25 February 2009
~1 min
By nick
BusinessWeek reports that VMWare has launched a new product aimed at establishing it as a competitor in the cloud computing space.
-snip-
Dubbed the Virtual Data Center Operating System (VDC-OS), the software creates a bank of computers, storage devices, and networking equipment that a company can tap at will, as computing needs arise—say, during a December spike in Web traffic for an online retailer.
-snip-
VMWare is the leet, so this should be interesting to watch…it should also be interesting as it is being spearheaded by some ex-Microsoft execs…
08 February 2009
~1 min
By nick
aka.. Someone put the hurtski on Kaspersky..
The Twitters (via XSSniper and others) and the Interwebs were ablaze with news on a SQL Injection vulnerability that was exploited on AV vendor Kaspersky’s site. Detail of the attack can be found here.
It’s interesting that SQL Injection (though as old as the proverbial hills) is still such a major issue.
In fact, I have it on good authority that the bulk of PCI-related compromises are still as a result of SQL Injection…
01 February 2009
~3 min
By nick
The recent widespread carnage caused by the Conficker worm is astounding, but is also comforting, in a strange way.
It has been a good few years since the world saw a worm outbreak of this magnitude. Indeed, since the Code Red, Slammer and Blaster days, things have been fairly quiet on the Interwebs front.
As a community, it seems we very quickly forgot the pains caused by these collective strains of evil. Many people proclaimed the end of issues of that particular bent, whether as a result of the prolific, hastily induced post-worm reaction buying of preventative technologies and their relatives, or because more faith was placed in software vendors preventing easily “wormable” holes in their software.
20 December 2008
~4 min
By nick
The last few weeks have brought some fairly interesting predictions for 2009 to bear in CSO Magazine columns. Two recent articles caught my eye from a penetration testing perspective.
In the first, Brian Chess, CTO of Fortify (they make source code review and software security tools, and he has written a great book on static analysis) predicted that penetration testing as we know it will die in 2009.
The premise of his argument is that penetration testing will die and be reborn in a different form, aiming more at preventing bugs from occurring, rather than identifying them (rolling things into QA / SDLC etc). Granted, it’s a fairly valid point *in some respects*, albeit a biased one if you consider what he does for a living.
01 December 2007
~5 min
By nick
So…because I don’t have a report to write this weekend I’ve had some time to ponder and reflect on stuff (and read my mail) - I thought I’d share some stuff that came to the fore of my mind again now when reading a newsletter.
Since the early days of playing competitive sport (in those days it was paintball) I’ve always been astounded as to the intensity of the emotions involved when you win and when you lose. Particularly how when you are on a losing streak (or your personal game just sucks) it’s really tough to drag yourself out of that and come back kicking ass. I hate to lose…I really hate it…
01 November 2007
~2 min
By nick
I’ve spoken before on how I like some of Simon T Bailey’s stuff and his general leetnesses…he has some gems…
This one, on rational vs emotional commitment is quite leet and touches on a discussion we had over lunch…
-snip-
You might be wondering about the difference between rational and emotional commitment.
Rational commitment is the “what” that you agree to give an organization when you’re hired: your time, talent and energy in exchange for financial compensation, professional development opportunities and the chance to fulfill your career ambitions.
29 September 2007
~3 min
By nick
Something we preach very strongly in our training is the importance of an understanding of the underlying technology / application / issues, and being able to dig into the core of an issue, not just try a trick or two and move on. Sadly, most people don’t see it this way.
It’s also somewhere between sad and frustrating for me that there seems to be an over-abundance of so-called “experts” in our field. While this isn’t an issue for those who have a deep understanding, the fact of the matter is that for many of our customers, their key competence is their respective industry, and not information security.
07 August 2007
~4 min
By nick
The bulk of security research pertaining to VoIP call control, setup and signaling protocols has focused on the Session Initiation Protocol (SIP), due to the ubiquity and widespread adoption of this protocol. However, a number of other protocols and protocol suites are in use in many organizations and have been adopted by many of the VoIP vendors. Some examples of these protocols are Cisco’s Skinny Client Control Protocol (SCCP or Skinny), the H.323 suite of protocols, and Asterisk’s Inter-Asterisk eXchange (IAX).