Intrepidus Group

Monthly Archives: March 2011

Some thoughts about the Tripadvisor breach

Posted: March 24, 2011 – 9:49 pm | Author: | Filed under: Articles, bugs, Passwords

Gawker, Trapster, now Tripadvisor. I’m sorry Steve Kaufer, but I don’t think the email you sent is good enough anymore. You said “passwords remain secure”. HOW DO WE KNOW THAT? State how you stored the passwords. Is it a one way hash? If so, state the algorithm. What about the salt? Did you have […]

Quantifying the Unknown: Measuring a Theoretical SecurID Attack

Posted: March 22, 2011 – 11:03 am | Author: | Filed under: Cryptography, Passwords, Risk Analysis

It’s been a few days since the attack on RSA / SecurID was made public. Last Friday, I considered potential risks the compromise may pose to RSA’s customers. Since then, the security world has been buzzing with analysis of risks, worst-case scenarios, and second-guessing of the official RSA press releases. Late yesterday, RSA released additional […]

The RSA/SecurID Compromise: What is my risk?

Posted: March 18, 2011 – 8:32 am | Author: | Filed under: Cryptography, Risk Analysis

So yesterday, RSA, a security division within EMC and the folks responsible for SecurID, one of the most popular forms of two-factor authentication, announced that they’d been hacked. What does this mean? Well, we don’t have many details, but the most troubling bit is that apparently the attackers acquired information “specifically related to RSA’s SecurID […]

CanSecWest 2011

Posted: March 17, 2011 – 11:47 pm | Author: | Filed under: Conferences

CanSecWest 2011 is an important and influential gathering of information security professionals. The topics covered at CanSecWest are diverse and span both the offensive and defensive sides of the information security fence. CanSecWest is a three day conference where attendees can attend every session, if they so choose. The talks are […]

This is not the Android Market Security Tool you are looking for

Posted: March 11, 2011 – 12:46 am | Author: , , , and | Filed under: android, android.bgserv, Cryptography, jailbreak, jailbreaking, Mobile Security

We have been actively following and analyzing the spate of Android malware in the Android Market place. The most recent outbreak to light up the blog-o-sphere has been the Droid Dream outbreak. Google’s response to this was to launch a search and destroy mission. They created and pushed a tool to all handsets that were […]

VeriFone vs Square – A Draw?

Posted: March 9, 2011 – 1:31 pm | Author: | Filed under: iOS, PCI, Risk Analysis

There’s been a lot of talk this morning about an open letter from VeriFone regarding the Square iOS credit card system. They make some pretty heavy accusations about a security hole in the Square system: The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window […]

Bug Bounties: Do they work?

Posted: March 9, 2011 – 10:42 am | Author: | Filed under: bugs, Conferences, Security Management, software security, Web Apps

Two years ago at CanSecWest Charlie Miller, Alex Sotirov and Dino Dai Zovi declared there would be no more free bugs. One of the leading philosophies for the “no more free bugs” statement is that an organization paying an individual security researcher legitimizes that research and dramatically changes the organization’s posture on reported bugs. The […]

Discussion: Application Security Debt

Posted: March 5, 2011 – 11:49 am | Author: | Filed under: Mobile Security, SDL, Security Management, software security, Tools

I am going to break a rule of good blogging and straight-away direct my readers to some background material with the promise of a quick summary in this post: Application Security Debt and Interests Rates – Chris Wysopal A Financial Model for Application Security Debt – Chris Wysopal Fix to Wysopal’s Application Security Debt Metric […]

Financial News and malicious Android Apps

Posted: March 2, 2011 – 4:19 pm | Author: | Filed under: android, Articles, Mobile Device Management, Mobile Security

I’m a bit of a CNBC junkie; I stream it all day (so if you want to spear-phish me, send an email about my subscription to expiring, harhar). While drinking coffee this morning and going through my news feeds, the story about malicious Android applications floated to the top (via So who […]
