Wednesday, September 30, 2009

Caught My Attention

Hey everyone, I'm taking a 4-day holiday to see some family ... and then off to SecTor... so I thought I would leave you today with a post on some of the things that have caught my attention lately, in no particular order...
  • I just updated my laptop's BIOS... in Windows ... Vista ... without generating any warnings or pop-ups asking for credentials ... should that worry me? --after all the safety nets we've put into the latest Windows versions (7 included) especially Vista (which was UAC overload anyway) ... the fact that I can update the very core of my computer with code I just downloaded (notice I didn't say anything about verifying certificates, signatures or anything) is appalling. I mean, sure, I'm positive there are mechanisms built into the update mechanism to make sure that it's downloading and flashing with "approved" BIOS updates ... right? right?
  • An extremely popular [product] website that a colleague of mine was asked to "vulnerability scan" as part of a product/services sale turned up ... you ready for this ... 300+ XSS, 5+ SQL Injections (pull the DB right out, point-n-click style), and CSRF on their purchase/profile pages and a boat-load of other vulns. This site, we were told, was "built and audited" by one of the "Big 3" consulting companies ... *facepalm* was all I could do. Anyone who argues against the value of black-box scanners for WebAppSec should hear this ... these guys claim to "do it manually" ... riiiiiight.
  • When I got my new laptop last week from work and realized we're still hobbling along with Symantec A/V, I broke down and installed Comodo's firewall+A/V in addition ... it's just sick that you have to have multiple "anti-malware A/M" agents running on a machine now to keep you relatively safe from the crap out there ... even if you're not surfing porn and warez all day ... ugh
  • No joke ... yesterday I got an @ tweet from some random user ... followed it on my "sandbox" VM just to see where it went and ... no joke ... it was an ad for a local escort service ... yes, local! Wow, even hookers are getting into location-based Twitter "advertising" eh? Sick...
So ... yeah, that's it for today - some interesting things to rattle around in your brain as you eat lunch or whatever it is you're doing as you're reading this.

... stay vigilant.

