DNS security talk
I spoke on DNS security at the March 16 meeting of the Ottawa Area Security Klatch (OASK).
This was an updated version of my “Seven Deadliest Sins” talk, intended for a technical audience.
The slides with speakers notes are here:
OASK is a new security group in Ottawa. It’s supposed to be technical, informal and free. If you’re in town, check out the OASK web site for meeting dates and location.
Interesting links – March 16
Potentially interesting links for March 16:
- WhatWeb – Identify content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers and more. Written in Ruby.
- Analyzing the Accuracy and Time Costs of Web Application Security Scanners (pdf) – Tests of Accunetix, IBM Appscan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys. (NTOSpider wins for accuracy).
- Web Security Dojo – Training Environment For Web Application Security – Free open-source self-contained training environment for learning and practicing web app security testing techniques. Standalone Ubuntu Karmic with vulnerable apps and tools installed.
Interesting links – March 2
Potentially interesting links for March 2:
- “Aurora” Response Recommendations (pdf) – Recommendations on how to defend against the “aurora” attacks used against Google and others. Internal DNS monitoring, VPN enrollments and (of course) better control of Windows endpoints are three key recommendations.
- No more and = 1 – SQL injection and XSS testing assistant. Interactive and WebScarab versions. Allows you to pick XSS and SQLi from menu and copy to clipboard.
- Sahi – Simple to use automated testing tool for web applications. Record and playback scripts. Runs on any modern browser which supports javascript.
- G-SEC SSL and Bluetooth Tools – Nice set of tools: “Harden SSL/TLS” – Change SSL/TLS settings on Windows, SSL Audit – scans servers for SSL support of all known cipher suites, BTCrack – Bruteforce Bluetooth PINs from captured keypairings.
The frugal CSO
Last month I gave a short presentation on free and low-cost security tools to the Ottawa chapter of ISSA.
The slides are now available: The Frugal CSO: IT Security Tools for Tough Times (pdf).
The goal of this presentation was to raise awareness of the availability and quality of some of the leading free / open source and low-cost security software.
Unlike the U.S. and European governments, the Canadian federal government has never officially blessed the use of open source. There are a ton of deployments, but they tend to be isolated, small and kept really quiet.
There are many outstanding open source and low cost security products out there, and there are few, if any, valid reasons to exclude them from consideration when evaluating products.
Interesting links – February 17
Potentially interesting links for February 17:
- Security Scoreboard – Security product directory and rating site. Vendor independent. Community driven.
- thrashd – Centralized rate-limiting services to one or many clients. Doesn’t block connections itself, but determines whether a connection should be blocked.
- Guerilla Security Leadership – A fun rant from Mike Rothman about the lack of security leadership and getting buy-in from executives.