Simon Willison’s Weblog

Entries tagged security in Nov

Filters: Type: entry × Month: Nov × security ×


Is there anyway to game unique link verifications?  Like when you get sent a link of the form https:/........com/UID=TYYN04001 How would one change the digits to reproduce another working link?

Not if they’ve been implemented correctly.

[... 42 words]

How could GitHub improve the password security of its users?

By doing exactly what they’re doing already: adding more sophisticated rate limiting, and preventing users from using common weak passwords.

[... 80 words]

Social engineering and Orange

I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.

[... 311 words]

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.

[... 262 words]

High security is low security

Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system:

[... 225 words]

XML security on SitePoint

Getting Started with XML Security is a SitePoint article of epic proportions. I had never really looked at any of the XML security applications but this article appears to cover the lot.

[... 33 words]

OWASP Security guide

The Open Web Application Security Project (OWASP) have a free guide to building secure web applications, which covers a large range of common problems such as cross site scripting and SQL injection vulnerabilities. The report is a 60 page PDF and although I haven’t had time to go through it yet it looks like an excellent read.

[... 74 words]