So what caught my eye over the last week or so?
A couple of interesting stories concerning the exploitation of a couple of well-known organisations - Kaspersky and phpbb:
http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/
http://hackedphpbb.blogspot.com/
It's good to see the level of detail provided by the attackers on how exploitation took place, and the level of proof provided that the events occurred roughly as described.
I also came across a couple of informative papers, one by Bas Alberts of Immunity providing a useful critique of the Microsoft Exploitability Index and a paper by David Chappell which provides an overview of the Microsoft Azure cloud computing platform. Both available from Microsoft:
http://download.microsoft.com/download/3/E/B/3EBDB81C-DF2F-470B-8A64-981DC8D9265C/A%20Bounds%20Check%20on%20the%20Microsoft%20Exploitability%20Index%20-%20final.pdf
http://download.microsoft.com/download/e/4/3/e43bb484-3b52-4fa8-a9f9-ec60a32954bc/Azure_Services_Platform.pdf
Enjoy...
UPDATED: Kaspersky have now announced that they are bringing Dave Litchfield in to perform an audit of their database - and to publicly share his findings. Now, the public sharing of the results of security audits is certainly something I would like to see more of! It's a great way of establishing trust - provided that the auditor is someone well-respected by the community you are seeking to establish trust with.