SecurityRatty: Zero in a bit

Google Admitting Compromise Good News

2010-01-13 14:41:20 by Chris Wysopal in Zero in a bit

...security testing was performed It is time for organizations to take a hard look at the set of client software they allow on their employees workstations and determine how trustworthy that software is. In most organizations these client systems have unbounded risk and our receiving data from the untrusted internet. If this doesnt change,...

Tags: google, software, software acceptance, attacks, attacks similar, attackers, similar attackers, client software, intellectual property

An Ounce of Prevention is Worth a Pound of Cure

2009-11-20 17:46:02 by Chris Eng in Zero in a bit

...security over the long term A related topic, and one that hits closer to home for me, is how software developers deal with the results of static analysis. Static analysis is often misunderstood, particularly by people who have only dealt with dynamic analysis (fuzzing, web scanning, etc.) or penetration testing in the past. Because static...

Tags: static analysis customers, static analysis, analysis, application server, application, url, url construction, target application, developer

We need to learn more about the RBS Worldpay ATM attack

2009-11-11 13:38:37 by Chris Wysopal in Zero in a bit

The size and scope of the RBS Worldpay ATM heist are unprecedented. The perpetrators stole $9M in a matter of hours from 2100 ATMs worldwide. An indictment was handed down on Nov 10, 2009. I am always on the lookout for indictments and trials related to computer crime because this is often the only time the details of the attackers techniques...

Tags: rbs worldpay, rbs worldpay indictment, indictment, web application vulnerability, attackers, attackers techniques, vulnerability, pin codes, correct pin codes

White box better than black box

2009-10-21 12:47:36 by Chris Wysopal in Zero in a bit

The WASS Project which Veracode contributed data to shows some nice benefits to White box (static) over Black box (dynamic) for many serious vulnerability categories. White box overall detects a higher prevalence of many categories which we can extrapolate to having lower FN rates. Now the sample set of apps is not the same so this can only be...

Tags: white box, black box, sql injection, path traversal, web application analysis, static, risk level vulnerabilities, application, vulnerabilities

From the 10 years ago today department

2009-10-02 10:46:56 by Chris Wysopal in Zero in a bit

...security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for secure web transactions to allow an attacker to authenticate as the hapless consumer Dateline explores this problem on Sunday October...

Tags: internet transactions poses, transactions, endpoint water slowly, slowly, endpoint, online banks, banks, secure web transactions, security

Stealing PII is so 2007. They want your endpoint.

2009-10-01 11:38:54 by Chris Wysopal in Zero in a bit

...information from PayChoice. They then used that information to target PayChoices customers. PayChoices customers recieved a phishing attack that was personalized with their PayChoice information. The phishing email contained browser and other client side exploits and also directed them to install a malicious plugin. The hybrid attack was...

Tags: target paychoices customers, endpoint, paychoices customers, customers, paychoice information, pii, information, payroll, online payroll company

Trust Your Own Code?! Trust Your Own Compiler?!

2009-08-20 18:37:23 by Tyler Shields in Zero in a bit

...information security. Trust is a relative term and all trust relationships should be examined with a very critical eye Ken Thompsons seminal paper Reflections on Trusting Trust , which won a Turing Award, addresses in detail why we can never be fully sure of the trust relationships in our development environment. The paper asserts that since...

Tags: compiler, malicious compiler, thompsons compiler backdoor, thompsons malicious compiler, trust, trust relationships, malicious, security, information security

SQL Injection blamed for 7-11, Hannaford and Heartland Breaches

2009-08-17 21:36:30 by Chris Wysopal in Zero in a bit

The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network The indictment doesnt...

Tags: sql injection vulnerability, server, web server, execute code, execute, attackers access, install malware, attackers, malware

Connection Between Identity Theft and Cyberwarfare

2009-08-17 13:42:49 by Chris Wysopal in Zero in a bit

...information stolen from Americans; one site was registered with information stolen from a person in France I have my own data point to share on this attack trend. My credit card number was used fraudulently to register 4 web sites from separate ISPs last Monday. The fraud detection was flagged at one of the ISPs, Laughing Squid Web Hosting....

Tags: credit card info, credit card, card, credit-card information, information, sites, web sites, isps, attacks

Bytecode Analysis is not the same as Binary Analysis

2009-07-27 09:38:00 by Chris Wysopal in Zero in a bit

...security testing technology wade into the no source available pool (come on in guys, the water is nice), it is important to understand what capabilities you need for software assurance when you dont have access to source If the software you are concerned about is written in a language such as C or C++, and then compiled to form an executable...

Tags: bytecode, bytecode analysis, bytecode analysis techniques, binary analysis, bytecode decompiler, analysis, true binary analysis, direct bytecode analysis, model

Your name:
Your email:
Describe a problem:
AntiSPAM Validation:

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo