The importance of assessing an organization’s vulnerability to attack from the inside is virtually self-evident. With the exception of the very small company, hired employees are essentially strangers a company pays to perform a task. Even when background checks are performed and references are checked, there is simply no guarantee that the people tasked with … Read more
It’s one thing to send an e-mail to or chat with someone online during a SEA, but it’s quite another to meet face to face with them, or even speak to them on the phone for that matter. When working online, you can make your attempt and then sit back and see if you get … Read more
There are three basic types of vulnerability disclosures: full disclosure, partial disclosure, and nondisclosure. Each type has its advocates, and long lists of pros and cons can be debated regarding each type. CERT and RFP take a rigid approach to disclosure practices; they created strict guidelines that were not always perceived as fair and flexible … Read more
The Securely Protect Yourself Against Cyber Trespass (SPY Act) was passed by the House of Representatives, but never voted on by the Senate. Several versions have existed since 2004, but the bill has not become law as of this writing. The SPY Act would provide many specifics on what would be prohibited and punishable by … Read more
Beyond the basic searching techniques explored in the previous articles, Google offers special terms known as advanced operators to help you perform more advanced queries.These operators, used properly, can help you get to exactly the information you’re looking for without spending too much time poring over page after page of search results. When advanced operators … Read more
Advanced Google users begin testing advanced queries right from the Web interface’s search field, refining queries until they are just right. Every Google query can be represented with a URL that points to the results page. Google’s results pages are not static pages.They are dynamic and are created “on the fly” when you click the … Read more
Encoding flaws have arisen in many kinds of web server software and present an inherent threat in situations where the same user-supplied data is processed by several layers using different technologies. A typical web request might be handled by the web server, the application platform, various man-aged and unmanaged APIs, other software components, and the … Read more
Accipiter DirectServer This path traversal flaw could be exploited by placing URL-encoded dot-dot-slash sequences into a request. For more information about this flaw, see www.securityfocus.com/bid/9389 . Alibaba This path traversal flaw could be exploited by placing simple dot-dot-slash sequences into a request. For more information about this flaw, see www.securityfocus.com/bid/270 . Cisco ACS Acme.server This … Read more
Web server products range from extremely simple and lightweight software which does little more than serve up static pages, to highly complex application platforms that can handle a large variety of tasks. Historically, web server software has been subject to a wide range of serious security vulnerabilities, which have resulted in arbitrary code execution, file … Read more