Monday, December 12, 2011

The 12 Days of INFOSEC

Ok script kiddies, gather around and sing with me;

On the 1st day of Christmas a malicious hacker faxed to me <pause> proof of SQLi in a production website (the database query was SELECT * FROM members WHERE username = 'admin'--' AND password = 'password') along with a username list -- it appeared they also taped the 4 pages of data into a loop in the fax machine, sending an unlimited number of fax pages to me and resulting in a denial of service on my office fax machine
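As an added example (not from the post), here is the day-1 login query in Python with sqlite3: the concatenated form that the faxed admin'-- username defeats, beside the parameterized form that treats the same input as a plain string. The members table and the stored password value are constructed for the demo.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the production members table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 's3cret')")  # made-up password
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the username is pasted straight into the SQL text,
    # so a quote in it ends the literal and "--" comments out the password check.
    sql = ("SELECT * FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the driver passes values separately from the SQL text,
    # so the input can only ever be compared as data, never parsed as SQL.
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = build_db()
    faxed = "admin'--"  # the username from the post's query
    return {
        "vuln_legit": login_vulnerable(conn, "admin", "s3cret"),
        "vuln_injected": login_vulnerable(conn, faxed, "password"),
        "safe_legit": login_parameterized(conn, "admin", "s3cret"),
        "safe_injected": login_parameterized(conn, faxed, "password"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

The concatenated version logs the injected username in without knowing any password; the parameterized version rejects it while still accepting the real credentials.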

On the 2nd day of Christmas the hackers gave to me a Cross Site Scripting in my critical web application < IMG SRC="javascript:alert('XSS');" > and a link to other cheat sheets at: and WAF suggestions for monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall

On the 3rd day of Christmas the hackers gave to me a Direct Object Reference on a critical system that provided full admin access to the application because I was stupid....


On the 4th day of Christmas the hackers gave to me.... "A FREE .PDF Book on how to find application security flaws ( )"

On the 5th day of Christmas the malicious hackers drove by my office and used Aircrack to recover my WiFi WEP password, changed my SSID to "Hacked" and left it as an open AP

On the 6th day of Christmas the hackers gave to me code snippets of critical system code from the new secret internal project that they had trolled for and picked up from PasteBin. Ugh.

On the 7th day of Christmas a hacker breached my door using a "9999" cut bump key on door #1 and a shim on door #2, and placed a "boom" sign inside my locked desk drawer to prove a point about my lame physical security... and they drank my 18 year old scotch too!

On the 8th day of Christmas the hackers returned to me a bag of dumpster diving treasure to point out my lack of cross-cut shredding; it included bills from trusted vendors with account info, credit card carbons, internal printed emails, customer data and more...

On the 9th day of Christmas the hackers hacked me via an email aimed at my wife concerning a refund of a holiday purchase, with targeted malware using a custom packer that bypassed my installed and updated corporate AV investment. After getting a remote shell, he popped my work laptop, which was also connected to my personal LAN and was unpatched due to the holiday freeze, then exported the cert from the VPN client and installed a keystroke logger on the computer that I use for business to capture the password.... damn

On the 10th day of Christmas the malicious hackers came back..... after the AP had been upgraded from WEP on Day 5, they guessed my lame ass WPA password, changed the SSID to "Hacked Again" and made it an open AP again

On the 11th day of Christmas the hackers knocked down my commerce website during the busy season with a Denial of Service -- and suggested I look at the OWASP CRS Mod_Security project

On the 12th day of Christmas the hackers mailed to me a link to the breach report archives and state laws

After getting my A$$ handed to me in 201x..... I started to read the OWASP Foundation website @ and found things like the new Enterprise Security API (ESAPI), free videos, guidance on mobile security, job postings from around the world and over 140 other projects that helped me. I planned to attend both Global and Local AppSec events for their value, and I became a member in support of the community.


Happy Holidays

Tom Brennan
The 12 Days of INFOSEC Christmas

Thursday, December 1, 2011

November 2011 OWASP Newsletter

The November, 2011 issue of the OWASP newsletter is now available.  Many thanks to Deepak Subramanian for his efforts putting this together.

Table of Contents
  • Notes from the Editor – Deepak Subramanian
  • Notes on Internal Projects
  • OWASP Communities – Michael Coates
  • Protecting against XSS – Gareth Heyes
  • OWASP Podcast – hosted by Jim Manico
  • OWASP Zed Attack Proxy (ZAP) – Simon Bennetts
  • Global Board of Directors Announced
  • Global Committees
  • Upcoming Events
  • OWASP Organizational Sponsors
  • The OWASP Foundation
  • OWASP Membership
  • Newsletter Advertising

OWASP is a volunteer driven organization that provides free and open resources to advance the state of application security and make application security risks visible.  Please consider helping support our mission if these resources are useful to you or your organization.