Vulnerabilities
From the Web
Mod_Security and Slowloris
December 10, 2010 from: Rsnake's blog at ha.ckers.org
After all the press around Wong Onn Chee and Tom Brennan’s version of a HTTP DoS attack, I think people started taking HTTP DoS a tad more seriously. Yes, there are lots of variants of HTTP-based DoS attack, and I’m sure more tools will surface over time. The really interesting part is how both Apache and IIS have disagreed that it is their problem to fix. So we are left to fend for ourselves. ...
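As an added example (not code from the post, from mod_security or from the Slowloris tool itself), the following models the shape of a Slowloris connection and the check a connection-level detector can run over a server's connection table. The connection records are constructed, and the thresholds (30 seconds, 10 connections per peer) are assumptions to tune per site.

```python
"""Added example: what a Slowloris client holds open, and how to spot it.
Connection records below are constructed; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"


def slowloris_request(i):
    """A request whose header block never terminates. The attacker keeps
    adding a harmless header every few seconds so the server keeps waiting.
    Constructed shape of the request, not the tool's own code."""
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            + b"User-Agent: Mozilla/5.0\r\n"
            + b"X-a: %d\r\n" % i)  # note: no blank line ends the headers


def headers_complete(buf):
    """True once request line plus headers have ended with an empty line."""
    return HEADER_END in buf


@dataclass
class Conn:
    ip: str
    age_s: float      # seconds since the TCP connection was accepted
    received: bytes   # request bytes buffered so far


def flag_slow_clients(conns, max_header_age_s=30, max_incomplete_per_ip=10):
    """Return {ip: count} for peers holding >= max_incomplete_per_ip connections
    that are older than max_header_age_s and still lack a complete header block.
    One slow but honest client trips neither threshold; Slowloris trips both."""
    stale = defaultdict(int)
    for c in conns:
        if c.age_s > max_header_age_s and not headers_complete(c.received):
            stale[c.ip] += 1
    return {ip: n for ip, n in stale.items() if n >= max_incomplete_per_ip}


def sample_connection_table():
    """Constructed: one attacker with 50 half-open requests, one slow honest
    client on a bad link, and a few normal completed requests."""
    table = [Conn("203.0.113.7", 90.0 + i, slowloris_request(i)) for i in range(50)]
    table.append(Conn("198.51.100.2", 45.0,
                      b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"))
    table += [Conn("192.0.2.%d" % i, 2.0,
                   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
              for i in range(1, 4)]
    return table


if __name__ == "__main__":
    print(flag_slow_clients(sample_connection_table()))  # {'203.0.113.7': 50}
```

The check has to live at the connection level: a request-inspecting module such as ModSecurity only runs once the request headers have been parsed, and a Slowloris request never reaches that point. On Apache the equivalent server-side control is a read timeout on the header phase (mod_reqtimeout's RequestReadTimeout), which closes connections that do not deliver complete headers within a bounded time.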
From the Web
Cheating Part 2
December 07, 2010 from: Rsnake's blog at ha.ckers.org
It would have been fun to create a contest to see which strategies are the most effective in a bot on bot scenario. Is an all defensive strategy better, or an all offensive (always opportunistically taking the highest value word)? Or maybe a hybrid of both where you play defensively at some points or offensively when you know it’s better in the long run.
From the Web
Cheating Part 1
December 01, 2010 from: Rsnake's blog at ha.ckers.org
I just thought I’d write a few vaguely amusing posts having just come back from Abu Dhabi (Blackhat) and Brazil (OWASP). A few weeks back my wife was having a rather fancy soiree work party that also had a casino night attached to it. I was pretty annoyed about the whole work party thing, having rarely had a good time at these things in the past. So immediately I start looking for ways to entert...
From the Web
FireSheep
November 16, 2010 from: Rsnake's blog at ha.ckers.org
I [Rsnake] go back and forth on whether I think FireSheep is interesting or not. Clearly, it’s old technology re-hashed. But it is interesting not because it works, but that it surprises people that it works. We’ve been talking about these problems forever, and now companies are scrambling to protect themselves. I guess the threat isn’t real until every newbie on earth has access to the hack...
From the Web
Website Security Statistics Report (2010) - Industry Benchmarks
November 08, 2010 from: Jeremiah Grossman's Blog
"How are we doing?" That's the question on the mind of many executives and security practitioners whether they have recently implemented an application security program, or already have a well-established plan in place. The executives within those organizations want to know if the resources they have invested in source code reviews, threat modeling, developer training, security tools, etc. are mak...
From the Web
Cooling Down the Firesheep
November 06, 2010 from: Mozilla Security Blog
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alo...
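The two Firesheep entries above (Rsnake's and Mozilla's) both come down to the same server-side gap: a session cookie that the browser will also send over plain http:// on a shared network. As an added example, not code from either post, here is a check that audits a response's Set-Cookie headers for that gap. The response headers and cookie names are constructed, and the list of name fragments used to guess which cookies carry a session is an assumption.

```python
"""Added example: audit Set-Cookie headers for cookies a sniffer on an open
network could replay. Sample headers are constructed."""
from dataclasses import dataclass, field

# Assumption: name fragments that usually mark a session/authentication cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login", "user")


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, value, {attr: value}).
    Flag attributes such as Secure and HttpOnly map to ''."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs


@dataclass
class CookieFinding:
    name: str
    session_like: bool
    problems: list = field(default_factory=list)


def audit_response(headers, over_tls):
    """headers: list of (name, value) as received; over_tls: whether the
    response arrived on https://. Returns one finding per Set-Cookie header."""
    out = []
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        f = CookieFinding(name, any(h in name.lower() for h in SESSION_HINTS))
        if not over_tls:
            f.problems.append("set over plain HTTP: value already visible on the wire")
        if f.session_like and "secure" not in attrs:
            f.problems.append("no Secure flag: sent with any http:// request to this host")
        if f.session_like and "httponly" not in attrs:
            f.problems.append("no HttpOnly flag: readable by injected script")
        out.append(f)
    return out


def missing_hsts(headers):
    """True when the response carries no Strict-Transport-Security header, so a
    forced http:// link to the site still produces a cleartext request."""
    return not any(n.lower() == "strict-transport-security" for n, _ in headers)


# Constructed, modelled on a 2010-style site: TLS for login, session on plain HTTP.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=f3a9c0e1; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=9b2d4471; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS, over_tls=True):
        print(f.name, f.problems)
    print("HSTS missing:", missing_hsts(SAMPLE_HEADERS))
```

The Secure flag is what stops the replay Firesheep automates; the HttpOnly flag and HSTS close the neighbouring routes (script access, and the first cleartext request before any redirect to https://). A cookie set over plain HTTP is reported regardless of its flags, since its value has already crossed the network in the clear.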
From the Web
Least Common Denominator
October 23, 2010 from: Rsnake's blog at ha.ckers.org
While at Bluehat Jeremiah got a question from someone (I believe he worked at Opera) saying that even something as simple as turning off third-party cookies will break things like Yandex. Jer had an amusing response which was, “What’s that?” followed by, “So you’re telling me I need to be less secure because someone else wants to go to a site that I’ve never heard of?”
From the Web
Performance Primitives
October 21, 2010 from: Rsnake's blog at ha.ckers.org
Intel, Mozilla and Adobe. How are these companies related, you may ask? Well, all of them care about performance. A year or so ago I was hanging out with the Intel guys and they informed me that they have a series of low-level performance primitives that they surface through APIs. At the time I wasn't quite sure what to make of it.
From the Web
Odds, Disclosure, Etc…
September 18, 2010 from: Rsnake's blog at ha.ckers.org
I went to Data Loss DB the other day and I noticed an interesting downward trend over the last two years. It could be due to a lot of things. Maybe people are losing their laptops less or maybe hackers have decided to slow down all that hacking they were doing. No, I suspect it’s because in the dawn of social networking and collective thinking, companies fear disclosure more than ever before.
From the Web
Browser Differences, Minutia Et Al…
September 10, 2010 from: Rsnake's blog at ha.ckers.org
Browser security often turns into a religious war amongst technologists, instead of being thought about pragmatically. What are the real motives of the companies that are developing the browsers? In most cases they care primarily about market share because market share makes them money (through search engine agreements, and so on).
From the Web
The Effect of Snakeoil Security
September 10, 2010 from: Rsnake's blog at ha.ckers.org
Bad security isn’t just bad because it allows you to be exploited. It’s also a long term cost center. But more interestingly, even the most worthless security tools can be proven to “work” if you look at the numbers. Here’s how.
From the Web
Prior Knowledge Of Users' Cert Warning Behavior
September 02, 2010 from: Rsnake's blog at ha.ckers.org
One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior and how that can be used against the user. Let’s say a man in the middle causes an error via proxying a well-known owner/subsidiary.
From the Web
The Chilling Effect
August 23, 2010 from: Rsnake's blog at ha.ckers.org
I feel like there are a lot of very talented people who will never get to see their day in the sun and as an unfortunate consequence of this vulnerability market some talentless people will...
From the Web
Hill-Billies: A Case Study
August 18, 2010 from: Rsnake's blog at ha.ckers.org
With every major innovation the security community comes up with, the general public and vendors alike figure out a way to abuse that innovation or work around it to do what they originally wanted to do again - think firewalls and tunneling over port 80...
From the Web
Removing Entropy From PHP Session IDs
August 15, 2010 from: Rsnake's blog at ha.ckers.org
There are a ton of sites these days that use load-balancers in front of them. There are a few ways they can be installed - completely transparent or acting more like a proxy. The proxy is the more common setup but it has one pretty huge negative side-effect: all the IP addresses come to the server as just one - the internal IP of the load balancer.
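The side-effect described above, that every request arrives from the load balancer's own address, means anything the server derives from the client address (the post's title points at PHP's session ID generation) sees the same value for everybody. The usual repair is to read the client address from X-Forwarded-For, but that header is written by whoever connects, so it must only be honoured when the TCP peer really is the load balancer. As an added example, not code from the post, here is that logic; the trusted proxy range and the request records are assumptions/constructed.

```python
"""Added example: recover the client address behind a proxying load balancer
without trusting a forgeable header. Trusted range and records are assumed."""
import ipaddress

# Assumption: the load balancer's internal addresses. Anything else is untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr_text):
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the client address as a string.
    If the TCP peer is not one of our proxies the header is attacker-supplied
    and ignored. Otherwise walk X-Forwarded-For right to left, skip our own
    proxies, and stop at the first address that is not ours: that is the hop
    our infrastructure actually saw. Anything further left was written by the
    client and can say whatever the client wants."""
    if not _is_trusted(remote_addr) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # garbage in the header: fall back, do not guess
    return remote_addr  # every hop was one of ours; nothing better is known


# Constructed request records as the web server sees them behind the proxy:
# (REMOTE_ADDR, X-Forwarded-For). REMOTE_ADDR is the balancer every time.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "198.51.100.9"),
    ("10.0.0.5", "203.0.113.20"),
    ("10.0.0.5", "203.0.113.20, 10.0.0.3"),   # passed through a second balancer
    ("10.0.0.5", "6.6.6.6, 192.0.2.44"),       # client prepended a fake hop
]


def distinct_clients(records, use_header):
    """How many distinct client addresses the server can tell apart: one if it
    uses REMOTE_ADDR alone, several once X-Forwarded-For is honoured safely."""
    if use_header:
        return len({client_ip(r, x) for r, x in records})
    return len({r for r, _ in records})


if __name__ == "__main__":
    print(distinct_clients(SAMPLE_REQUESTS, use_header=False))  # 1
    print(distinct_clients(SAMPLE_REQUESTS, use_header=True))   # 3
```

The right-to-left walk matters: taking the leftmost entry hands the attacker control of the "client address" with a single forged header, which is worse than the original problem if that address then feeds access controls, rate limits or anything that is supposed to be unpredictable.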
From the Web
Petabytes On the Cheap
July 21, 2010 from: Rsnake's blog at ha.ckers.org
It turns out you can create a single chassis that contains around 67 terabytes in it for $7,867. That’s pretty incredible...It almost doesn’t make any cost sense to outsource your storage to the cloud with those cost savings.