Security
2006.08.04 Daily Security Reading
by Rodney Campbell on Aug.04, 2006, under Security
E-mail privacy in the workplace
Even with a well-heeled corporate privacy policy stating that all employee communications may be monitored in the workplace, the legality of e-mail monitoring is not as clear cut as one might think.
Secure Valuable and Sensitive Data in MySQL
Unlike database backup procedures, which can be automated, securing your data from the prying eyes of unauthorized users requires a certain amount of interaction from the system administrator. If you're using MySQL, there are some easy things you can do to secure your systems and significantly reduce the risk of unauthorized access to your sensitive data.
Black Hat: Hit spyware by punishing purveyors, experts say
Antispyware vendors are losing the fight against spyware creators and will have a tough time catching up, according to a panel discussion at the Black Hat security conference.
New tools test VoIP security
If your VoIP phone starts ringing off the hook, it might not denote a surge in your popularity–just that someone is trying one of 13 newly released security tools.
Day one at Black Hat
If you've been concerned about the death of Black Hat — either because of its purchase last November by CMP, or by the rumors you've heard of a "Microsoft track," — you can relax. The place is jammed.
Day two at Black Hat
The crowds are larger on this second day of Black Hat, though people are moving a little more slowly than yesterday, perhaps because of the free toga party last night at Caesar's Palace, marking the casino's 40th anniversary. Nevertheless, the conference sessions have been packed with intriguing information.
2006.08.03 Daily Security Reading
by Rodney Campbell on Aug.03, 2006, under Security
Breaking into a laptop via Wi-Fi
Flaws in software that runs wireless-networking hardware could let attackers take over PCs, including Macs, researchers at Black Hat warn.
Top Four Reasons for Email Archiving
Email generated by the corporate world continues to grow dramatically and storage-related costs of email are an escalating concern for IT executives. In fact, it has been predicted that this year 84 billion emails will be sent daily worldwide, requiring nearly 4 billion MB of server storage.
Metasploit Releases Web-Based ActiveX Fuzzing Engine
Metasploit offers AxMan – web-based ActiveX fuzzing engine. The goal of AxMan is to discover vulnerabilities in COM objects exposed through Internet Explorer. Since AxMan is web-based, any security changes in the browser will also affect the results of the fuzzing process.
eEye Releases Free Binary Diffing Suite
The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis. This becomes very useful for reverse engineering patches as well as program updates.
Tip of the Day – Remove Default Route
Not having a default route in the router network is a great way to minimise the impact of malware on the corporate environment.
2006.08.02 Daily Security Reading
by Rodney Campbell on Aug.02, 2006, under Security
The death of email?
Email is undeniably the de facto standard for business communication but it is far from perfect. It can be a nightmare of paradoxes: from an organizational perspective, most users regard their mailboxes as personal and yet use them to store thousands of corporate documents.
Today's malware technology
Fifteen years ago, nobody could have imagined how far malicious code would get into our day-to-day work. When a new virus emerged, weeks or even months could go by before it could spread: a floppy disk is not the fastest means of propagation!
Firewall Chip Gets Funding
EU funding of 2 million Euros has been announced for a major new three-year project to develop a re-configurable photonic 'firewall on a chip'. Called WISDOM, the new system will plug a major gap in the global data network security armoury – the lack of tools to implement security checks and algorithms directly at high optical data communications rates.
Rounding the Corners of Network Security
As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.
Security Model Analysis of Windows Vista
Matthew Conover, a security researcher over at Symantec, has published a new paper on the "Analysis of the Windows Vista Security Model". His paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on the areas of User Account Protection and User Interface Privilege Isolation.
2006.08.01 Daily Security Reading
by Rodney Campbell on Aug.01, 2006, under Security
The six dumbest ways to secure a wireless LAN
A bit of humour to start the day 🙂
The Month of Browser Bugs is coming to a close – HD Moore discovered over 100 Windows XP / ActiveX bugs in the process
Using a custom-built data fuzzing tool, the security researcher pinpointed more than 100 vulnerabilities in the ActiveX controls included with the default installation of Microsoft's Windows XP operating system. Data fuzzing tools combine knowledge of the input parameters accepted by a software package with a tenacious and systematic mangling of the data to discover how applications react to various permutations, whether valid or invalid.
2006.07.31 Daily Security Reading
by Rodney Campbell on Jul.31, 2006, under Security
Learning to Detect Phishing Emails
Phishers launched a record number of attacks in January 2006, as reported by the Anti-Phishing Working Group. These attacks often take the form of an email that purports to be from a trusted entity, such as eBay or PayPal. The email states that the user needs to provide information, such as credit card numbers, identity information, or login credentials, often to correct some alleged problem supposedly found with an account.
The security risk in Web 2.0
Web 2.0 is causing a splash as it stretches the boundaries of what Web sites can do. But in the rush to add features, security has become an afterthought, experts say. The buzz around the new technology echoes the '90s Internet boom–complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks.
Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.
The Evolving Art of Fuzzing
Fuzzing is a testing technique used to find bugs in software. Often these bugs are security related since fuzzing is performed against the external or exposed interfaces of programs. Fuzzing is not used to establish completeness or correctness, the task of more traditional testing techniques. Instead, Fuzzing complements traditional testing to discover untested combinations of code and data by combining the power of randomness, protocol knowledge, and attack heuristics. Adding automatic protocol discovery, reading real-time tracer/debugger information, fault data logging, and multi-fuzzer sessions is the cutting edge in fuzzing tools.
Opinion: Windows Genuine Advantage and why you should be annoyed
The only "advantage" of Windows Genuine Advantage, Microsoft's controversial anti-piracy software, is to help Microsoft, says Computerworld's Scot Finnie.
Windows Genuine Advantage: What it is, how to ditch it
Looking to rid your Windows PC of Microsoft's anti-piracy software, Windows Genuine Advantage? Computerworld's Scot Finnie takes you step-by-step through the process.