Latest Posts


From the Web

Too much personal data released

July 24, 2009 from: Office of Inadequate Security

Personal information of almost 900 people was given to a public-housing resident [in Virginia] who requested a list of those who had been banned from Hampton Redevelopment and Housing Authority property.

Comments  (0)


From the Web

Leahy reintroduces data breach bill

July 23, 2009 from: Office of Inadequate Security

Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers’ personal information.

Comments  (0)


From the Web

Heartland breach felt in Bermuda

July 23, 2009 from: Office of Inadequate Security

Hundreds of Bermudians may have been the victims of credit card fraud stemming from a US security breach in January.

Comments  (1)


From the Web

Report: Shortage of cyber experts may hinder govt

July 22, 2009 from: hackyourself.net

Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.

Comments  (2)


From the Web

wget DNS-rebinding and Weak Intranet Port Scanning

July 21, 2009 from: Rsnake's blog at ha.ckers.org

Albeit a technical document, with some interesting points on browser technology in general (Linux's "wget" command) and DNS re-binding protection methods, this is an interesting read for the more savvy webappsec guys.

Comments  (1)


From the Web

Firefox crash not exploitable (CVE-2009-2479)

July 19, 2009 from: Mozilla Security Blog

In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no ex...

Comments  (1)


From the Web

Measure What Matters – The SEC Essentials

July 14, 2009 from: Mozilla Security Blog

People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record. That’s great news; not only does it help inform users, but it also lets browser authors know where they stand, and w...

Comments  (0)


From the Web

July 2009 Critical Patch Update Released

July 14, 2009 from: The Oracle Global Product Security Blog

This Critical Patch Update includes 10 additional fixes for Oracle Database Server. Three of these 10 vulnerabilities are remotely exploitable without authentication. None of these vulnerabilities affect client-only deployments.

Comments  (0)


From the Web

Critical JavaScript vulnerability in Firefox 3.5

July 14, 2009 from: Mozilla Security Blog

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Comments  (1)


Not So Smart Grid?

July 14, 2009 Added by: Infosec Island Admin

According to a security researcher, the so-called Smart Grid technology being rolled out across the country as part of the stimulus bill may be vulnerable to numerous attacks. According to the researcher, many of the commands that allow the power company to interact with the smart meters at the user's house (for example) do not require authentication, have no encryption and are ripe fo...

Comments  (3)


From the Web

Hash Information Disclosure Via Collisions - The Hard Way

July 14, 2009 from: Rsnake's blog at ha.ckers.org

Every hashing algorithm has possible collisions once you allow a certain number of chars to be hashed. Let’s say you found out that “bob” and “sam” collided in whatever hashing algorithm. If you created an account on a web server with the password of “bob” and then later typed in the password of “sam” assuming no salts you would be able to get ...

Comments  (0)


PCI Auditor Being Sued for Certifying CardSystems as Compliant

July 13, 2009 Added by: Infosec Island Admin

Savvis is being dragged into court to defend their PCI DSS certification of CardSystems in 2004, which was subsequently responsible for losing a quarter of a million credit card numbers. This is the first of potentially many legal actions against PCI auditors that certified organizations as compliant, when they were subsequently breached and responsible for the loss of consumer cred...

Comments  (2)


From the Web

Running JavaScript in Chrome Despite View-Source

July 11, 2009 from: Rsnake's blog at ha.ckers.org

A post from Rsnake over at ha.ckers.org about a Google Chrome browser vulnerability where JavaScript is executed while using the "Browse Source" function - ouch!

Comments  (0)


From the Web

Shutting Down XSS with Content Security Policy

July 10, 2009 from: Mozilla Security Blog

For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on a new technology called Content Security Policy.

Comments  (0)


From the Web

Measure What Matters - The SEC Essentials

July 10, 2009 from: Mozilla Security Blog

People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record.

Comments  (0)


From the Web

New CSS Grammar Fuzzer

July 10, 2009 from: Mozilla Security Blog

Fuzzers are a tool that we’ve found incredibly valuable in the past, and continue to employ heavily. A fuzzer’s job is to make your application fail by feeding it surprising inputs.

Comments  (0)


From the Web

MD5 Weaknesses Could Lead to Certificate Forgery

July 10, 2009 from: Mozilla Security Blog

Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.

Comments  (0)


From the Web

The Importance of Good Metrics

July 10, 2009 from: Mozilla Security Blog

Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities.

Comments  (1)


From the Web

The Best of Application Security 2009 (Mid-Year)

July 09, 2009 from: Jeremiah Grossman's Blog

Every year the application security industry receives a number of phenomenal research papers and other great contributions. Even for those dedicated to appsec as their primary job function it is challenging to stay up-to-date, which means resources to help track them become extremely valuable. As such Ivan Ristic and I have been working on the "The Bes...

Comments  (1)


From the Web

The Most (Potentially) Lucrative Vulnerabilities

July 09, 2009 from: Jeremiah Grossman's Blog

I think few vulnerability researchers look for them, are unlikely to understand their potential value if found, and probably wouldn’t disclose them anyway. The vast majority of researchers focus on memory corruption issues, browser cross-domain leakage, custom Web application attacks, or flaws in online business logic processes

Comments  (1)