
Tags » Anthony M. Freed

We use easily counterfeited identification, Social Security numbers that are written on the sides of buses and we rely on the anonymity of the phone, fax, internet and snail mail as a means of application. In other countries they solve problems. They have priorities and don’t deal with the rhetoric.  They put security first, convenience second...

 

The mechanical wonders that once used kerosene and chain drive squeegee rollers to mass produce wet-paper copies are long gone. It’s a digital copier these days that falls into a gray area between Classification of Documents and Enterprise Cyber Security. As technology in the copy machine industry has evolved, many of these systems now contain large hard drives which retain full and complete images of each and every copy made on the system...

 

Securing an organization's assets requires work, and there are many different ways to classify controls. This white paper examines three common types of controls: administrative, technical, and physical.

 

This weekend, BusinessWeek.com will feature our own Anthony M. Freed, Editor and Business Development Director for the Infosec Island Network.

 

The technique, found by Lava Kuppan, describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava...

 
Anthony M. Freed on Mar 12, 2010 in News & Discussion

There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly… The Jester

 
Anthony M. Freed on Mar 11, 2010 in News & Discussion

Many security professionals have sent me irate comments via e-mail like: You’re insane! You can’t block China! How long have you been in security! You can’t block a whole country! These remarks come in response to my writings concerning cyberwarfare, China and similar themes. In today’s blog entry, I bring to you: “Advanced Persistent Errata – Defending The Castle;” in other words, Blocking ANYONE you damn well choose to block…

 
Anthony M. Freed on Feb 24, 2010 in News & Discussion

IT security firm Sophos has warned Twitter users of a new attack that has led to thousands of accounts being compromised by hackers using a Web 2.0 botnet. The hijacked accounts are later used to spread money-making spam campaigns. The security firm found that fellow members of the micro-blogging network had posted messages disguised as humorous links that were actually aimed at phishing password credentials from unsuspecting users. These messages were accompanied by clickable links which redirected users to a fake Twitter login page hosted on a website based in China. Watch the video which demonstrates the attack…

 
Anthony M. Freed on Feb 24, 2010 in News & Discussion

Infosec Island has gained exclusive access to a video demonstration of the XerXeS DoS attack as it is unleashed on the Taliban website www.alemarah.com, and carried out by infamous patriot hacker The Jester (th3j35t3r). The video release follows an earlier announcement that The Jester has been working to improve and automate aspects of the attack method, which unlike a DDoS attack, requires only one low spec machine to implement…

 
Anthony M. Freed on Feb 23, 2010 in News & Discussion

Trefis, named for its focus on trends, forecasts, and insights, is revolutionary in its forward-looking approach to stock analysis, which incorporates an intuitive look at the relationship between a company’s product divisions and its stock price. Services for Routers and Switches Make up 18% of Cisco’s Stock - Cisco makes a significant amount of money by providing troubleshooting and maintenance services to its hardware customers….

 
Anthony M. Freed on Feb 22, 2010 in News & Discussion