APEG: automatic patch-based exploit generation

A new trend: build your exploits from the available patches. An even better trend: do it fully automatically and within a minute.

Some researchers from Berkeley, Pittsburgh and Carnegie Mellon describe their research.

Secure web browsing with the OP web browser

The “Opus Palladianum” project aims to design a new secure browser.

Instead of one monolithic whole, the browser will consist of small independent subsystems that communicate with each other.

Haven't we heard that before for operating systems? That monolithic systems don't work?

Authentication bypass in embedded devices

There is a very interesting post by Adrian Pastor about authentication bypass.

He talks about the well-known vulnerability in the Linksys WRT54G router, where the page that contains the different settings was password protected but the page that does the actual processing of the data (for the Linksys, a CGI script) was not protected at all.

Security Twits

An interesting post by Jennifer Leggio on Security Twits (Security folks using Twitter).

Spam Honeypots

Project Honeypot allows anyone who hosts a website to create a mini honeypot to trap spammers. I’ve configured mine to run on this site at “coast.php”.

It is a “poor man's” honeypot but can still offer useful results. Watch for my future write-ups on how to create honeypots with Bind, Apache and Postfix.

Differences of tcpdump linux / openbsd

One of the nicer options of tcpdump under Linux is -C (that is a capital C). This allows you to write the captured traffic to a file and have the file rotated at a given size. According to the man page:

-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the

CAPTCHA security Hotmail.com / Live.com bypassed

An article from Websense shows how new bots are able to bypass the CAPTCHA security that prevents spammers from creating large numbers of accounts.

According to Websense the three main advantages for spammers to target this CAPTCHA are:

- the Microsoft domain is unlikely to be blacklisted
- they are free to sign up
- it may be hard to keep track of them as there are millions of users worldwide using the service.

The same

FOSDEM 2008

FOSDEM, the Free and Open Source Developers’ European Meeting, is taking place in Brussels on 23/24 February.

Their schedule is online and shows that there are going to be some interesting talks:

- The virtualization track with talks on Xen.
- Application virtualization with next-generation Klik
- Unicoding With PHP 6
- OWASP WebScarab-NG

SQLmap

SQLmap is a security tool that can check your site for SQL injection vulnerabilities.

Fun with Trams

An article on Bruce Schneier's site talks about “hacking trams” via TV remote control.

Why would you need remote controls when most of the control cupboards are only protected with a generic lock for which you can find a key in any decent store? It’s much more fun figuring out what the functions of the different buttons are if you’re closer to the “vehicle”.