From the Web
Some Possible Insights into Geo-Economics of Security
July 21, 2010 from: Rsnake's blog at ha.ckers.org
Buying a certificate to allow for transport security is a good idea if you’re worried about man in the middle attacks. But when you’re in another country where the cost of running your website is a significant investment compared to the United States, suddenly the fees associated with the risks are totally lopsided...
Flash Camera and Mic Remember Function and XSS
July 19, 2010 from: Rsnake's blog at ha.ckers.org
Flash’s settings are very often scoped to the domain rather than the app. Although currently allowing Flash access to camera and microphone isn’t all that common, if it ever did become common using XSS would be a pretty interesting tactic...
Full-Disclosure, Our Turn
July 06, 2010 from: Jeremiah Grossman's Blog
Vulnerabilities in websites happen, especially the ever pervasive Cross-Site Scripting (XSS). Essentially every major website has had to deal with XSS vulnerabilities published publicly or otherwise. This also includes security companies. No one is perfect, no website has proven immune, ours included. As experts in Web application security and specifically XSS, yesterday even we took our turn. W...
Gmail Introduces Suspicious Activity Warning
July 05, 2010 from: Saumil's Infosec Blog
Recently, my Gmail account was hacked by some botnet which sent out e-mails to all my contacts asking them to check out a website. I only realized this when I checked my Gmail "Sent Mail" folder and had to immediately send a warning message to all my contacts telling them that my account was hacked and not to click on any links from my previous mails.
Using DNS to Find High Value Targets
June 16, 2010 from: Rsnake's blog at ha.ckers.org
With the impending release of Fierce 2.0 I thought I’d spend a minute talking about finding high value targets. I was working with a company in a specific vertical when I realized they use a very large single back end provider (essentially a cloud-based SaaS). But they aren’t the only large company using that SaaS - there are many hundreds of other companies using them as well.
CSRF Isn’t A Big Deal - Duh!
April 14, 2010 from: Rsnake's blog at ha.ckers.org
Did you hear the news? CSRF isn’t a big deal. I just got the memo too! There were a few posts pointing me to an article on the fact that CSRF isn’t that big of a deal. Fear not, I am here to lay the smack down on this foolishness. To be fair, I have no idea who this guy is, and maybe he’s great at other forms of hacking - web applications just don’t happen to be his strong ...
Mozilla Plans Fix for CSS History Hack
March 31, 2010 from: Rsnake's blog at ha.ckers.org
The CSS history hack is soon going to close. If you look at the original Bugzilla thread this is something that Mozilla had marked as a P1 bug since 2002. You heard me right, this P1 bug has been open for 8 years. And here we are, on the cusp of an actual fix.
Effectiveness of User Training… and Security Products in General
March 17, 2010 from: Rsnake's blog at ha.ckers.org
It’s not every day I come across real wisdom in research but I saw a link yesterday to So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users which is a research paper written by one of the guys at Microsoft. There are some amazingly choice quotes in there, like
Using Parameter Pollution and Clickjacking to Aid Anti-CSRF Bypass
March 11, 2010 from: Rsnake's blog at ha.ckers.org
It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there. Mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST) to create a conditi...
Even Einstein Can’t Track Google’s “Script Kiddie” Hackers
March 09, 2010 from: AEON Security Blog
News surrounding the attacks at Google and other companies is a dime a dozen and, while we have not seen any evidence publicly disclosed, we too can speculate along with everyone else. My first thoughts surrounding the news of the attack led me to believe that the compromise may have been an inside job.
Fiserv to Banks: Stay on Outdated Adobe Reader
March 08, 2010 from: Office of Inadequate Security
Brian Krebs reveals that Fiserv, a “Fortune 500 company that provides bank transaction processing services and software to more than 16,000 clients worldwide,” is urging customers not to use the most updated version of Adobe Reader.
Banks, Businesses, Viruses and the UCC
February 24, 2010 from: Rsnake's blog at ha.ckers.org
There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account.
Thousands of Twitter user accounts compromised
February 23, 2010 from: Saumil's Infosec Blog
IT security firm Sophos has warned Twitter users about a new attack that has led to thousands of accounts being compromised by hackers using a Web 2.0 botnet. The hijacked accounts are later used to spread money-making spam campaigns.
Nevermind, I Was Wrong, Google Is Evil
February 15, 2010 from: Rsnake's blog at ha.ckers.org
I [RSnake] have been waiting a while to do this post - several weeks actually since my original post. In that post, I applauded Google’s apparent interest in reigning censorship as “the first really truly non-evil thing I have seen Google do in years”. Since then, I thought it appropriate to give them some time to sift through the nuances of their blog post - you know, to give t...
Phishing With Google Wave
February 10, 2010 from: Rsnake's blog at ha.ckers.org
...a good article on how to phish Google Wave users using malicious gadgets. This is precisely what Tom Stracener and I were talking about in our presentation at DefCon and Blackhat a few years back - except this is for Wave instead of iGoogle. Either way the point is the same - when you let other people control content that is embedded in your site, you are at the mercy of whatever they chose to ...
Fixing security holes without introducing new bugs
February 10, 2010 from: Mozilla Security Blog
When fixing any bug, there is a risk of introducing new bugs, which we call regressions. Regressions caused by security fixes can be especially problematic because shipping a buggy security update can erode user trust for future updates.