Posted by Tyler Shields in RESEARCH, August 20, 2009
Trust has long been a favorite target of malicious individuals. Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye.

Ken Thompson’s seminal paper “Reflections on Trusting Trust”, which won a Turing Award, addresses in detail why we can never be fully sure of the trust relationships in our development environment. The paper asserts that since people tend to only …
Posted by Chris Wysopal in RESEARCH, August 17, 2009
The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez.
It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network.
The indictment doesn’t give any details of the technique that was used to leverage the SQL Injection vulnerability to install the malware. I have my theories. Here are some potential ideas:
xp_cmdshell was enabled and allowed the attackers to execute the commands of their choice on the …
Posted by Chris Wysopal in RESEARCH, August 17, 2009
There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year.
“Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information stolen from a person in France.”
I have my own data point to share on this attack trend. My credit card number was used fraudulently to register 4 web sites from separate ISPs last Monday. The fraud …