
Monthly Archives: February 2012

Which Security Certification Should I Get?

When it comes to deciding what security certifications to pursue, IT professionals should understand that they will be better off career-wise if they ask—and then answer—the right questions before choosing.

So says Chuck Davis, who as an adjunct professor at Harrisburg University of Science and Technology in Pennsylvania teaches ethical […]

InfoSec Book Excerpt: Security Metrics – Chapter 17

We like to read the latest and greatest security books, and sometimes the author and/or publisher is generous enough to share an extended excerpt with us – and you. We’ve selected one of our favorite topics as the sample chapter, but the entire book is well worth reading.
Step-by-step instructions for developing […]

Soft Skills: A Peek into the Mind of a Hiring Manager

As a recruiter, I often have the question posed to me in a variety of ways, “Exactly what is it that hiring managers want?” What is it that they are looking for when they review resumes and interview candidates?

Conceptually, screening candidates for best fit is a simple thing. If […]

February 23rd, 2012 | Other

It’s What’s on the Inside that Counts

The last time I checked, the majority of networking and security professionals were still human.
We all know that the problem with humans is that they sometimes exhibit certain behaviors that can lead to trouble – if that wasn’t the case we’d probably all be out of a job! One […]

The Enderground: The Last Meeting – Chapter One

The sharp, short sound of a black agent hibernating his laptop’s OS echoed in the room. The box banged shut, making the screen and the keypad kiss each other. The RJ-45 was still soldered to his eth0, but he didn’t care and cut the wires using an M9 bayonet […]

February 22nd, 2012 | Other

Minimizing Vulnerabilities in Applications – Part 1

When I talk to programmers who are writing code for custom applications, I often wonder how carelessly they treat the issue of security in their code.

Certainly this is influenced by many factors.

For example, an already fairly experienced programmer said to me during a private conversation,

“Well, why should […]

How to Build a Secure RPC Interface for AJAX Apps With Google Web Toolkit

Why use GWT?
Most modern web applications use AJAX in some form to make them highly interactive and to give them a user interface that works much like that of a traditional desktop application. If you are looking to build a web application that takes advantage of AJAX […]

Circumventing NAT with UDP hole punching

A lot of networks use NAT (Network Address Translation) these days. It allows all the systems on a private network to share a single global IP address. As a side effect it also blocks unsolicited inbound connections, which is why it is often treated as a security measure, but it adds complications, especially when connecting to P2P (Peer-to-Peer) networks. This is because at […]
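To make the complication concrete, here is an added example (not code from the original article) that models two peers behind two NATs and a rendezvous server entirely in memory, with no real sockets. The NAT model assumes endpoint-independent mapping with address-and-port-dependent filtering (a common "restricted cone" behaviour); the IP addresses, ports and the `hole_punch` helper are constructed for the illustration. It shows why an unsolicited packet from peer B is dropped at A's NAT, and why it gets through once A has sent a packet to B's public endpoint.

```python
"""In-memory simulation of UDP hole punching across two NATs (added example).

Model: each NAT allocates one public port per private (ip, port) on first
outbound use and only admits inbound packets from a remote endpoint that the
private host has already sent to (address-and-port-dependent filtering).
All addresses and ports below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    payload: str


@dataclass
class NAT:
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # private (ip, port) -> public port
    reverse: dict = field(default_factory=dict)    # public port -> private (ip, port)
    allowed: set = field(default_factory=set)      # (public port, remote endpoint)

    def outbound(self, pkt):
        """Translate an outbound packet; create the mapping on first use and
        remember the remote endpoint so its replies are let back in."""
        if pkt.src not in self.mappings:
            self.mappings[pkt.src] = self.next_port
            self.reverse[self.next_port] = pkt.src
            self.next_port += 1
        pub_port = self.mappings[pkt.src]
        self.allowed.add((pub_port, pkt.dst))
        return Packet((self.public_ip, pub_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Return the packet translated to the private host, or None if the
        filter drops it because the host never sent to that remote endpoint."""
        pub_port = pkt.dst[1]
        if (pub_port, pkt.src) not in self.allowed:
            return None
        return Packet(pkt.src, self.reverse[pub_port], pkt.payload)


def hole_punch(nat_a, peer_a, nat_b, peer_b, server=("203.0.113.1", 3478)):
    """Run the hole-punching exchange and report what each NAT did.

    Returns a dict with both peers' public endpoints, the dropped probe sent
    before punching ('before' is None), the punch packet delivered to B, and
    the probe that succeeds afterwards.
    """
    # 1. Both peers register with the rendezvous server; this is what makes
    #    each NAT allocate a public mapping in the first place.
    pub_a = nat_a.outbound(Packet(peer_a, server, "register")).src
    pub_b = nat_b.outbound(Packet(peer_b, server, "register")).src
    # 2. The server hands each peer the other's public endpoint (out of band here).
    # 3. B tries first. Its NAT now allows pub_a in, but A's NAT has only seen
    #    the server as a remote endpoint, so the probe is dropped at A's NAT.
    before = nat_a.inbound(nat_b.outbound(Packet(peer_b, pub_a, "hello?")))
    # 4. A sends to B's public endpoint. This "punches" A's NAT for pub_b, and
    #    B's NAT already admits pub_a because of step 3, so the packet arrives.
    delivered_to_b = nat_b.inbound(nat_a.outbound(Packet(peer_a, pub_b, "punch")))
    # 5. B retries: A's NAT now has (pub_a port, pub_b) in its allow set.
    after = nat_a.inbound(nat_b.outbound(Packet(peer_b, pub_a, "hello!")))
    return {"public_a": pub_a, "public_b": pub_b,
            "before": before, "to_b": delivered_to_b, "after": after}


if __name__ == "__main__":
    result = hole_punch(NAT("198.51.100.10"), ("10.0.0.2", 5000),
                        NAT("198.51.100.20"), ("192.168.1.2", 5000))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The dropped first probe in step 3 is the normal cost of the technique: both sides send, whichever packet arrives before the other side's outbound mapping exists is lost, and the retry succeeds. A NAT that also changes the public port per destination (symmetric NAT) breaks this model, because the endpoint the server observed is not the one B must reach.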

CSRF and XSS: A Lethal Combination – Part I

In the second installment of this series, we discussed one of the most prevalent attacks against applications: SQL Injection. The previous discussion gave the reader a technical understanding of how SQL Injection attacks expose sensitive data, and of how these vulnerabilities are not unique to […]

Information Gathering Using Maltego

The first phase in security assessment is to focus on collecting as much information as possible about a target application.
According to OWASP, information gathering is a necessary step of a penetration test.
The more information, the higher the success rate. There are basically two types of information gathering: active […]

pcAnywhere Leaked Source Code – An Anonymous Review

The pcAnywhere source code leaked onto the internet in late January 2012 includes 47,021 files weighing in at 1.3GB. The October 2006 snapshot provides an insight into Symantec development practices, policies, and of course the code itself. Below is a brief assessment of the source code and what it […]

Attack Surface Reduction – Chapter 4

This is Chapter 4 in Tom Olzak‘s book, “Enterprise Security: A practitioner’s guide.”
Chapter 3 is available here: Building the Foundation: Architecture Design – Chapter 3
Chapter 2 is available here: Risk Management – Chapter 2
Chapter 1 is available here: Enterprise Security: A practitioner’s guide – Chapter 1

In previous chapters, we examined risk assessments […]

Virtualization Security: Hacking VMware with VASTO

As computing technology has advanced, the need for hybrid setups has grown with it. Nowadays every company runs a heterogeneous infrastructure for its variety of tasks, and each one uses a different blend of services, infrastructure and platforms for its operations and service delivery. Sometimes there […]

Extending Burp Suite

There are multiple intercepting proxy tools available, and Burp Suite is one of the best of them. If you are not yet familiar with it, read the brief Burp Suite walkthrough written by Prateek Gianchandani first.

The added advantage Burp provides is its extensible functionality […]

A New DNS Exploitation Technique: Ghost Domain Names

DNS is a naming system which converts human-readable domain names into machine-readable IP addresses. Whenever a resolver receives a query for a domain that is not in its cache, it walks the DNS hierarchy from the root servers down through the top-level domain […]
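The delegation cache that this walk populates is what the "ghost domain" problem turns on. The following is an added example, not code from the original article: a deliberately simplified in-memory model of a caching resolver's NS cache, with no network access. It assumes a single parent (the TLD) holding delegations, one child zone `ghost.example.` with a constructed name server `ns1.ghost.example.`, a simulated clock in seconds, and a resolver flag `refresh_from_child` that decides whether the child's own NS records (returned in the authority section of its answers) may push the cached delegation's expiry forward. The model goes beyond the teaser above by running both a resolver that refreshes and one that does not, side by side.

```python
"""Simplified model of a resolver's delegation cache (added example).

Shows why a child zone that keeps answering with fresh NS records can keep a
delegation alive in a resolver's cache after the parent has removed it, and
how a resolver that never extends the parent's expiry avoids this.
Zone names, TTLs and the clock are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class NSRecord:
    name: str       # name server host, e.g. "ns1.ghost.example."
    expires: int    # absolute time (simulated clock, seconds)


class Parent:
    """The registry/TLD side: holds delegations and can revoke them."""

    def __init__(self):
        self.delegations = {}   # zone -> (ns host, ttl)

    def delegate(self, zone, ns, ttl):
        self.delegations[zone] = (ns, ttl)

    def revoke(self, zone):
        self.delegations.pop(zone, None)


class Resolver:
    def __init__(self, parent, refresh_from_child):
        self.parent = parent
        self.refresh_from_child = refresh_from_child
        self.cache = {}         # zone -> NSRecord

    def resolve(self, zone, now, child_ns_ttl=86400):
        """Return the NS host the resolver would use for `zone` at time `now`,
        or None if the walk from the parent no longer finds a delegation."""
        rec = self.cache.get(zone)
        if rec is None or rec.expires <= now:
            # Cache miss: walk down from the parent. A revoked delegation
            # can only be noticed here.
            if zone not in self.parent.delegations:
                self.cache.pop(zone, None)
                return None
            ns, ttl = self.parent.delegations[zone]
            rec = self.cache[zone] = NSRecord(ns, now + ttl)
        # Cache hit: the child's authoritative answer carries its own NS
        # RRset with a fresh TTL. A resolver that lets it overwrite the
        # cached delegation never reaches the miss branch while queries keep
        # arriving before expiry; one that keeps the parent's expiry does.
        if self.refresh_from_child:
            rec.expires = now + child_ns_ttl
        return rec.name


def simulate(refresh_from_child, zone="ghost.example.", ns="ns1.ghost.example.",
             ttl=86400, step=43200, revoke_at=2 * 86400, until=10 * 86400):
    """Query the zone every `step` seconds; the parent revokes it at
    `revoke_at`. Returns {time: ns host or None} for each query."""
    parent = Parent()
    parent.delegate(zone, ns, ttl)
    resolver = Resolver(parent, refresh_from_child)
    results = {}
    for t in range(0, until + 1, step):
        if t == revoke_at:
            parent.revoke(zone)
        results[t] = resolver.resolve(zone, t)
    return results


if __name__ == "__main__":
    for label, flag in (("refreshing resolver", True), ("non-refreshing resolver", False)):
        r = simulate(flag)
        print(label, "at day 10:", r[10 * 86400])
```

With queries arriving every 12 hours against a 24-hour TTL, the refreshing resolver never lets the cached delegation expire, so the revocation on day 2 is never observed; the non-refreshing resolver re-walks from the parent on day 1 and again on day 2, where it finds the delegation gone. Real resolvers differ in detail (some cap the child's TTL at the parent's remaining TTL rather than ignoring it), but the observable property to check is the same: after the parent removes a delegation, does the name stop resolving within one parent TTL?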

How Can FireFox Plugins Help You?

I have a pet hate. This is something that really annoys me when I get a new laptop, which if you ask my girlfriend is much too often.

Above is a screenshot of Mantra and FireFox. Notice all of the plugins on the left, in the status bar and in […]

RootSmart Android Malware

Android’s increasing popularity, combined with the possibility to create alternative markets, makes this platform a fertile ground for malware authors. While most of these applications just exploit the inexperience of the average user that is looking for free software, others are pretty smart and use more sophisticated techniques to […]

Attacking the Phishers: An Autopsy on Compromised Phishing Websites

In this article we will cover the results of an informal investigation I performed into phishing websites.
Rather than simply reviewing them externally as a potential phishing victim would, I performed an autopsy on the tools, techniques and methods used by these cybercriminals. I will review how to find phishing […]

February 10th, 2012 | Hacking
iPhone Hacking! Penetration Testing for iPhone Applications – Part 1

This article focuses specifically on the techniques and tools that will help security professionals understand penetration testing methods for iPhone applications. It attempts to cover the entire application penetration testing methodology on a physical device (running with iOS 5) rather than a simulator.
Since the introduction of the iPhone, Apple […]

A Look at ARP

If one gets diseased then he must search for the cure which uproots the disease. Hence, prevention is no longer better than cure.
-Rohit Kohli

Brief Intro of ARP

ARP is the Address Resolution Protocol; IP uses it to map IP network addresses to hardware (NIC) addresses. The mapping is stored […]
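To show what that mapping looks like on the wire and in the table, here is an added example that is not code from the original article. It builds and parses Ethernet-framed ARP requests and replies for IPv4 with the standard library only, and keeps a minimal IP-to-MAC cache that reports when a reply would change an existing binding, which goes slightly beyond the teaser above since that changed binding is the usual symptom of ARP spoofing. All MAC and IP addresses are constructed; nothing touches a real interface.

```python
"""Build and parse ARP frames, and keep a small ARP cache (added example).

Wire format: 14-byte Ethernet header followed by the 28-byte ARP body for
IPv4 over Ethernet (hardware type 1, protocol type 0x0800, 6-byte MACs,
4-byte IPs). Addresses used here are constructed for the demonstration.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETH_FMT = "!6s6sH"            # dst MAC, src MAC, ethertype
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return a complete 42-byte frame. Requests go to the Ethernet
    broadcast address with an all-zero target MAC; replies are unicast."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack(ETH_FMT, mac_bytes(eth_dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode a frame into a dict; raises ValueError if it is not IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return {"op": op,
            "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpCache:
    """Minimal IP -> MAC table learned from replies only (a real stack also
    learns from the sender fields of requests). update() returns a warning
    string when a reply changes an existing binding, else None."""

    def __init__(self):
        self.table = {}

    def update(self, frame):
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return None
        old = self.table.get(p["sender_ip"])
        self.table[p["sender_ip"]] = p["sender_mac"]
        if old is not None and old != p["sender_mac"]:
            return f"{p['sender_ip']} changed from {old} to {p['sender_mac']}"
        return None


if __name__ == "__main__":
    # Constructed exchange: host asks who has the gateway, gateway replies,
    # then a second reply for the same IP arrives from a different MAC.
    req = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10", ZERO_MAC, "192.168.1.1")
    print(parse_arp(req))
    cache = ArpCache()
    cache.update(build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1",
                           "00:11:22:33:44:55", "192.168.1.10"))
    print(cache.update(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1",
                                 "00:11:22:33:44:55", "192.168.1.10")))
```

The cache deliberately overwrites the binding, exactly as an unprotected host does, and only reports the change; what a defender does with that report (static entries for the gateway, switch-level dynamic ARP inspection) is outside this snippet.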

February 8th, 2012 | Hacking