Bookmarks for February 15th through February 26th

February 26th, 2010 admin

These are my links for February 15th through February 26th:

  • A Big Case of …OOPS… – Following the White Rabbit Blog
  • Recording Information – Organizations are desperate for effective guidance on the best ways to introduce and manage Web application security within their software development life-cycle. Success comes by learning the techniques on how to quickly and efficiently fix immediate issues and implement incremental long-term changes that are neither expensive nor disruptive to the software development process. There is no better way to learn that than through a genuine case-study walk through.
  • SkullSecurity » Blog Archive » VM Stealing: The Nmap way (CVE-2009-3733 exploit) – If you were at Shmoocon this past weekend, you might remember a talk on Friday, done by Justin Morehouse and Tony Flick, on VMWare Guest Stealing. If you don’t, you probably started drinking too early. :)
  • PaulDotCom: Archives – After listening to Larry’s excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own
  • Digital Soapbox – Down the Security Rabbithole!: Web “Hacking” Gets (even) Easier – I’m talking about “NoMore AND 1=1”. This tool comes in 2 flavors, stand-alone and attached to the OWASP WebScarab web proxy tool… and it sets the bar even lower for those wishing to poke and prod at web sites without actually being good at hacking.
  • Phoenix/Tools – OWASP – Tons of Tools aggregated by OWASP
  • Jeremiah Grossman: Infrastructure vs. Application Security Spending – A recent study published by 7Safe, UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigations and states that in “86% of all attacks, a weakness in a web interface was exploited” (vs 14% infrastructure) and the attackers were predominately external (80%).
  • WinMerge – WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
  • Using Curl to Retrieve Malicious Websites – Here’s how to use Curl to download potentially-malicious websites, and why you may want to use this tool instead of the more-common Wget.
  • So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users (PDF) – It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.
