444 items tagged “security”
2007
If you found a hole in software that millions of people use, and is very high profile, you can sell that to the highest bidder for perhaps one or two million dollars.
— Jacques Erasmus # 4th February 2007, 7:06 pm
Microsoft confirms Vista Speech Recognition remote execution flaw. “I have verified that I can create a sound file that can wake Vista speech recognition, open Windows Explorer, delete the documents folder, and then empty the trash.” # 1st February 2007, 5:19 pm
MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list was archived there. # 26th January 2007, 9:57 am
Solving the OpenID phishing problem
Most of the arguments I hear against OpenID are based on misunderstandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.
[... 531 words]
The NHL’s All-Star voting disaster. The NHL ran an online poll to decide which players are picked for their All-Star Game. The only authentication was a poorly implemented CAPTCHA. Unsurprisingly, it got gamed. # 19th January 2007, 9:50 am
MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!) # 17th January 2007, 9:09 am
Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services. # 14th January 2007, 1:36 pm
The JavaScript alert(), confirm() and prompt() functions in Firefox, Opera and MSIE (but not Safari) will truncate the message after any null character. So an unsuspecting programmer who inserts user-provided text into one of these dialog boxes opens up an opportunity for the user to rewrite the bottom of the dialog box.
— Neil Fraser # 13th January 2007, 12:28 pm
The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline. # 11th January 2007, 4:23 pm
Choosing Secure Passwords. Bruce Schneier describes the state of the art in password cracking software. # 11th January 2007, 2:55 pm
If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web.
— Alex Russell # 8th January 2007, 10:48 pm
Why don’t we have a .bank or .bank.country_code TLD that’s regulated by the same people that regulate the banks themselves?
— Dean Wilson # 7th January 2007, 10:22 pm
2006
How is Google giving me access to this page?
Google have an open URL redirector, so you can craft a link that uses that:
[... 35 words]
A Cost Analysis of Windows Vista Content Protection (via) Vista’s content protection is a nightmare for hardware manufacturers and consumers alike. It’s far worse than even BoingBoing readers would expect. # 24th December 2006, 10:34 am
Rogues are very keen in their profession, and know already much more than we can teach them
— The Construction of Locks # 19th December 2006, 8:55 am
Never store passwords in a database! The reddit.com developers just learnt this the hard way. It might be time to change some of your passwords. # 16th December 2006, 12:01 am
Real-World Passwords. Random passwords phished from MySpace are surprisingly decent. # 14th December 2006, 2:14 pm
BT acquires Counterpane Internet Security (via) They just bought Bruce Schneier. # 25th October 2006, 10:57 am
Better Metrics for Security—Understanding the Symantec Internet Security Threat Report. Mozilla defends against yet more spurious bug count reports. # 27th September 2006, 9:54 am
Parsing XML can open network sockets (via) Yikes. Something to bear in mind. # 18th August 2006, 2:27 pm
Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.” # 17th August 2006, 2:19 pm
Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t! # 10th August 2006, 4:26 pm
On the total nondisclosure of the 8/9/06 [Rails] security vulnerability. The best argument I’ve seen in favour of full disclosure. # 10th August 2006, 2:53 pm
Rails 1.1.5: Mandatory security patch. Upgrade now, and spread the word. # 9th August 2006, 8:55 pm
Why is XSS so common? Because dev tools don’t escape things by default. # 2nd August 2006, 8:57 pm
Don’t serve JSON as text/html. Another sneaky XSS trick. # 5th July 2006, 11:46 pm
Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property. # 22nd January 2006, 9:37 pm
Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month. # 21st January 2006, 8:47 pm
DHS Funding Open Source Security. Paying for “source code analysis technology” coverage of Linux, Apache, PostgreSQL and more. # 17th January 2006, 10:18 pm
2005
Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS. # 24th December 2005, 5:21 pm