You’ve probably read by now that online retailer Zappos suffered a security breach affecting over 24 million customers. As a Zappos customer, I received the email last night alerting me about the breach. I got a nearly identical email from their sister company, 6pm.com, as well. This is a clear sign that I buy too many shoes.

What’s interesting to me about this breach is that Zappos is renowned for their customer service, so watching how they communicate in the coming days and weeks should be an interesting case study. A few notable points so …

Here’s a feel good story to start the new year.

Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. Nothing special about that; we detect thousands of these things every week. But as we discussed this particular finding, we noticed that the layout of the website looked… familiar. As it turned out, the discussion forum where we found the XSS was a SaaS-based product called Lithium.

From Lithium’s website: “The world’s most innovative companies such as AT&T, Barnes & Noble, Best Buy, Sephora, Univision, Home Depot, and HP …

ICS-CERT warns of backdoors in a standard network module for control systems. The type of equipment is the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found.

Backdoors in industrial control systems

These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillion Beresford found similar backdoor vulnerabilities in Siemens equipment.

We find these types vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security Report vol. 4 detailed the findings. We didn’t find …

Let’s not mince words: this rambling diatribe from Oracle’s CSO is aimed directly at Veracode. No need for a cutesy acronym; we’re the only company with true static binary analysis technology, delivered as a service. Now that we’ve got that out of the way, let’s try to cut through the rhetoric (in just over a thousand words, to boot).

The recurring theme in her manifesto is the notion that certain software suppliers are “too big to test”. It’s fine for the little guys, but not the 800-pound gorillas. Instead, software purchasers should blindly trust companies with security …

I’ve been focused on conducting research into the mobile spyware arena these last few months and the results have been very interesting. As I’m sure you are aware, I released a fully functional piece of Blackberry Spyware called txsBBSpy at the Shmoocon security conference in February 2010 and have done a number of interviews and podcasts on the topic. While my research is interesting, other high profile attacks just this week could really make this type of spyware/trojan a lot more dangerous.

At CanSecWest security conference this week, iPhone, Firefox, Safari, and other mobile operating systems and browsers were …

I applaud Google for coming forward and letting the world know about how they were attacked and what the attackers were after. Secrecy only helps the offense. Most of the time we only hear about attacks when there is public evidence such as a defaced web page, screen shots sourced from the attacker, or there is a prosecution. Since the vast majority of attackers are quiet and not prosecuted the public admission of attacks is a great public service which will help organizations understand their own risk. Other organization similar in size and sophistication to Google are clearly …

Vaserve, a UK webhosting company says that 100,000 of its customer sites were wiped out in what looks like a zero day attack on HyperVM, a virtualization application they used. The HyperVM was a product of lxlabs.

I checked out the lxlabs product documentation and website and could not find any reference to using a secure development lifecycle. I did find this rather disturbing post to their forum as the first post on a new topic “Security” in April 10, 2009. It was not replied to until yesterday.

http://forum.lxlabs.com/index.php?t=msg&th=11197&start=0&:

Lxadmin/hyperVM has become popular enough that people are SPECIFICALLY …

Monster.com recently disclosed yet another major breach that compromised the personal data of over 1.3 million users. This is not unlike the previous breach in August 2007, though the attack vector was likely different. From a notice on their website (emphasis mine):

We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes.

Considering the well-known tendency to use the same password on multiple websites, compounded with the fact …

With regard to the recent Patch Tuesday fix, there has been an issue fixed regarding NTLM Relaying, that has been around for more than eight years.

In 2000, I wrote an advisory about NTLM relaying (CVE-2000-0834). The problem turned out to be significantly larger than I originally suggested in the advisory. The attack extended to other NTLM-based authentications on other protocols and allowed general-purpose credential theft via a man-in-the-middle attack.

The SMBRelay tool was published in 2001 by Sir Dystic of Cult Of The Dead Cow, and that really took it to the next level. The protocol completely …