davidnoren.com


Hi there. All you will find here are a few musings about information security and other topics I find personally interesting. If you want to know what I'm working on, find me on GitHub.


Attacking Windows EFS With Metasploit

Windows EFS Overview EFS, which stands for “Encrypting File System“, is a feature of the NTFS file system that has been available since NTFS version 3. Every business-focused version of Microsoft Windows since Windows 2000 has had the capability to employ Windows EFS. Note: This post was originally written on a WordPress-powered blog, and has been exported and imported to this blog platform. As a result, unfortunately, not all markdown, code, and output looks as pretty as it once did.

Externally-Hosted Libraries: Good or Bad Idea?

Many developers tout the benefits of using externally-hosted libraries for various website content – most typically javascript libraries. Google, for example, hosts most of the popular javascript libraries, including jQuery, MooTools, Prototype, etc. They state on their informational page that there are a number of benefits, including “stable, reliable, high-speed, globally available access”. Note: This post was originally written on a WordPress-powered blog, and has been exported and imported to this blog platform.

Password Security

One of the most frequent questions I get from people who know about what I do for a living is, “Is it bad that I use the same password everywhere?” I always answer in the affirmative, but I know that is not the answer people want. Password security is a complex topic. With so many websites requiring usernames and passwords yet many websites and organizations not caring as much about password security, and security in general, what can you do?

PHP extract() Vulnerability

PHP has a function named extract() to take all provided GET and POST requests and assign them to internal variables. Developers will, at times, use this function instead of manually assigning ‘$_POST[var1]’ to ‘$var1’. This function will overwrite any previously defined variables, including server variables. Extract() has options which prevent overwriting previously-defined variables, however this safety is not enabled by default, and developers might not enable the safety, just as many do not perform input validation.

Archive