Much has been written this week on the sad story of Aaron Swartz and the Anonymous hack executed in his name. This story has affected many people in the IT community. Anonymous hackers, hacked &…
A Lesser Cross-Site Scripting Attack Greater Than Your Regex Security A lot of developers rely on regex to protect against XSS. The following article demonstrates different mechanisms on how developers use regex and how they…
Voting for Security B-Sides San Francisco presentations is in full swing. Be sure to vote for your favorites talks. We’re partial to these two talks by Dan Kuykendall! The Pineapple Express: Live mobile application hacking demonstration….A speeding bullet…
My buddy, Jim Broome over at DirectDefense wrote this great blog post, “Security that Works: Even on a Budget.” They have posted two blogs in the series. The first one covers “Hacking Attempts“ and the second focuses on…
NTLM Challenge Response is 100% Broken Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time,…
SSNs, Salary Information Exposed In Breach of Army Servers Computer hackers have illegally gained access to personal information of more than 36,000 people connected to Army commands formerly based at Fort Monmouth. An Army spokeswoman…
The 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition The business logic abuse scenarios presented by the Ponemon Institue are web scraping, account hijacking, click fraud, botnets causing denial of service, electronic…
HTML5 Definition Complete, W3C Moves to Interoperability Testing and Performance The 5th revision of HTML is regarded as the future of web markup language. The long awaited specs for HTML5 have been finalized. This week,…
This very useful talk was as much an education in HTML5 for me as it was an education on how HTML5 can be abused. I am coming up to speed on HTML5 concepts. Shreeraj Shah…
First off, in the spirit of full disclosure, two points: One is that this talk took place at the same time as the Shreeraj Shah talk I attended, but I did indeed effectively attend this…