This one covers a vast range of possible system issues, and in the OWASP context it's not actually restricted to configuration in its literal sense because the category also includes problems with out-of-date software (which may have security bugs that are fixed in later releases). The three genuinely configuration-related issues I've seen most over the years are:Leaving diagnostic messages enabled on the server. For instance in an out-of-the box PHP installation you can generally point the browser at http://www.mysite.com/phpinfo.php – which dishes up all the gory information about your server, OS version, database version, PHP version … everything an intruder needs in order to look up your vulnerabilities via Google.

Excessive permissions on back-end systems – usually databases. As with the SQL injection example earlier, the connection from your Web server into the back-end system must have the minimum possible privilege so if someone manages to execute (say) a SQL injection that deletes data it's rejected due to a lack of permissions.
FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason.

The glitch persisted for around two hours during during Monday morning before the problem was resolved, as a statement by the security vendor supplied to El Reg explains.At approximately 10am BST Monday 1 August, FireEye became aware of an issue with a newly released version of the Security Content in its Email Security products that caused certain non-malicious emails to be temporarily quarantined.
A new version of Security Content was released in under two hours, limiting impact and resolving the issue for customers automatically.FireEye deploys rapid updates to Security Content in order to quickly mitigate emerging campaigns, and we will continue to improve our testing and review prior to release.El Reg heard of the “computer says no” issue from a reader – who asked to remain anonymous – and complained that FireEye “crippled email globally for all their customers running email protection”, a comment that doubtless stemmed from understandable personal frustration.

• Battery for Acer AS10D3E


• Battery for Acer AS07A31


• Battery for Acer AL10B31


• Battery for A32-U50


• Battery for Asus A32-K55


• Battery for ASUS ZenBook UX31


• Battery for ASUS UX31


• Battery for ASUS G75

Black Hat video Car hackers Charlie Miller and Chris Valasek have again hacked a 2014 Jeep Cherokee, this time by physically linking a laptop to commandeer its steering and kill the brakes.The duo have captured the hack to be presented at Black Hat Las Vegas this week in video proof-of-concept demonstrations.The compromise requires attackers to be physically present in order to compromise the car.However Miller confirmed this writer's suggestion that the attacks could be carried out using a concealed device which either contains automated and timed commands, or with remote attacks over a wireless link.Such a feat which Miller says were "most definitely" possible could be considered a vector for targeted, albeit over-engineered, assassination.The localised attack is similar to other CAN bus attacks in which researchers have popped locks, compromised steering, and brakes.There are legitimate uses for tapping CAN buses that have spawned companies which manufacture products that tap into the ports in order to display detailed fuel consumption and engine data to drivers, for example.

In one of the proof-of-concept videos Miller sits in the back of the Jeep with a lead connecting his laptop to the CAN bus above the dashboard.
Valasek cruises at low speed through a cornfield road until Miller causes the steering wheel of the Jeep to lock 90 degrees to the right sending it off road.The attack affects the same Jeep which was patched after the duo remotely hacked it last year killing the engine during a live demonstration on US highway I-64.
The pair attacked the Jeep's electronic control units disabling one by sending it into a maintenance mode and using another to send spoofed commands.Cruise control speed can also be set but drivers can quickly regain control by tapping brakes.
The pair say they've penned a paper, to be revealed at Black Hat, in which they recommend vehicle manufacturers should better lock down CAN buses. To help auto-makers along, the pair have built an intrusion detection system that can detect their attacks. Black Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network.The two friends, veterans among a team of two dozen, are at the time of writing knee deep in the task of running the network at Black Hat, the security event where the world reveals the latest security messes.

• Battery for ASUS G73S


• Battery for ASUS C22-UX31


• Battery for ASUS A32-K55


• Battery for Apple PowerBook G4 15inch


• Battery for Apple MacBook Pro 17inch


• Battery for Apple MacBook Pro 15"


• Battery for Apple MacBook Pro 15.4"


• Battery for Apple MacBook Pro 13inch

The event kicks off with three days of training, then unleashes tempered anarchy as the conference proper gets under way.Wyler, better known as Grifter (@grifter801), heads the NoC – the network operations centre – at Black Hat, an event he has loved since he was 12 years old. “I literally grew up among the community,” he says.Wyler's day job is working for RSA's incident response team while Stumper is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status. Wyler has worked with Black Hat for 14 years and DEF CON for 17 years, while Stump has chalked up nine years with both hacker meets.Together with an army of capable network engineers and hackers, they have operated two of the few hacker conference networks that delegates and journalists are advised to avoid.Rightly so; over the next week the world’s talented hacker contingent will flood Las Vegas for Black Hat and DEF CON, the biggest infosec party week of the year. The diverse talents – and ethics – of the attending masses render everything from nearby ATMs to medical implants potentially hostile and not-to-be-trusted.

Some 23 network and security types operate the Black Hat NoC and are responsible for policing that particular conference's network, which they helped create. Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.“We will sit back and monitor attacks as they happen," Wyler tells The Register from his home in the US. "It's not your average security job."The crew operates with the conference din as a background, sometimes to cheers as speakers pull off showy hacks or offer impressive technical demos in rotating shifts. In the Black Hat NoC, some laugh, some sleep, and all work in a darkness broken by the glow of LEDs and computer screens. Their score is a backdrop of crunching cheese Nachos, old hacker movies, and electronic music."Picture it in the movies, and that's what it's like," Stump says, commiserating with your Australia-based scribe's Vegas absence. "It'll be quite a sight, you'll be missing something."

To add a comment please login by clicking here