Zero in a bit
 
Showing 1-10 of 107 records

Google Admitting Compromise Good News

2010-01-13 14:41:20 by Chris Wysopal in Zero in a bit
 
...security testing was performed. It is time for organizations to take a hard look at the set of client software they allow on their employees' workstations and determine how trustworthy that software is. In most organizations these client systems have unbounded risk and are receiving data from the untrusted internet. If this doesn't change,...

An Ounce of Prevention is Worth a Pound of Cure

2009-11-20 17:46:02 by Chris Eng in Zero in a bit
 
...security over the long term. A related topic, and one that hits closer to home for me, is how software developers deal with the results of static analysis. Static analysis is often misunderstood, particularly by people who have only dealt with dynamic analysis (fuzzing, web scanning, etc.) or penetration testing in the past. Because static...

We need to learn more about the RBS Worldpay ATM attack

2009-11-11 13:38:37 by Chris Wysopal in Zero in a bit
 
The size and scope of the RBS Worldpay ATM heist are unprecedented. The perpetrators stole $9M in a matter of hours from 2100 ATMs worldwide. An indictment was handed down on Nov 10, 2009. I am always on the lookout for indictments and trials related to computer crime because this is often the only time the details of the attackers' techniques...

White box better than black box

2009-10-21 12:47:36 by Chris Wysopal in Zero in a bit
The WASS Project, which Veracode contributed data to, shows some nice benefits of white box (static) over black box (dynamic) testing for many serious vulnerability categories. White box overall detects a higher prevalence of many categories, which we can extrapolate to lower false-negative (FN) rates. Now, the sample set of apps is not the same, so this can only be...

From the 10 years ago today department

2009-10-02 10:46:56 by Chris Wysopal in Zero in a bit
 
...security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for secure web transactions to allow an attacker to authenticate as the hapless consumer. Dateline explores this problem on Sunday October...

Stealing PII is so 2007. They want your endpoint.

2009-10-01 11:38:54 by Chris Wysopal in Zero in a bit
 
...information from PayChoice. They then used that information to target PayChoice's customers. PayChoice's customers received a phishing attack that was personalized with their PayChoice information. The phishing email contained browser and other client-side exploits and also directed them to install a malicious plugin. The hybrid attack was...

Trust Your Own Code?! Trust Your Own Compiler?!

2009-08-20 18:37:23 by Tyler Shields in Zero in a bit
...information security. Trust is a relative term, and all trust relationships should be examined with a very critical eye. Ken Thompson's seminal paper Reflections on Trusting Trust, delivered as his Turing Award lecture, addresses in detail why we can never be fully sure of the trust relationships in our development environment. The paper asserts that since...

SQL Injection blamed for 7-11, Hannaford and Heartland Breaches

2009-08-17 21:36:30 by Chris Wysopal in Zero in a bit
 
The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez. It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network. The indictment doesn't...
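The entry point described above, a SQL injection that turns attacker-supplied text into part of the query, shown as an added example that is not code from the post or from the indictment: a login check built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table (the table, accounts and payloads are all made up for the demonstration; nothing here reflects the breached systems).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: user input is concatenated into the statement text, so quotes,
    OR, UNION and comment markers in the input are parsed as SQL, not as data."""
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: the statement text is fixed and the values travel as bound
    parameters, so the same payloads are compared literally and never match."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two hypothetical attacker inputs: a tautology that bypasses the password check,
# and a UNION that reads another row's secret out through the result column.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "' UNION SELECT password FROM users WHERE username='bob' --"


def demo() -> dict:
    """Run each form against the same inputs and return what each one yields."""
    conn = build_db()
    return {
        "vuln_good": login_vulnerable(conn, "alice", "correct horse"),
        # becomes: ... username = 'alice' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches; first row is admin
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        # becomes: ... username = '' UNION SELECT password ... --' AND password = 'x'
        # the rest of the original WHERE clause is commented out
        "vuln_union": login_vulnerable(conn, UNION_READ, "x"),
        "param_good": login_parameterized(conn, "alice", "correct horse"),
        "param_tautology": login_parameterized(conn, "alice", TAUTOLOGY),
        "param_union": login_parameterized(conn, UNION_READ, "x"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} -> {value!r}")
```

Binding parameters removes the injection entirely rather than trying to filter the input; the same payloads that return 'admin' and 'hunter2' from the concatenated query return nothing from the parameterized one. Note that Python's sqlite3 refuses stacked statements in execute(), which is why the example shows authentication bypass and data extraction rather than the follow-on command execution the indictment describes; databases that permit stacked queries or procedure calls give an injection far more reach.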

Connection Between Identity Theft and Cyberwarfare

2009-08-17 13:42:49 by Chris Wysopal in Zero in a bit
 
...information stolen from Americans; one site was registered with information stolen from a person in France. I have my own data point to share on this attack trend. My credit card number was used fraudulently to register 4 web sites from separate ISPs last Monday. The fraud detection was flagged at one of the ISPs, Laughing Squid Web Hosting....

Bytecode Analysis is not the same as Binary Analysis

2009-07-27 09:38:00 by Chris Wysopal in Zero in a bit
 
...security testing technology wade into the no-source-available pool (come on in guys, the water is nice), it is important to understand what capabilities you need for software assurance when you don't have access to source. If the software you are concerned about is written in a language such as C or C++, and then compiled to form an executable...