Today's the day! PCI DSS section 6.6 is required

"Today, June 30, marks the start of new revisions on the PCI DSS specs. Section 6.6 is now required; specifically, companies that deal with credit or debit cards online must use an application layer firewall or have a complete website audit code review to remain PCI compliant. With all the stolen and...

OFF Topic: A farewell to Bill gates

Today marks Bill Gates' last day working in technology at Microsoft. To celebrate this day I've created this tribute to Bill from different moments in his life. Bill Gates age 13 with Paul Allen; Bill with the Microsoft Jr. Mafia; Bill likes to drive way too fast; Bill enjoying some pie; Bill...

Tools: Microsoft Announces Three Tools to help prevent SQL Injection

"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits....

Ruby creators warn of serious flaws

"The Ruby programming language, which has become popular as the basis for web 2.0 sites such as Twitter, contains serious security flaws that could allow attackers to take over an organization's web server, according to the Ruby development team. The "disturbing" flaws, which were disclosed on Friday, could affect nearly any typical...

Securityfocus interview with Mozilla security team

"Mozilla released its latest browser, Firefox 3.0, this week. SecurityFocus contributor Federico Biancuzzi tracked down two key members of Mozilla's security team, Window Snyder and Johnathan Nightingale, to learn more about the security features included in this major release. They discussed the protection against phishing and the new malware protection, the new...

My current stance on Web Application Firewalls

Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points; however, one in particular I'm going to have to disagree with, and that relates to using Web application firewalls. For many years I've been anti-Web application firewall and as a...

JavaScript Code Flow Manipulation, and a real world example advisory - Adobe Flex 3 Dom-Based XSS

"We recently researched an interesting DOM-based XSS vulnerability in Adobe Flex 3 applications that exploits a scenario in which two frames (parent & son) interact with each other, without properly validating their execution environment. In our research, we have seen that in some cases, it is possible to manipulate JavaScript code flow,...

Paper: The Extended HTML Form attack revisited

"HTML forms (i.e. <form>) are one of the features in HTTP that allows users to send data to HTTP servers. An often overlooked feature is that due to the nature of HTTP, the web browser has no way of identifying between an HTTP server and one that is not an HTTP server....

Firefox3 Released

Firefox3 has been released. This release improves memory management, speed, and has introduced a number of new security features. Download Link: http://www.firefox.com

Tools: Peach 2.1 Fuzzing Framework BETA3 Released

From the 'Millions of peaches, peaches for me. Millions of peaches, peaches for free' department. The following was posted to the Full Disclosure mailing list. "Peach 2.1 BETA3 has been released! This new beta includes a lot of changes and makes Peach feature complete for the 2.1 release coming in the...

Payment Card Industry (PCI) Mandate Stresses Importance of Web Application Security: Recommended Becomes Required

"On June 30, another refresh of the Payment Card Industry (PCI) Data Security Standards (PCI DSS) will upgrade Web application security testing from a best practice to a mandatory practice. The deadline forces merchants and vendors to take a closer look at application-layer security and emphasizes its importance in fighting increasing online...

Microsoft Patch Tuesday: Microsoft releases four critical patches

"Microsoft has issued seven patches addressing 10 vulnerabilities, including four rated 'critical' as part of this month's patching cycle. The critical patches apply to its Windows operating system (OS), Internet Explorer (IE) and, unusually, a Bluetooth component. The Bluetooth patch, MS09-030, targets a third-party ActiveX control that comes bundled with Logitech hardware,...

Elevator pitch for explaining security risks to executives

Lenny Zeltser has posted an entry on SANS on how to pitch security risks to upper management. "How to catch the attention of a busy executive, to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an...

Article: Quick tips for Web application security

"A traditional firewall is commonly employed to restrict Web site access to Ports 80 and 443, used for HTTP and Secure Sockets Layer communications, respectively. However, such a device does very little to deter attacks that come over these connections. URL query string manipulations including SQL injection, modification of cookie values, tampering...

ARP Spoofing leads to hijacking of metasploit website

Normally I don't post news about specific website issues; however, this was a great example of why you need to protect your webserver from local network threats as well as remote ones. "Monday morning, Metasploit.com was temporarily hijacked using an attack on the local area network of Metasploit's hosting provider. Using what is...