Well my training session has completed and I head back home on the first thing smoking tomorrow morning. At the client site I was amazed to discover that the employees are mandated to take a ten minute break every hour. Not only are they told to take a break but their workstations actually lock them out after a specified period of time or after ‘x’ number of keystrokes. I’m fairly certain this would kill my productivity but it appears to work well for them. Very strange 🙂

Here’s the list:

2007 Security by the Numbers – Good set of statistics for use in your sales or technical presentations.

Phishing, spam, bot networks, trojans, adware, spyware, zero-day threats, data theft, identity theft, credit card fraud… cybercrime isn’t just becoming more prevalent, it’s getting more sophisticated and subtle every day. At least that’s the conclusion suggested by recent threat reports from major industry players and government organizations.

Iframe > malicious javascript > trojan, (Tue, Jun 5th) – Interesting analysis.

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.

My Presentation: Interop Moscow Keynote on Security Trends – Always a pleasure to read one of Dr. C’s presentations 🙂

Here is my recent keynote presentation on security trends from Interop Moscow (sorry, teaser version only – I plan to give it again some time)

SQLBrute – SQL Injection Brute Force Tool – New tool to check out.

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).

How to find your websites (Road to Website Vulnerability Assessment part 1) – Refresher of steps to take in order to start assessing a website for vulnerabilities.

I spend a lot of time with companies, mostly large and medium sized, who are interested in finding the vulnerabilities in their websites. Obviously the first step in the VA process is to first FIND the websites. Now this may come as a surprise to many, companies with more than 5 or 6 websites tend not to know what they are, what they do, or who’s responsible for them. And if they don’t know what websites they own, there is no hope of securing them.