Last 50 'Off Topic' Tagged Posts

Announcing SecTemplates.com release #2: External penetration testing program pack 1.0

In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction I have built out several penetration testing programs, both internally and externally at companies such as eBay, Paypal, and Box to name a few. Before you have the...

A reminder that what you say at events may show up in unexpected places (like the news)

Last week I was fortunate enough to be invited to a Yahoo event discussing bug bounty programs where all the organizers of these bounties were discussing their experiences. I attended this conference because years earlier I was involved in creating PayPal's bug bounty program and wanted to ask a panel of people...

Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google

UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....

CGISecurity.com Turns 10!: A short appsec history of the last decade

Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started...

Attacking Magstripe Gift Cards

Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”,...

Malware installing rogue DHCP server

SANS published an entry about a new piece of malware that installs a rogue DHCP server that specifies a rogue DNS server, presumably for phishing and malware deployment. I wouldn't be surprised if this concept is fairly old but it appears to be the first time a common piece of malware is...

WarVOX 1.0.0 Released

HD Moore sent the following to bugtraq this morning. "WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide...

Wikileaks Accidentally Leaks Its Donor List

"What's Wikileaks, the net's foremost document leaking site, supposed to do when a whistle-blower submits a list of email addresses belonging to the site's confidential donors as a leaked document? That's exactly the conundrum Wikileaks faced this week after someone from the controversial whistle-blowing site sent an emergency fund-raising appeal on Saturday...

Top-10 Vulnerability Discoverers of All Time (as well as 2008)

"Who discovers the most security vulnerabilities? That’s one of the more frequent questions I’ve encountered over the past few years. Funnily enough there’s usually a high correlation between the timing of my being asked and the latest marketing blitzkrieg customers may have encountered (not from IBM of course). It seems that every...

XKCD Security Comic on crypto

A run down of the major security mailing lists

Here's a run down of the main mailing lists that I follow. While most of these are known in the security industry, many people who frequent this site are from various backgrounds and may find this list useful. Bugtraq: "BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and...

Are amateur genetic engineers dangerous?

I came across an interesting article discussing the dangers of amateur genetic engineers. "A group of so-called “bio-hackers” is setting up a community laboratory called DIYbio in Cambridge, MA. They want to provide publicly available lab space to budding amateur bio-engineers that need equipment and experiment space for their projects. The project...

Manipulating Google Flu Trends to perform cyber warfare?

I came across an interesting post at freedom-to-tinker discussing the impacts of Google's flu monitoring program. "My concern today is whether Flu Trends can be manipulated. The system makes inferences from how people search, but people can change their search behavior. What if a person or a small group set out to...

ICANN Terminates EstDomains Registrar Accreditation due to Fraud, Money Laundering Convictions

Gadi Evron posted the following link to the Full Disclosure list this morning which I thought was interesting. Read More: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

Kevin Mitnick Detained in Atlanta for having computer equipment on flight

If you know me you know I don't like Atlanta and have many reasons (which I won't go into here). I have another one to add to this list after reading a story about Kevin Mitnick being detained for having lots of computer equipment with him. "In his luggage, they found a...

Off Topic: The Thirteen Greatest Error Messages of All Time

Slashdot linked to a top 13 list of amusing error messages. Check them out at: http://technologizer.com/2008/09/18/errormessage/

Off Topic: Hackers claim break-in to Palin's e-mail account

While this is off topic for this site I do find it amusing :) "Hackers broke into the Yahoo! e-mail account that Republican vice presidential candidate Sarah Palin used for official business as Alaska's governor, revealing as evidence a few inconsequential personal messages she has received since John McCain selected her as...

DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer

"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers...

Off Topic: A farewell to Bill Gates

Today marks Bill Gates' last day working in technology at Microsoft. To celebrate this day I've created this tribute to Bill from different moments in his life. Bill Gates age 13 with Paul Allen Bill with the Microsoft Jr. Mafia Bill likes to drive way too fast Bill enjoying some pie Bill...

Google bots now submit forms in effort to find new pages

"Google's search bots, which scour the web constantly for new pages, have begun a new, more active phase of their indexing jobs. In a blog post last week, Jayant Madhavan and Alon Halevy of Google's crawling and indexing team said the company has begun an experiment in which its indexing software experimentally...

Movie: Wargames 2 Trailer

"WarGames: The Dead Code stars Matt Lanter as a computer geek named Will Farmer who engages a government super-computer named R.I.P.L.E.Y. and enters in a game of online terrorist-attack simulation (yes, instead of global thermonuclear war from the original movie). But apparently the game is actually part of a sophisticated piece of...

Gopher/Archie gaining popularity due to increase in web based attacks

Due to the increase in devastating vulnerabilities abusing AJAX and Google to hack the web more users are switching to 'safer' alternatives such as Gopher and Archie. Johnny Long was quoted as saying 'My next book on Archie hacking 'Jughead for idiots' will be out in late 2008 and I promise it...

Most Dorky Christmas Card Ever

I got the following Christmas card from IOActive and thought that it was so amusing that I'd post it here (message excluded). Outside Inside

Selling My Security Domain Names

The time has come. I'm selling some security domain names I own because I just don't need them. webappfirewall.com webappfirewall.org webappfirewall.net j2eesecurity.com j2eesecurity.org j2eesecurity.net ajaxsecurity.org ajaxsecurity.net securecoding.net If you're interested either ping via sedo, or via the web form on this site.

Cenzic Patent Case Worries Web Researchers, Vendors

"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...

My experience at blackhat/defcon

Vegas was interesting this year to say the least. For starters I finally got to attend NOT as a vendor which I gotta say was pretty nice. Here are the talks I attended. Intranet Invasion With Anti-DNS Pinning It's All About The Timing Tactical Exploitation (Part 1) Dangling Pointer IsGameOver(), anyone? The...

What would happen if the robots turned against us?

"A rather silly report commissioned by the Department of Trade and Industry talked about giving robots "human" rights - including the right to vote, to receive income support, the provision of council housing and even robot healthcare. The idea that your vacuum cleaner might be able to sue you for not giving...

Man charged after videotaping police

So I've lived in Atlanta for 3.6 years now and miss my old hometown of Nashua NH. A small town of NH with less than 90k residents. That is until I saw the following linked off of slashdot. "NASHUA A city man is charged with violating state wiretap laws by recording a...

ALERT: Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability Discovered

CERT has issued a warning against a new web based threat entitled a "Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability". According to the founder of DShield Johannes Ullrich "If on April 1st you have specific non default settings in Internet Explorer, visit a series of 4 specific websites in order...