Jul 02, 2013
 

Gothard Technology is relocating to the Mississippi Gulf Coast.

Effective July 15, 2013, our office will be located in Ocean Springs, MS.

We will continue to provide remote support to Alabama clients on a limited basis indefinitely and can schedule on site service through one of our recommended partners at your request.

We would like to thank all of our customers in the Birmingham area for your support, and know that we will be more than happy to assist you in any way possible, including transitioning to a new local provider.

Apr 24, 2014
 

Thanks to Gebhard for letting us know about a new vulnerability in Apache Struts.

If you recall the classloader vulnerability of a few months ago, the fix for that seems to be case and punctuation sensitive (using [] instead of "." was not accounted for).

In any case, they have posted a mitigation how-to here: http://struts.apache.org/announce.html#a20140424

This affects all versions up to 2.3.16.1.

Find more information on this here:
http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/

================
Rob VandenBrink
Metafore
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
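The diary's point is that an exclusion rule written for one spelling of a parameter name (lowercase, dot-separated) is bypassed by equivalent spellings the framework treats the same way. The following added example, not code from the diary or from the Struts project, shows the defender's fix in miniature: decode and normalise the parameter name into canonical segments before matching, rather than matching the raw string. The sample parameter names, the `someProperty` suffix and both rules are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample of request parameter names, as a reverse proxy or a log review
# would see them. None of these come from the diary; 'someProperty' is a placeholder.
SAMPLE_PARAMS = [
    "user.name",                                  # ordinary form field
    "class.classLoader.someProperty",             # dotted form the naive rule catches
    "Class.classLoader.someProperty",             # case variant
    "class['classLoader'].someProperty",          # single-quoted index form
    'class["classLoader"].someProperty',          # double-quoted index form
    "class%5B%27classLoader%27%5D.someProperty",  # same again, percent-encoded on the wire
    "classic.note",                               # benign: 'class' is only a prefix here
]

# A naive exclusion of the kind the diary describes: anchored, case-sensitive, dot-only.
NAIVE_RULE = re.compile(r"^class\.")

def naive_match(name: str) -> bool:
    return NAIVE_RULE.search(name) is not None

# Matches an index expression such as ['x'], ["x"] or [x] and captures the key.
_INDEX = re.compile(r"""\[\s*['"]?([^'"\]]*)['"]?\s*\]""")

def normalize(name: str) -> list:
    """Reduce a property path to lowercase dotted segments: percent-decode,
    rewrite [ 'x' ] / [ "x" ] / [x] as .x, lowercase, then split on '.'."""
    decoded = unquote(name)
    dotted = _INDEX.sub(r".\1", decoded)
    return [seg for seg in dotted.lower().split(".") if seg]

def hardened_match(name: str) -> bool:
    """Flag any path that traverses a 'class' property, whatever its spelling."""
    return "class" in normalize(name)

def audit(names):
    """Return the names the naive rule misses but the hardened rule catches."""
    return [n for n in names if hardened_match(n) and not naive_match(n)]

if __name__ == "__main__":
    for n in SAMPLE_PARAMS:
        print(f"{n!r:48} naive={naive_match(n)!s:5} hardened={hardened_match(n)}")
    print("missed by the naive rule:", audit(SAMPLE_PARAMS))
```

Matching on normalised segments rather than on the raw string is what makes the rule indifferent to case, quoting style and encoding; the same normalisation step is what to check for when reviewing any blocklist-style mitigation in a WAF or framework configuration.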
Apr 23, 2014
 

As systems administrators and security folks, we've all had our fill of our users and customers using simple passwords. Most operating systems these days now enforce some level of password complexity by default, with options to "beef up" the requirements for passwords.

The prevailing wisdom today is to use passphrases - demonstrated nicely by our bud at xkcd - http://xkcd.com/936/

So I routinely have very long pass phrases for public facing accounts. Imagine my surprise when I was creating a new account on a major cloud service (the one that starts with an "O" and ends with a "365"), and found that I was limited to a 16 character password.

Needless to say I have a case open to see if that limit can be removed. I'm not looking for no limit / invitation to a buffer overflow status on the password field, but something bigger than 16 would really be appreciated!

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
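The diary asks for a password field that admits a passphrase without being unbounded. The following added example, not code from the diary or from any vendor, shows how a service can do both: count length after Unicode normalisation, accept anything up to a generous cap, and feed the result through a key-derivation function so that input length is a CPU-time question, never a buffer-size one. The bounds (12 and 256) and the PBKDF2 iteration count are assumptions chosen for the example; the 16 is the limit the diary complains about, and the 28-character passphrase is the one from the xkcd strip it cites.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Policy bounds assumed for this example (not from the diary): long enough for a
# passphrase, bounded so a client cannot push megabytes through the hash.
MIN_LENGTH = 12
MAX_LENGTH = 256
LEGACY_CAP = 16          # the limit the diary ran into
PBKDF2_ITERATIONS = 200_000

def canonical(password: str) -> str:
    """NFKC-normalise so visually identical input is measured and hashed the same way."""
    return unicodedata.normalize("NFKC", password)

def check_length(password: str, max_length: int = MAX_LENGTH) -> Tuple[bool, str]:
    """Return (accepted, reason), counting code points of the normalised passphrase."""
    n = len(canonical(password))
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH})"
    if n > max_length:
        return False, f"too long ({n} > {max_length})"
    return True, "ok"

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a fixed-size 32-byte digest from a passphrase of any accepted length.
    PBKDF2 has no fixed-size input buffer, so the cap bounds work, not memory."""
    accepted, reason = check_length(password)
    if not accepted:
        raise ValueError(reason)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonical(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the stored digest against a fresh derivation."""
    accepted, _ = check_length(password)
    if not accepted:
        return False
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # 28 characters, from xkcd 936
    print("under the 16-char cap:", check_length(passphrase, LEGACY_CAP))
    print("under the 256-char cap:", check_length(passphrase))
    salt, digest = hash_password(passphrase)
    print("verifies:", verify_password(passphrase, salt, digest))
    print("wrong passphrase verifies:", verify_password(passphrase + "r", salt, digest))
```

The design choice worth noting is that the maximum exists to bound the cost of the key derivation (and is a few hundred characters, not 16), while the minimum is where the actual policy lives; a field that silently truncates or rejects at 16 pushes users back toward short passwords, which is the outcome the complexity rules were meant to prevent.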