Without consultation or warning, the Australian Government has decided to abolish the speciality skilled migration 457 visa system. There is currently a great deal of confusion, but it seems that the current plan is that there are two lists of skills shortages eligible for varying lengths of temporary stay and migration outcome: The Short Term Combined Skills Shortage…
Category: Security
The intelligence kimono
Some of my IR and forensics friends, whom I highly respect, are getting all bent out of shape about attribution, or the perceived lack of solid evidence for attribution regarding the DNC attacks. In particular, many of them are now publicly doubting on social media (and mainstream media) that Russia is behind the DNC hacks. When the Guccifer…
On backdoors and malicious code
So since the ASVS 3.0 retired much of the malicious code requirements, and after actually doing a line by line search of ~20 kLOC of dense J2EE authentication code, I’ve been thinking about various methods that backdoors might be created and not be findable by both automated and line by line searches. This obviously has…
Time to start rebuilding GaiaBB
In a life a long time ago, in early 2002, we had to move Australia’s largest Volkswagen car forum from EzyBoard, which was distributing malicious ads and hard-to-get-rid-of pop-ups to our users, to our own forum software. After a product selection, I chose XMB, which was (and is) better than…
Looking back at 2009 and Predictions for 2015
I looked back at the “predictions” for 2010, a post I wrote five years ago, and found that besides the dramatic increase in mobile assessments this last year or two, the things I was banging on about in 2009 are still issues today: Developer education is woeful. I recently did an education piece for a developer…
Independence versus conflict of interest in security reviews
I was giving a lecture to some soon-to-be-graduating folks today, and at the end of the class, a student came up and said that he wasn’t allowed to work with auditors because “it was a conflict of interest”. No, it’s not. And here’s why. Conflict of interest It’s only a conflict of interest if a…
Some people don’t get the hint
85.25.242.250 - - [28/Sep/2014:09:20:12 -0400] "GET / HTTP/1.1" 301 281 "-" "() { foo;};echo;/bin/cat /etc/passwd"
85.25.242.250 - - [28/Sep/2014:22:30:48 -0400] "GET / HTTP/1.1" 500 178 "-" "() { foo;};echo;/bin/cat /etc/passwd"
Dear very stupid attacker, you have the opsec of a small kitten who is surprised by his own tail. Reported.
So it’s finally happened
Passwords. Pah. After running my blog on various virtual hosts and VPSs since 1998, my measures put into place to protect this site and the others on here were insufficient to protect against weak passwords. Let’s just say that if you are a script kiddy and know all about press.php, tmpfiles.php and others, you have terrible operational…
AppSec EU – DevGuide all day working party! Be a part of it!
Be a part of the upcoming AppSec EU in Cambridge! * UPDATE! Eoin can’t be in two places at once, so our hack-a-thon has moved to Tuesday 24 June. Same room, same bat channel. * Eoin Keary and I will be running an all-day working party on the Developer Guide on June 24…
Stop. Just stop.
In the last few weeks, a prominent researcher, Dragos Ruiu (@dragosr) has put his neck out describing some interesting issues with a bunch of his computers. If his indicators of compromise are to be believed (and there is the first problem), we have a significant issue. The problem is the chorus of “It’s not real”…