic detection, contrary to the behavior dictated by RFC 2616.' More at CGISecurity"

The Web Incidents Hacking Database

mrkitty writes | more than 6 years ago

mrkitty (584915) writes "The Web Hacking Incident Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents."

Greek spies plant rootkit in a phone exchange

mrkitty writes | more than 7 years ago

http://www.cgisecurity.com writes "A highly sophisticated spying operation that tapped into the mobile phones of Greece's prime minister and other top government officials has highlighted weaknesses in telecommunications systems that still use decades-old computer code. The spying case, in which the calls of around 100 people using Vodafone's network were secretly tapped, remains unsolved and is still being investigated. Also complicating the case are question marks over the suicide in March 2005 of a top engineer at Vodafone Group in Greece in charge of network planning. A detailed write-up can be found at http://www.spectrum.ieee.org/jul07/5280"

mrkitty writes | more than 7 years ago

LordNikon (584915) writes "According to CERT: 'Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.' Proof of concepts affecting IIS are already being posted to security mailing lists, and Cisco IPS and other IDS products are also affected."

mrkitty writes | more than 7 years ago

foo writes "People are aware of the good that technologies such as AJAX have added to sites such as gmail, digg, and slashdot. The negative aspects and implementations of AJAX have mostly been avoided by the media and are rarely spoken of. CGISecurity has published a top 5 list of problems which can be encountered by implementing AJAX improperly."

mrkitty writes | more than 7 years ago

CGISecurity.com writes "NASA officials say the space agency is capable of finding nearly all the asteroids that might pose a devastating hit to Earth, but there isn't enough money to pay for the task so it won't get done. 'We know what to do, we just don't have the money,' said Simon 'Pete' Worden, director of NASA's Ames Research Center."

mrkitty writes | more than 7 years ago

webappsec writes "The Cross-site Request Forgery FAQ has been released to address some of the common questions regarding this commonly misunderstood web flaw. 'Cross-Site Scripting exploits the trust that a user has for the website or application. Users generally trust that the content displayed in their browsers was intended to be displayed by the website being viewed. The website assumes that if an "action request" was performed, that this is what the user wanted and happily performs it. CSRF exploits the trust that a site has for the user.'"

mrkitty writes | more than 7 years ago

CGISecurity.com writes "QASec.com has just released an article titled Writing Software Security Test Cases: Putting security test cases into your test plan. 'Unlike typical penetration testing, QA has access to internal documents and insider information, giving them advantages to aid in the testing of an application. In addition to documenting customer use cases it's important to begin the process of documenting what an attacker may attempt against your application as well, and incorporating these attacker "use cases" into a security section of your standard test plan.'"

Journals

mrkitty has no journal entries.
