Start in the Middle

Organizations are currently engaged in a push to improve their software security maturity in order to increase the quality of their applications. This applies to software they develop both for internal use and for selling to...

Confessions of a Security Optimist

I used to be a cynic. I wore the black geek t-shirts and firmly believed that the worst would always happen. I used to say things such as "Users are dumb." So what happened?

Have we all become "Patch Crazy?"

I've heard "Oh, I just can't wait until the next Service Pack" all too often from those loyal users who stand by their software no matter what. Most recently, I've heard it from early adopters of OS X Leopard, but it's the battle cry...

When DDoS Attacks Become Personal

Two semi-recent events have hit home for many people and introduced them to the Distributed Denial of Service attack, or DDoS. These events have shaken you to the core if you have children or if you are a baseball fan. The...

Your Kingdom for a Hot Dog: Privacy Concerns in the Elementary School Lunch Line

A new battle in the privacy war has broken out at elementary schools across the country. Schools seeking to speed up cafeteria lines are starting to roll out fingerprint scanners as a method of payment. Is this a brilliant time saver...

Cybercrime surpasses illegal drug trade and we still don't think it's a big deal (updated)

Cybercrime has surpassed the illegal drug trade in revenue generated per year, yet key decision makers for companies, law makers and law enforcers still fail to see the gravity of the situation. For those of us who have "seen the...

Destroy somebody's life for just $20 per month

I was just interviewed by a local news station (Seattle) about a story they were doing on daring hackers that have started advertising their abilities to destroy a person's life for as little as $20 per month. The interviewer wanted...

Does compliance really matter?

Are compliance and auditing nothing more than a money-making scheme, or can they really help secure a company against the constant onslaught of cybercrime attacks that exist day to day?

Back-ups: The weakest link in data security

More and more companies are taking steps to secure their data and protect themselves from the types of breaches that make headlines. They are spending millions locking down networks and applications, but what about the back-ups? What...

Banking in the Dark

Financial institutions are finally wising up to the threat of the phishing attack. Many are rolling out new login schemes which aim to protect the user from falling victim to these attacks, but a recent proof of concept exposes the flaws...

My New Super Power - I See Non-Compliance

The people are starting to rise up against the companies that take their credit cards. Why? Compliance with the PCI DSS. They may never have heard of the document, but they know about the very real threat of identity theft and data...

RFID Insanity

I'm going to scream the next time somebody tells me RFID is going to solve all our security problems! Can somebody please help me understand how a technology originally created to help cattle farmers track their cows around the field...

Live from CanSecWest: Day 2

Day two turned out to be more exciting than day one! HD Moore showed off the new version of his tool Metasploit and its amazing ability to automatically take control over unpatched systems. Mark Russinovich showed off many of the...

Live from CanSecWest: Day 1

I'm at CanSecWest this week, a big software security conference in Vancouver, BC. There are some pretty amazing techniques and technologies being demoed here. This is my take on the excitement of day one.

Crashing the Stock Market with XSS and AJAX

Trusting your Google homepage to "do no evil" may be like trusting the City of New York to keep your personal belongings safe. Untrusted widgets, widgets that give too much power to the AJAX interface, and widgets with Cross Site...

XSS: The Spark to the AJAX Dynamite

Over the next few weeks I will be writing about the terrible vulnerabilities that can occur when Cross Site Scripting is combined with web applications using AJAX. Prepare to be shocked, these are going to get ugly!

Poor server validation: Letting the thief in through the front door

Early tests revealed that the client was identifying (and authenticating) the server with pieces of information that can be easily spoofed, namely a DNS name.

Welcome to Security Renegades!

This blog will serve as a springboard for understanding what hackers can do with unpatched security vulnerabilities and poorly deployed software. We'll talk about who is largely at risk (i.e. organizations using a specific...
