Entries Categorized as 'Industry'

Google’s “Web OS”

Date July 8, 2009

News is everywhere about Google’s new desktop operating system.  About the best headline I’ve seen is TechCrunch’s “Google Drops A Nuclear Bomb On Microsoft. And It’s Made of Chrome.”
It’s somewhat good news – having alternate operating systems encourages competition in the marketplace and makes sure companies innovate.  However, I’m very worried about this [...]

The State of Web Application and Data Security [Securosis]

Date June 2, 2009

Great post by Rich at Securosis on where he sees the state of web application and data security at the moment (based on customer contacts).
The first thing I really like about this post is the introduction where Rich outlines the inherent biases he faces as an analyst, and we all face in one way or [...]

L0phtCrack is back!

Date May 27, 2009

After years out in the wilderness (after Symantec acquired @stake, nothing was done with the tool, and even getting a “legitimate” license was practically impossible), L0phtCrack is back.
It looks much prettier than previous versions, and clearly targets enterprise users rather than the “nefarious” uses it can be put to by introducing scheduling, remediation [...]

Largest PCI breach ever (so far)

Date January 22, 2009

This may not be news to everyone, as it was conveniently dropped on inauguration day, when pretty much all news outlets (online, MSM, others) were following that, but it seems we may have a new title holder for the largest breach of payment data so far.
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
The fact that there’s been another breach isn’t all that [...]

Congratulations, here’s your IBM model 60

Date January 22, 2009

I’ve been watching a few posts about the "changes" Obama is going to make as he takes office, and smiling at the culture shock some of his staff are going to face in transitioning into the White House.
First, Obama doesn’t want to give up his BlackBerry – so here’s a little conjecture of what a presidential [...]

Password security

Date January 10, 2009

What with the Twitter hack the other day, password security is pretty hot on the InfoSec blogs and mailing lists.  I wasn’t planning to comment on this, but there have been a few good posts that I want to link to.
In no particular order…
Dictionary attacks 101 – From Coding Horror. Tallying Twitter’s Application [...]

A look at the CA Cert hack

Date January 7, 2009

I may be a little late on this, and not one of the first to post, but having time to watch others comment on the recent hack, where researchers were able to create a rogue, correctly signed CA certificate, really does help get some perspective on the issue(s).
First up, many of the initial posts I [...]

[retraction] Phishing (not CSRF) leads to domain hijacking

Date November 25, 2008

Previously I posted about some accounts being hijacked via a *potential* CSRF hack that was being reported.  In my defense I did say…
Have no idea if this is a "new" CSRF version, some regression that made it vulnerable again, or another vector (rumor is XSS rather than CSRF, but no details yet).

…but Google says it [...]

Automated security testing and its limitations

Date November 24, 2008

A nice post over at ITPro about automated (web) security testing.
Nothing new for the people that follow this field, but interesting that the author sees about a 25-30% positive finding rate, and clearly identifies some of the things that the tools miss.
One of the things he mentions just makes me sad, though:
This is quite annoying [...]

CSRF/XSS in GMail leads to domains being stolen

Date November 24, 2008

News over the weekend points to a new version of a previous exploit against GMail being used to steal users’ domains through registrar transfers.
I actually used this very exploit as an example in my CSRF talk at SDBP, so I know that the original version was fixed.  Have no idea if this is a “new” CSRF [...]