Entries Categorized as 'Security'
L0phtCrack is back!
May 27, 2009
After years out in the wilderness (after Symantec acquired @stake, nothing was done with the tool and even getting a “legitimate” license was practically impossible), L0phtCrack is back.
It looks much prettier than previous versions, and clearly targets enterprise users rather than the “nefarious” uses it can be put to by introducing scheduling, remediation [...]
Largest PCI breach ever (so far)
January 22, 2009
This may not be news to all, as conveniently this was dropped on inauguration day when pretty much all news (online, MSM, others) was following that, but it seems we may have a new title holder for possibly the largest breach of payment data thus far.
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
The fact that there’s been another breach isn’t all that [...]
Bluehat Blog Post
January 12, 2009
Just before xmas, the guys that run the Microsoft Bluehat blog asked if I would like to write something for my experiences of bluehat, a particular gripe/rant, or a post to wrap up the year. Well, I’ve already done a post on my thoughts for bluehat 2008, but I always seem to have a bit [...]
Password security
January 10, 2009
What with the Twitter hack the other day, password security is pretty hot on the InfoSec blogs and mailing lists. I wasn’t planning to comment on this, but there have been a few good posts that I want to link to.
In no particular order…
Dictionary attacks 101 – From Coding Horror. Tallying Twitter’s Application [...]
A look at the CA Cert hack
January 7, 2009
I may be a little late on this, and not one of the first to post, but having time to watch others comment on the recent hack where researchers were able to create a rogue, correctly signed CA certificate really does help get some perspective on the issue(s).
First up, many of the initial posts I [...]
Securosis – Building a webapp security program part 3
December 4, 2008
A bit of a lull in posting – I’m noticing a pattern where the number of posts I write is inversely proportional to how much code I’m writing. As I enjoy the problem-solving nature of programming, I spend more and more time doing that when I have a project. In any case, Rich over at [...]
[retraction] Phishing (not CSRF) leads to domain hijacking
November 25, 2008
Previously I posted about some accounts being hijacked via a *potential* CSRF hack that was being reported. In my defense I did say…
Have no idea if this is a "new" CSRF version, some regression that made it vulnerable again, or another vector (rumor is XSS rather than CSRF, but no details yet).
…but Google says it [...]
The futility of black-box testing (in some instances)?
November 25, 2008
Consulting can be a lonely job at times – often we are either on a client site, or working at home (which, don’t get me wrong, has its own benefits) – so having a chat open between all the other people in Foundstone keeps one "connected". Although the beer-signal-to-noise-noise ratio is sometimes low, it’s really [...]
Automated security testing and its limitations
November 24, 2008
A nice post over at ITPro about automated (web) security testing.
Nothing new for the people that follow this field, but interesting that the author sees about a 25-30% positive finding rate, and clearly identifies some of the things that the tools miss.
One of the things he mentions just makes me sad though.
This is quite annoying [...]
CSRF/XSS in GMail leads to domains being stolen
November 24, 2008
News over the weekend points to a new version of a previous exploit against GMail being used to steal users’ domains through registrar transfers.
I actually used this very exploit as an example in my CSRF talk at SDBP, so I know that the original version was fixed. Have no idea if this is a “new” CSRF [...]