Latest Posts

From the Web
Too much personal data released
July 24, 2009 from: Office of Inadequate Security
Personal information of almost 900 people was given to a public-housing resident [in Virginia] who requested a list of those who had been banned from Hampton Redevelopment and Housing Authority property.
Comments (0)

From the Web
Leahy reintroduces data breach bill
July 23, 2009 from: Office of Inadequate Security
Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers’ personal information.
Comments (0)

From the Web
Heartland breach felt in Bermuda
July 23, 2009 from: Office of Inadequate Security
Hundreds of Bermudians may have been the victims of credit card fraud stemming from a US security breach in January.
Comments (1)

From the Web
Report: Shortage of cyber experts may hinder govt
July 22, 2009 from: hackyourself.net
Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.
Comments (2)

From the Web
wget DNS-rebinding and Weak Intranet Port Scanning
July 21, 2009 from: Rsnake's blog at ha.ckers.org
Albeit a technical document, it contains some interesting points on browser technology in general (Linux's "wget" command) and DNS rebinding protection methods; this is an interesting read for the more savvy webappsec guys.
Comments (1)

From the Web
Firefox crash not exploitable (CVE-2009-2479)
July 19, 2009 from: Mozilla Security Blog
In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no ex...
Comments (1)

From the Web
Measure What Matters – The SEC Essentials
July 14, 2009 from: Mozilla Security Blog
People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record. That’s great news; not only does it help inform users, but it also lets browser authors know where they stand, and w...
Comments (0)

From the Web
July 2009 Critical Patch Update Released
July 14, 2009 from: The Oracle Global Product Security Blog
This Critical Patch Update includes 10 additional fixes for Oracle Database Server. Three of these 10 vulnerabilities are remotely exploitable without authentication. None of these vulnerabilities affect client-only deployments.
Comments (0)

From the Web
Critical JavaScript vulnerability in Firefox 3.5
July 14, 2009 from: Mozilla Security Blog
A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.
Comments (1)
Not So Smart Grid?
July 14, 2009 Added by: Infosec Island Admin
According to a security researcher, the so-called Smart Grid technology being rolled out across the country as part of the stimulus bill may be vulnerable to numerous attacks. According to the researcher, many of the commands that allow the power company to interact with the smart-meters at the user's house (for example) do not require authentication, have no encryption and are ripe fo...
Comments (3)

From the Web
Hash Information Disclosure Via Collisions - The Hard Way
July 14, 2009 from: Rsnake's blog at ha.ckers.org
Every hashing algorithm has possible collisions once you allow a certain number of chars to be hashed. Let’s say you found out that “bob” and “sam” collided in whatever hashing algorithm. If you created an account on a web server with the password of “bob” and then later typed in the password of “sam” assuming no salts you would be able to get ...
Comments (0)
PCI Auditor Being Sued for Certifying CardSystems as Compliant
July 13, 2009 Added by: Infosec Island Admin
Savvis is being dragged into court to defend their PCI DSS certification of CardSystems in 2004, which was subsequently responsible for losing a quarter of a million credit card numbers. This is the first of potentially many legal actions against PCI auditors that certified organizations as compliant, when they were subsequently breached and responsible for the loss of consumer cred...
Comments (2)

From the Web
Running JavaScript in Chrome Despite View-Source
July 11, 2009 from: Rsnake's blog at ha.ckers.org
A post from Rsnake over at ha.ckers.org about a Google Chrome browser vulnerability where javascript is executed while using the "Browse Source" function - ouch!
Comments (0)

From the Web
Shutting Down XSS with Content Security Policy
July 10, 2009 from: Mozilla Security Blog
For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on a new technology called Content Security Policy.
Comments (0)

From the Web
Measure What Matters - The SEC Essentials
July 10, 2009 from: Mozilla Security Blog
People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record.
Comments (0)

From the Web
New CSS Grammar Fuzzer
July 10, 2009 from: Mozilla Security Blog
Fuzzers are a tool that we’ve found incredibly valuable in the past, and continue to employ heavily. A fuzzer’s job is to make your application fail by feeding it surprising inputs.
Comments (0)

From the Web
MD5 Weaknesses Could Lead to Certificate Forgery
July 10, 2009 from: Mozilla Security Blog
Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.
Comments (0)

From the Web
The Importance of Good Metrics
July 10, 2009 from: Mozilla Security Blog
Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities.
Comments (1)

From the Web
The Best of Application Security 2009 (Mid-Year)
July 09, 2009 from: Jeremiah Grossman's Blog
Every year the application security industry receives a number of phenomenal research papers and other great contributions. Even for those dedicated to appsec as their primary job function, it is challenging to stay up-to-date, which means resources to help track them become extremely valuable. As such, Ivan Ristic and I have been working on the "The Bes...
Comments (1)

From the Web
The Most (Potentially) Lucrative Vulnerabilities
July 09, 2009 from: Jeremiah Grossman's Blog
I think few vulnerability researchers look for them, are unlikely to understand their potential value if found, and probably wouldn’t disclose them anyway. The vast majority of researchers focus on memory corruption issues, browser cross-domain leakage, custom Web application attacks, or flaws in online business logic processes