Monthly Archives: March 2011
Some thoughts about the Tripadvisor breach
Gawker, Trapster, now Tripadvisor. I’m sorry Steve Kaufer, but I don’t think the email you sent is good enough anymore. You said “passwords remain secure.” HOW DO WE KNOW THAT? State how you stored the passwords. Is it a one-way hash? If so, state the algorithm. What about the salt? Did you have [...]
Quantifying the Unknown: Measuring a Theoretical SecurID Attack
It’s been a few days since the attack on RSA / SecurID was made public. Last Friday, I considered potential risks the compromise may pose to RSA’s customers. Since then, the security world has been buzzing with analysis of risks, worst-case scenarios, and second-guessing of the official RSA press releases. Late yesterday, RSA released additional [...]
The RSA/SecurID Compromise: What is my risk?
So yesterday, RSA, a security division within EMC and the folks responsible for SecurID, one of the most popular forms of two-factor authentication, announced that they’d been hacked. What does this mean? Well, we don’t have many details, but the most troubling bit is that apparently the attackers acquired information “specifically related to RSA’s SecurID [...]
CanSecWest 2011
CanSecWest 2011 is an important and influential gathering of information security professionals. The topics covered at CanSecWest are diverse and span both the offensive and defensive sides of the information security fence. CanSecWest is a three-day conference where attendees can attend every session, if they so choose. The talks are [...]
This is not the Android Market Security Tool you are looking for
We have been actively following and analyzing the spate of Android malware in the Android Marketplace. The most recent outbreak to light up the blogosphere has been the Droid Dream outbreak. Google’s response to this was to launch a search and destroy mission. They created and pushed a tool to all handsets that were [...]
VeriFone vs Square – A Draw?
There’s been a lot of talk this morning about an open letter from VeriFone regarding the Square iOS credit card system. They make some pretty heavy accusations about a security hole in the Square system: The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window [...]
Bug Bounties: Do they work?
Two years ago at CanSecWest Charlie Miller, Alex Sotirov and Dino Dai Zovi declared there would be no more free bugs. One of the leading philosophies for the “no more free bugs” statement is that an organization paying an individual security researcher legitimizes that research and dramatically changes the organization’s posture on reported bugs. The [...]
Discussion: Application Security Debt
I am going to break a rule of good blogging and straight-away direct my readers to some background material with the promise of a quick summary in this post:
Application Security Debt and Interest Rates – Chris Wysopal
A Financial Model for Application Security Debt – Chris Wysopal
Fix to Wysopal’s Application Security Debt Metric [...]
Financial News and malicious Android Apps
I’m a bit of a CNBC junkie; I stream it all day (so if you want to spear-phish me, send an email about my subscription to pro.cnbc.com expiring, harhar). While drinking coffee this morning and going through my news feeds, the story about malicious Android applications floated to the top (via finance.yahoo.com): http://mashable.com/2011/03/01/android-malware-apps/ So who [...]