Defining and Implementing a Strategic Security Management Framework
When it comes to mitigating security risks and satisfying compliance
requirements associated with information assets, nothing achieves greater
results than a well-structured and governed management system for
information security. This paper assesses the issues organisations must
consider when establishing an enterprise security strategy and introduces
the Strategic Security Management Framework, developed by Drazen Drazic,
General Manager of Security-Assessment.com Australia.
Simplifying the Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was established
to set down minimal requirements to ensure the protection of
cardholder data. This paper outlines the purpose of the PCI DSS, the
effects of non-compliance on an organisation, and what merchants and service
providers are required to implement and maintain in order to achieve PCI
compliance.
Access over Ethernet: Insecurities in AoE
ATA over Ethernet (AoE) is an open-standards-based protocol that allows direct network access to disk drives by client hosts.
This paper investigates the insecurities present in the ATA over Ethernet (AoE) protocol and presents some attacks that exploit various vulnerabilities in the protocol.
Exploiting Freelist[0] On Windows XP Service Pack 2
Windows XP Service Pack 2 introduced some new security measures in an attempt to prevent the use of overwritten heap headers to do arbitrary byte writing.
This method of exploiting heap overflows, and the protection offered by Service Pack 2, is widely known and has been well documented in the past.
What this paper will attempt to explain is how other functionality of the heap management code can be used to gain execution control after a chunk header has been overwritten.
In particular this paper takes a look at exploiting freelist[0] overwrites.
Bugger The Debugger - Pre Interaction Debugger Code Execution
The use of debuggers to analyse malicious or otherwise unknown binaries has
become a requirement for reverse engineering executables to help determine
their purpose. While researchers in places such as anti-virus laboratories have
always done this, with the availability of free and easy-to-use debuggers, it has
also become popular with corporate security officers and home users.
0x00 vs ASP File Uploads
The effects of the 'Poison Null byte' have not been widely explored in ASP, but, as with other languages, the NULL byte can cause problems when ASP passes data to objects. This problem arises when data is compared and validated in ASP script but passed to the FileSystemObject without checking for NULL bytes. This document discusses how ASP upload scripts can be affected by the Poison Null byte attack.
Shattering by Example (French)
'Shatter Attack' is a term used to describe attacks against the Windows GUI environment that allow a user to inject code into another process through the use of Windows messages. The attack methods described in this document use messages that at first glance appear safe, but can be used to write arbitrary values to a process's memory space, leading to command execution.