Silly-Yammerings
Something about sudo, Kingcope and re-inventing the wheel
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was trivial since they are all imaged. Anyhoo – long story short, we have a user which is allowed to make use of sudo for a few commands, such as reboot and service. I immediately thought it would be nice to turn this into a local root somehow. Service seemed promising and I had a looksy how it works. Whilst it does do sanitation of the library path it does not remove LD_PRELOAD. So if we could sneak LD_PRELOAD past sudo then all should be good ?
Privilege Escalation in SQL Server (Depending on some dodgy requirements)
I was playing with a few SQL server idiosyncrasies more than a year ago before becoming so completely distracted with the whole SAP protocol-decoding business. Having some time on my hands for once, I thought I would blog it.
Early last year, I found it possible to create jobs owned by other users on MS SQL Server (2000, 2005 and 2008) by an unprivileged user – providing the user had the capability of creating or altering stored procedures in the [master].[dbo] schema. The reason for this, comes as a result of cross-database permissions being chained, by default, across the system databases [master], [msdb] and [tempdb]. According to Microsoft, this is by design.
Is the writing on the wall for general purpose computing ?
The Apple iPad announcement set the interwebs alight, and there is no shortage of people blogging or tweeting about how it will or wont change their lives. I’m going to ignore those topics almost completely to make one of those predictions that serve mainly to let people laugh at me later for being so totally wrong..
Heres my vision..
Its not just the Hipsters and college kids who get iPads, its the execs and CEO’s. They are happy for a short while using it just as an E-Reader, movie watcher and couch based web browser, but the app store keeps growing to support the new form factor. Apps like iWork for iPad (at only $10) means that sooner or later they are relatively comfortable spreadsheeting or document pushing on their iPad.. It doesn’t take too long for them to realize that they don’t have much heavier computing requirements anyway and besides.. the instant on experience is what they always wanted..
Happy New Year! (No predictions.. promise..)
It’s the last few hours of 2009 here in South Africa so i wanted to take the opportunity really quickly to wish the 2 readers of this blog all the best for new year..
Most security “pundits” are currently doing their 2010 predictions. (although in truth few of them so far have been particularly surprising or out-there.. “Adobe will be brutalized” ? really? hows that different to 08 or 09)(One really has to question how the current whipping boy for exploit writers managed to be a key contributor to Gary McGraws BSIM Model, but i digress)
John Viega’s “the myths of security”.. Really??
i go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics).
I generally stay away from writing reviews, but was genuinely suprised at the number of 5 star reviews Viega’s new book had received and felt i had to chime in.
I picked up “the myths of security” (what the computer industry doesn’t want you to know) with hope, because O’Reilly books in general are well done and i really liked some of Johns previous books. Alas! I tried hard to think of a good thing to say about the book, and the best i can come up with right now is that “at least, it wont take up space on my bookshelf”.
The book is tiny (48 chapters, where each chapter is between a paragraph to 2-3 pages) which isn’t a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.
Zappos number 1 priority
[Zappos.com] is one of those companies people love to write about. They make headlines for their use of new media and their CEO (Tony Hsieh) is as .com legendary as one gets.. (he sold LinkExchange in 1998 for $265 million and under him zappos went from $1.6 million in sales (2000) to $840 million in sales (2007)).
He recently gave a talk at the [Web 2.0 conference].
He talks about how they invest in the customer experience, free shipping bouquets, and suprise shipping upgrades to get customers products delivered before they expect it.. This is all cool, and im sure people love them for it, but then he goes on to mention their number 1 priority as a company..
Attack Vector based Risk Management?
Interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is… there is no spoon. I’m sounding facetious, but the post is actually not bad. Read more…
But actually, there was another part of the post that caught my eye. Its the comments about ‘Attack Vector based Risk Management’ or ‘AVRM’. Not much is said about this except:
You know you are getting old..
When you blog a link to poetry:
[The man watching] is a poem by Rainer Maria Rilke, that i picked up from a talk by Tim Oreilly during his [recent talk] where he chided the audience for focusing on trivial banalities while leaving bigger problems un challenged. A subsequent speaker picked up the theme, and likened it to abandoning NASA to work on DisneyLand.
I think the sentiment is grand, and the poem is inspiring.. and in particular the following lines, are probably going to keep me up nights for a while:
On working when everyone else is asleep…
This quote reminded of something H always says:
“When opportunity comes… its too late to prepare”
– John Wooden – Hall of Fame Basketball coach
Is URL / Variable Name the new Port Number ??
There has been a fair bit of blog buzz about the new SQL Injection worm that ran around infecting sites. I have not looked too deeply into it, but have not yet seen accounts of how the targeting was done. Since the sites do not appear to have been running a common framework i would guess that it was search-engine generated targets based on resource name (like inurl: search.asp)..
For ages we have been telling people that if they had to have a /admin/admin.asp on their internet facing web-app that they would at least help minimize their exposure a little by naming it /admin_[bet_u_dont_find_this]/admin_[another_variable].asp
Page 1 of 3
Next