Web App Security
From the Web
Security Religions and Risk Windows
August 09, 2009 from: Jeremiah Grossman's Blog
Information security threats are way up, fraud losses continue to rise, regulatory fines are increasingly common, and budget dollars to solve the myriad of problems are in short supply. Hampered by a sluggish economy, organizations simply cannot afford to hire all the talent they need, implement every best-practice, or buy every blinking light widget out there. Sacrifices are unavoidable, risk mus...
From the Web
SMBEnum
August 09, 2009 from: Rsnake's blog at ha.ckers.org
Notes from Robert "Rsnake" Hansen about a talk given at DefCon last week regarding how Internet Explorer can be used to enumerate local system files.
From the Web
Mozilla shuts Firefox e-store after security breach
August 05, 2009 from: Office of Inadequate Security
Mozilla shuttered its online store late Tuesday after finding out that the firm it hired to run the backend operations of the company’s e-tailing business had suffered a security breach.
From the Web
Employees sacked for ID card data breach
August 04, 2009 from: Office of Inadequate Security
The database in question holds data on 92 million people in the U.K. About 200,000 people have access to it. If they cannot adequately secure the database from misuse by employees, well… Nine local authority workers have been sacked after illegally accessing personal details of the public held on the government’s national identity database.
OWASP Testing Guide Version 3
August 03, 2009
This is an excellent resource on the process of testing web applications for security vulnerabilities and general insecurities. It is by no means exhaustive, nor perfect for every environment, but it is a valuable read for anyone who manages or tests web applications.
Adobe Releases Critical Patches for Flash Player
July 31, 2009 Added by: Michael Menefee
Today, Adobe released version 10.0.32.18 of their Flash Player software. This new version fixes multiple critical vulnerabilities, many of which Adobe has not been forthcoming about.
From the Web
URL bar spoofing vulnerability
July 28, 2009 from: Mozilla Security Blog
Firefox - The URL in the address bar can be spoofed when a new window or tab is opened by a malicious web page.
From the Web
Locking up the valuables: Opt-in security with ForceTLS
July 28, 2009 from: Mozilla Security Blog
Computers are increasingly mobile and, to serve them, more and more public spaces (cafes, airports, libraries, etc.) offer their customers WiFi access. When a web browser on such a network requests a resource, it is implicitly trusting the hotspot not to interfere with the communication. A malicious computer hooked up to the network could alter the traffic, however, and this can have some un...
From the Web
Leahy reintroduces data breach bill
July 23, 2009 from: Office of Inadequate Security
Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers’ personal information.
From the Web
Report: Shortage of cyber experts may hinder govt
July 22, 2009 from: hackyourself.net
Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.
From the Web
wget DNS-rebinding and Weak Intranet Port Scanning
July 21, 2009 from: Rsnake's blog at ha.ckers.org
Although this is a technical document, it makes some interesting points about browser technology in general (and about Linux's "wget" command) and about DNS rebinding protection methods; it is an interesting read for the more savvy webappsec readers.
From the Web
Firefox crash not exploitable (CVE-2009-2479)
July 19, 2009 from: Mozilla Security Blog
In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no ex...
From the Web
Measure What Matters – The SEC Essentials
July 14, 2009 from: Mozilla Security Blog
People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record. That’s great news; not only does it help inform users, but it also lets browser authors know where they stand, and w...
From the Web
Critical JavaScript vulnerability in Firefox 3.5
July 14, 2009 from: Mozilla Security Blog
A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.
From the Web
Hash Information Disclosure Via Collisions - The Hard Way
July 14, 2009 from: Rsnake's blog at ha.ckers.org
Every hashing algorithm has possible collisions once you allow a certain number of chars to be hashed. Let’s say you found out that “bob” and “sam” collided in whatever hashing algorithm. If you created an account on a web server with the password of “bob” and then later typed in the password of “sam” assuming no salts you would be able to get ...
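The "bob"/"sam" scenario from that excerpt, played out in code as an added example (this is not code from Rsnake's post or from ha.ckers.org). It uses a deliberately weak 16-bit digest, here called toy_hash, as a stand-in for "whatever hashing algorithm" so that a colliding string can be found by brute force in well under a second, then shows that an unsalted store accepts the colliding string as the password while a per-user salt makes that particular collision useless. The store and function names are assumptions for illustration only.

```python
# Added example (not from Rsnake's post): a toy password store showing why an
# unsalted hash turns any collision into a working alternate password, and why
# a per-user salt breaks that collision. toy_hash is intentionally weak (16 bits)
# so the collision search finishes quickly; the class/function names are
# illustrative assumptions, not any real library's API.
import hashlib
import itertools
import os
import string
from typing import Dict, Optional, Tuple


def toy_hash(data: bytes) -> bytes:
    """SHA-256 truncated to 16 bits: cryptographically worthless, collision-rich."""
    return hashlib.sha256(data).digest()[:2]


def find_collision(target: bytes, exclude: bytes) -> Optional[bytes]:
    """Brute-force a lowercase string, different from `exclude`, with toy_hash == target.
    With a 16-bit digest this takes roughly 65k attempts on average."""
    for n in range(1, 6):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            cand = "".join(chars).encode()
            if cand != exclude and toy_hash(cand) == target:
                return cand
    return None


class UnsaltedStore:
    """Stores H(password). Any string that collides with the password logs in."""

    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}

    def register(self, user: str, password: bytes) -> None:
        self.users[user] = toy_hash(password)

    def login(self, user: str, password: bytes) -> bool:
        return self.users.get(user) == toy_hash(password)


class SaltedStore:
    """Stores (salt, H(salt || password)). A collision found for H(password)
    says nothing about H(salt || password), so the attacker must start over
    against each user's salt."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: bytes) -> None:
        salt = os.urandom(8)
        self.users[user] = (salt, toy_hash(salt + password))

    def login(self, user: str, password: bytes) -> bool:
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return toy_hash(salt + password) == stored


def demo(real_password: bytes = b"bob") -> Dict[str, bool]:
    """Register the real password, then try to log in with a colliding string."""
    alt = find_collision(toy_hash(real_password), real_password)  # the post's "sam"
    assert alt is not None

    unsalted = UnsaltedStore()
    unsalted.register("alice", real_password)
    salted = SaltedStore()
    salted.register("alice", real_password)

    return {
        "strings_collide": toy_hash(alt) == toy_hash(real_password),  # True
        "unsalted_accepts_alt": unsalted.login("alice", alt),         # True: attacker is in
        "salted_accepts_real": salted.login("alice", real_password),  # True
        # False unless H(salt || alt) happens to collide too (1 in 65536 with this digest)
        "salted_accepts_alt": salted.login("alice", alt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it as a script to see the four outcomes. The salt does not make the underlying hash any stronger; it only ensures that a collision (or a precomputed table) built against H(password) cannot be reused against H(salt || password), so the attacker pays the search cost again per user. A real password store would additionally use a slow, memory-hard KDF rather than a plain digest.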
From the Web
Running JavaScript in Chrome Despite View-Source
July 11, 2009 from: Rsnake's blog at ha.ckers.org
A post from Rsnake over at ha.ckers.org about a Google Chrome browser vulnerability where javascript is executed while using the "Browse Source" function - ouch!