Friday, March 28, 2008

Burp to attack the web site application

99 pounds license
clipped from portswigger.net

Burp Suite is an integrated platform for attacking and testing web
applications. It contains the latest versions of all the Burp tools,
including:

  • Burp Proxy
  • Burp Spider
  • Burp Repeater
  • Burp Intruder
  • Burp Sequencer
  • Burp Decoder
  • Burp Comparer

All of the Suite tools are tightly integrated, with numerous interfaces
designed to facilitate and speed up the process of attacking an
application.

    Thursday, March 27, 2008

    State of Private Investigator Licensing

    More clarification with letters from many state offices
    Computer Forensics and Forensic Accounting Licensing Survey - Results are In!

    Kessler International, the leading forensic accounting, computer forensics and corporate investigations firm announced today the release of the results of a nationwide survey detailing each state’s licensing requirements as a private investigator when practicing forensic accounting or computer forensics. The results of the survey can be found here: http://www.investigation.com/surveymap/surveymap.html


    Monday, March 24, 2008

    Exploit-Me with Firefox

    Application vulnerability assessment tool, convenient and easy to use
    clipped from www.darknet.org.uk


    SecurityCompass Exploit-Me - Firefox Web Application Testing Tools

    Exploit-Me is a suite of Firefox web application security testing tools. Exploit-Me tools are designed to be lightweight and easy to use. Instead of using a proxy like many web application testing tools, Exploit-Me integrates directly with Firefox. It currently consists of two tools, one for XSS and one for SQL Injection.

    The Exploit-Me series was originally introduced at the SecTor conference in Toronto. The slides for the presentation are available for download [PDF].

    Currently in their beta release stage, these open source (GPL v3) Firefox plug-ins search through web applications for vulnerable visible and hidden form fields to perform input validation attacks.


    Wednesday, March 19, 2008

    Grid computing for trading applications

    What makes more sense than distributing your processing to the grid? Here is an example of Allegro, one of the trading leaders, using multi-CPU power.
    clipped from www.gridtoday.com
    Allegro Leverages Grid Computing in Trading Software

    Friday, March 7, 2008

    A plethora of PaaS options

    A nice overview that puts things in perspective. Also contains links for further reading. The summary of options:

    • Do-it-yourself
    • Managed hosting
    • Cloud computing
    • Cloud IDEs
    • Cloud application builders.
    Enjoy!

    How To Set Up Dynamic DNS for your Amazon EC2 Instance

    Here's a step-by-step guide to setting up dynamic DNS for your EC2 instance. This is required because EC2 does not have static IPs (yet).

  • First of all, you need a dynamic dns account. You can get one at www.dyndns.com or my personal favorite, www.zoneedit.com.
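An added example, not part of the original post, of the update script that would follow once the account exists: it reads the instance's current public IP from the EC2 metadata service and pushes it to DynDNS with the dyndns2 update protocol. The credential and state file paths and the User-Agent string are assumptions; the metadata URL and the members.dyndns.org/nic/update endpoint are the real ones.

```shell
#!/bin/sh
# Added example, not from the original post: point a DynDNS hostname at this EC2
# instance's current public IP via the EC2 metadata service and the dyndns2
# protocol (members.dyndns.org/nic/update). File paths and User-Agent are assumed.
set -eu

META_URL="http://169.254.169.254/latest/meta-data/public-ipv4"
UPDATE_URL="https://members.dyndns.org/nic/update"
CRED_FILE="${HOME:-.}/.ddns-credentials"   # one line: user:password, mode 600
STATE_FILE="${HOME:-.}/.ddns-last-ip"

# Accept only a dotted-quad IPv4 address: the metadata reply is plain text and
# whatever it says is forwarded to the DNS provider, so validate it first.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

build_update_url() {   # $1 = hostname, $2 = ip
    printf '%s?hostname=%s&myip=%s\n' "$UPDATE_URL" "$1" "$2"
}

# dyndns2 reply codes: "good <ip>" (updated) and "nochg <ip>" (already correct)
# are success; badauth, nohost, abuse, etc. are failures.
update_ok() {
    case "$1" in
        good\ *|nochg\ *) return 0 ;;
        *) return 1 ;;
    esac
}

update_dns() {   # $1 = hostname to update
    ip=$(curl -sf --max-time 5 "$META_URL")
    is_ipv4 "$ip" || { echo "unexpected metadata reply: $ip" >&2; return 1; }
    # DynDNS flags clients that resend an unchanged IP as abusive, so only
    # send an update when the address actually moved since the last run.
    if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$ip" ]; then
        echo "no change ($ip)"; return 0
    fi
    # Credentials live in an owner-only file, never on the command line ('ps').
    [ "$(stat -c %a "$CRED_FILE")" = "600" ] || { echo "$CRED_FILE must be mode 600" >&2; return 1; }
    reply=$(curl -sf --max-time 10 -u "$(cat "$CRED_FILE")" \
        -A "ec2-ddns-example/1.0" "$(build_update_url "$1" "$ip")")
    update_ok "$reply" || { echo "update failed: $reply" >&2; return 1; }
    echo "$ip" > "$STATE_FILE"
    echo "$reply"
}

# Run from cron every few minutes:  ddns.sh update myhost.dyndns.org
if [ "${1:-}" = "update" ]; then update_dns "${2:?hostname required}"; fi
```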

    Thursday, March 6, 2008

    Linux tool for forensics use by police

    Can we get this CD and use it in the US?
    clipped from news.zdnet.com
    Australian university students have developed a Linux-based data forensics tool to help police churn through a growing backlog of computer-related criminal investigations.

    Wednesday, March 5, 2008

    Idea for an ad

    Nobody can represent a picture of a hacker better than a real hacker, and rSnake beats them all. Remember all the phony hackers in the ads? I wonder what rSnake will say about this?

    Get off the beaten track, finally!


    I was charged with a task of setting up a PointGuard demo.

    Now, PointGuard "friendly infects" the computers on internal network and then controls them, enforcing policy rules and compliance. It has to run on a server such as Windows 2003 and it needs a good number of machines to control. How does one do this?

    The obvious solution, actually having all these machines, is DOA, dead on arrival.

    I thought of running it on my "monster server," which has 2 Gigs of RAM. I would put Windows 2003 on top of VMware, run a few VMware Windows XP guests, and one machine would make a complete demo.

    I have spent a couple of evenings just installing Windows 2003 (the server is somewhat old and boots slowly, but then "flies"). Until the idea hit me! How could I have gone down this track! All my other projects are on EC2/S3, and this one is on my own hardware! Unbelievable.

    So here is the right architecture.

    1. Get an AMI with VNC working, so that you can work on the machine with a GUI;
    2. Install VMware (if not present) and install Windows 2003 on top of that. Get a trial version for 6 months;
    3. Replicate 50 (our demo key only allows that many) and control the 2003 slaves through the 2003 master;
    4. Bring it up on demand, then shut it down.

    So what is "monster" about my server? That it is monstrously old, born 2001, and I almost went the way of the dinosaurs, but recovered my wits at the last moment. Sigh of relief.

    Tuesday, March 4, 2008

    Amazon AWS, EC2, S3

    Excellent article in Baseline on Amazon EC2 and the large number of startups based on it. 14 billion objects on S3 and 300,000 users of EC2 for starters.

    Watching your bandwidth utilization

    Blocking may suck for the workers, but if the workers suck the bandwidth, then it sucks for the company. To wit,

    "I know our people will say we're acting like Big Brother," says Mr. Cunningham of the new online-video ban. "But those pipes belong to the company. If management says we need to protect our resources, then that's what happens."
    clipped from online.wsj.com

    Carriage Services Inc., a Houston funeral-services company, recently discovered that 70% of the workers in its 125-person headquarters watched videos on Web sites like Google Inc.'s YouTube and News Corp.'s MySpace for about an hour a day.

    "I almost fell out of my chair when I saw how many people were doing it and how much bandwidth those sites sucked up," says Jeff Parker, the company's information-technology administrator. He quickly blocked access to both sites.


    Monday, March 3, 2008

    An open-source eDiscovery engine?

    Derek Gottfrid of the New York Times was able to upload 4 TB of data and create 1.5 TB of PDFs out of it in 24 hours. He did it for $800 paid for upload and $240 paid for processing (my estimate). How?

    On his blog he tells us how he did it, but in brief, he used

    100 Amazon EC2 machines, running Hadoop (an open-source implementation of Google's MapReduce) and the scripts that were already running on his own machine. Essentially, he cloned his machine 100 times on EC2, and Hadoop took care of running them all concurrently.

    Bravo, Derek!

    I only wonder how long the upload took. I asked him on the blog. And by the way, compare this to $1,000,000 if done by an eDiscovery vendor at the low price of $250/GB. Now, I know that the discovery vendors also make it searchable and put it in a format suitable for upload to a litigation tool, but that can surely be cured for the remaining balance of $998,960.

    Anybody want to join me on this project?

    Art: Fernando Botero - Man Reading a Paper 1996

    Inadequate Keyword Searches by Untrained Lawyers May, in Some Circumstances, be Sanctionable

    A recent decision in Texas suggests that inadequate keyword searches could lay a predicate for spoliation sanctions when the defective searches cause evidence to be lost. Diabetes Centers of America, Inc. v. Healthpia America, Inc., 2008 U.S. Dist. LEXIS 8362, 2008 WL 336382 (S.D. Tex. Feb. 5, 2008). The plaintiff relied upon an untrained associate attorney to do keyword searches, apparently to decide which emails of a key witness to preserve and produce. Her sleuthing skills were poor and she botched the job. As a result numerous relevant emails were lost, emails that defendants claimed would have helped their defense.
