Monday, June 30, 2008

Top 10 Strategies on Responding to Security Issues

This top 10 list is about how to hide (or otherwise handle) reported security problems. It is taken from Thomas Ptacek's article at Matasano.
  1. Deny everything
  2. Keep it secret
  3. Forget the report
  4. Make excuses
  5. Downplay
  6. Wait for next release
  7. Beta-test the fix
  8. Patch the exploit
  9. Shoot the messenger
  10. Threaten lawsuit
You may laugh, but these are what most employers love.

Saturday, June 28, 2008

Internet Explorer 6 Window "location" Handling Vulnerability

Typical cross-site scripting (XSS) vulnerability found in IE6.

The vulnerability is caused by an input validation error when handling the "location" or "location.href" property of a window object. This can be exploited by a malicious website to, e.g., open a trusted site and execute arbitrary script code in a user's browser session in the context of the trusted site.

POC:

http://raffon.net/research/ms/ie/crossdomain/string.html

Recommendation:

  • To company: Upgrade to IE7.
  • To user: Switch to Firefox.

References:

  • http://www.f-secure.com/vulnerabilities/SA30857
  • http://www.f-secure.com/weblog/archives/00001463.html

Wednesday, June 25, 2008

ISMS Implementation and Certification Process

ISMS and ISO27K

Found some useful materials if you are planning your ISO/IEC 27002 implementation project. The ISMS Documentation Checklist is a list of the documents required by an Information Security Management System (ISMS).

The list was created by a team of ISMS users from ISO27001security.com.
There is also a free ISO27k Toolkit that provides a suite of sample documents to get your ISMS implementation off to a flying start, and an implementers' forum for those who have ISO27000 implementation experience.

Hacker inside Google

If you get bored with the standard Google start page, try something new today, at Google and Hacker.


OWASP.org and Hacked !!

A very popular "hacked" picture in the OWASP::Papers section.

Tuesday, June 24, 2008

cal 9 1752

Try typing the command "cal 9 1752" on any UNIX/Linux OS. Do you get this?
Notice the 11 missing days? This isn't a bug. It would be a bug if you didn't get something similar to the above output.

In case you can't get the answer from your man(ual) page (try "man cal"), here's why:
The Gregorian reformation was adopted by the Kingdom of Great Britain, including its possessions in North America (later to become eastern USA), in September 1752. As a result the September 1752 cal shows the adjusted days missing. This month was the official (British) adoption of the Gregorian calendar from the previously used Julian calendar. This has been documented in the man pages for Sun Solaris as follows. "An unusual calendar is printed for September 1752. That is the month 11 days were skipped to make up for lack of leap year adjustments." The Plan 9 from Bell Labs manual states: "Try cal sep 1752."
From http://en.wikipedia.org/wiki/Cal_(Unix)
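As an added illustration (not part of the original post, whose pasted cal output is not reproduced here), the following Python reconstructs the September 1752 grid that cal prints, using only the facts quoted above: the day after 2 September (Julian) was 14 September (Gregorian), and the weekday sequence was not interrupted by the skip.

```python
import datetime

# Under the British Calendar (New Style) Act, the day after 2 September 1752
# (Julian) was 14 September 1752 (Gregorian); 3..13 September never existed.
JULIAN_LAST_DAY = 2
GREGORIAN_FIRST_DAY = 14
SKIPPED_DAYS = GREGORIAN_FIRST_DAY - JULIAN_LAST_DAY - 1  # 11 days skipped

WEEKDAY_HEADER = "Su Mo Tu We Th Fr Sa"


def september_1752_days():
    """Day numbers that actually occurred in (British) September 1752."""
    return list(range(1, JULIAN_LAST_DAY + 1)) + list(range(GREGORIAN_FIRST_DAY, 31))


def weekday_of(day):
    """Weekday index (0=Sunday .. 6=Saturday) of a day of September 1752.

    Python's datetime is proleptic Gregorian, so it gives the correct weekday
    for 14 September 1752 and later. Days 1 and 2 are Julian dates that
    immediately precede the Gregorian 14th, so they are counted back from it.
    """
    anchor = datetime.date(1752, 9, GREGORIAN_FIRST_DAY)
    if day >= GREGORIAN_FIRST_DAY:
        d = anchor + datetime.timedelta(days=day - GREGORIAN_FIRST_DAY)
    else:
        d = anchor - datetime.timedelta(days=JULIAN_LAST_DAY - day + 1)
    # datetime.weekday(): Monday=0 .. Sunday=6; shift so that Sunday=0 like cal.
    return (d.weekday() + 1) % 7


def render_september_1752():
    """Render the month in the same layout as the cal(1) output."""
    lines = ["   September 1752", WEEKDAY_HEADER]
    cells = ["  "] * weekday_of(1)  # blank cells before the 1st
    for day in september_1752_days():
        cells.append(f"{day:2d}")
        if len(cells) == 7:
            lines.append(" ".join(cells))
            cells = []
    if cells:
        lines.append(" ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_september_1752())
```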

Bypassing Google Pack

Google forces you to install Google Pack. It isn't a bad idea to install it if the Google Updater works behind a company proxy that asks for a password.

If you're having trouble installing software through the Updater, you should be able to install most Pack software using the standalone installers from the Google support page at:

  • http://www.google.com/support/pack/bin/answer.py?answer=33587&topic=12699

Tuesday, June 17, 2008

Download Firefox 3 NOW

The official date for the launch of Firefox 3 is June 17, 2008. Although the Firefox homepage at the Mozilla site still shows the current stable download version as 2.0.0.14, you can actually start downloading version 3 using the link below (Windows version):

http://download.mozilla.org/?product=firefox-3.0&os=win&lang=en-US

You can also help to set a Guinness World Record by simply going to http://www.spreadfirefox.com/en-US/worldrecord/