The Most Common Hiding Places for Workplace Passwords
By Mike S
It’s funny, because it’s true.
When I was an IT admin, I had the pleasure of dealing often with people who would submit urgent service requests and then leave for the day, leaving their office empty and computer locked by the time I could get there to help. Fortunately, I was often able to fix their problem while they weren’t there. Why? Their password was somewhere on their desk in one of these easy-to-find locations.
Metasploit For The Masses
By Mike S
This could be quite useful:
Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.
The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7's Metasploit Pro commercial product.
Domain User Spraying and Brute Forcing Domain Default Passwords, Avoiding Lockout
By Mike S
Looks interesting:
A while ago, Dave Hoelzer did a nice video on how to use Windows PowerShell to hack domain user accounts. Basically, Dave leveraged PowerShell commands which any domain user can execute on a domain and receive either a positive or negative response based on the legitimacy of the username and password combination. This got me thinking. Since I’m not typically handed, or able to spawn, a PowerShell right from the get go, what else could I use to accomplish the same goal? The answer is attempting to connect to the IPC$ share of a domain controller. Using the following command, you can spray a huge list of domain users with a small number of passwords (to avoid lockout) and try to catch someone using something simple.
@FOR /F %n in (names.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\DC01 /user:mydomain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC01\IPC$ > NUL
WARNING: Make sure the number of passwords in your file is less than that of the account lockout policy.
And the other obligatory warning – make sure you have approval from Corporate before trying this.
via PaulDotCom: Archives.
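A defender-side check for the spray pattern described above, added here as an example and not part of the PaulDotCom post: it assumes failed-logon records (Windows event 4625) already exported as plain "timestamp source account" lines (the sample below is constructed) and flags a source that fails against many accounts while every account stays under the lockout threshold, which is exactly the pattern a per-account lockout policy never sees.

```python
"""Flag a password spray in Windows logon-failure (event 4625) records: a spray
fails across many accounts while each account stays under the lockout threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source address> <target account>" per line.
# 10.0.0.23 sprays one password across eight accounts; 10.0.0.77 hammers a
# single account, which the lockout policy itself would catch.
SAMPLE_EVENTS = """\
2011-10-24T09:00:01 10.0.0.23 alice
2011-10-24T09:00:02 10.0.0.23 bob
2011-10-24T09:00:02 10.0.0.23 carol
2011-10-24T09:00:03 10.0.0.23 dave
2011-10-24T09:00:03 10.0.0.23 erin
2011-10-24T09:00:04 10.0.0.23 frank
2011-10-24T09:00:04 10.0.0.23 grace
2011-10-24T09:00:05 10.0.0.23 heidi
2011-10-24T09:30:00 10.0.0.77 alice
2011-10-24T09:30:10 10.0.0.77 alice
2011-10-24T09:30:20 10.0.0.77 alice
"""

def parse_events(text):
    # Each record becomes (timestamp, source, account); accounts are case-folded.
    out = []
    for line in text.splitlines():
        ts, src, user = line.split()
        out.append((datetime.fromisoformat(ts), src, user.lower()))
    return out

def find_sprays(events, window=timedelta(minutes=30), min_users=6, lockout=5):
    """Return {source: (distinct accounts, max failures per account)} for each source
    that failed against >= min_users accounts in one window with no account locked out."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            worst = max(per_user.values())
            if len(per_user) >= min_users and worst < lockout:
                findings[src] = (len(per_user), worst)
                break
    return findings
```

Tune `min_users` and `window` to the size of the domain; the thresholds here are constructed for the sample, not taken from any policy.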
Mass SQL Injection Attack Hits 1 Million Sites
By Mike S
“To have input validation turned off on their Web servers seems crazy,” he says. “There is literally a script feature on ASP.NET that checks input validation, and it’s on by default. These people have turned it off, and I cannot wrap my head around why they’re turning it off.”
Why would you disable the safety features of your development language, and put them into production like that?
via Mass SQL Injection Attack Hits 1 Million Sites – Dark Reading.
Google and Samsung unveil Galaxy Nexus, Android 4 at event
By Mike S
Aw nuts, I just barely got a top-of-the-line Droid Bionic, and it’s already an outdated has-been.
Google and Samsung unveil Galaxy Nexus, Android 4 at event.
Strange But True Penetration-Testing Stories – Dark Reading
By Mike S
Ah, the fun of legitimate penetration…
‘Hacker’ gets kudos from his financial services victim, as in-house security cameras go rogue and steal users’ credentials
via Strange But True Penetration-Testing Stories – Dark Reading.
New Microsoft Data Puts Zero-Day Threat Into Perspective
By Mike S
First, the good news from Microsoft’s newest data on real-world Windows security incidents: Zero-day attacks are relatively rare. Now the bad news: Ninety-nine percent of all malware infections are due to organizations and users not applying security updates.
So why don’t people or organizations let the thousands of existing patches secure their machines?
via New Microsoft Data Puts Zero-Day Threat Into Perspective – Dark Reading.
Official Malware from the German Police
By Mike S
Bruce Schneier has some interesting info on Official Malware from the German Police.
Schneier on Security: National Cybersecurity Awareness Month
By Mike S
For National Cybersecurity Awareness Month, Bruce Schneier asked his readers for more exciting tips than what DHS has posted. Some commenters went all out:
National Cybersecurity Awareness Month activity-a-day calendar
Day 1. google your own name
Day 2. google all your email addresses
Day 3. google all your telephone numbers
Day 4. google map your residence. Also check streetview. When did they take those pictures?
Day 5. Make a list of all your on-line accounts
Day 6. List the passwords for your accounts. How many accounts share the same password?
Day 7. Find your browser cache. Take a look. See what is there.
Day 8. Find out how to clear your browser history/cache/cookies
Day 9. Find all the cookies on your web browser. How many of the domain names do you recognize?
Day 10. Clear all the cookies on your web browser. Check back every day. How long does it take for them to return?
Day 11. Set your browser to refuse all cookies. Try to browse the web.
Day 12. Find the license or terms of use for your favorite program/service. Read them.
Day 13. Pick an account or service that you no longer use/need. Try to close/delete/eradicate it.
Day 14. Lower your attack profile. Pick a high-profile app (IE/Outlook/Acrobat/etc..) and switch to a lower-profile equivalent (FF/Thunderbird/Foxit/etc…)
Day 15. Find the number of people killed each year by computers. Compare with the number killed by automobiles.
Day 16. Locate all the executable programs on your computer.
Day 17. List all the vendors that those programs came from.
Day 18. List all the countries that those programs came from.
Day 19. Find a work that isn’t under copyright. Copy it.
Day 20. Enter a bill into wheresgeorge.com. Release it into the wild and track it on-line.
Day 21. Create an email address somewhere. Never use it. See how much SPAM it accumulates.
Day 22. Do a tracepath to your favorite site or service. How many machines get their hands on your data between here and there?
Day 23. Connect a machine with a common OS to the internet. Measure mean time to compromise.
Day 24. Run crack against all your encrypted passwords
Day 25. Run a port scan on your own IP address
Day 26. Do a security audit of your own computer
Day 27. Walk a tablet/netbook/PDA around your wireless access point and map its range
Day 28. Go wardriving with a friend. How many wireless access points can you find? How many are unsecured?
Day 29. Scavenge some drives from the $5 bin at your local computer surplus store. Plug them in. See what is on them.
Day 30. Read Ken Thompson–Reflections on Trusting Trust. Do you understand the attack? Do you care?
Day 31. (Halloween) Create an on-line identity that isn’t publicly tied to your real name. Masquerade on-line in that persona.
via Schneier on Security: National Cybersecurity Awareness Month.
Over-excited Content Filters
By Mike S
Ironically, I couldn’t see this at work, due to the content filter: 1.00 FTE – We Are Not Bad People.
October 24th, 2011