Zack Whittaker

Zack Whittaker is the security editor for ZDNet, covering cyber and national security. He is based in the New York newsroom and can also be found on sister sites CNET and CBS News. You can reach him with his PGP key: EB6CEEA5.

Charlie Osborne

Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B | Research/security tips email: cingred@protonmail.com.

Jennifer Leggio

Jennifer Leggio has been in the security industry for 17 years as a marketer, advisor, and writer. Her focus is on security culture, including disclosure, community issues, equality in security, disruptive trends, and even marketing best practices. PGP Key: 3A708289 | She prefers other contact on Twitter via @mediaphyter.

Latest Posts

Google downplays severity of Gmail CSRF flaw

Yesterday, Vicente Aguilera Diaz of Internet Security Auditors released a proof of concept for a CSRF (Cross-Site Request Forgery) vulnerability in Google's Gmail, which he had originally reported to Google two years ago. The CSRF flaw affects Gmail's "Change Password" function: according to Diaz, the session cookie is automatically sent by the browser with every request, which is what makes the attack possible.

March 4, 2009 by in Security

Bad, bad, cybercrime-friendly ISPs!

In a post-McColo, post-Atrivo and post-EstDomains cybercrime ecosystem, the researchers at FireEye have recently launched a "Bad Actors series" aiming to put the spotlight on some of the currently active badware actors online. The sampled ISPs represent safe havens for drop zones for banker malware, DNSChanger malware, rogue security software and live exploit URLs.

March 4, 2009 by in Security

Why full disclosure is an important tool

Guest editorial by Danny Quist. This latest Adobe vulnerability has created a stir on some of the closed mailing lists regarding full disclosure. While I would have liked to think that this debate was over a long time ago, I now realize that everyone has disagreed to disagree.

March 3, 2009 by in Enterprise Software

Conficker worm to DDoS legitimate sites in March

Among the key innovations of the Conficker worm (W32.Downadup) was the pseudo-random domain generation algorithm used for the generation of dynamic command and control locations in order to make it nearly impossible for researchers and the industry to take them down.

March 3, 2009 by in Security

Pwn2Own hacker: Apple Safari is 'easy pickings'

Charlie Miller, the security researcher who won last year's Pwn2Own hacker contest, is predicting that Apple's Safari browser will be the easiest target this year. In a note posted on the popular Daily Dave mailing list, Miller describes Safari as "easy pickin's" and forecasts that at least four zero-day Safari flaws will be used during the contest at CanSecWest later this month.

March 3, 2009 by in Security

The return of L0phtCrack

More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack have reacquired the tool with plans to release a new version at next week's SOURCE Boston conference.

March 2, 2009 by in Security

Design specs on the president's helicopter found on Iranian systems; leaked via P2P

Design specs on the President's helicopter, Marine One, have been found on an Iranian server, according to a security firm that gathers intelligence on peer-to-peer networks. According to P2P intelligence firm Tiversa, a soon-to-be-ex-employee of a Bethesda-based military contractor installed a P2P app on their cleared desktop and leaked out the design specs for the helicopter that carries the President from the White House to Air Force One.

March 1, 2009 by in Enterprise Software

URL rewriting can help thwart Web app attacks

A Microsoft Web application security specialist is suggesting an offbeat defense-in-depth strategy to protect Web sites and applications from cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks. According to Bryan Sullivan, security program manager for Redmond's Security Development Lifecycle team, Web developers should consider URL rewriting as a technique to ward off hackers looking to exploit Web app vulnerabilities.

February 27, 2009 by in Collaboration

Microsoft takes aim at Vista 'SoftMod' hack

Starting this week, Microsoft will ship an update to Windows Vista Ultimate users to ferret out cracked copies of its most expensive and feature-packed operating system. The renewed anti-piracy campaign is aimed directly at the activation exploit known as the "SoftMod hack," according to a post on Microsoft's WGA blog.

February 26, 2009 by in Microsoft

Research: 76% of phishing sites hosted on compromised servers

In a newly released paper entitled "Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing," Tyler Moore and Richard Clayton provide empirical evidence that 75.8% of the phishing sites they analyzed (2,486 sites) were hosted on compromised web servers to which the phishers had obtained access through Google hacking techniques (search engine reconnaissance).

February 25, 2009 by in Security

Microsoft 'Fix it' automates fixing Windows problems

I'm a little bit late with this, but it's such a useful move by Microsoft that I figured I'd point it out for Zero Day readers. Microsoft has been adding a nifty one-click "fix it" utility to its Knowledge Base (KB) articles to help end users solve Windows problems without having to navigate through the maze of instructions.

February 25, 2009 by in Enterprise Software

Google wants to buy Native Client security flaws

Google is (indirectly) buying security vulnerabilities from white hat hackers. Under the guise of a Native Client Security Contest, the search engine firm is offering big cash prizes to hackers who find bugs and other security flaws in the open-source research technology for running x86 native code in Web applications.

February 25, 2009 by in Security
