Online “Pick Pocket” Attacks Getting Worse After All These Years

By Chris Wysopal March 21, 2007

You see, Oliver... [sung] In this life, one thing counts In the bank, large amounts I'm afraid these don't grow on trees, You've got to pick-a-pocket or two. You've Got To Pick-a-Pocket or Two lyrics, from Oliver! Does this ABC News story on criminals looting 401K and online trading accounts of tens of millions of dollars surprise anyone in the security field? Well of course it shouldn't. We...

Vulnerability Disclosure Evolves

By Chris Eng March 13, 2007

Jeremiah recently posted about the Microsoft Security Response Center inviting security researchers to disclose vulnerabilities discovered in a Microsoft "online web property," which is to say, anything in the domain (or,, etc.). Immediately, people started trying to profit from the idea, suggesting that Microsoft agree in advance to a "reward system" whereby they...

It's Time For Fair Use In Patent Law

By Chris Wysopal February 27, 2007

RFID security device manufacturer HID is using threats of patent infringement to stifle a Black Hat Federal presentation by Chris Paget on the threat of RFID card cloning. The risks of RFID card cloning are real and are nothing new. The details of the technology have been publicly available for years. What is new is the visceral demonstration that a device can provide. HID is scared that people...

Better Criteria for Selecting Pen Test Consultants

By Chris Eng February 27, 2007 | Research

An article was forwarded to me today, entitled Avoid Wasting Money on Penetration Testing. While the core message is on target (i.e. be sure you know what you are getting before you sign on the dotted line), the suggestions for how to achieve this are misleading. Let's examine the "5 steps to choosing a supplier" outlined in the article: Ask if their consultants have passed an...

Implications of the Google Desktop Hack

By Chris Eng February 23, 2007

Watchfire just released a whitepaper on Overtaking Google Desktop which is a thought-provoking read. It essentially exploits the mechanism by which Google Desktop hooks the browser in order to inject links to the local Google Desktop instance when the user performs a typical online Google search. There are a couple of gating factors to making this attack viable -- the initial attack vector...

TJX Data Theft Just Keeps Getting Worse

By Chris Wysopal February 23, 2007

TJX issued a press release yesterday coming clean on what they know about the breach of their corporate network. They are now admitting that they have been compromised as early as July 2005 and continued to be compromised up until December 2006. It is unlikely only one attacker found the vulnerabilities exploited. I wouldn't be surprised if dozens of attackers found their way into the network...

Stupid Solaris Tricks, and a Brief Retrospective

By Chris Eng February 12, 2007

An annoyingly stupid vulnerability in the stock Solaris 10/11 telnet daemon, courtesy of Full Disclosure (more details in this PDF, but it's NSFW): Pass "-f[user]" as the "-l" option to telnet, and presto, you bypass the entire authentication process and are logged in as the user of your choice! Works for the root user too, as long as the server is configured to allow remote root logins. ceng@...

Heading to RSA

By Chris Eng February 4, 2007

Like many of the people who will eventually read this, I'm packing my bags and heading to San Francisco tonight for the RSA Conference. For those of you also attending, please stop by our booth (#2612) and say hello. We'll be giving demos of our service platform and discussing how our software-as-a-service delivery model will help solve application security problems that tool-based approaches...

How to Pick Up Malware at the Airport

By Chris Eng February 3, 2007

A few weeks ago I was waiting for a flight in the JetBlue terminal of JFK. JetBlue offers free Wi-Fi to its customers, which is a nice touch. I powered up my laptop and this is what I saw: If I'm your typical non-security-minded traveler, which of these networks am I most likely to connect to? I would guess that the majority of people will select one of the two with Jet Blue in the SSID, or...

The Software Trustworthiness Framework (STF©)

By Chris Wysopal January 30, 2007 | Research

[Today we have our first guest blog entry from Elfriede Dustin. Elfriede is a co-author of "The Art of Software Security Testing" and has written a few books on software testing, most notably, "Automated Software Testing" published by Addison-Wesley in 1999. We have heard plenty from security experts on how to fix the software development process to produce more secure...
