SEARCH RESULTS
 
Showing 1-10 of 42 records
 
Another MySpace XSS Through an API

2008-01-21 16:24:14 by RSnake in ha.ckers.org web application security lab
 
One of the things I love to talk about when I'm ranting about the improper use of the same origin policy to dictate how we as security professionals are auditing a website is the use of APIs. Hackers don't care that your browser sees them as different domains. If they can attack the API and that API has access to the same data that the main...
 
Holiday Storm Part 3

2007-12-26 23:43:00 by Russ McRee in HolisticInfoSec.org
 
I know, I know...enough already. But our Storm friends have changed the game a bit for the third round, as discussed on the ISC Diary, in particular Update 3. The changed domain and binary name led me to ponder what else has changed. So 1) New hash: BE22F894AC662C905C37CEFDE66DE065 2) Better hiding skills, no visible running processes,...
 
Minimizing the Attack Surface, Part 2

2008-07-07 21:10:25 by Chris Eng in Zero in a bit
 
I'm finally getting around to finishing my post on minimizing attack surfaces. Here's Part 1, in case you missed it. First, a quick clarification. I noticed that some of the readers who commented on that first post wanted to talk about improving security through the use of various development methodologies or coding frameworks. Those are...
 
Phishers and Malware authors beware!

2007-06-18 14:59:00 by Niels Provos in Google Online Security Blog
 
Posted by Brian Rakowski and Garrett Casto, Anti-Phishing and Anti-Malware Teams OK, so it might be a little early to declare victory, but we're excited about the Safe Browsing API we launched today. It provides a simple mechanism for downloading Google's lists of suspected phishing and malware URLs, so now any developer can access the...
 
Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL

2008-01-04 23:37:00 by sdl in The Security Development Lifecycle
 
Hi, Michael here. Happy New Year! Recently, Symantec issued a security advisory warning users of critical remote code-execution security vulnerabilities in various Symantec email security products. The bugs caught my eye for a number of reasons. First and foremost, security bugs in security products are always of great interest and concern to me,...
 
Welcome to the Platform Club! :-)

2008-02-15 14:59:00 by Dr Anton Chuvakin in Anton Chuvakin Blog
 
So, what sparked this was a post by my esteemed colleague about platforms. No, not the platform shoes :-) Application platforms. In his post, Mr Baum climbs onto a platform :-) and proclaims that "the thoughtfulness by which we're going about this [ i.e. trying to become a platform ] will yield much more than a bunch of hype." Despite that...
 
Thin Client Security: Wise up!

2008-04-18 23:36:44 by Craig Balding in Cloud Security

Thin Clients are an obvious choice for connecting users to the Cloud. In theory it's a minimal attack surface. Amongst other things, diskless clients nicely sidestep the data at rest protection issues. So why do some thin client vendors just not get these 3 things? Security people expect you to provide a secure, vendor independent method for...
 
Security In The Cloud: Introducing Cloud Mashups

2008-04-21 16:40:49 by Craig Balding in Cloud Security

Security in the cloud just got more complicated with the introduction of Cloud Mashups. What Do You Get When You Cross Salesforce.com and Amazon S3? The answer we are told is Appirio Cloud Storage - a fully integrated Salesforce.com add-on that uses Amazon's Simple Storage Service (S3) to store larger files. Previously, Salesforce.com users were...
 
Storm keeps coming (4th variant)

2007-12-27 10:43:00 by Russ McRee in HolisticInfoSec.org
 
They just keep coming...this one is very similar to the 3rd variant we reviewed, but some changes are apparent: 1) Hash: 1f362ad74d62262bff6bcb1d078cbf7d 2) Aside from yet again changing the domain and binary, the hidden files written upon execution are as follows: Helios Rootkit Detector Scanning File System For Hidden Files Scanning Drive C 1...
 
A Question of Integrity: To MD5 or Not to MD5

2008-06-25 19:50:57 by Craig Balding in Cloud Security