Latest Posts

From the Web
HTTP Cache Poisoning and Host Header Injection
June 01, 2009 from: hackyourself.net
A recent post came through the WASC mailing list today from Carlos Bueno regarding this topic. The basic gist is in the impact of utilizing the browser-supplied Host headers as a means for link consistency in programming your web code
Comments (1)
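As an added illustration of the pattern this excerpt describes (example code written for this listing, not code from the hackyourself.net post or from Carlos Bueno's mailing-list message): a password-reset link built from the browser-supplied Host header, a toy path-keyed cache standing in for a proxy that does not include Host in its cache key, and a hardened builder that only emits hostnames from a server-side allowlist. The hostnames, path and token value are constructed for the example.

```python
# Added example: why building links from the request's Host header is a
# cache-poisoning risk, and the allowlist check that removes it.
# All hostnames and values below are constructed for the example.

ALLOWED_HOSTS = {"www.example.com", "example.com"}   # assumed canonical hosts
CANONICAL_HOST = "www.example.com"


def reset_link_vulnerable(headers, token):
    """Trust whatever Host the client sent.

    If the response is cached by a proxy that keys only on the path, the
    first requester's Host value ends up in the link every later user sees.
    """
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?token={token}"


def reset_link_hardened(headers, token):
    """Only ever emit a link for a host the application knows about.

    A Host value outside the allowlist is rejected rather than echoed,
    so nothing attacker-controlled can reach the cache.
    """
    host = headers.get("Host", "")
    hostname = host.split(":", 1)[0].lower()   # drop an optional :port
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{hostname}/reset?token={token}"


class PathKeyedCache:
    """Toy response cache keyed only on the request path, modelling a
    proxy that ignores Host when deciding whether two requests match."""

    def __init__(self):
        self.store = {}

    def get_or_build(self, path, builder):
        if path not in self.store:
            self.store[path] = builder()
        return self.store[path]


def poisoning_scenario(link_builder):
    """Attacker requests /reset first with a forged Host; a victim requests
    the same path next. Returns the link the victim is served."""
    cache = PathKeyedCache()
    attacker = {"Host": "attacker.example"}
    victim = {"Host": CANONICAL_HOST}
    try:
        cache.get_or_build("/reset", lambda: link_builder(attacker, "abc"))
    except ValueError:
        pass   # hardened builder refused the forged host; nothing was cached
    return cache.get_or_build("/reset", lambda: link_builder(victim, "abc"))


if __name__ == "__main__":
    print("vulnerable:", poisoning_scenario(reset_link_vulnerable))
    print("hardened:  ", poisoning_scenario(reset_link_hardened))
```

The allowlist check belongs wherever the application derives a URL, not only on reset links; any absolute link, redirect target or canonical tag built from Host has the same exposure.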

From the Web
Hacking Citrix (this again?)
June 01, 2009 from: hackyourself.net
An article from the www.hackyourself.net blog describing some techniques and methods of hacking legacy Citrix applications. Much of this was before the advent of the new MetaframeXP, but some of it is still applicable when dealing with Published Applications
Comments (1)

From the Web
Top 5 SQL Injection Tools
June 01, 2009 from: hackyourself.net
This is a list of the Top 5 FREE SQL Injection tools currently available. Although there is already a list of the Top 15 Free SQL Injection Scanners, not all of them deserve the honors of the best general-purpose tools.
Comments (1)

From the Web
Using XSS to Launch a SQL Injection Attack
June 01, 2009 from: hackyourself.net
Several weeks ago I stumbled on a client’s e-commerce site that had (what appeared to be) a non-vulnerable SQL Injection pathway on a search form. I used the standard calls to determine if it was vulnerable, determined (or so I thought) that it wasn’t and moved on to test for XSS.
Comments (1)

From the Web
OSI Model’s Relevance to Web App Security
June 01, 2009 from: hackyourself.net
One of the things that I constantly run into is that of security engineers trying to thwart web application attacks with network security equipment (such as IDS/IPS, AV signatures, etc). A recent example regarded a SQL Injection attack on a web server. This particular entity has a very healthy multi-vendor network security perimeter, and felt that the gear in place was sufficient to both catch...
Comments (8)
Heartland Regains PCI Compliant Status
May 03, 2009 Added by: Anthony M. Freed
Heartland’s removal from the list of compliant payment processors had followed revelations that the company had suffered what may have been the largest data breach of payment card information to date, although details of the incident have not been made available due to ongoing investigations...
Comments (5)
Payment Card Industry Swallows Its Own Tail
April 01, 2009 Added by: Anthony M. Freed
The greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers, but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve...
Comments (2)

From the Web
OWASP Releases World’s First Security Code Review Guide for Free
March 31, 2009 from: Writing Secure Software
The OWASP Foundation, March 30, 2009 – The Open Web Application Security Project (OWASP) today announced the official release of the free OWASP Security Code Review Guide v1.1. The Code Review Guide provides details on how to review code for all sorts of application vulnerabilities. Together with the OWASP Security Developer Guide and OWASP Security Testing Guide, OWASP has created a powerfu...
Comments (1)
Visa Puts Heartland on Probation Over Breach
March 13, 2009 Added by: Anthony M. Freed
HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system...
Comments (1)
Marine One Breach Has Winners and Losers
March 01, 2009 Added by: Anthony M. Freed
Billions of dollars are spent on security every year, and it can be trumped by one lapse in judgment. That is a tremendous amount of resources committed to security just to have it undermined by the whim of one individual, and it underscores the precariousness of secure systems...
Comments (2)
Heartland CEO Now Under SEC Investigation
February 26, 2009 Added by: Anthony M. Freed
The investigation may relate to stock trades made by Heartland CEO Robert Carr after Visa notified Heartland of suspicious activity on Oct. 28, 2008. According to insider trade filings, Carr sold just under US$8 million worth of stock between Oct. 29 and the day the breach was disclosed...
Comments (2)
Heartland Update: Reps Respond to Questions
February 01, 2009 Added by: Anthony M. Freed
Heartland first learned of a potential problem from the card associations on October 28th of last year, well after the announcement of this 10b5-1 plan. Heartland categorically denies that Mr. Carr was aware of a potential security breach at the time he adopted his trading plan...
Comments (2)
Heartland Breach Bad As Tylenol Poisonings?
January 25, 2009 Added by: Anthony M. Freed
The company issued statements Friday (1/23) in an effort at damage control in which the CEO compares the potential industry-wide impact of the breach to none other than that of the Tylenol poisonings of some twenty-five years ago that nearly brought down the drug maker...
Comments (7)
U.S. Banks Vulnerable to Sabotage
December 19, 2008 Added by: Anthony M. Freed
Democratic U.S. Rep. James Langevin of Rhode Island, who chairs the homeland security subcommittee on cybersecurity, said: “We’re way behind where we need to be now.” Dire consequences of a successful attack could include failure of banking or national electrical systems, he said...