Zero in a bit
 
Showing 1-10 of 28 records

The Government's Top Hackers?

2008-07-01 18:40:47 by Chris Eng in Zero in a bit
 
...information security industry, with the built-in disadvantage of the government pay scale. If that wasn't bad enough, they also have to compete with themselves (i.e. the rest of the NSA) for already scarce resources. Given these challenges, how could one realistically expect the Red Team to be as advanced as the article portrays? Finally, let's...

Selling 0day Exploit Code

2008-06-30 18:55:01 by Chris Wysopal in Zero in a bit
 
...security companies I have been acquainted with frown on this type of activity, as I am sure HP has. It's hard for them to sell security products and services when their employees are selling the very tools the company is purportedly defending against.

DWR 2.0.5 Fixes XSS Vulnerability

2008-06-30 03:04:21 by Chris Eng in Zero in a bit
 
...security seriously. For this particular vulnerability, I e-mailed him on a Saturday night, and within 12 hours, he had confirmed the problem, patched the code, and built a 2.0.5 release candidate. Granted, it was a tiny code change, but I've still never seen a response that fast. Less than a week later, the official 2.0.5 release (which...

Why Do I Attend BlackHat?

2008-06-26 18:33:51 by Chris Eng in Zero in a bit
 
...information security for the upcoming year or two? When I first started attending BlackHat, I was drawn to the talks discussing 0-day vulnerabilities, tool releases, shellcode tricks, and the like. These days, anything relating to static analysis, automation, and of course web security is most interesting to me. I also consider who's speaking,...

Scrawlr: Are We Being Too Greedy?

2008-06-25 16:19:45 by Chris Eng in Zero in a bit
 
...Security mailing list for having some pretty major limitations. Billy Hoffman et al have been quick to point out that the tool was designed to address a very specific subset of SQL Injection vulnerability (the type affected by the mass attacks) and is not designed to be a general purpose replacement for existing SQL Injection scanners. Let's...

Minimizing the Attack Surface, Part 1

2008-06-24 19:09:34 by Chris Eng in Zero in a bit
 
...security? There's a good chance it had something to do with port scanning. After scanning a few boxes, you realized that modern operating systems have a lot of open ports by default, meaning a lot of services. Some had an obvious purpose, like telnet on tcp/23 or ftp on tcp/21. Others left you wondering, what the heck is listening on tcp/515...

Art vs. Science

2008-06-20 20:56:38 by Chris Eng in Zero in a bit
 
...security blog, in which he predicts the upcoming OWASP People Certification Project will be the next big thing. This paragraph is quoted from James McGovern's blog (James is the project leader): "As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business executives, yet...

Someone Should Have Told Them How Switches Work

2008-06-17 15:16:46 by Chris Eng in Zero in a bit
 
From the Burlington Free Press, a story about a local hacking competition set up as a spectator event: "Their competition, tantalizingly called a digital combat exercise, was supposed to give onlookers a rare opportunity to watch a computer hacking job in progress, complete with play-by-play." It didn't work out that way, though, thanks to what...

Verizon Business has a new report on data breaches

2008-06-12 20:21:39 by Chris Wysopal in Zero in a bit
 
...information is obvious. The largest single type of breach is hacking, and within that the largest type is application/service layer attacks. So if we multiply 59% times 39% we get 23% of those 500, or 115, data breaches that are due to attackers hacking applications. That is a very significant number of the whole slice of the data breach pie. It is...

Trip Report: PH-Neutral

2008-05-28 20:56:40 by Chris Eng in Zero in a bit

...security conference I've attended and I found it quite different from any North American security gathering I've been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard about European conferences but hadn't experienced until now (even EUSecWest is...