The technique, found by Lava Kuppan describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava...
Apple Stock: iPad Business More Valuable Than Mac Desktops - We estimate that Apple’s iPad business accounts for 4% of the $267 Trefis price estimate for Apple’s stock compared to about 3% for Apple’s Mac desktop business…
The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S.cyber defenders. Specifically, the new Certified Ethical Hacker program is required for the DoD's computer network ...
The FTC sending a warning to 100 companies and agencies that their employees are leaking client and sensitive data on the web via Peer to Peer file sharing (P2P) is the single most pathetic and embarrassing communication to come across the desk of an IT professional. It’s over, Johnny IT’S OVER…
Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence…
Has someone been putting strange substances in the drinking water at Gartner’s Greenwich, CT headquarters? Some of their analysts are beginning to sound like New Age gurus on a mission to bring peace, love and harmony to the corporate world. Consider these words of wisdom recently imparted by Gartner analysts to clients at an Orlando conference…
Trefis Analysis: Notebook PCs 17% of Dell’s Stock on February 25, 2010 Dell shipped an additional 1.2 million notebook PCs in 2009 over 2008. We expect growth in the global notebook market to drive Dell’s notebooks sales in the future…
Once an agency crosses over into social media interactions with other agencies and non-governmental organizations, the guidance gets diluted. The guidelines point to five government agencies, none of which are the definitive resource for social media implementations. These guidelines are a must read for any organization that is considering a foray into the Web 2.0 sphere…
Many security professionals have sent me irrate comments via e-mail like: You’re insane! You can’t block China! How long have you been in security! You can’t block a whole country! These remarks come in response to my writings concerning cyberwarfare, China and similar themes. In today’s blog entry, I bring to you: “Advanced Persistent Errata – Defending The Castle;” in other words, Blocking ANYONE you damn well choose to block…
IT security firm, Sophos, has warned Twitter users on a new attack that has led to thousands of accounts being compromised by hackers using a Web 2.0 botnet. The hijacked accounts are later used to spread money-making spam campaigns. The security firm found out that fellow members of the micro-blogging network had posted messages disguised as humorous inks, but were actually aimed to phish passwords credentials from unsuspecting users. These messages were accompanied with clickable links which redirected users to a fake Twitter login page hosted on a website based in China. Watch the video which demonstrates the attack…