Grumpy Security Guy

The Business Case for WAFs + Testing

2008-06-19 18:09:06 by Bill in Grumpy Security Guy
 
...security/WhiteHat integrated solution to market. This customer had a massive application written in classic ASP. Since it was in classic ASP, it had massive numbers of SQLi vulnerabilities: everything from blind SQLi to the always fun SQL statements in the URL. The customer said this application was roughly 250,000 lines of code with SQL...

When ISPs Attack!

2008-06-19 16:31:53 by Bill in Grumpy Security Guy
 
Here is a scary story about a company, NebuAd (no link juice for you!), that performs a MITM attack all in the name of better ads. Now, sniffing to get better data on your customers has been around for a while; in fact I worked at a company that did this as part of our offering. Where NebuAd goes over the line is that they manipulate the traffic to get...

Dude Don't Hack My Coffee

2008-06-18 05:19:11 by Bill in Grumpy Security Guy
 
...security. These things generally all have web UIs, which makes the vulns that much more interesting. It is somewhat easy to detect the spread of a mass SQLi attack on public-facing web sites, but what happens when we get this attack on internally facing systems? They are much harder to track and even detect. What if my coffee maker now does...
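The two excerpts above ("The Business Case for WAFs + Testing" and this one) mention three shapes of SQLi traffic: SQL statements spelled out in the URL, blind SQLi, and a mass SQLi attack spreading across web sites. As an added example, not code from the Grumpy Security Guy posts, here is a small Python detector that runs over a few constructed access-log lines and flags each shape, including boolean-based blind probes (paired `AND 1=1` / `AND 1=2` requests that get different-sized responses) and the hex-encoded `CAST(0x... AS VARCHAR)` / `EXEC` payload shape that the 2008 mass-SQLi worms used. The log lines, client addresses, paths, payload text and the assumption that the log records the full query string are all constructed here.

```python
"""Flag SQL-injection attempts in web-server access logs.

Added example for this page, not code from the Grumpy Security Guy posts.
The log lines, client addresses, paths and payloads below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in common log format (assumption: the log records
# the full request target, query string included, as IIS/Apache logs can).
# The hex literal on the second line decodes to "DROP TABLE foo".
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2008:05:00:01 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Jun/2008:05:00:03 +0000] "GET /products.asp?id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44524F50205441424C4520666F6F%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120
10.0.0.7 - - [18/Jun/2008:05:00:05 +0000] "GET /search.asp?q=coffee HTTP/1.1" 200 2048
10.0.0.9 - - [18/Jun/2008:05:00:06 +0000] "GET /products.asp?id=42'%20OR%201=1-- HTTP/1.1" 500 300
10.0.0.9 - - [18/Jun/2008:05:00:07 +0000] "GET /products.asp?id=42%20AND%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Jun/2008:05:00:08 +0000] "GET /products.asp?id=42%20AND%201=2 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
# SQL spelled out in the URL (classic ASP string concatenation territory).
SQL_KEYWORDS = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|DECLARE|EXEC|CAST|XP_CMDSHELL)\b", re.I
)
TAUTOLOGY = re.compile(r"'\s*OR\s+\d+\s*=\s*\d+", re.I)        # 42' OR 1=1--
BOOL_PROBE = re.compile(r"\bAND\s+(\d+)\s*=\s*(\d+)\b", re.I)    # 42 AND 1=1 / 42 AND 1=2
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")                # CAST(0x... AS VARCHAR)


def decode_hex_literals(value):
    """Return the ASCII text hidden inside 0x... literals in a query value."""
    out = []
    for m in HEX_LITERAL.finditer(value):
        try:
            out.append(bytes.fromhex(m.group(1)).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue  # odd-length or non-text hex: not the worm's trick
    return out


def classify_value(value):
    """Return a list of finding tags for one URL-decoded query-string value."""
    tags = []
    if TAUTOLOGY.search(value):
        tags.append("tautology")
    if BOOL_PROBE.search(value):
        tags.append("boolean-probe")
    if SQL_KEYWORDS.search(value):
        tags.append("sql-keyword")
    for hidden in decode_hex_literals(value):
        if SQL_KEYWORDS.search(hidden):
            tags.append("hex-encoded:" + hidden)
    return tags


def parse_line(line):
    """Parse one log line into client, path, decoded params and response size."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Split on '&' only: payloads contain ';' and '=', which parse_qsl may mangle.
    rec["params"] = []
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        rec["params"].append((key, unquote_plus(raw)))
    return rec


def scan_log(text):
    """Return (client, path, param, tags) findings for a whole log."""
    findings = []
    probes = defaultdict(dict)  # (client, path, param) -> {"true": size, "false": size}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            tags = classify_value(value)
            if tags:
                findings.append((rec["client"], rec["path"], key, tags))
            m = BOOL_PROBE.search(value)
            if m:
                bucket = "true" if m.group(1) == m.group(2) else "false"
                probes[(rec["client"], rec["path"], key)][bucket] = rec["size"]
    # Blind SQLi signal: a true and a false condition on the same parameter
    # from the same client produced responses of different sizes.
    for (client, path, key), sizes in probes.items():
        if "true" in sizes and "false" in sizes and sizes["true"] != sizes["false"]:
            findings.append((client, path, key, ["blind-differential"]))
    return findings


if __name__ == "__main__":
    for client, path, key, tags in scan_log(SAMPLE_LOG):
        print(f"{client} {path}?{key}: {', '.join(tags)}")
```

Bare keyword matching will fire on a search box that receives the word "select", so in practice the keyword tag is a triage hint and the hex-decoded and differential tags are the ones worth paging on. The same scan works on the internal side of the house as long as the proxy or server logs keep the query string, which is the first thing to check when asking whether an attack on internally facing systems would even be visible.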

Bots + Web Vulnerabilities - An Approaching Storm

2008-05-15 21:55:13 by Bill in Grumpy Security Guy

PCI 6.6 clarified

2008-04-22 16:47:40 by Bill in Grumpy Security Guy
 
...Information Supplement Released. All I have to say is: well done to the PCI council! From my first pass it seems like it is pretty clear AND they understand the issues organizations are facing. I have a few nits here and there, but it is 1000% better than it was before...

Your ID is worth $2

2008-04-10 16:44:52 by Bill in Grumpy Security Guy
 
...information security consultants effectivel... These are the crazy people in your security neighborhood - Part 2: Private Pyle. When you have been around the IT/Security space as long as I have you run into a lot of whacky pe...

Mac Hacked in 2 Minutes, Apple is a lame patcher

2008-03-27 22:02:09 by Bill in Grumpy Security Guy
 
...security. With the release of the details behind last year's mysterious wireless driver OS X exploit we can fin... Worst Security I Have Seen in a Long Time: When the clueless are on the intarwebs this is what happens: http://thedailywtf.com/Articles/So-Y... Apple blocks the word script. OS X Leopard security concerns...

FBI, CSRF and Jail: How to Get Someone Raided

2008-03-20 22:09:20 by Bill in Grumpy Security Guy

The Big Announcement

2008-03-13 00:03:25 by Bill in Grumpy Security Guy
 
...security experts, and trying to apply a default-deny policy, while a great idea in theory, is pretty hard in the real world. There is just way too much movement in most applications to pin it down. Even if the app does not change frequently, WAF admins are very hesitant to even come close to blocking legitimate traffic. What really sold me...

5 Lessons on Public Disclosure From Eliot Spitzer

2008-03-12 17:26:54 by Bill in Grumpy Security Guy
 
...information. One area law enforcement is not going to get involved with is how you are going to respond to your customers. This template seems to have already been written: credit monitoring for a year and some gift cards. You can do better. 5. Cut your losses. At some point you are going to need to get back to work and put this incident behind...