October 27, 2006

blog.searchinfosec.com

Well, in order to keep things a bit separated, and also so that I can have a play with the cool Mephisto blogging software, I've set up a new blog for searchinfosec.com related items over at blog.searchinfosec.com.

Posted by rorym at 7:19 AM | Comments (0)

October 25, 2006

searchinfosec.com

Well, I decided to try and work on the Information Security search engine a bit more, so in order to make it easier to find, I've set up www.searchinfosec.com.

From there you can add searchinfosec.com to your Google search toolbar.

Posted by rorym at 6:37 PM | Comments (0)

October 24, 2006

Information Security Search Engine with Google Coop

There's an interesting new beta project from Google launched today, which allows you to create custom search engines that focus on a given topic area by customising which sites are indexed as part of the search. I've created a couple of ones in areas that interest me.

I think that this could be really useful for targeted searches as it can cut out a lot of the "spam" and other less relevant sites from the search results.

This one is an Information Security search engine. At the moment it's based on some sites which I use (list below), but if there are other ones that anyone would like to see included, just leave a comment, or feel free to volunteer to help out on the search engine front page.


Anyway, here's a link to the Information Security Search Engine Homepage,

and here's an embedded version which Google provides the code for:

Information Security Search Engine


Current site listing (24/10/2006)


isc.sans.org
msdn.microsoft.com/security
www.cert.org
www.securityfocus.com
www.stupidsecurity.com
www.mckeay.net/secure/
www.schneier.com/blog/
catless.ncl.ac.uk/Risks
www.networkworld.com/topics/security.html
www.sans.org/reading_room/
sunbeltblog.blogspot.com
taosecurity.blogspot.com
www.red-database-security.com
www.isc2.org
www.cccure.org
secunia.com
www.mccune.org.uk
www.securityforum.org
www.issa.org
csrc.nist.gov
www.cisecurity.com
www.dhanjani.com
financialcryptography.com

Posted by rorym at 4:54 PM | Comments (0)

Ruby on Rails Search Engine with Google Coop

Ever gone looking for some insight into your latest Rails conundrum and ended up finding answers for the wrong language that mention Ruby elsewhere in the page? I know I have.

Here's an interesting new beta project from Google launched today, which allows you to create custom search engines that focus on a given topic area by customising which sites are indexed as part of the search.

I think that this could be really useful for targeted searches as it can cut out a lot of the "spam" and other less relevant sites from the search results. Also, while you can get the same effect by using the site: operator, doing that about 20 or 30 times per search doesn't really appeal.

So here's a Ruby on Rails search. At the moment it's based on some sites which I use (list below), but if there are other ones that anyone would like to see included, just leave a comment, or volunteer to help out on the search engine front page.

edit: Looks like quite a few people in the RoR community had this idea... so rather than have lots of different searches doing the same thing, I've removed my one.

But if you're looking for a RoR search engine, head over here to the Ruby Inside Search Engine.


Site Listing


http://www.rubyforge.org/
http://www.ryandaigle.com/
http://weblog.rubyonrails.com/
http://www.loudthinking.com/
http://www.slash7.com/
http://www.oreillynet.com/ruby/
http://www.rubyonrailsforum.com/
http://www.ruby-forum.com/
http://www.bigbold.com/snippets/tags/rails
http://wiki.rubyonrails.com/
http://dev.rubyonrails.org/
http://www.ruby-lang.org/en/
http://www.37signals.com/
http://www.rubyonrails.com/
http://blog.t0fuu.com/
http://weblog.jamisbuck.org/
http://www.railtie.net/
http://www.rubyonrailsblog.com/
http://cardboardrocket.com/
http://www.danwebb.net/
http://mephistoblog.com/
http://curthibbs.wordpress.com/
http://www.softiesonrails.com/
http://nubyonrails.com/
http://www.rubyinside.com/
http://www.height1percent.com/
http://www.straw-dogs.co.uk/blog/

Posted by rorym at 2:59 PM | Comments (0) | TrackBack

October 21, 2006

Handy Ruby Framework for scripting

SimpleConsole - Building Console Apps

Interesting-looking idea. I know that a lot of the work I do tends to revolve around writing little command-line scripts, so anything that helps with that can only be a good thing.

Posted by rorym at 7:33 PM | Comments (0)

October 15, 2006

Using Google Code search to find the programming language most likely to drive you mad

After seeing all the great uses people are finding for Google's new Code Search I thought, "yeah these are useful, but what would be really useful would be to use this to find out what language is most likely to drive programmers mad!"

So I developed a rigorous methodology which primarily consists of searching for code invoking the name of Great Cthulhu! What surer sign of madness than using the name of a Great Old One!

So, without further ado, here are the results of my painstaking search.

From this we can clearly see that C is leading the pack, with TCL obviously a pretty mind-bending second place.

Posted by rorym at 1:17 PM | Comments (0) | TrackBack

October 14, 2006

SQL Injection tool

.:: nothern-monkee ::.

Another interesting-looking SQL injection tool to look at.

Posted by rorym at 1:59 PM | Comments (0)

October 13, 2006

Cool list of YouTube stuff

The Amazing YouTube Tools Collection


One for my handy links collection.

Posted by rorym at 10:50 AM | Comments (0)

October 12, 2006

Lightweight Windows... At last

Redmond | Feature Article: Server Core: Windows Without Windows

Interesting: looks like Microsoft are working on a cut-down version of Vista for certain core services. This is one of the things that's bugged me about Windows for ages (why does a server need a media player!!) and I think one of the main things that's hampered their activities in creating a more secure operating system.

Looks a touch basic at the moment, and I'm left wondering how easy it will be for third-party vendors to get their software running on it (it would make complete sense for things like database servers to use this rather than a default install of Windows), but it's definitely a step in the right direction.

Posted by rorym at 9:43 AM | Comments (0) | TrackBack

October 10, 2006

some more web tools...

OPEN-LABS

Some more stuff to look at when I get a chance.

Posted by rorym at 1:14 PM | Comments (0)

cool XSS DB

xssdb

Posted by rorym at 10:39 AM | Comments (0)

October 8, 2006

Wapiti - Web App. Scanner

Wapiti - Web application security auditor

Hmm... a Python-based web application scanner. Not come across this one before...


Posted by rorym at 4:57 PM | Comments (0)

October 5, 2006

People finding new uses for Google's Code search engine

Death By Comet » Blog Archive » Some of your db passwords are belong to us

Here's a post about people starting to look for "secret" information in Google's new source code search engine.

Also, there are some postings about trying to reproduce the famous search of Microsoft's codebase for profanity over here.

I'm guessing that this will be just the start of a series of new googledorks...

Posted by rorym at 6:17 PM | Comments (0)

Really interesting study on the prevalence of SQL injection

Michael Sutton's Blog : How Prevalent Are SQL Injection Vulnerabilities?

Really interesting study showing that, of a sample population of web apps live on the Internet, 11.3% had SQL injection vulnerabilities.

I also thought it was very interesting to see how a combination of the Google API and some relatively simple coding can be turned into a very powerful vulnerability-finding mechanism.

I've been doing some SQL injection work on recent tests, and it's amazing how much information you can get from a database through one error message. It's pretty trivial (especially if automated) to enumerate all tables in a database and all databases on a server, assuming (which tends to be the case) that the database server hasn't been hardened and the user account used by the web application hasn't been restricted (again, this tends to be the case).

Thinking about it, it's a little surprising that no-one's gone the extra step and done an automation that auto-roots servers with SQL injection vulns... It would be a fair bit harder than a buffer overflow (lots more variables to take account of like differing database servers and differing results from the initial injection allowing different queries to work) but given the reduced efficacy of worms attacking publicly available services (there's not really been a repeat of slammer in recent years) it would seem to be a viable attack path...
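The point above about a single error message giving away database detail, as an added example that is not part of the original post: a lookup built by string concatenation beside the parameterized form, plus a request wrapper that logs the database error and returns only a generic message to the caller. The SQLite table and the names in it are constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """The 'before' pattern: input spliced into the SQL text. A single quote in
    name breaks the statement, and the database's own error (which names the
    offending token) escapes to whoever called us."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: placeholder binding, so the input is only ever data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def concatenated_error(conn, name):
    """Return the raw database error text the concatenated query produces for
    this input, or None if it ran cleanly (shows what a verbose page would leak)."""
    try:
        lookup_concatenated(conn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def handle_request(conn, name, lookup, log):
    """Response wrapper: database detail goes to the server log, the caller only
    sees a generic failure, so error text is not available for enumeration."""
    try:
        return {"ok": True, "emails": lookup(conn, name)}
    except sqlite3.Error as exc:
        log.append(f"db error for input {name!r}: {exc}")
        return {"ok": False, "error": "request failed"}


if __name__ == "__main__":
    db = make_db()
    print(concatenated_error(db, "o'brien"))    # SQLite names the broken token
    print(lookup_parameterized(db, "o'brien"))  # [] -- treated as an absent name
```

The wrapper is only half the fix: the parameterized lookup removes the injection, and the generic response removes the error channel the post describes.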

Posted by rorym at 11:50 AM | Comments (0)

Mega Rails cheatsheet

Ruby on Rails Cheat Sheet Collectors Edition

Looks like there's loads of useful info here.

Posted by rorym at 6:02 AM | Comments (0)