Vulnerabilities


From the Web

Mod_Security and Slowloris

December 10, 2010 from: Rsnake's blog at ha.ckers.org

After all the press around Wong Onn Chee and Tom Brennan’s version of a HTTP DoS attack, I think people started taking HTTP DoS a tad more seriously. Yes, there are lots of variants of HTTP-based DoS attacks, and I’m sure more tools will surface over time. The really interesting part is how both Apache and IIS have disagreed that it is their problem to fix. So we are left to fend for ourselves. ...

From the Web

Cheating Part 2

December 07, 2010 from: Rsnake's blog at ha.ckers.org

It would have been fun to create a contest to see which strategies are the most effective in a bot on bot scenario. Is an all defensive strategy better, or an all offensive (always opportunistically taking the highest value word)? Or maybe a hybrid of both where you play defensively at some points or offensively when you know it’s better in the long run.

From the Web

Cheating Part 1

December 01, 2010 from: Rsnake's blog at ha.ckers.org

I just thought I’d write a few vaguely amusing posts having just come back from Abu Dhabi (Blackhat) and Brazil (OWASP). A few weeks back my wife was having a rather fancy soiree work party that also had a casino night attached to it. I was pretty annoyed about the whole work party thing, having rarely had a good time at these things in the past. So immediately I start looking for ways to entert...

From the Web

FireSheep

November 16, 2010 from: Rsnake's blog at ha.ckers.org

I [Rsnake] go back and forth on whether I think FireSheep is interesting or not. Clearly, it’s old technology re-hashed. But it is interesting not because it works, but that it surprises people that it works. We’ve been talking about these problems forever, and now companies are scrambling to protect themselves. I guess the threat isn’t real until every newbie on earth has access to the hack...

From the Web

Website Security Statistics Report (2010) - Industry Benchmarks

November 08, 2010 from: Jeremiah Grossman's Blog

"How are we doing?" That's the question on the mind of many executives and security practitioners whether they have recently implemented an application security program, or already have a well-established plan in place. The executives within those organizations want to know if the resources they have invested in source code reviews, threat modeling, developer training, security tools, etc. are mak...

From the Web

Cooling Down the Firesheep

November 06, 2010 from: Mozilla Security Blog

There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alo...

From the Web

Least Common Denominator

October 23, 2010 from: Rsnake's blog at ha.ckers.org

While at Bluehat Jeremiah got a question from someone (I believe he worked at Opera) saying that even something as simple as turning off third party cookies will break things like Yandex. Jer had an amusing response which was, “What’s that?” followed by, “So you’re telling me I need to be less secure because someone else wants to go to a site that I’ve never heard of?”

From the Web

Performance Primitives

October 21, 2010 from: Rsnake's blog at ha.ckers.org

Intel, Mozilla and Adobe. How are these companies related, you may ask? Well, all of them care about performance. A year or so ago I was hanging out with the Intel guys and they informed me that they have a series of low-level performance primitives that they surface through APIs. At the time I wasn't quite sure what to make of it.

From the Web

Odds, Disclosure, Etc…

September 18, 2010 from: Rsnake's blog at ha.ckers.org

I went to Data Loss DB the other day and I noticed an interesting downward trend over the last two years. It could be due to a lot of things. Maybe people are losing their laptops less or maybe hackers have decided to slow down all that hacking they were doing. No, I suspect it’s because in the dawn of social networking and collective thinking, companies fear disclosure more than ever before.

From the Web

Browser Differences, Minutia Et Al…

September 10, 2010 from: Rsnake's blog at ha.ckers.org

Browser security often turns into a religious war amongst technologists, instead of thinking about it pragmatically. What are the real motives of the companies that are developing the browsers? In most cases they care primarily about market share because market share makes them money (through search engine agreements, and so on).

From the Web

The Effect of Snakeoil Security

September 10, 2010 from: Rsnake's blog at ha.ckers.org

Bad security isn’t just bad because it allows you to be exploited. It’s also a long term cost center. But more interestingly, even the most worthless security tools can be proven to “work” if you look at the numbers. Here’s how.

From the Web

Prior Knowledge Of Users Cert Warning Behavior

September 02, 2010 from: Rsnake's blog at ha.ckers.org

One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior and how that can be used against the user. Let’s say a man in the middle causes an error via proxying a well-known owner/subsidiary.

From the Web

The Chilling Effect

August 23, 2010 from: Rsnake's blog at ha.ckers.org

I feel like there are a lot of very talented people who will never get to see their day in the sun and as an unfortunate consequence of this vulnerability market some talentless people will...

From the Web

Hill-Billies: A Case Study

August 18, 2010 from: Rsnake's blog at ha.ckers.org

With every major innovation the security community comes up with, the general public and vendors alike figure out a way to abuse that innovation or work around it to do what they originally wanted to do again - think firewalls and tunneling over port 80...

From the Web

Removing Entropy From PHP Session IDs

August 15, 2010 from: Rsnake's blog at ha.ckers.org

There are a ton of sites these days that use load-balancers in front of them. There are a few ways they can be installed - completely transparent or acting more like a proxy. The proxy is the more common setup, but it has one pretty huge negative side-effect: all the IP addresses come to the server as just one - the internal IP of the load balancer.

From the Web

Petabytes On the Cheap

July 21, 2010 from: Rsnake's blog at ha.ckers.org

It turns out you can create a single chassis that contains around 67 terabytes in it for $7,867. That’s pretty incredible...It almost doesn’t make any cost sense to outsource your storage to the cloud with those cost savings.
