Well in order to keep things a bit separated, and also so that I can have a play with the cool mephisto blogging software, I've set up a new blog for searchinfosec.com related items over at blog.searchinfosec.com
October 2006 Archives
well I decided to try and work on the Information Security search engine a bit more, so in order to make it easier to find, I've setup www.searchinfosec.com .
From there you can add searchnifosec.com to your google search toolbar.
There's an interesting new beta project from google launched today, which allows you to create custom search engines which focus on a given topic area by customising which sites are indexed as part of the search. I've created a couple of one's in areas that interest me .
I think that this could be really useful for targeted searches as it can cut out a lot of the "spam" and other less relevant sites from the search results.
This one is an Information Security Search engine. At the moment it's based on some sites which I use (list below), but if there are other ones that anyone would like to see include just leave a comment, or feel free to volunteer to help out on the search engine front page.
Anyway here's a link to the Information Security Search Engine Homepage
and here's an embedded version which google provide the code for
Information Security Search Engine
Current site listing (24/10/2006)
Ever gone looking for some insight into your latest rails conundrum and ended up finding answers for the wrong language that mention ruby elsewhere in the page? I know I have.
Here's an interesting new beta project from google launched today, which allows you to create custom search engines which focus on a given topic area by customising which sites are indexed as part of the search.
I think that this could be really useful for targeted searches as it can cut out a lot of the "spam" and other less relevant sites from the search results. Also while you can get the same effect by using the site: parameter, doing that about 20 or 30 times per search doesn't really appeal.
So here's a Ruby on rails Search. At the moment it's based on some sites which I use (list below), but if there are other ones that anyone would like to see include just leave a comment, or volunteer to help out on the search engine front page.
edit: Looks like quite a few people in the RoR community had this idea.... so rather than have lots of different searches doing the same thing I've removed my one.
But if you're looking for a RoR search engine head over here to the Ruby Inside Search Engine
Interesting looking idea. I know that a lot of the work I do tends to revolve around writing little command-line scripts so anything that helps with that can only be a good thing
After seeing all the great uses people are finding for Google's new Code Search I thought, "yeah these are useful, but what would be really useful would be to use this to find out what language is most likely to drive programmers mad!"
So I developed a rigourous methodolgy which primarily consists of searching for code invoking the name of Great Cthulhu ! What surer sign of madness than using the name of a great old one!
so without further ado, here's the results of my painstaking search.
From this we can clearly see that C is leading the pack, with TCL obviously a pretty mind-bending second place.
Another interesting looking SQL injection tool to look at.
Interesting looks like Microsoft are working on a cut down version of vista for certain core services. This is one of the things that's bugged me about windows for ages (why does a server need a media player!!) and I think one of the main things that'd hampered their activitie s in creating a more secure operating system.
Looks a touch basic at the moment and I'm left wondering how easy it will be for 3rd party vendors to get their software running on it (it would make complete sense for things like database servers to use this rather than a default install of windows), but it's definately a step in the right direction.
hmm... A python based web application scanner. Not come across this one before...
Here's a post about people starting looking "secret" information in google's new source code search engine.
Also there's some postings about trying to reproduce the famous search of microsoft's codebase for profanity over here
I'm guessing that this will be just the start of a series of new googledorks...
Really interesting study showing that of a sample population of web apps. live on the Internet 11.3% had SQL injection vulnerabilities.
I also thought it was very interesting to see how a combination of the googleAPI and some relatively simple coding can be turned into a very powerful vulnerability finding mechanism.
I've been doing some SQL injection work on recent tests and it's amazing how much information you can get from a database through one error message, it's pretty trivial (especially if automated) to enumerate all tables on a database and all databases on a server assuming (which tends to be the case) that the database server hasn't been hardened and the user being used by the web application hasn't been restricted (again tends to be the case)
Thinking about it, it's a little surprising that no-one's gone the extra step and done an automation that auto-roots servers with SQL injection vulns... It would be a fair bit harder than a buffer overflow (lots more variables to take account of like differing database servers and differing results from the initial injection allowing different queries to work) but given the reduced efficacy of worms attacking publicly available services (there's not really been a repeat of slammer in recent years) it would seem to be a viable attack path...
looks like there's loads of useful info. here