Grumpy Security Guy

I’ve suffered the tortures of the damned

Entries Tagged as 'Security Industry'

PCI 6.6 clarified

April 22nd, 2008 ·

Trey Ford has a good roundup of the new PCI 6.6 clarification in PCI 6.6 Information Supplement Released. All I have to say is well done to the PCI council! From my first pass it seems like it is pretty clear AND they understand the issues organizations are facing. I have a few nits, here [...]

Tags: Security · Security Industry

Mac Hacked in 2 Minutes, Apple is a lame patcher

March 27th, 2008 ·

At the CanSec West conference Charlie Miller wins the PWN 2 OWN contest. I think these contests are kinda lame as they do not prove much, other than Charlie Miller was most likely sitting on a vulnerability waiting until the contest. I still think it is somewhat cool that there are people that are [...]

Tags: OS X · Security · Security Industry

FBI CSRF and Jail How to Get Someone Raided

March 20th, 2008 ·

This seems pretty scary. Apparently the FBI posted a link on some online forum that claimed to display kiddy porn. The story is here.
Upon reading this the first thing that popped into my mind was CSRF (Cross Site Request Forgery). Now this is not classic CSRF since CSRF generally implies I am exercising some functionality on [...]

Tags: Security · Security Industry · web site security

The Big Announcement

March 12th, 2008 ·

I’ve not been this pumped about something in a long time. Jeremiah actually has been pulling me into liking this idea for a very long time. I hated it at first. I mean WAFs, bleh. Plus I mean didn’t we already try scanners + WAFs before? Oh yeah the total trainwreck that was AVDL. So one [...]

Tags: Security · Security Industry · web site security

Something Wicked This Way Comes

March 4th, 2008 ·

Sorry for my silence here for the past month. I had a new son, and on top of that March 10th WhiteHat will be announcing something really big that we think is going to change the Web Application Security space. I have been busy on analyst calls as well as marshaling it through the development process. [...]

Tags: Security · Security Industry

HP Corners the Market on Hackers

February 11th, 2008 ·

I thought this was a pretty funny quote from this article.
Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.
The “he” is Mark Potts CTO of Software, Hewlett-Packard. When I read that the first thing that [...]

Tags: Humor · Security Industry

ScanAlert - XSS is Cool with Us

January 21st, 2008 ·

Sometimes I just want to give up. I really hate XSS because it is really a tricky issue to explain to people that don’t understand. It basically boils down to bad people using my website to compromise clients. What they do with those compromised clients can range from fairly benign replicating worms, phishing scams, [...]

Tags: Security Industry

5 Security Predictions for 2008

January 8th, 2008 ·

1. We will see the first multi-website XSS worm.
I think we will finally get a true cross site XSS worm in 2008. Combining XSRF and XSS to propagate a worm across multiple sites and multiple domains. The first one will be benign but the others will be much more malicious in nature. Leading victim candidate [...]

Tags: Security Industry · web site security

Is PCI Really Working? 2007 Worst Year Yet

December 30th, 2007 ·

Wired has a good article covering the fact that 2007 was the worst year on record when it comes to the amount of credit card and social security numbers disclosed to third parties.
Seriously people wake up. PCI might be nice and it might set a baseline and all that nice stuff. It is still [...]

Tags: Security · Security Industry

Security Consultant Hacks: Size Matters

December 19th, 2007 ·

This is part of my occasional series on security consultants and how best to employ them.
Security consulting operations come in the standard small, medium and large sizes. Small shops are less than 30 consultants, medium 31-200, large 201+.
Small shops: Sometimes known as boutique firms or lifestyle firms (since the people that run them take jobs [...]

Tags: Security · Security Industry