Shirkdog's blog

The boundaries between public and private information systems

There is currently a push in congress to pass a cybersecurity bill, which opponents claim will give the government the power to shutdown private infrastructure that is deemed "critical infrastructure" to the United States:

Civil libertarians slam McCain cybersecurity bill

GitHub SSH Key Vulnerability

If any of you regularly use GitHub, you might have received this email referring to a security issue that allowed for SSH keys to be added to arbitrary GitHub accounts. Here is the contents of the email:


A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

How is your job network?

Avoiding the politics of the job market, I think it is interesting to note the requirement to network with professionals in order to make it in the information assurance or even information technology field. It was a recommendation from a teacher of mine to always keep up with my network of people as I may need to reach out at any time to find new people, or to potentially reach out for a new job.

MS12-008 Write-up and Darun Grim

Byoungyoung Lee provides another write-up with Darun Grim diffing the patch for MS12-008.

MS12-008 : win32k.sys Keyboard Layout Use After Free vulnerability

Encrypted Drives protected under the 5th Amendment

An important court decision occured this past week. It is important to look to the case detail, not the case as a whole for the right of citizens to be protected under the 5th amendment to not self incriminate. The story describes the analogy of a combination to open a safe as similar to "giving of testimony" as a pass-phrase to decrypt a confiscated hard-drive. The defendents guilt is left to other evidence.

Appeals court: Fifth Amendment protections can apply to encrypted hard drives

RHEL CVE Database

Have you ever had to perform a C&A for a system that uses RHEL? Well Redhat has made available a webpage to easily search for CVE's without any additional effort:

https://access.redhat.com/security/cve

MS12-013 PoC with write-up

Byoungyoung Lee provides a PoC with additional information based on the interpretation of this bug by the Microsoft Security Research Center (MSRC)

MS12-013: Vulnerability in C Run-Time Library could allow remote code execution

Nessus 5.0 Released by Tenable Network Security

For those of you that like use Nessus for vulnerability management:

Nessus 5.0 Released!

The new version of Nessus incorporates the following key features and updates:

  • Installation and management (for enhanced usability)
  • Scan policy creation and design (for improved effectiveness)
  • Scan execution (for improved efficiency)
  • Report customization and creation (for improved communication with all parts of the organization).
  • Nortel Networks pwn3d for an entire decade

    You would think being in there for almost 10 years they might have made changes to make the network better for their access.

    Nortel Networks Hackers Had Access to Everything For Years

    The dangers of backwards thinking on software security

    I noticed the following story today:

    Offensive security research community helping bad guys

    Starting with this quote from Adobe Security Chief Brad Arkin:
    "We are involved in a cat-and-mouse game on [the software] engineering side. Every time we come up with something new and build new defenses, it creates incentive for the bad guy to look beyond that."

    Syndicate content