"The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security. Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that...
Browser Security: I Want A Website Active Content Policy File Standard!
UPDATE Before reading any further, I want to preface this by saying that the purpose of this post is to begin a discussion on the ways a website can communicate with a browser to instruct it what its behavior should be on that site. The example below is a "sample implementation" and isn't...
IIS7 short Security Guide by Chris Weber
Chris Weber has a great write-up of the new security changes in IIS7. Here are a few of the article's section highlights:
* Integrated request processing pipeline and WCF
* ASP.NET Integration
* Request filtering (replaces URLScan)
* IIS7 URL Authorization
He even has a nice checklist at the bottom. Guide Link: http://chrisweber.wordpress.com/2007/09/19/iis7-security-guide-for-application-reviews/
Appsec 2007 Event pictures
The WASC/OWASP event went very well, as over 250 people showed up. Below are some pictures of the event taken by a few of the attendees, including Anurag, a WASC officer. I will add more pictures as they become available, including news stories covering the event. Anurag Picture Link: http://myappsecurity.blogspot.com/2007/11/appsec-2007-pictures-of-breach-party.html Wayne Picture Link:...
Loophole in Windows Random Number Generator
"The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution...
Nikto 2 released
Sullo writes "Nikto is an open source (GPL) web server scanner which performs tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Version 2 adds a ton of enhancements, including: - Fingerprinting web...
WabiSabiLabi founder arrested, in custody of Italian authorities
"Italian authorities are holding the founder of WabiSabiLabi, an eBay-like online marketplace for buying and selling zero-day vulnerabilities. However, the arrest of Roberto Preatoni, reportedly on charges related to a well publicized Italian spying scandal, has not affected the organization's day-to-day operations, according to a statement released by the Switzerland-based group. WabiSabiLabi...
Hacked grades = 20 years in jail?
"It's the stuff of movies such as War Games but two California men accused of hacking into a University database system to change their grades face up to 20 years imprisonment. John Escalera, 29, and Gustavo Razo, 28, are charged (PDF) with conspiring together to increase their marks by manipulating California State...
WASC meetup on Nov 8
WASC is having a meetup in Silicon Valley, in Cupertino, California. If you're interested in attending, visit the meetup link below and RSVP. These meetings are a good way to find out what WASC (The Web Application Security Consortium) is all about, chat with fellow security people, and drink beer. Meetup Link:...