US Government Detects Attacks on Obama and McCain Computers

cwysopal's picture
By Chris Wysopal November 7, 2008

Now that the presidential race is over Newsweek is reporting that the US Government, through the FBI and Secret Service, notified the Obama and McCain campaigns that their computers had been compromised and sensitive documents copied. ...the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team... READ MORE

We’ve Reached the Application Security Tipping Point

cwysopal's picture
By Chris Wysopal November 4, 2008 3

It’s been a long road since the early 90s when people first started public sharing of vulnerability information. Back then there were flat LANs, no network filters, and world writeable NFS mounts hanging out on the Internet. But with the spread of vulnerability information it all started to change. The first major shift in exploit targets was the move from network vulnerabilities to system... READ MORE

Credit Cards Failing Open

CEng's picture
By Chris Eng October 30, 2008  | 11

Most consumers are aware that when you close a credit card account, it's not really closed. For "convenience" reasons, recurring subscription charges such as your cable bill will continue to be approved. You can kind of see where the credit card companies are coming from, but it's a pretty weak argument. The cable company just needs to notify me that the credit card on file is no longer valid,... READ MORE

A Security Lesson From the Joe the Plumber Snooper

cwysopal's picture
By Chris Wysopal October 25, 2008

First we had the Gov. Palin Yahoo email break in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management. The Columbia Dispatch is reporting that a state employee with access to a "test account" has been accessing Joe the Plumber's government records: "We're... READ MORE

Partial Disclosure - The Good, Bad, and Ugly

TShields's picture
By Tyler Shields October 21, 2008

There is apparently a bit of fear going around information security circles that the next big trend in the disclosure wars is going to be "Partial Disclosure". In the past, the vulnerability research community has embraced the concepts of "Full Disclosure" and/or "Non-Disclosure". Once those concepts had been sufficiently played out, the general consensus was to move towards "Responsible... READ MORE

New To The Team - Old To The Game

TShields's picture
By Tyler Shields October 21, 2008  | 5

Welcome, come on in, have a seat. There is a cold beer in the fridge, help yourself! I may be new to the team, but I'm (reasonably) old to the game. My name is Tyler Shields and I'm the latest addition to the Veracode research team. I started at Veracode in September 2008 as a Senior Security Researcher and have been immediately thrown into the fire. Working for a fast paced, highly energetic... READ MORE

(ISC)2's Newest Cash Cow: The CSSLP Certification

CEng's picture
By Chris Eng September 29, 2008  | Research 23

Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation -- the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42" plasma TV to be raffled, the  Executive Director of (ISC)2  outlined this new certification designed to appeal to... READ MORE

Learning From Sarah Palin's Yahoo Mail Compromise

cwysopal's picture
By Chris Wysopal September 18, 2008

The password reset functionality of any online service is a major source of risk. They are especially problematic when they use only a "secret question" concerning personal information only and don't tie back to another email account or a text message. Another account or cell phone number is something "out of band" from a direct transaction with the online service. It becomes 2-factor... READ MORE

Speculation on Palin E-mail Hack

CEng's picture
By Chris Eng September 17, 2008  | 8

Assuming the mailbox hack is not an elaborate ruse, how did they do it? Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen: As you can see, you need to know the user's birthday, country of residence, and postal code. Not difficult information to dig up in Palin's case. After you enter this information correctly, you are... READ MORE

Sarah Palin's Yahoo Mailbox Compromised

cwysopal's picture
By Chris Wysopal September 17, 2008

A group of individuals has compromised VP candidate Sarah Palin's personal email and sent the information to Wikileaks which has posted the information publicly. http://wikileaks.org/wiki/Sarah_Palin_Yahoo_email_hack_2008 Circa midnight Tuesday the 16th of September (EST) Wikileaks' sources loosely affiliated with the activist group 'anonymous' gained access to U.S. Republican Party Vice-... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu