Everyone has had that dreaded experience: you open up the task manager on your computer… and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger functionality. The icing on the cake, however, is when the mystery program is also eating up all your RAM.
The recently released Microsoft Security Intelligence Report shows that web-based propagation vectors have surpassed traditional malware propagation vectors as the largest threats to distributed network environments. While I agree with Microsoft’s assessment of the threat landscape, I don’t think this is anything new; it is just the current state of a long-running trend.
Back in November 2012 I published Veracode’s initial report on the top 1 million websites from the Alexa list. My goal was to turn it into a series so it would be possible to track how these sites change over time with regard to the security headers that are added, removed or changed.
Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career.
When we were kicking around ideas for a new SoSS supplement, I thought the vendor testing angle could be interesting. We had just launched our VAST program, so the topic made our marketing folks happy, but I also think the supply chain analogy is an interesting lens through which to view the security industry. We can think about the software supply chain as the vulnerability supply chain.
I would like to share with you all the results of my scan and review of the Alexa Top 1,000,000 Sites’ HTTP response headers as they relate to security. I was mostly curious about which sites were using Content Security Policy (CSP) but ended up becoming more interested in all of the various modern-day security headers that sites specify. The results were pretty impressive and I certainly learned a lot from it.
When I read the New York Times Bits article “The Dangers of Allowing an Adversary Access to a Network” by John Markoff, I thought the fear of trojaned vendor products was misplaced. The much bigger problem is vulnerable products. To cyber security experts, a serious vulnerability is indistinguishable from a backdoor, as both allow an adversary to take control of a system or device. Yet the U.S. House Committee seems preoccupied with backdoors in Huawei technology while ignoring the gaping vulnerabilities.
RSA has published, “THE VOHO CAMPAIGN: AN IN DEPTH ANALYSIS” which describes an APT style campaign against several targets. The campaign used malicious content on several websites dubbed “watering holes” in order to compromise the campaign target’s client machines.
Injecting malicious content into vulnerable websites that will then become a drive-by client attack to a website visitor is old news. I wrote about this in my blog post, “SQL Injection Tangos with Heap Overflows”, back in Dec 2008.
What I see new here is the watering hole concept where the websites that are …
The following post is about a beta software release, which may — and hopefully will — change.
You know what they say about assuming…
My faithful army of security-minded Twitter followers alerted me to a sudden change in the Ubuntu Linux distribution’s 12.10 beta build that they found alarming: Amazon search had been integrated into the system search bar by default, so that, for example, searching for a musician’s name to find your MP3s on your local hard drive would also suggest albums on the Amazon store. As everyone assumed, the purpose of this surprise feature is to help Ubuntu raise …
Millions of web sites suddenly became unreachable on Monday due to severe DNS-related problems at GoDaddy. Whether this was the result of a hack, or an internal problem, or a combination of both remains a hot topic, but today we’re going to ask a more pragmatic question: Could your domain survive a DNS attack or failure?
You may already have a robust, reliable web application infrastructure, but if a DNS problem prevents people on the Internet from connecting to your site, then it hardly matters how good the rest of your system is.
The key to a robust DNS infrastructure is …
By now, our readers have undoubtedly seen the buzz about a serious security vulnerability in Oracle Java, with corresponding exploit code making its way around (in the form of active, in-the-wild attack campaigns, as well as penetration testing tools). If you haven’t, the gist is that, due to an issue in the way access control permissions are checked in Java, it is possible for an applet to effectively grant itself full permissions, including the ability to execute commands *outside* of the Java sandbox (an operation that is, of course, typically limited). For those interested, Immunity, Inc., posted an excellent,
With over 20% of all web vulnerabilities attributed to SQL injection, it is the 2nd most common software vulnerability, and the ability to find and prevent SQL injection should be top of mind for web developers and security personnel. In general, a SQL injection attack exploits a web application that does not properly validate or encode user-supplied input and then uses that input as part of a query or command against a back-end database.
It’s that time of year again.
Veracode’s security research team and our Chief Scientist will be at the Vegas cons in force this year engaging in the usual roguery.
Here’s where to see us speaking:
- Christien Rioux, “Lessons of Binary Analysis”, BlackHat, July 26, 10:15am
- Zach Lanier and Andrew Reiter, “Mapping and Evolution of Android Permissions”, BlackHat, July 26, 2:15pm
- Chris Lytle, “Puzzle Competitions and You”, B-Sides Las Vegas, July 25, 4pm
We’ll also have a booth (#229) for the first time. Here’s when you can stop by and speak with members of the research team, assuming you don’t bump into them in the …
Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but there was a lot of confusion about how it could possibly work and whether it was safe.
The particular person who published the instructions added a note to remember not to type in …
In the rush to play with new online services – which, admittedly, are often awesome – it’s easy to forget that anyone with fifteen dollars in their pocket can rent a server to store your personal data in whatever haphazard way they want. It was only …