WP Blogsecurify 1.0

The WP Blogsecurify 1.0 plugin is out. It was announced on the Blogsecurify blog and I am going to announce it here once again just in case you somehow missed the news.

WP Blogsecurify is a security plugin for WordPress designed to integrate several simple but important security patches for the popular blogging platform. This plugin was developed by the Blogsecurify team - a special division of GNUCITIZEN Information Security Think Tank. [...]

posted by pdp

Script Kiddies

According to Wikipedia: In hacker culture, a script kiddie is a derogatory term used for an inexperienced malicious hacker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs on their own, and that their objective is to try to impress their friends or gain credit in underground hacker communities. [...]

posted by pdp

Landing Netsecurify

Another tool is out of the door. I am happy to announce the official launch of the Netsecurify GNUCITIZEN initiative. In this post I am planning to give a bit of an overview of the system and also to explain what we are aiming to do with it.

Netsecurify is part of GNUCITIZEN’s online security toolkit including tools such as Blogsecurify (Social Media Security) and Websecurify (Websecurity services, yet to be released)! [...]

posted by pdp

We don’t need NASL - OpenVAS

For those of you who are new to these things, NASL stands for Nessus Attack Scripting Language. NASL is part of the closed-source Nessus vulnerability scanner and its open-source form called OpenVAS (Open Vulnerability Assessment System).

Nessus plays a big part in the hearts of many administrators, security consultants and scanning vendors. Nessus was practically the first stable and well-maintained open-source security scanner, until they closed the source.

So, what about NASL? [...]

posted by pdp

Compliance

Someone on LinkedIn asked: Is Information Security driven by compliance? To which I say yes, and this is a problem!

My long answer goes like this:

This is certainly not the best answer. Follow the discussion over here. You are not going to learn anything technical but at least you will get a good idea how the majority of security professionals on LinkedIn think.

posted by pdp

Why Cloud Security Matters

I asked on LinkedIn what security professionals think about Cloud Security. The answer was as expected. Nobody really knew what I was talking about. How is cloud security any different from web security?

Cloud security is different because the rules of the game are totally different. The resources involved are totally different. Money is not an issue. I believe that anyone can afford $0.15 per month for 1TB of storage. Networking capabilities are not an issue. [...]

posted by pdp

More Advanced Clickjacking - UI Redress Attacks

This will be a quick post just to share some POCs and more information regarding the recent Clickjacking technique, i.e. the UI Redress Attack, a name suggested by Michal Zalewski.

Clickjacking is an oldie but a goodie. You can track the origin of the attack back to the beginning of this decade. Clickjacking is essentially the anti-CSRF killer. It is also the killer of Flash, AJAX (because AJAX apps are sometimes easier to clickjack; look at Google) and some other technologies. [...]

posted by pdp

The Return of the TCP Sockets

Here is a common problem. You have to write a web-based email, IM, SSH, XMPP, SMB, etc. client which must connect to a server other than the originating one. What do you do then? Hint: You cannot use Java!

Well, due to the fact that the browser has no idea how to spawn a TCP socket, you are stuck in proxy-land. Typically you will write an application that will do a lot of transcoding and state management. [...]

posted by pdp

Security Certifications

Security Certifications - should you get some? Well, this is what I think.

IMHO if you go for a certificate then you pretty much put a box around yourself and your abilities. I am sorry, this is my personal opinion. People will perceive you as such and such because of your certifications. While having a cert might be a good idea for your career and in particular your CV, showing off with it could be a bit harmful. I am not saying that you shouldn’t get certified. [...]

posted by pdp

Clickjacking and Flash

I heard of clickjacking a couple of weeks back when the media blast started. At that time I had a very vague idea what it was, and just recently I saw some POCs coming out to show how it works in practice.

Clickjacking, if I may categorize it, falls into the category of GUI attacks. I associate the clickjacking attack with the focus stealing attack which allows attackers to steal any file from the disk as long as they trick the victim to type enough characters. [...]

posted by pdp