Thursday, May 23, 2013

Microsoft SQL Server security tips

SQL Server security is one of my favorite topics. I have seen lots of applications that use Microsoft SQL Server as the database and suffer from basic security issues in the configuration of the database engine. Fortunately I found a series of security tips here at

Monday, April 29, 2013

Think like a hacker, write secure code!

Each program, as a target for a security pen tester, can be viewed as a new experience. But beyond the particular characteristics of each target, I always see the same big mistake behind most of the vulnerabilities discovered:
"The programmers do not think like a hacker." Unfortunately most programmers write code in a way that is suitable for a utopia. In such a utopia, no one wants to bypass the guards; everyone is honest and respects the rules...
Perhaps the most important role of a programmer in a security program is to learn the art of thinking like a hacker.

Sunday, April 7, 2013

Windows Forensics (2)

I am collecting tools and useful information on Windows forensics. Thanks to Microsoft and the security community, there are amazing free tools, guidelines, blog posts, etc. around the topic.
For the first post, I recommend this:
Use PowerShell to Perform Offline Analysis of Security Logs
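As an added example of the kind of offline analysis the linked article covers (this is my own illustration, not code from that article), the script below reads a Security log exported from the target (for instance with wevtutil epl Security C:\cases\Security.evtx), pulls the fields by name from each record's XML rather than by positional index, and tallies failed and successful logons, account creations and group changes. The log path is an assumption.

```powershell
# Added example, not from the original post or the linked article.
# Offline triage of an exported Security.evtx with Get-WinEvent (PowerShell 3.0+).
$EvtxPath = 'C:\cases\Security.evtx'   # assumption: log copied off the target

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    # EventData fields are positional in $Event.Properties and the index differs per
    # event ID; the XML view carries the field names, so look them up by name.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4625 = failed logon, 4624 = successful logon, 4720 = user account created,
# 4732 = member added to a security-enabled local group.
$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4624, 4625, 4720, 4732 } -ErrorAction Stop

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        # For 4732 TargetUserName is the group, not the member; MemberSid holds the member.
        Account   = Get-EventDataValue -Event $e -Name 'TargetUserName'
        LogonType = Get-EventDataValue -Event $e -Name 'LogonType'
        Source    = Get-EventDataValue -Event $e -Name 'IpAddress'
        Status    = Get-EventDataValue -Event $e -Name 'Status'
    }
}

# Failed logons per account and source. Password spraying shows up as many accounts
# from one source; brute force as one account with many failures.
$rows | Where-Object { $_.Id -eq 4625 } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Network (type 3) and RDP (type 10) logons that succeeded after a burst of failures
# are the ones to pivot on.
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3', '10' } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, Source -AutoSize

# Account and group changes in the same window.
$rows | Where-Object { $_.Id -in 4720, 4732 } |
    Format-Table Time, Id, Account -AutoSize
```

Run it against the exported file on an analysis workstation, not on the target; the FilterHashtable Path key works on any .evtx copy, so the same script serves for logs pulled from many hosts.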

Friday, April 5, 2013

Windows forensics (1)

Windows Forensics Toolchest (WFT) is an interesting and easy-to-use set of forensics tools suitable for use on a live Windows system. You should prepare the tools for each Windows version separately, as well as the common tools such as the Sysinternals Suite. Native Windows tools such as cmd.exe should be copied from a trusted source rather than taken from the target system, since a compromised host cannot be trusted to supply clean binaries. The feature set is described here.
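One way to make the "trusted source" requirement checkable in practice, as an added example that is not part of WFT or the original post: build a hash manifest of the kit on a clean machine and refuse to run collection if any tool on the media has changed. The kit path and manifest name are assumptions.

```powershell
# Added example, not part of WFT or the original post.
# Integrity check for a live-response kit carried on removable media.
$KitRoot  = 'E:\wft'                              # assumption: read-only kit media
$Manifest = Join-Path $KitRoot 'manifest.sha256'  # assumption: manifest file name

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0+, so it does not depend on Get-FileHash (4.0+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function New-KitManifest {
    # Run once, on the clean build machine, after copying cmd.exe, the Sysinternals
    # tools and the per-version native binaries into the kit.
    Get-ChildItem $KitRoot -Recurse -Include *.exe, *.dll, *.bat |
        ForEach-Object {
            '{0}  {1}' -f (Get-Sha256 $_.FullName), $_.FullName.Substring($KitRoot.Length + 1)
        } |
        Set-Content $Manifest -Encoding ASCII
}

function Test-KitManifest {
    # Run on the target before anything else. Returns $true only if every listed
    # file is present and unchanged.
    $ok = $true
    foreach ($line in Get-Content $Manifest) {
        $expected, $rel = $line -split '  ', 2
        $full = Join-Path $KitRoot $rel
        if (-not (Test-Path $full)) { Write-Warning "missing: $rel"; $ok = $false; continue }
        if ((Get-Sha256 $full) -ne $expected) { Write-Warning "modified: $rel"; $ok = $false }
    }
    # Authenticode gives a second, independent check for the vendor-signed binaries.
    Get-ChildItem $KitRoot -Recurse -Include *.exe, *.dll |
        ForEach-Object { Get-AuthenticodeSignature $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        ForEach-Object { Write-Warning ('unsigned or invalid signature: {0} ({1})' -f $_.Path, $_.Status) }
    return $ok
}

if (-not (Test-KitManifest)) {
    throw 'Kit integrity check failed; do not run collection from this media.'
}
```

The caveat is that the powershell.exe doing the checking still comes from the target, so this is only as trustworthy as the host's PowerShell and its loaded modules; where that matters, acquire from trusted boot media instead and use this check for the quick live triage the post describes.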

Saturday, March 2, 2013

Security Blogger Award Winners 2013

The winners of the best security blogger awards have been announced. Here is the list of all nominees and the winners (from Ashimmy's blog):

Best Corporate Security Blog
Other nominees:
McAfee Blog: click here
CloudFlare Blog: click here
SecureWorks Blog: click here
Solutionary Minds Blog: click here
Kaspersky Lab Securelist Blog: click here
Veracode Blog: click here
Trend Micro Blog: click here
Naked Security Blog: click here
Best Security Podcast
Other nominees:
Liquidmatrix Security Digest: click here
EuroTrashSecurity: click here
SANS Internet Storm Center: click here
Southern Fried Security: click here
Risky Business: click here
Sophos Security Chet Chat: click here
And the winner is:
Paul Dotcom: click here
The Most Educational Security Blog
Other nominees:
BH Consulting's Security Watch Blog: click here
Security Uncorked Blog: click here
Dr. Kees Leune's Blog: click here
Securosis Blog: click here
Critical Watch Blog: click here
The Security Skeptic Blog: click here
The New School of Information Security Blog: click here
And the winner is:
Krebs On Security: click here
The Most Entertaining Security Blog
Other nominees:
Packet Pushers Blog: click here
Securosis Blog: click here
Errata Security Blog: click here
Naked Security Blog: click here
Uncommon Sense Security Blog: click here
PSilvas Blog: click here
And the winner is:
J4VV4D's Blog: click here
The Blog That Best Represents The Security Industry
Other nominees:
SpiderLabs Anterior Blog: click here
1 Raindrop Blog: click here
Naked Security Blog: click here
The Firewall (Forbes) Blog: click here
Threat Level (Wired) Blog: click here
Securosis Blog: click here
Michael Peters Blog: click here
And the winner is:
Krebs On Security Blog: click here
The Single Best Blog Post or Podcast Of The Year
Other nominees:
The Epic Hacking of Mat Honan and Our Identity Challenge: click here
Application Security Debt and Application Interest Rates: click here
Why XSS is serious business (and why Tesco needs to pay attention): click here
Levelling up in the real world: click here
Secure Business Growth, Corporate Responsibility with Ben Tomhave: click here
And the winner is:
Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees): click here
The Security Bloggers Hall Of Fame
The other nominees are:
Richard Bejtlich
Gunnar Peterson
Naked Security Blog
Wendy Nather
And the winner is:
Jack Daniel

Thursday, January 3, 2013

Intranet insecurity

Simple file sharing is widely used in many organizations as the primary data exchange mechanism, backed by the false sense that "being inside, behind a firewall" equals "being secure". What can you say when the organization puts no limitation at all on file sharing? I believe this is the lowest level of maturity in the context of information security. And what does an internal penetration test mean for such a totally open network? You need just one node and three hours to find dozens of pieces of sensitive data, such as router configs, contract details, customer data, etc., fully exposed through shares, FTP directories and so on!
This situation is by itself a security incident.
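To show what "one node and three hours" looks like from the tester's side, here is an added example (mine, not from the original post) that enumerates the shares a plain domain user can see on a list of hosts, keeps only those the user can actually read, and flags files whose names match the kinds of data the post mentions. The host list and the name patterns are constructed assumptions; the parsing assumes English-language net view output.

```powershell
# Added example, not from the original post. Share enumeration from one internal node.
$Hosts = @('fileserver01', 'fileserver02', 'print01')   # constructed sample hosts (assumption)

# Administrative shares are not the point here; look at what an ordinary user sees.
$SkipShares = @('ADMIN$', 'IPC$', 'PRINT$')
# Name patterns for router configs, contracts, customer data, credentials and backups (assumption).
$Sensitive  = '(?i)(router|cisco|config|running|contract|customer|client|password|passw|backup|\.bak$|\.cfg$|\.pfx$|\.kdbx?$)'

function Get-OpenShares {
    param([string[]]$ComputerName)
    foreach ($h in $ComputerName) {
        # 'net view' needs only a normal domain account, which is exactly the attacker's position.
        $out = net view "\\$h" 2>$null
        if ($LASTEXITCODE -ne 0) { Write-Warning "$h unreachable or access denied"; continue }
        $inTable = $false
        foreach ($line in $out) {
            if ($line -match '^-{10,}') { $inTable = $true; continue }   # header separator
            if (-not $inTable) { continue }
            if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^The command') { break }
            # Columns are separated by runs of spaces; share names may contain single spaces.
            $name, $type = ($line -split '\s{2,}')[0, 1]
            if ($type -eq 'Disk' -and $SkipShares -notcontains $name.ToUpper()) {
                [pscustomobject]@{ Host = $h; Share = $name; Path = "\\$h\$name" }
            }
        }
    }
}

function Find-SensitiveFiles {
    param([object[]]$Shares, [int]$MaxPerShare = 50)
    foreach ($s in $Shares) {
        # Test-Path succeeds only if the current user can actually list the share.
        if (-not (Test-Path $s.Path)) { continue }
        Get-ChildItem $s.Path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Sensitive } |
            Select-Object -First $MaxPerShare |
            ForEach-Object {
                [pscustomobject]@{
                    Host     = $s.Host
                    Share    = $s.Share
                    File     = $_.FullName
                    SizeKB   = [int]($_.Length / 1KB)
                    Modified = $_.LastWriteTime
                }
            }
    }
}

$shares = @(Get-OpenShares -ComputerName $Hosts)
$hits   = @(Find-SensitiveFiles -Shares $shares)
$hits | Sort-Object Host, Share | Format-Table -AutoSize
'{0} readable shares, {1} suspicious files on {2} hosts' -f $shares.Count, $hits.Count, @($hits.Host | Sort-Object -Unique).Count
```

The same script run by the organization itself, from an unprivileged account, is a cheap way to measure the exposure the post describes before an internal tester does it for them; a non-empty result list is the incident.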