SEARCH RESULTS
 
Showing 1-10 of 15 records

New faces and predictions for the New Year...

2008-01-22 22:11:00 by sdl in The Security Development Lifecycle
 
...Forgery (XSRF) vulnerabilities as reported in the US National Vulnerability Database. The root of request forgery vulnerabilities - relying solely on cookies for authenticating users - is more of a design flaw and not a simple implementation issue. This makes them tougher to identify and to remove. They can't be mitigated solely through input...

Adding webwise.net into the CNI

2008-04-05 14:13:01 by Richard Clayton in Light Blue Touchpaper
 
...forgery attacks can only be made harder, not prevented altogether. Making it harder may currently be sufficient to make phishing attackers use simpler methods, but if the prize is the disruption of web browsing for millions of people... There are things that the ISPs can do to improve security, such as each of them making themselves authoritative...

SDL and the OWASP Top Ten

2008-05-01 15:46:00 by sdl in The Security Development Lifecycle
 
...Forgery 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access Looking at this list, we address Cross-Site Scripting issues in the SDL very thoroughly today: we have several XSS detection and prevention...

On the Security of E-Passports

2007-12-03 15:30:21 by Editor in Help Net Security - Articles
 
The global introduction of electronic passports is a large coordinated attempt to increase passport security. Issuing countries can use the technology to combat passport forgery and look-alike fraud.

Justice, in one case at least

2008-01-31 16:48:08 by Ross Anderson in Light Blue Touchpaper
 
...forgery. The question therefore was whether the dash in the above rubric meant OR, as the technology would suggest, or AND, as the bank and the CPS hoped. The technology is explained in more detail in our recent submission to the Hunt Review of the Financial Services Ombudsman (see below). I therefore advised the defence to apply for the...

Top 10 Security Stories of 2007

2007-12-27 04:53:17 by Bill in Grumpy Security Guy
 
...Forgery Goes Mainstream - Creating an article that diggs itself was just the start. PDP discovered a way to backdoor Gmail accounts via XSRF in April. XSRF has been around for a while under a few different names. Expect big scary things from it in the future. 7. PCI tip toes into Web Application Security - PCI has flirted with Web Application...

SDL and Web 2.0

2008-02-28 22:26:00 by sdl in The Security Development Lifecycle
 
...forgery attacks like the Flickr attack mentioned earlier. If no applications anywhere on the site offer special functionality for authenticated users, then the SDL does permit the site to have a broad-reaching cross-domain access list. However, this does require constant oversight to ensure that no authenticated applications are added to the...

FBI CSRF and Jail How to Get Someone Raided

2008-03-20 22:09:20 by Bill in Grumpy Security Guy
 
...Forgery) Now this is not classic CSRF, since CSRF generally implies I am exercising some functionality on the target site. I am using CSRF as a handy term for: if you visit a page I control content on, I can make you request any other link I want. Now remember this is not only pages like this blog where I clearly control the content, but any...

The Security Mindset

2008-03-25 05:27:19 by schneier in Schneier on Security
 
...forgery -- than it is to teach someone a security mindset. Which is why CSE 484, an undergraduate computer-security course taught this quarter at the University of Washington, is so interesting to watch. Professor Tadayoshi Kohno is trying to teach a security mindset. You can see the results in the blog the students are keeping. They're...