"A New York teenager broke into AOL networks and databases containing customer information and infected servers with a malicious program to transfer confidential data to his computer, AOL and the Manhattan District Attorney's Office allege. In a complaint filed in Criminal Court of the City of New York, the DA's office alleges...
Astroglide Website Helps Hackers Insert Rogue Code, Reader Reports
"Just last week BioFilm, the maker of the popular sexual lubricant Astroglide, confirmed that it had failed to properly secure the names and addresses of more than 250,000 individuals who requested free samples which resulted in those files showing up in a Google search for those individuals' names. Now THREAT LEVEL reader...
New Security Features in Internet Explorer 7
"Markellos Diorinos from the IE team at Microsoft introduces the new security features in IE 7 and speaks about extended validation SSL certificates. He also covers the Certification Authority Browser Forum, whose members, apart from Microsoft, also include the Mozilla Foundation, Opera Software and KDE." Article Link: http://www.net-security.org/article.php?id=1003
What would happen if the robots turned against us?
"A rather silly report commissioned by the Department of Trade and Industry talked about giving robots "human" rights - including the right to vote, to receive income support, the provision of council housing and even robot healthcare. The idea that your vacuum cleaner might be able to sue you for not giving...
The Truth About Open Source Security
"Is it better to run your company's firewall or IDS using an open source tool, or is it better to buy something off the shelf? Let's step through some of the most common arguments used by each side of the open source security debate and see how they do or do not...
Article: The business case for security frameworks
I've written a new article for The Web Application Security Consortium's Guest Article Project. From the paper: "One of the reasons why vulnerabilities are still commonplace is because new generations of developers are making the same mistakes. I don't put the majority of the blame on them because they may not know...
Ad networks tracking users without cookies
I read Jeremiah's post about tracking users without cookies and had a conversation with him about it and how ad services companies could track users when cookies are not available. While the Basic auth method works, it will only work with Firefox, since IE has disabled this ability after years of being...
US State Department gets Pwned with 0day
"A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail that quietly allowed hackers inside the U.S. government's network. In the first public account revealing details about the intrusion and the government's hurried behind-the-scenes response, a senior State Department official described an...
A Software Call To Arms: Where are source control repository security scanning tools?
<rant> We've heard of source code analysis tools and blackbox scanning tools, and they have value in helping secure your application. Unfortunately they have a major downside: they require the discipline of using them. If your developers don't run them, they can still check in vulnerable code to your source code repository....
WASC-Articles: 'The Importance of Application Classification in Secure Application Development'
The Web Application Security Consortium is proud to present 'The Importance of Application Classification in Secure Application Development' by Rohit Sethi. In this article Rohit describes the importance of Application Classification during the secure development process. Article Link: http://www.webappsec.org/projects/articles/041607.shtml
Consumers dump breached retailers, says study
"In the wake of the massive breach of retailer TJX Companies, more than three quarters of consumers say they intend to stop shopping at merchants that suffer data leaks, according to a study conducted by analyst firm Javelin Strategy and Research. The survey of consumers found that 63 percent viewed retailers and...
Scaling back Web browser security expectations
"When Web browsers first emerged as front-end interfaces to Web-based applications, it was in an era where application-layer attacks were few and far between. Today, the browser has become one of the most critical and most used pieces of software on everyone's computer. Consequently, it has become the focus of attack....
WASC Beerfest in Silicon Valley
Jeremiah Grossman sent this out to the web security mailing list today. "Normally we hold WASC Meet-Ups during large conferences (RSA/BlackHat) where a lot of web application security people are at the same place at the same time. Around the S.F. Bay Area there's enough webappsec people that we no longer...
Reflections on people within the application security industry
Anurag Agarwal has been writing up reflections on people within the application security industry. In case you're wondering who is involved from the product, services, and research levels, check out his site.
Reflection on Robert Auger (me)
Reflection on Amit Klein
Reflection on Jeremiah Grossman
Reflection on Sheeraj Shah
Reflection on Ivan...
HDIV (HTTP Data Integrity Validator) 1.1 released
Gorka Vicente ([email protected]) writes "The HDIV project is an Apache-licensed Struts security extension that adds security functionalities to Struts, maintaining the API and Struts specification. This implies that we can use HDIV in applications developed in Struts in a way that is transparent to the programmer and without adding any complexity to...
Whitepaper: Inter-Protocol Exploitation
"In October 2006, this author presented a paper exploring the threat of Inter-Protocol Communication. That is, the possibility of two different applications using two different protocols to meaningfully exchange commands and data. This paper extends that and other research to explore Inter-Protocol Exploitation. These findings demonstrate the practicality of encapsulating exploit code...