It seems that every category of security flaw lists "Input Validation" as one of the solutions. Check the OWASP Top Ten or the CWE/SANS Top 25. There is even a free software library from OWASP to do input validation, and functionality built into frameworks such as Apache Tapestry.
So, what is it, and why is it such a hot topic, even though there are libraries that solve it?
The original pass-the-hash technique has been known about since 1997 but it in my experience it's implications are not widely understood by network administrators.
Understand the pass-the-hash attack
This attack essentially means that an attacker who compromises a single internal host and obtains cached credentials can gain control of ANY other host provided it's reachable on port 139/445 on the network. The attack essentially works by authenticating with the NTLM hash and using PSEXEC to execute code on the remote machine.
Location: Google Hangouts
Date: Thursday 7th June 2012
Time: 19:00 - 20:00 (NZT)
The mentoring scheme is officially underway!
However, before we match you all up with your perfect partner, we want to make sure that everyone has a firm grasp of what a mentoring programme involves and how to get the most out of it. To help make this learning process as quick, easy and flexible as possible we will be running a Google Hangout session on Thursday 7th June at 7pm NZT.
As much as we would like to believe that all of the issues we discover on our networks are new and exciting, the sad truth is that there are a number of issues that come up time and time again.
The quicker you learn how to fix and find them the better.
So, in no particular order - here is a list of the most common network issues and how to find/fix them.
This month has been yet another whirl wind of activity at in2securITy HQ.
Mentoring registration success
Thanks to all of you who applied to be part of the in2securITy mentoring scheme for 2012/13. We were thrilled to have so much interest, even attracting an cheeky application from Estonia.
The closing date for this phase of applications has now passed and the first phase of proteges and mentors will kick off in the next couple of weeks.
If I had a dollar for every new specialist IT qualification that came onto the market claiming to be the ‘best and only’ way to become a security professional, I would be rich.
The IT security qualifications market is complex and rapidly expanding with products available for every possible specialisation.
For those new to the industry, or those looking to stand out in the recruitment market, the temptation is to collect these qualifications as a mark of status or ability.
Qualifications and Recruitment
As a penetration tester, there are a few tools that are a must have on every job. They may not seem glamourous but they are fundamental, especially in the reconnaisance stage of penetration testing.
In this article we will introduce NMAP, how to use it and what to think about while learning its flags/options.
Last week was quite possible the most surreal (yet amazing) week in the brief history of in2securITy so far.
On Tuesday 1st May 2012, in2securITy were lucky enough to be given a presenting slot in the only free to attend/watch talk by Bruce Schneier in New Zealand!
Location: The Empire, 137 Victoria Street West Freemans Bay 1010
Date: Thursday 17th May 2012
Time: 18:30pm – 20:30pm
Ladies and Gents I am pleased to announce that Thursday 17th May 2012) is the next Auckland in2securITy social event.
Come along to The Empire (http://g.co/maps/5fq3p) from 18:30 for a drink (doesn't need to be alcoholic if thats not your thing) and get to know some of your fellow participants and professionals.
Everyone welcome and its free to come along. All you need is spending money for drinks.