Stealing PII is So 2007 -- They Want Your Endpoint

By Chris Wysopal October 1, 2009

Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online...

Trust Your Own Code?! Trust Your Own Compiler?!

By Tyler Shields August 20, 2009

Trust has long been a favorite target of malicious individuals. Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye. Ken Thompson's seminal paper "Reflections on Trusting Trust", which won a Turing Award, addresses in detail why we can...

Connection Between Identity Theft and Cyberwarfare

By Chris Wysopal August 17, 2009

There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year. “Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information...

Bytecode Analysis Is Not The Same As Binary Analysis

By Chris Wysopal July 27, 2009

Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java VM or the .NET CLR. As more companies with software security testing technology wade into the "no...

BlackHat Picks 2009

By Chris Eng July 23, 2009

It's time for the yearly BlackHat picks. Without further ado, here's where you'll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes -- there is no way I will actually make it to all of these, but as of now, this is what's caught my interest: Day 1 John McDonald & Chris Valasek: Practical Windows XP/2003 Heap Exploitation Andrea Barisani...

BlackBerry Spyware Dissected

By Chris Eng July 15, 2009

Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more. We're not sure why the software was delivered in both .jar and .cod form. The .cod file is a RIM proprietary...

Nation State Cyberwarfare Reality Check

By Chris Wysopal July 8, 2009

Let's take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn't going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then...

The Mobius Defense – An Impetus for Application Security

By Tyler Shields June 30, 2009

The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting read so get to it… Mr. Herzog suggests in...

Mystery of Donkey Kong Kill Level Solved

By Chris Wysopal June 17, 2009

It was an integer overflow. I guess it is never too late to fix a bug. Don Hodges used the old video game firmware and a MAME machine to debug and fix a problem which has kept expert Donkey Kong players from ever getting past level 22. If you have seen King of Kong you would know that one of the challenges of getting a high score is getting as many points as possible before a software glitch causes...
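The teaser only says "integer overflow", so here is an added illustration (not code from the post, and not the game's actual 8-bit assembly) of the failure mode it refers to. It assumes the commonly reported form of the bug: the level's bonus timer is computed as level*10 + 40 and capped at 80, but the intermediate value is stored in a single byte, so at level 22 the sum 260 wraps to 4 before the cap is ever applied. The exact formula and constants are an assumption of this example; the security point is general: clamp in a wide type, then narrow.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the reported bug (assumed formula, not the game's code):
 * the timer is derived from the level, but the arithmetic is done in a byte,
 * so the result wraps modulo 256 before the upper bound is checked. */
uint8_t bonus_timer_buggy(unsigned level)
{
    uint8_t b = (uint8_t)(level * 10 + 40);   /* level 22: 260 -> 4 */
    if (b > 80)
        b = 80;                               /* cap never fires once wrapped */
    return b;
}

/* Hardened form: do the arithmetic in a type that cannot wrap for any
 * realistic level, apply the bound, and only then narrow to the byte the
 * rest of the code expects. */
uint8_t bonus_timer_fixed(unsigned level)
{
    unsigned b = level * 10u + 40u;           /* no wrap in 32 bits */
    if (b > 80u)
        b = 80u;
    return (uint8_t)b;                        /* 22 -> 80, same as levels 4+ */
}

/* Returns 1 if the buggy computation yields a smaller timer than the
 * clamped one, i.e. the level where the wrap first bites. */
int first_broken_level(void)
{
    for (unsigned level = 1; level < 256; level++) {
        if (bonus_timer_buggy(level) < bonus_timer_fixed(level))
            return (int)level;
    }
    return -1;
}

int main(void)
{
    for (unsigned level = 1; level <= 22; level++) {
        printf("level %2u: buggy=%3u fixed=%3u\n", level,
               bonus_timer_buggy(level), bonus_timer_fixed(level));
    }
    printf("first level where the byte wrap shortens the timer: %d\n",
           first_broken_level());
    return 0;
}
```

The same pattern (narrow storage, bound check after the narrowing) is what turns a harmless game timer into an exploitable length or size field in network code, which is why the fix is to reorder the check and the cast rather than to special-case level 22.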

Even Government Censors Demand Secure Software

By Chris Eng June 15, 2009

As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to "protect" viewers from offensive text and images such as politically sensitive content. Subsequent to this announcement, researchers at the University...
