An Ounce of Prevention is Worth a Pound of Cure

A conversation on Twitter this morning started out like this: @dinozaizovi: Finding vulnerabilities without exploiting them is like putting on a dress when you have nowhere to go. This clever analogy spurred a discussion about the importance of proving exploitability as a prerequisite to fixing bugs. While I agree that nothing is more convincing than […]

We Need To Learn More About the RBS Worldpay ATM Attack

The size and scope of the RBS Worldpay ATM heist are unprecedented. The perpetrators stole $9M in a matter of hours from 2100 ATMs worldwide. An indictment was handed down on Nov 10, 2009. I am always on the lookout for indictments and trials related to computer crime because this is often the only time […]

White Box Better Than Black Box

The WASS Project which Veracode contributed data to shows some nice benefits to White box (static) over Black box (dynamic) for many serious vulnerability categories. White box overall detects a higher prevalence of many categories which we can extrapolate to having lower FN rates. Now the sample set of apps is not the same so […]

From the 10 Years Ago Today Department

From the L0pht Archives: Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC 9.30.1999 The lack of client side security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the […]

Stealing PII is So 2007 — They Want Your Endpoint

Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want […]

Trust Your Own Code?! Trust Your Own Compiler?!

Trust has long been a favorite target of malicious individuals. Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye. Ken Thompson’s seminal paper “Reflections on Trusting Trust”, which won […]

SQL Injection Blamed for 7-11, Hannaford and Heartland Breaches

The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez. It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network. The […]

Connection Between Identity Theft and Cyberwarfare

There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year. “Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen […]

Bytecode Analysis Is Not The Same As Binary Analysis

Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java VM or the .NET CLR. As […]

BlackHat Picks 2009

It’s time for the yearly BlackHat picks. Without further ado, here’s where you’ll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes — there is no way I will actually make it to all of these, but as of now, this is what’s […]

1 2 3 4