Home page logo
/
dailydave logo
Daily Dave Mailing List

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

List Archives

Jan–MarApr–JunJul–SepOct–Dec
2014855713
201377536771
201270658955
2011401139087
201086685556
200914314612974
2008161136252134
2007324209176193
2006270220315318
2005352399408281
2004247204294361
200384

Latest Posts

Re: Security Paleontology - The Jurassic Park rule Dennis Groves (Jul 18)
Data is IT Security, and you are correct it has to be protected and
to date it seems this has not been done well, if at all.

However, Information Security is about protecting the VALUE created by
the data for both the business and its customers. Businesses are
trading on the /value creation/ not the data. That value is usually
unique to the business, and the business is able to do something
faster, cheaper, at scale, bespoke or whatever for the...

Re: Security Paleontology - The Jurassic Park rule Rafal ( Wh1t3Rabbit) Los (Jul 18)
Wolfgang - this is both great and scary at the same time. People are historically horrible at managing passwords... so
now we're going to a system where payment is determined by something we're bad at keeping secret? In theory this is a
good idea, except for the password part. If they can figure out a way to make the *authentication* more 'secure' then I
think it's a leap forward.

Thinking about it more, am I wrong...

Re: Security Paleontology - The Jurassic Park rule Wolfgang Kandek (Jul 17)
Interesting thought. I listened to the following report on Visa' new
Checkout system on my home from work yesterday and it seems in line
with your suggestion. Online retailers get a one-time token for each
transaction from Visa's system which makes storage of card data
unnecessary at the retailer. I think that is comparable to how a
Paypal transaction would look like, but I am not sure how the same
level of comfort (1-click buy) that...

Re: Peeling the onion: Almost everyone involved in developing Tor was (or is) funded by the US government | PandoDaily Nick Selby (Jul 17)
Oh, there's an even deeper, darker secret not exposed by this article.

The Internet? Spook city. Developed by the military. Surest thing you know.

They best stop using it right away.

Oh, wait! There's even MORE! The American Interstate highway system?
TANKS!

Re: Security Paleontology - The Jurassic Park rule William Arbaugh (Jul 17)
Ultimately, we're suffering from the sins of the early days of information assurance. The focus then, as now, was on
protecting the computers and networks. Instead, the focus should have been on protecting the data.

It's a huge paradigm shift, and one that won't happen easily if at all.

Re: Security Paleontology - The Jurassic Park rule Dave Aitel (Jul 17)
I got a bunch of replies that said this:
"""
Dave, enjoyed reading your rant, but I don't understand your punchline
on securing data --"but in fact, just to make it less valuable" - how do
you do make data less valuable?
"""

So to bring us back to how you do this, let 's take a quick look at
credit cards and Target, which are the best example of an "If you
collect it, hackers will come"...

Peeling the onion: Almost everyone involved in developing Tor was (or is) funded by the US government | PandoDaily Ivan .Heca (Jul 17)
The United States government can’t simply run an anonymity system for
everybody and then use it themselves only. Because then every time a
connection came from it people would say, ‘Oh, it’s another CIA agent.’ If
those are the only people using the network.”

http://pando.com/2014/07/16/tor-spooks/

Security Paleontology - The Jurassic Park rule Dave Aitel (Jul 16)
Like many of you, I went to the theater with a child much too young and
re-watched new and more awesome 3D-Jurrassic Park until they cried
loudly enough to annoy the other theater-goers and wanted to leave.
Because in 3D, those big dinosaur things are scary. And also that dude
gets eaten while on the toilet.

And, honestly, looking at a lot of the security problems my friends are
dealing with on the defensive side makes me re-iterate that...

Abusing Oracle's CREATE DATABASE LINK Privilege for fun and Profit Sumit Siddharth (Jul 16)
Hello all,

A small blog on how a web based SQLi can be abused to obtain privilege
escalation and ultimately remote code execution against Oracle Database:

http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-l
ink-privilege-for-fun-and-profit/

Thanks

Sid

Founder/Director

NotSoSecure Limited,

Upcoming NotSoSecure Events:

<http://blackhat.com/us-14/training/the-art-of-exploiting-injection-flaws.ht
ml> The Art of...

Re: Time Limits on 0days Ivan .Heca (Jul 07)

PHP Exploitation Class coming up... Dave Aitel (Jul 02)
Example Ex for Image preg_replace

The upcoming PHP class in Columbia MD this month still has some spots
open and I wanted to post one of the exercises - all of the exercises
are just real world bugs simplified to show a particular exploitation
technique. In this particular case you have to upload a real "image" to
take control of the server.

Keep in mind, you do so with the help of two instructors who are experts
in the area.

Even if...

Re: INFILTRATE 2014 Movie Release: Dickie George Dave Aitel (Jul 02)
So I wanted to point out that in fact Dickie George said nothing to
indicate that the US did economic espionage of the type China does.
Large contractual bids are often valid intelligence, but if these never
get handed over to the domestic competition, then having an intelligence
analyst review them is not economic espionage, and I think you have
perhaps misheard something in the video of the INFILTRATE 2014 keynote.
Keep in mind the US...

Time Limits on 0days Dave Aitel (Jul 02)
http://www.businessinsider.com/why-a-time-limit-on-zero-days-is-a-bad-idea-2014-7

I wanted to point this article out that Skylar and I wrote and got
pre-pub reviewed by the NSA (lifetime commitment yo) for those of you
not on the Immunity twitter feed.

There are a lot of points we DIDN'T make in this - but you have to keep
pieces short and sweet and there's always time to follow up to answer
any criticisms the EFF crowd may have....

INNUENDO 1.0 Released! Dave Aitel (Jun 25)
I'm happy to announce the release and general availability of Immunity
INNUENDO 1.0. And I hate to call it a "next generation" penetration
testing tool because the truth is that if you are modeling APT then
INNUENDO is your "current generation". Likewise, although it is flexible
and we will be putting more exploits into it, it is largely focused on
the problems of persistence and lateral movement, and not a scanning...

El Jefe secondary thoughts Dave Aitel (Jun 24)
Nico disagrees with me and thinks the best feature in the new El Jefe is
the ability to create a farm of VM's which you can then apply against
malware for analysis. So for example, you might have a "developer" VM
and an "executive" VM, and they might be different operating systems,
configurations, and all sorts of other setups. Perhaps one of them has a
more modern AV or HIPS on it even. Then you can quickly and easily...

More Lists

Dozens of other network security lists are archived at SecLists.Org.


[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]