Updated 05/16/2008 2:00 p.m. CST: I officially have my first customer for the "Nate McFeters Safe" certification and Jeremiah Grossman and I have signed up another member for Scanless PCI, as noted security researcher Russ McRee has purchased our certifications, see http://holisticinfosec.
Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.
Violet Blue is the author of The Smart Girl's Guide to Privacy. She contributes to ZDNet, CNET, CBS News, and SF Appeal.
Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years
What are some of the main factors for the increase of phishing attacks, and their maturity from passive emails to blended threats attempting to not just steal personal information, but also infect with malware by embedding client-side vulnerabilities at the pages? It's all a matter of perspective, which in this post will emphasize on the continuing efforts on behalf of phishers to innovate, and introduce new features within the most recently obtained do-it-yourself phishing page generators.
Nitesh Dhanjani released information about some of his newest research on the Safari web browser this morning, and interestingly enough, Apple has decided NOT to fix some of the issues he presented.Dhanjani reported three issues, as follows below from his blog:1.
With the Quickness: HD Moore sets new land speed record with exploitation of Debian/Ubuntu OpenSSL flaw
So, for those who haven't heard, a Debian packager modified the source used for OpenSSL on Debian based systems (Debian and the whole of the Ubuntu family) to remove the seed used for PRNG (Pseudo Random Number Generator) used when creating SSL keys. Well, HD Moore set a new record for speed to exploit with the release of what he calls Debian-OpenSSL Toys.
I've been busy all day and just haven't been able to get to it until now, but Aviv Raff is a seriously bad man. I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other areas of attack.
According to good friend Robert McMillan of IDG News, Sebastian Muniz, a researcher with Core Security Technologies, has developed malicious rootkit software for Cisco's routers, which he will release on May 22 at the EuSecWest conference in London. This will mark the first time (at least publicly) that someone has released a rootkit written for the Cisco IOS.
Thought I'd explore some of these bugs a bit more... first, Tipping Point released one of the vulnerabilities that Larry reported earlier, listed as a stack overflow issue in Microsoft Office Jet Database Engine.
Microsoft on Tuesday delivered four critical patches for vulnerabilities Office and Windows XP. There were six patches delivered.
In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek mind you, that it'd be interesting to see an XSS or SQL Injection on McAfee's site, see if they are indeed "McAfee Secure". Well, I guess you get what you ask for...
Make botnets, not war? In April, last year, I asked the question "Why establish an offensive cyber warfare doctrine when you can simple install a type of Lycos Spam Fighting screensaver on every military and government computer and have it periodically update its hit lists?