Header
9 results were found... happy reading.

Tue, 29 Jan 2008

HBN Bootcamp @ Black Hat
Tags: conferences, public, about:uscharl @ 21:03

Black Hat DC this year is supposed to be "a different kind of Black Hat". There are four tracks over the two days with a special emphasis on wireless and speakers include Chris Wysopal, FX from Phenoelit, Job de Haas, and Adam Laurie. The smaller shows are always good fun and good value for money and DC this year promises to have an excellent line-up of speakers.

As usual training courses are offered on the two days before the briefings begin. Its been a while since we trained at DC but this year we're back with a Bootcamp course. The course is filing up nicely, so we're totally stoked. Like the show, the courses tend to be smaller and more personal so if you've never attended a Hacking By Numbers
'Bootcamp' course before then this is a great opportunity. Bootcamp Edition teaches a method-based approach to hacking into networks and systems over the Internet. The method taught consists of seven distinct phases that each have their own objectives, techniques and tools. Students are provided with fully-configured laptop computers that are used stage-for-stage to complete fifteen different technical exercises. You can learn more or enroll here... otherwise contact us via training@sensepost.com if you'd like some more information.

If nothing else, please be nice to Bradley if you see him at the show. I'd like to suggest that you buy him beer but he can't really handle his alcohol and he's hard enough to tolerate as it is when he's sober...

No comments

Sat, 26 Jan 2008

John Heasman is now Blogging..
Tags: public, blogharoon @ 20:42

John is one of the bright guys over at NGS, and judging by his track record will boost the signal to noise ratio in the blogosphere.. You can read him at [aut disce, aut discede]

(of course, in truth.. i woulda linked to the blog just because i love the title (aut disce, aut discede - Either learn or leave))

No comments
On working when everyone else is asleep...
Tags: silly-yammerings, public, about:uscharl @ 20:33

This quote reminded of something H always says:

"When opportunity comes... its too late to prepare"

- John Wooden - Hall of Fame Basketball coach

3 comments

Tue, 15 Jan 2008

Eerie coincidences..
Tags: Uncategorized, fun, public, about:usharoon @ 20:43

a) its my birthday in a few days

b) Apple just announced the new macbookair..

Coincidence??? i think not!!!

air.PNG

No comments

Thu, 10 Jan 2008

Is URL / Variable Name the new Port Number ??
Tags: silly-yammerings, publicharoon @ 08:52

There has been a fair bit of blog buzz about the new SQL Injection worm that ran around infecting sites. I have not looked too deeply into it, but have not yet seen accounts of how the targeting was done. Since the sites do not appear to have been running a common framework i would guess that it was search-engine generated targets based on resource name (like inurl: search.asp)..

For ages we have been telling people that if they had to have a /admin/admin.asp on their internet facing web-app that they would at least help minimize their exposure a little by naming it /admin_[bet_u_dont_find_this]/admin_[another_variable].asp

It at least makes sure that the back-end isnt trivially discovered and hammered on.. (yes this is security through obscurity - but please lets not have this argument unless you mail me with a subject line - "Security by obscurity is useless and here are my banking details to prove it" )

Whats mildly interesting is that considering the possibility of injection targeting through a search for "login.asp", then a simple speedbump would have been naming your resource "login_to_customer_portal.asp". Of course this doesnt make you un-findable, and doesnt protect you from directed attack, but neither did running your SSHD on a non standard port, but we do that anyway to make sure that we dont get hit by the next big SSHD worm..

3 comments
Next 4 entries
Blog
Video
Research
QotW
Categories
about:us (31)
blackhat (5)
blog (10)
broadview (2)
build-it (1)
cloud (12)
community (15)
conferences (60)
crypto (3)
fail (3)
foos (1)
fun (51)
goodbye (1)
hackrack (2)
Hope? (2)
howto (8)
imsojaded (2)
infosec-soapies (25)
infrastructure (3)
local (5)
mac (15)
management (7)
materials (3)
memcached (2)
mindless-politics (4)
mindmaps (1)
PCI (2)
post-it (1)
privacy (6)
product (2)
programming (5)
public (275)
qo[w|m|?] (5)
README (1)
real-world (14)
research (37)
reversing (4)
security-fyi (8)
security-news (6)
silly-yammerings (19)
tech-toys (3)
time-waster (6)
tin-foil-hat (6)
tools (46)
training (18)
travel (1)
tricks (1)
Uncategorized (3)
vendors (6)
videos (6)
vulnerability (7)
wasc (1)
webapps (6)
web_x.0 (2)
writing-advice (1)
zen-hacking (6)
Archives
August 2010 (4)
July 2010 (1)
June 2010 (4)
May 2010 (3)
April 2010 (3)
March 2010 (7)
Feburary 2010 (2)
January 2010 (3)
December 2009 (4)
November 2009 (4)
October 2009 (3)
September 2009 (5)
August 2009 (9)
July 2009 (1)
June 2009 (5)
May 2009 (4)
April 2009 (10)
March 2009 (13)
Feburary 2009 (12)
January 2009 (11)
December 2008 (9)
November 2008 (8)
October 2008 (5)
September 2008 (5)
August 2008 (6)
July 2008 (6)
June 2008 (6)
May 2008 (2)
April 2008 (3)
March 2008 (7)
Feburary 2008 (12)
January 2008 (9)
December 2007 (8)
November 2007 (4)
October 2007 (9)
September 2007 (14)
August 2007 (18)
July 2007 (13)
June 2007 (17)
May 2007 (2)
July 2006 (1)
April 2006 (1)
August 2005 (1)
June 2005 (1)
May 2005 (2)
Archives
Conditions of use Privacy statement
Top of Page Legal stuff