While looking for examples of SQL Code Injection attacks, I found a nice concise summary of many typical web application vulnerabilities, including product-specific things to look for, e.g.:

MySQL

– Supports ‘INTO OUTFILE’
– Runs often as “root”
– Most modules and libs do not support multiple-statements.

Oracle

– Subselects possible
– UNION possible
– Comes with many stored procedures (utl_file!)
– No multiple-statements

DB2

– Subselects possible
– UNION possible
– Stored procedures
– No multiple-statements

Postgres

– Supports COPY (if superusermode)
– Subselects possible
– UNION possible
– Stored procedures
– Multiple statements are possible!

MS SQL

– Subselects possible
– UNION possible
– Stored procedures
– Multiple statements are possible!
– Many dangerous default stored procedures (xp_cmdshell, sp_adduser)
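To make the UNION and multiple-statement entries above concrete, here is an added example (my code, not from the page or the summary it links) using an in-memory SQLite database with constructed sample tables: the same probe string leaks rows through a string-built query but matches nothing once it is passed as a bound parameter, and the driver's one-statement-per-call rule is shown as the kind of library behaviour the summary is talking about.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: a public products table and a private users table.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        CREATE TABLE users(id INTEGER, login TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
    """)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the caller's input is spliced into the SQL text,
    # so a UNION in the input becomes part of the statement.
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the value travels as a bound parameter and is only
    # ever compared against the column, never parsed as SQL.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed probe of the kind a scanner sends: closes the quoted string,
# appends a UNION against the private table, and comments out the rest.
PROBE = "x' UNION SELECT login FROM users --"


def demo() -> tuple:
    # Returns (rows from the vulnerable query, rows from the hardened query).
    conn = make_db()
    return lookup_unsafe(conn, PROBE), lookup_safe(conn, PROBE)


def stacked_rejected(conn: sqlite3.Connection) -> bool:
    # Python's sqlite3 driver refuses more than one statement per execute(),
    # the "does not support multiple-statements" behaviour the summary notes.
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False
```

Run `demo()` to see the private logins come back only from the string-built query; the bound-parameter query returns an empty list for the identical input.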

Did the Internet enable a new economy?

John Robb, The New Economy: “Did the Internet enable a new economy? I think the latest evidence says that it has. But it isn’t the new economy corporate America expected.”

Wireless Networking at 72Mbps

Lessig, Morpheus, and Stanford

Lessig, Morpheus, and Stanford story:

Andy Oram:
“…the plug was recently pulled on law professor Lawrence Lessig’s computer by anxious university staff that detected a Morpheus server running on it. He had just installed the server so that he could offer some of his significant and highly desired legal papers to supporters and researchers. Nothing could better illustrate the alternatives facing us than the thrall of richly textured Web Services and the pall of Lessig’s blank monitor.”

Dave Winer:
“He wrote a scholarly paper. He launched a copy of Morpheus and put his paper in the shared folder. Went home for the weekend. On Monday he comes into the office and his computer is disconnected. Stanford security had paid him a visit. “That’s illegal,” they said. Heh. He’s the expert on what’s legal. He wrote the stuff. He wanted to share it. Gotcha.”

Sun, RSA Focus on Network Identity

Sun, RSA Focus on Network Identity. Boston.Internet.com May 17 2002

See also: Sun’s vision of network identity InternetNews.com March 12, 2002

[Moreover – Tech latest]

A(n Extended) Campus Information Security Conversation

Dan Updegrove:

A(n Extended) Campus Information Security Conversation (PDF)

“With all the indirect cost recovery this department generates, I can’t believe the central administration lets us be exposed to such risks!”

Set up NAT using the Cisco IOS

Apache + TomCat + load balancing

How Can You Defend Against a Superworm?

Sun CTO: Why PC design must change

ZDNET: Sun CTO: Why PC design must change. “The third wave is on the way, and even as we create it, we need to prepare ourselves; it’s shaping up to be a regular tsunami. I call it a network of things. Trillions of things. Things you’d hardly think of as computers. So-called sub-IP (Internet Protocol) devices such as light bulbs, environmental sensors and radio-frequency identification tags.” Interactive Week May 13 2002 7:54AM ET [Moreover – Tech latest]