Author: gpanther

  • Full disclosure – yet again

    I came across this post about ethical hacking and I felt the need to respond to it publicly since (I feel that) the article offers a skewed view and does not present the counter-arguments: First of all I would like to stress that discovering and writing exploits for certain types of flaws (and I’m not…

  • Month of PHP bugs roundup

    The month of PHP bugs is over and I thought that I would make a little list of things you can do to mitigate the bugs where possible: Update to PHP 5.2.1 and watch out for the next version and update to it as soon as it comes out. Do not use PHP4, because there is a…

  • Shared risk of shared runtimes

    I love the interpreted languages. I love PHP, Perl, Java, C# and all the others. The liberty they give you is incredible! However, there is a security aspect to them: because the actual machine code is shared by the programs written in one particular language, security features / products which depend on the executable image…

  • How to submit suspected malware samples?

    A quick tip: if you have file(s) which you suspect are malicious, submit them to any of the following places: VirusTotal, VirScan, Jotti’s malware scan, Virus.Org Rogue File Scanning Service, Virus Chief, FilterBit, NoVirusThanks. Besides the fact that these sites will eliminate or reinforce your suspicion (based on the number and types of detection…

  • Game Over – You Lost!

    The famous security researcher Joanna Rutkowska has posted on her blog an article entitled The Game Is Over! and as a typical second-class blogger I jump on it and give my (unrequested) comments :-). The post reiterates two of the ideas she has been promoting recently: The security industry doesn’t focus enough on the…

  • Another tool to manage security in Windows

    One of the first posts on this blog was about different (free) options you have to temporarily elevate your privileges under Windows. So it is natural that this blog post from George Ou sparked my interest. It talks about a product, BeyondTrust, using which you can temporarily elevate the privileges of certain applications and provides…

  • Three letter acronyms don’t provide good security!

    As a second part to my previous post, here is another post where Deb Shinder gets it wrong (or at least emphasizes the wrong words): Security Mechanisms in Office 2007. My problem is not with the post per se (because admittedly I only saw Office 2007 in the Channel 9 videos), but with this particular…

  • Biometrics is not the answer!

    Deb Shinder is the resident MVP at Sunbelt Software. One of her posts caught my eye and I felt the urge to post about it: Passwords: A Thing of the Past? In it she advocates using biometrics as a replacement for passwords. Here are my (not so positive – as you may have guessed)…

  • Update on the Month of PHP Bugs

    The month is nearing its end (but fear not, next month we will have a month of MySpace bugs it seems), and here are the latest developments: Two bugs using which you can bypass the open_basedir restriction. They are in the user-contributed PECL modules, so there is a chance that they will be fixed…

  • How not to get your application signed by AV

    Disclaimer: these are my own opinions and they do not necessarily reflect the opinions or policies of any of my current or past employers. There is a class of applications which can be categorized as greyware: programs which can be used for both good and evil. A few examples (in no particular order): nmap, the…