Latest Posts

Not So Smart Grid?

July 14, 2009 Added by:Infosec Island Admin

According to a security researcher, the so-called Smart Grid technology being rolled out across the country as part of the stimulus bill may be vulnerable to numerous attacks. According to the researcher, many of the commands that allow the power company to interact with the smart meters at the user's house (for example) do not require authentication, have no encryption and are ripe fo...

Comments  (3)


From the Web

Hash Information Disclosure Via Collisions - The Hard Way

July 14, 2009 from: Rsnake's blog at ha.ckers.org

Every hashing algorithm has possible collisions once you allow a certain number of chars to be hashed. Let’s say you found out that “bob” and “sam” collided in whatever hashing algorithm. If you created an account on a web server with the password of “bob” and then later typed in the password of “sam” assuming no salts you would be able to get ...

Comments  (0)

PCI Auditor Being Sued for Certifying CardSystems as Compliant

July 13, 2009 Added by:Infosec Island Admin

Savvis is being dragged into court to defend its PCI DSS certification of CardSystems in 2004, which was subsequently responsible for losing a quarter of a million credit card numbers. This is the first of potentially many legal actions against PCI auditors that certified organizations as compliant when they were subsequently breached and responsible for the loss of consumer cred...

Comments  (2)


From the Web

Running JavaScript in Chrome Despite View-Source

July 11, 2009 from: Rsnake's blog at ha.ckers.org

A post from Rsnake over at ha.ckers.org about a Google Chrome browser vulnerability where JavaScript is executed while using the "View Source" function - ouch!

Comments  (0)


From the Web

Shutting Down XSS with Content Security Policy

July 10, 2009 from: Mozilla Security Blog

For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on a new technology called Content Security Policy.

Comments  (0)


From the Web

Measure What Matters - The SEC Essentials

July 10, 2009 from: Mozilla Security Blog

People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record.

Comments  (0)


From the Web

New CSS Grammar Fuzzer

July 10, 2009 from: Mozilla Security Blog

Fuzzers are a tool that we’ve found incredibly valuable in the past, and continue to employ heavily. A fuzzer’s job is to make your application fail by feeding it surprising inputs.

Comments  (0)


From the Web

MD5 Weaknesses Could Lead to Certificate Forgery

July 10, 2009 from: Mozilla Security Blog

Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.

Comments  (0)


From the Web

The Importance of Good Metrics

July 10, 2009 from: Mozilla Security Blog

Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities.

Comments  (1)


From the Web

The Best of Application Security 2009 (Mid-Year)

July 09, 2009 from: Jeremiah Grossman's Blog

Every year the application security industry receives a number of phenomenal research papers and other great contributions. Even for those dedicated to appsec as their primary job function it is challenging to stay up-to-date, which means resources to help track them become extremely valuable. As such Ivan Ristic and I have been working on the "The Bes...

Comments  (1)


From the Web

The Most (Potentially) Lucrative Vulnerabilities

July 09, 2009 from: Jeremiah Grossman's Blog

I think few vulnerability researchers look for them, are unlikely to understand their potential value if found, and probably wouldn’t disclose them anyway. The vast majority of researchers focus on memory corruption issues, browser cross-domain leakage, custom Web application attacks, or flaws in online business logic processes.

Comments  (1)

Google to Build Malware Resistant OS

July 09, 2009 Added by:Infosec Island Admin

According to Google's official Blog, Google plans to extend their Google Chrome browser (considered by most security professionals to be the most insecure browser out there) into a lightweight operating system designed to primarily interact with web-enabled technologies.

Comments  (2)


From the Web

Why vulnerable code should be fixed even after WAF mitigation

July 08, 2009 from: Jeremiah Grossman's Blog

Websites have vulnerabilities, vulnerabilities that are found by vulnerability assessment solutions, which are then communicated to Web Application Firewalls (WAF) for virtual patch mitigation. Given the extremely heightened activity of our adversaries, compliance requirements, volume of existing vulnerabilities, and money/time/human resource constraints this approach is becoming more common every...

Comments  (1)

CWE Top 25 Part 2 of 2

July 08, 2009

This is a PowerPoint presentation given to the Raleigh ISSA Chapter earlier this spring. The NC OWASP chapter was invited to give this presentation. This is part 2 of 2, covering the second 8 errors.

Comments  (4)

CWE TOP 25 Part 1 of 2

July 08, 2009

This is a PowerPoint presentation given to the Raleigh ISSA Chapter earlier this spring. The NC OWASP chapter was invited to give this presentation. This is part 1 of 2, covering the first 9 errors on the list.

Comments  (1)

Federal Web sites knocked out by cyber attack

July 08, 2009 Added by:Infosec Island Admin

According to an article by the Associated Press, and subsequently the Washington Post, several government agencies in the US and South Korea were under attack by roughly 60,000 infected PCs across the globe.

Comments  (0)

Predictable Social Security Numbers

July 07, 2009 Added by:Infosec Island Admin

According to a story published by the Washington Post today, researchers at Carnegie Mellon University have found that your Social Security number could be determined just by knowing when and in what zip code you were born.

Comments  (0)


From the Web

Cross Frame Scripting: Not Necessarily a Web Application Vulnerability

July 06, 2009 from: Writing Secure Software

Cross Frame Scripting (XFS) is a vulnerability that affects web applications that use frames in their web pages. Frames allow web pages to present the web content framed in different sections of the browser window...

Comments  (1)


From the Web

Security Threat Statistics Resources

July 06, 2009 from: Writing Secure Software

Some good links to Threat Statistics.

Comments  (1)


From the Web

Identity Theft and Phishing and How They Affect Financial Institutions

July 06, 2009 from: Writing Secure Software

In the USA, online fraud has overtaken viruses as the greatest source of financial loss. Among online fraud threats, phishing represents a major threat for financial institutions, and according to the Anti-Phishing Working Group, 93.8% of all phishing attacks in 2007 were targeting financial institutions.

Comments  (1)