SANS ISC: InfoSec Handlers Diary Blog


Deja Vu - Web Apps

Published: 2009-02-27
Last Updated: 2009-02-27 04:09:28 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

From FTC File No. 082 3113, the highlight is the Deja Vu, ymmv.

The complaint is for violations of the provisions of the Federal Trade Commission Act by an operator of a "computer network that consumers use", and it says:

"respondents engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information stored on their network. Among other things, respondents:

(1) stored personal information in clear, readable text;

(2) did not adequately assess the vulnerability of their web application and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks;

(3) did not implement simple, free or low-cost, and readily available defenses to such attacks;

(4) did not use readily available security measures to monitor and control connections between computers on the network and from the network to the internet; and

(5) failed to employ reasonable measures to detect and prevent unauthorized access to personal information, such as by logging or employing an intrusion detection system."

FTC AGREEMENT CONTAINING CONSENT ORDER
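Items (1) through (3) of the complaint map onto two of the oldest web-app controls there are: don't build SQL from user input, and don't keep credentials in readable form. The following is an added illustration, not code from the diary or from the FTC filing, and it assumes a hypothetical `customers` table in an in-memory SQLite database with constructed sample rows. It puts the string-concatenated lookup next to the parameterized one so the difference in behaviour is visible, and stores passwords as salted PBKDF2 hashes rather than clear text.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the example (username, email, password).
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "pw-alice"),
    ("bob", "bob@example.com", "pw-bob"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is not the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Create the hypothetical customers table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "username TEXT PRIMARY KEY, email TEXT, pw_salt BLOB, pw_hash BLOB)"
    )
    for user, email, password in SAMPLE_CUSTOMERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?, ?)",
            (user, email, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the complaint is about: user input pasted into the SQL text.

    A username containing a quote character changes the WHERE clause itself,
    so a lookup for one account can return every account.
    """
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """The free, readily available defense: a parameterized query.

    The driver sends the value separately from the SQL text, so whatever the
    string contains is compared as data and never parsed as SQL.
    """
    rows = conn.execute(
        "SELECT email FROM customers WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Check a login without ever having stored the clear-text password."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM customers WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_email_vulnerable(db, probe))  # both emails
    print("parameterized:", lookup_email_safe(db, probe))    # []
    print("login ok:", verify_password(db, "alice", "pw-alice"))
```

Running the block shows the concatenated version returning every email for an input that is not a username at all, while the parameterized version returns nothing; the password check works from the salted hash alone, which is what item (1) of the complaint asks for.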


Considering ITIL?

Published: 2009-02-27
Last Updated: 2009-02-27 04:08:28 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

While reading up on recent work by one of my favorite ITIL writers, implementers and bloggers, Kevin Behr, I found a pointer to an article some may find useful when thinking about ITIL for their shop. Kevin wrote the article with his cohort luminaries Gene Kim and George Spafford; see CMDB: The Key to Jump-Starting ITIL Success.


Cisco Security Advisory

Published: 2009-02-27
Last Updated: 2009-02-27 03:46:18 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

Yesterday Cisco released a Security Advisory for Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine.

Three of the vulnerabilities have CVSS Base Scores of 9, 10 and 10, with CVSS Temporal Scores of 7.4, 8.7 and 8.7.

A number of them are rated as having "Functional" exploit code available.
