Dionach Information Security Blog

Gambling Commission ISO 27001 Security Requirements and Penetration Testing

Blog by Bil on 30 January
The Gambling Commission requires that remote gambling licence holders get annual ISO 27001 security audits done. This needs to cover a specific subset of ISO 27001 controls ...

Configuring Metasploit for Client Side Attacks

Blog by Michele on 22 November
During a client side test, several areas need to be setup for a successful attack. In this short article I will describe how to configure Metasploit by making use of the features in the latest release ...

Virtual Security Management

Blog by Dave on 18 October
First of all, in the interests of fairness, I should point out that I think virtualisation is amazing. I love the idea that my laptop can run several different, largely independent operating systems ...

An Effective Internal Penetration Test

Blog by Dave on 19 September
"My servers are all fully patched, and we've fixed the weak administrator password that the last guys found. So I don't really expect you to find anything!" The previous statement, paraphrased slightly ...

Security is a Process, not a Product

Blog by Michele on 5 September
It�s not a novelty to say that the market is often regulated by the strong business brand and it is no exception for IT security. Companies will often use a single commercial product to try to achieve ...

Custom Access Control

Blog by Dave on 6 July
As penetration testers we have a tendency to get caught up in the latest exploit, or the most intricate piece of SQL injection or cross-site scripting ...

Reviewing Your Security After Sony, RSA and IMF Breaches

Blog by Bil on 13 June
The various publicised data and network breaches (or "hacks") this year seem to fall into two camps...

Vulnerability: Grapecity DataDynamics Report Library Cross-Site Scripting

Blog by Dave on 13 May
Grapecity's DataDynamics Report Library is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data ...

Vulnerability: Kodak InSite Troubleshooting Cross-Site Scripting

Blog by Dave on 13 May
Kodak InSite is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data ...

Vulnerability: Domino Sametime Server 'stconf' Reflected Cross-Site Scripting

Blog by Dave on 13 May
Domino Sametime is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data ...

Vulnerabilities in Web Content Management Systems

Blog by Tassi on 21 February
During my time as a penetration tester I have come across a series of Web Content Management Systems (WCMS) including both Free Open Source Software (FOSS) and Commercial Off The Shelf (COTS) software ...

The Security Value of the Robots.txt file

Blog by Mithun on 10 February
This is my view on the use of robots.txt as a security control and the problems of not having one. From my penetration testing experience ...

Penetration Testing Is Not Vulnerability Scanning

Blog by Dave on 3 February
I recently received the go-ahead for an external penetration test which referred to the test as "a scan". This is not the first time I have seen penetration testing and vulnerability scanning confused ...

Update to ISO 27001 Planned for 2013

Blog by Bil on 25 January
I went to the UK User Group Consultation at BSI on 25th January. This provided the attendees to get an overview of the changes and comment on them. The update for ISO 27001 is currently on the 4th working draft ...

Web Services Blind SQL Injection

Blog by Bil on 18 January
There is plenty of documentation for using blind SQL injection in penetration tests. This code demonstrates exploiting blind SQL injection in a web service using Python...