Recession is not a time to pull the cover over and crawl in. It's a time to work harder, work smarter and improve your own development just to maintain your competitiveness.
- hashdump: dump the LanMan and NT hashes from the registry (deobfuscated).
- lsadump: dump the LSA secrets (decrypted) from the registry.
- cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain.
- Software buyers will be able to buy much safer software. ( with a certificate of code beign free of these 25 bugs)
- Programmers will have tools that consistently measure the security of the software they are writing.
- Colleges will be able to teach secure coding more confidently.
- Employers will be able to ensure they have programmers who can write more secure code.
- Try to measure productivity in output and not in hours. (article)
- Assign tasks to the geeks who are most interested in them, not the ones with the most experience.
- Segregate the corporate, compensatory hierarchy from the leadership hierarchy. Basically this mean that the Geeks will organize in a meritocracy, following the group guru. In my opinion not always will be this way, but a halfway option could be good.
- Allow them to work remotely.
- Don't impose absurd procedures, that consume time.
- Listen to their opinions usually they have very good alternatives or ideas, they are problem solvers and like challenges.
- Don't impose online content control/management, they are the "online generation", if they are productive why to worry if they are chatting or browsing the net. Most of the times they will be reading information that will improve their work and knowledge, and this is good for you.
- Give recognition, most of the business today relay on their work, stop and think again how much of your business relay on their work. Management tend to know the work of the geeks when things goes bad, what about of recognize them when everything goes smooth ?
- Don't burn them, they will leave, they do not tend to stay as other kind of employees.
- Give them the correct equipment, why people don't understand that a 3 year old computer is not adequate for doing the job in conditions? It's true that they work but they performance is awful and that will demotivate the geek. They spend the whole day working with the computer, usually multitasking, go and buy them a good and powerful computer, with a big screen or multiple screen setup, productivity will boost... and remember 19" is not a big screen...
- Let them wear casual clothes in your company, they are not too friends of the tie. But they understand that if the need to go to customer office is necessary to wear the suit.
- Provide them with a creative environment.
- Give them training, they will take advantage of it.
For the ones who don't know, virustotal.com offer a service of online antivirus, using 39 antivirus engines. It's very useful when you need to check a downloaded file or a suspicious file during an investigation.
You can check it here
Info via lifehacker.com
I'm starting to play with this thing, but seems pretty solid, there are people that are running in their homes as PIX firewalls, routers, ipsec vpns and QoS, with GNS3.
This is very interesting when you need to test something in a real IOS, and you don't have the necessary hardware.
You can download check it here: CCC presentations
Last vulnerability in Internet Explorer 7 was a bad one, affecting all previous versions and giving little time to patch it since malware started to take advantage of it. As explained in my post at S21sec´s blog (spanish), the vulnerability was used in a massive SQL injection campaign along many other vulnerabilities affecting Real Player, Adobe Acrobat and MS Office among others.
The discovery of the vulnerability seems to be in China, rounding the dark market by mid November, but the disclosure was after MS patching Tuesday during December. However, the question of HOW it was discovered has not an easy answer ... I was reading about this at Microsoft´s blog and it is not clear at all. Even using SDL this vulnerability is not easy to spot, much more difficult without having the code (as I assume). There is not much room for fuzzers (but they might be useful), and not likely to happen just by chance, so it seems someone really took bug finding in IE 7seriously.
You see these vulnerabilities appearing from time to time, but when you stop to think about this, is really amazing. As guys at MS say, bad guys have all time in the world to look for vulnerabilities but developers have tight deadlines and limited resources. This is true, and this makes necessary the use of several layers for security, but my final thought is that bad guys are going really professional, so we still have a lot of work to do to stop them.