A collection of articles and posts pulled from some of our favorite bloggers across the Internet.
Latest From the Web

From the Web
Hackers Use Custom PoS Malware to Target Retailers
March 31, 2016 from: SecurityWeek
A cybercriminal group has been using a custom-built point-of-sale (PoS) malware family to steal payment card data, which it sells on underground forums.

From the Web
Mod_Security and Slowloris
December 10, 2010 from: Rsnake's blog at ha.ckers.org
After all the press around Wong Onn Chee and Tom Brennan’s version of an HTTP DoS attack, I think people started taking HTTP DoS a tad more seriously. Yes, there are lots of variants of HTTP-based DoS attacks, and I’m sure more tools will surface over time. The really interesting part is how both Apache and IIS have disagreed that it is their problem to fix. So we are left to fend for ourselves. ...
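Since the post's point is that the web servers left this one to their operators, here is a model of the two server-side checks that actually blunt a Slowloris-style attack, added as an example (not code from Rsnake's post, Apache or ModSecurity). Slowloris keeps many connections open by sending request headers a few bytes at a time and never sending the blank line that ends them, so a per-byte idle timeout never fires. What works is a deadline for the complete header block measured from when the connection opened (what Apache's mod_reqtimeout `RequestReadTimeout header=...` enforces), plus a cap on connections from one IP that are still in the header-reading state. The connection log, thresholds and host addresses below are constructed for the example.

```javascript
// Added example: a model of the two server-side checks that blunt a
// Slowloris-style HTTP DoS, run over a constructed connection log. Not code
// from Rsnake's post, Apache or ModSecurity.

// Constructed sample: each event is one read from a client connection.
// t is milliseconds since server start. Connection 2 is the Slowloris
// pattern: a header fragment every few seconds and never a "\r\n\r\n".
const SAMPLE_EVENTS = [
  { conn: 1, ip: "10.0.0.5", t: 0,    data: "GET / HTTP/1.1\r\nHost: site\r\n\r\n" },
  { conn: 2, ip: "10.0.0.9", t: 0,    data: "GET / HTTP/1.1\r\n" },
  { conn: 2, ip: "10.0.0.9", t: 4000, data: "X-a: 1\r\n" },
  { conn: 2, ip: "10.0.0.9", t: 9000, data: "X-b: 2\r\n" },
  { conn: 3, ip: "10.0.0.9", t: 7000, data: "GET / HTTP/1.1\r\n" },
  { conn: 4, ip: "10.0.0.9", t: 7500, data: "GET / HTTP/1.1\r\n" },
  { conn: 5, ip: "10.0.0.9", t: 8000, data: "GET / HTTP/1.1\r\n" },
  { conn: 6, ip: "10.0.0.7", t: 9500, data: "GET / HTTP/1.1\r\n" },
];

// Assumed thresholds (hypothetical; tune per deployment).
const DEFAULTS = { headerTimeoutMs: 5000, maxPendingPerIp: 2 };

// Rebuild connection state from the events observed up to `now`, then return
// the connections to close and why, plus how many are still reading headers.
function evaluateConnections(events, now, opts = {}) {
  const { headerTimeoutMs, maxPendingPerIp } = { ...DEFAULTS, ...opts };
  const conns = new Map();
  for (const ev of events) {
    if (ev.t > now) continue;                        // not yet observed
    let c = conns.get(ev.conn);
    if (!c) {
      c = { conn: ev.conn, ip: ev.ip, openedAt: ev.t, buf: "", complete: false };
      conns.set(ev.conn, c);
    }
    if (!c.complete) {
      c.buf += ev.data;
      c.complete = c.buf.includes("\r\n\r\n");       // end of the header block
    }
  }

  const drop = [];
  const dropped = new Set();

  // Check 1: header deadline counted from connection open, not from the last
  // byte received; an idle timeout would be reset by every trickled fragment.
  for (const c of conns.values()) {
    if (!c.complete && now - c.openedAt > headerTimeoutMs) {
      drop.push({ conn: c.conn, ip: c.ip, reason: "header_timeout" });
      dropped.add(c.conn);
    }
  }

  // Check 2: per-IP cap on connections still reading headers; the newest
  // connections above the cap are closed first.
  const pendingByIp = new Map();
  for (const c of conns.values()) {
    if (c.complete || dropped.has(c.conn)) continue;
    if (!pendingByIp.has(c.ip)) pendingByIp.set(c.ip, []);
    pendingByIp.get(c.ip).push(c);
  }
  for (const [ip, list] of pendingByIp) {
    list.sort((a, b) => a.openedAt - b.openedAt);
    for (const c of list.slice(maxPendingPerIp)) {
      drop.push({ conn: c.conn, ip, reason: "per_ip_limit" });
      dropped.add(c.conn);
    }
  }

  const pendingAfter = [...conns.values()]
    .filter((c) => !c.complete && !dropped.has(c.conn)).length;
  return { drop, pendingAfter };
}

console.log(evaluateConnections(SAMPLE_EVENTS, 10000));
```

At t=10000 the deadline check closes connection 2 even though its last fragment arrived only a second earlier, and the per-IP cap closes the newest of 10.0.0.9's three other half-open connections; at t=4500 nothing has crossed either threshold yet. Both checks are cheap because the state is per connection and the trigger is elapsed time, not request content, which is why they belong in the server rather than in a content-inspecting WAF rule.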

From the Web
Cheating Part 2
December 07, 2010 from: Rsnake's blog at ha.ckers.org
It would have been fun to create a contest to see which strategies are the most effective in a bot on bot scenario. Is an all defensive strategy better, or an all offensive (always opportunistically taking the highest value word)? Or maybe a hybrid of both where you play defensively at some points or offensively when you know it’s better in the long run.

From the Web
Cheating Part 1
December 01, 2010 from: Rsnake's blog at ha.ckers.org
I just thought I’d write a few vaguely amusing posts having just come back from Abu Dhabi (Blackhat) and Brazil (OWASP). A few weeks back my wife was having a rather fancy soiree work party that also had a casino night attached to it. I was pretty annoyed about the whole work party thing, having rarely had a good time at these things in the past. So immediately I start looking for ways to entert...

From the Web
FireSheep
November 16, 2010 from: Rsnake's blog at ha.ckers.org
I [Rsnake] go back and forth on whether I think FireSheep is interesting or not. Clearly, it’s old technology re-hashed. But it is interesting not because it works, but that it surprises people that it works. We’ve been talking about these problems forever, and now companies are scrambling to protect themselves. I guess the threat isn’t real until every newbie on earth has access to the hack...

From the Web
Website Security Statistics Report (2010) - Industry Benchmarks
November 08, 2010 from: Jeremiah Grossman's Blog
"How are we doing?" That's the question on the mind of many executives and security practitioners whether they have recently implemented an application security program, or already have a well-established plan in place. The executives within those organizations want to know if the resources they have invested in source code reviews, threat modeling, developer training, security tools, etc. are mak...

From the Web
Cooling Down the Firesheep
November 06, 2010 from: Mozilla Security Blog
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alo...

From the Web
Least Common Denominator
October 23, 2010 from: Rsnake's blog at ha.ckers.org
While at Bluehat Jeremiah got a question from someone (I believe he worked at Opera) saying that even something as simple as turning off third party cookies will break things like Yandex. Jer had an amusing response which was, “What’s that?” followed by, “So you’re telling me I need to be less secure because someone else wants to go to a site that I’ve never heard of?”

From the Web
Performance Primitives
October 21, 2010 from: Rsnake's blog at ha.ckers.org
Intel, Mozilla and Adobe. How are these companies related, you may ask? Well all of them care about performance. A year or so ago I was hanging out with the Intel guys and they informed me that they have a series of low level performance primitives that they surface through APIs. At the time I wasn't quite sure what to make of it.

From the Web
Obfuscated URLs within iframes
October 06, 2010 from: Mozilla Security Blog
Issue: There has been discussion today about a Firefox feature that warns users when a site’s URL is deceptive. When a Firefox user visits a site with a URL that might be deceptive (e.g. http://www.good.com@evil.com/), Firefox will stop the load and confirm with the user that they are really visiting the site they expected to visit (in this example, evil.com is the ...
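The trick in the post's example is that everything before the `@` is userinfo (credentials), never the host, yet it is what a reader scanning left to right takes for the site name. The check below, added here as an example and not Firefox's own code or anything from the Mozilla post, applies the WHATWG URL parser that Node.js and browsers share to find the real host and flags the pattern; the severity labels and the rule for "credentials that look like a hostname" are this example's own assumptions. The same check applies to an iframe `src`, where the user never saw the address at all.

```javascript
// Added example (not Firefox's code): flag URLs whose userinfo makes the
// address read as a different host than the one the request goes to.
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);                 // WHATWG parser; throws on garbage
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  const result = {
    ok: true,
    realHost: url.hostname,             // where the request actually goes
    deceptive: false,
    severity: "none",                   // assumed labels: none | low | high
    shownAs: null,                      // the text a reader mistakes for the host
  };
  if (url.username === "" && url.password === "") return result;

  // Any userinfo at all is unusual in a navigation URL and worth a warning.
  result.deceptive = true;
  result.shownAs = url.password ? url.username + ":" + url.password : url.username;

  // Credentials shaped like a hostname (labels joined by dots) are the
  // deception pattern; plain basic-auth credentials are merely unusual.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username);
  result.severity = looksLikeHost ? "high" : "low";
  return result;
}

// Constructed inputs for a stand-alone run.
for (const u of [
  "http://www.good.com@evil.com/",
  "https://admin:s3cret@intranet.example.org/",
  "https://www.good.com/",
  "http://www.good.com@evil.com:8443/login?next=x@y",
]) {
  console.log(u, "=>", inspectUrl(u));
}
```

The `@` in the query string of the last input does not confuse the parser: the authority ends at `?`, so the host is still evil.com on port 8443. A lookalike such as www.good.com.evil.com is a different problem (a real subdomain of evil.com) and is deliberately not flagged by this rule.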

From the Web
HTTP Strict Transport Security
October 06, 2010 from: Mozilla Security Blog
A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it into our source tree. This means that HSTS will be shipped with Firefox 4, and will be deployed as soon as the next beta release.
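The two Mozilla entries above (Cooling Down the Firesheep, and this one on HSTS) describe the same fix from two sides: Firesheep works because a site that sets a session cookie over HTTPS still lets the browser send it over plain http:// on an open network, and HSTS lets the site tell the browser to never make that plain request again. Below is the client-side half of that mechanism, added here as an example; it is not Firefox's implementation or code from either post. It follows RFC 6797's rules for parsing the header and for when a policy may be trusted; the hosts, header values and timestamps are constructed.

```javascript
// Added example (not Firefox's HSTS code): a minimal HSTS policy store.
// A site sends Strict-Transport-Security over HTTPS; the client remembers the
// host for max-age seconds and rewrites any plain-HTTP navigation to it (and,
// with includeSubDomains, to its subdomains) to HTTPS before a request leaves.

// Parse the header value; returns {maxAge, includeSubDomains} or null when
// the header is invalid (RFC 6797: max-age is required, each directive may
// appear only once, unknown directives such as preload are ignored).
function parseHsts(headerValue) {
  const seen = new Set();
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawPart of headerValue.split(";")) {
    const part = rawPart.trim();
    if (part === "") continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : part.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);                   // quoted-string form is allowed
    }
    if (seen.has(name)) return null;                // duplicate directive
    seen.add(name);
    if (name === "max-age") {
      if (value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map();                      // host -> { expires, includeSubDomains }
  }

  // Record a policy from a response. Only a header received over TLS with a
  // valid certificate counts; otherwise an on-path attacker on that same open
  // network could plant or clear policies from a plain-HTTP response.
  observe(host, headerValue, { overTls, certValid, now }) {
    if (!overTls || !certValid) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) {                      // max-age=0 tells the client to forget the host
      this.policies.delete(host);
      return true;
    }
    this.policies.set(host, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True when host, or an ancestor whose policy has includeSubDomains, has an
  // unexpired policy. Expired entries are dropped as they are found.
  isKnown(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= now) { this.policies.delete(candidate); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite a navigation target before any request is made. The URL parser
  // already drops an explicit :80, so the result uses the https default port;
  // any other explicit port is kept, as RFC 6797 requires.
  upgrade(rawUrl, now) {
    const url = new URL(rawUrl);
    if (url.protocol !== "http:" || !this.isKnown(url.hostname, now)) return rawUrl;
    url.protocol = "https:";
    return url.toString();
  }
}
```

Usage: call `observe()` on every response and `upgrade()` on every navigation or subresource URL before it is fetched. The first visit is still the weak point (the policy arrives only after one HTTPS response), which is why the header must be ignored on plain HTTP and why sites should also mark the session cookie `Secure` so the browser never attaches it to an http:// request in the first place.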

From the Web
Super Nuclear Worm Invades Kazakhstan
October 03, 2010 from: AEON Security Blog
When I first heard about Stuxnet, it made me shrug my shoulders just as much as I shrugged when hearing about Aurora – the “(un)Advanced Persistent Threat.” Outside from all the hype, the entire concept of “Stuxnet” being a “highly weaponized targeted” threat is way out of tune with reality. From everything I have read so far, everyone seems to be repeating what everyone else is repe...

From the Web
Odds, Disclosure, Etc…
September 18, 2010 from: Rsnake's blog at ha.ckers.org
I went to Data Loss DB the other day and I noticed an interesting downward trend over the last two years. It could be due to a lot of things. Maybe people are losing their laptops less or maybe hackers have decided to slow down all that hacking they were doing. No, I suspect it’s because in the dawn of social networking and collective thinking, companies fear disclosure more than ever before.

From the Web
Browser Differences, Minutia Et Al…
September 10, 2010 from: Rsnake's blog at ha.ckers.org
Browser security often turns into a religious war amongst technologists, instead of thinking about it pragmatically. What are the real motives of the companies that are developing the browsers? In most cases they care primarily about market share because market share makes them money (through search engine agreements, and so on).

From the Web
The Effect of Snakeoil Security
September 10, 2010 from: Rsnake's blog at ha.ckers.org
Bad security isn’t just bad because it allows you to be exploited. It’s also a long term cost center. But more interestingly, even the most worthless security tools can be proven to “work” if you look at the numbers. Here’s how.

From the Web
Prior Knowledge Of Users Cert Warning Behavior
September 02, 2010 from: Rsnake's blog at ha.ckers.org
One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior and how that can be used against the user. Let’s say a man in the middle causes an error via proxying a well-known owner/subsidiary.