BlackBerry Spyware Dissected

Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more. We’re not sure why the software was delivered in […]

Nation State Cyberwarfare Reality Check

Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that let’s the bad guys take advantage of all the insecure software that vendors have shipped […]

The Mobius Defense – An Impetus for Application Security

The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting […]

Mystery of Donkey Kong Kill Level Solved

It was an integer overflow. I guess it is never too late to fix a bug. Don Hodges used the old video game firmware and a MAME machine to debug and fix a problem which has kept expert Donkey Kong players from ever getting past level 22. If you have seen King of Kong you […]

Even Government Censors Demand Secure Software

As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to “protect” viewers from offensive text and images such as politically sensitive content. Subsequent to this announcement, […]

Vulnerability in Virtualization App Wipes Out 100,000 Sites

Vaserve, a UK webhosting company says that 100,000 of its customer sites were wiped out in what looks like a zero day attack on HyperVM, a virtualization application they used. The HyperVM was a product of lxlabs. I checked out the lxlabs product documentation and website and could not find any reference to using a […]

Obama to Pick New Cyber Czar

It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke’s position under President Clinton. This position will be critical for organizing the government’s fragmented information security efforts, both for the government sector and the country’s […]

But That’s Impossible!

In lieu of actual technical content, and inspired by Jeremiah’s blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, “No one at the organization knows about, understands, or respects the issue.” I polled the Veracode research group, most of whom have been security […]

Best Practice: Consider External Data Feeds Untrusted

If you visit this article on the New York Times website, you’ll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore] Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in […]

Decoding the Verizon DBIR 2009 Cover

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]

1 2 3 4