<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Security Assurance</title><description>2011-09-28 21:17:58 - Analytical Engine : One of the concepts that I think gets heavily overlooked in security is the idea of assurance: the degree of protection a specific control provides. When speaking about assurance the discussion is how resilient a control is to attack: controls easily thwarted offer low assurance, controls very difficult to bypass offer high assurance...</description><link>http://www.secuobs.com/revue/news/331587.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331587.shtml</guid></item>
<item><title>Blizzard, you are creating problems for yourself</title><description>Secuobs.com : 2011-08-19 17:03:11 - Analytical Engine - I've long held that one of the best ways of securing one's data/functionality is by making them worthless to attackers. If SSN wasn't the primary key to the US consumer credit system then systems could collect it without much concern, because there would be little incentive to try and compromise the system for SSNs. There...</description><link>http://www.secuobs.com/revue/news/324083.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324083.shtml</guid></item>
<item><title>On PCI</title><description>Secuobs.com : 2011-08-08 23:28:43 - Analytical Engine - Having just returned from Blackhat I have a wealth of topics that, time permitting, I may articulate under the arrogant notion that random people on the internet have some interest in my thoughts. Pertinent to this post is the ever popular habit of PCI bashing at security conventions. Having thought of this, I think in...</description><link>http://www.secuobs.com/revue/news/321818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321818.shtml</guid></item>
<item><title>Exploiting ChromeOS</title><description>Secuobs.com : 2011-08-08 22:29:00 - Analytical Engine - Matt Johansen and Kyle Osborn had a well delivered talk at Blackhat on hacking Google ChromeOS. For those not familiar with ChromeOS, it is essentially an OS made up only of the Chrome web browser. Google asserts that this creates a malware free operating environment, which is not quite accurate as the talk showed...</description><link>http://www.secuobs.com/revue/news/321809.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321809.shtml</guid></item>
<item><title>Secure Coding by Default</title><description>Secuobs.com : 2011-02-22 20:17:49 - Analytical Engine - Two talks at RSA last week helped galvanize a concept for me that has been kicking around unverbalized in my head. I have long thought that things like CSRF are problems that developers shouldn't need to worry about: they are a fundamental design issue with the web that requires custom coding in each application...</description><link>http://www.secuobs.com/revue/news/286923.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286923.shtml</guid></item>
<item><title>REDoS and Cloud Computing</title><description>Secuobs.com : 2010-10-14 21:39:47 - Analytical Engine - Microsoft has released a RegEx fuzzer and I suggest that people check it out as it is reasonably nifty. Finding and fixing costly Regexes certainly has a great deal of utility. That said, I have a bit of an issue with a sentiment aired by Brian Sullivan in an SDL Blog Post introducing the tool...</description><link>http://www.secuobs.com/revue/news/257069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257069.shtml</guid></item>
<item><title>On Google</title><description>Secuobs.com : 2010-07-21 19:26:09 - Analytical Engine - Google has a nice PR fluff piece trying to justify the actions of Tavis Ormandy, and like much of the analysis so far on the web it tries to play up the responsible/full disclosure debate. To begin with, while Full Disclosure is not necessarily irresponsible, there are certainly times where companies are so unresponsive or...</description><link>http://www.secuobs.com/revue/news/242571.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/242571.shtml</guid></item>
<item><title>Mozilla Plugin Verifier</title><description>Secuobs.com : 2010-05-12 07:14:08 - Analytical Engine - Mozilla has expanded their Plugin Check page to cover more than just Firefox, now including Chrome, Safari, Opera, and to a limited extent, IE. This is an awesome good citizenship concession, so bravo Mozilla. I think it is a great step to building awareness about keeping plugins up to date, especially as they...</description><link>http://www.secuobs.com/revue/news/221290.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221290.shtml</guid></item>
<item><title>The most secure Language</title><description>Secuobs.com : 2010-05-12 05:39:22 - Analytical Engine - WhiteHat security has recently released a paper where they attempt to answer "What is the most secure programming language or development framework available?" There are two very good responses to the paper from Michael Coates and pInvoke which are well worth the read. Ignoring the multitude of issues with the actual methodology scientists WhiteHat...</description><link>http://www.secuobs.com/revue/news/221267.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221267.shtml</guid></item>
<item><title>Threat Modeling Game</title><description>Secuobs.com : 2010-03-06 04:36:02 - Analytical Engine - Microsoft has made a little game of threat modeling, with details here. The idea is that by printing particular scenarios on cards and creating a competition to figure out how each scenario can be applied to an application model, a development team will be reasonably effective at finding threats. I would add that if...</description><link>http://www.secuobs.com/revue/news/198916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198916.shtml</guid></item>
<item><title>Miscellanea</title><description>Secuobs.com : 2010-02-25 21:51:01 - Analytical Engine - Couple random thoughts, observations, stuff. Last night my wife wanted to pay her Sprint bill; she didn't want to get up and go downstairs to grab her purse and credit card, so she asked me for mine and I just tossed her my wallet without thinking. Rather than grabbing my dedicated credit card...</description><link>http://www.secuobs.com/revue/news/195681.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195681.shtml</guid></item>
<item><title>On Google and Privacy Policies</title><description>Secuobs.com : 2010-02-18 22:45:14 - Analytical Engine - Google is currently getting reamed for their poorly handled roll out of Buzz to Gmail users. It is pretty clear that they made the choice to automatically enroll as many people as possible into Buzz in order to grow its initial market share, at the expense of user choice and privacy. This...</description><link>http://www.secuobs.com/revue/news/193318.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193318.shtml</guid></item>
<item><title>The hardest decision when embracing effective Application Security</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - It is a truism in the application security world (or really any security) that in order to have an effective Security Program you need executive buyoff and executive support. To many this means that you need executives to care about security, be willing to fund it, and be willing to stand behind their security...</description><link>http://www.secuobs.com/revue/news/170197.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170197.shtml</guid></item>
<item><title>I really hope this is a joke</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - Hey Everyone, did you hear? WebGoat is full of security holes. Way to go FullDisclosure, you really nailed that one, though you did miss several dozen vulnerabilities in the software (it is almost like it was designed to be vulnerable), for example little trivial things like command injection. Did you hear from the...</description><link>http://www.secuobs.com/revue/news/170196.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170196.shtml</guid></item>
<item><title>Patent on Input Validation</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - From Acidus on Curiouser and Curiouser: USPA 0090132950, IBM's patent on input validation: The present invention discloses a system for providing real-time validation of text input fields in a Web page during text entry. Such a system can include a validation-enhanced text input element and an input text validator. The validation-enhanced text input element...</description><link>http://www.secuobs.com/revue/news/170195.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170195.shtml</guid></item>
<item><title>Question on Disclosure</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - So here is a hypothetical: say a small real-estate agency is using a simple PostNuke website (which is out of date) to gather rental applications, applications with all of the information necessary to both verify (and apply for) credit as well as a history of past residences. In other words, say they were collecting...</description><link>http://www.secuobs.com/revue/news/170194.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170194.shtml</guid></item>
<item><title>China's mandatory filter software</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - It turns out that Green Dam, the censorware that China wants installed on all machines sold within its borders, is crap. The security researchers who wrote the article in that link found many major vulnerabilities within twelve hours of examining the software. First, it has buffer overflows, which can be exploited just by...</description><link>http://www.secuobs.com/revue/news/170193.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170193.shtml</guid></item>
<item><title>Forget Virus Scanners</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - Does anyone know of a decent program that allows you to whitelist which executables may be loaded (even better would be executables, dlls, and assemblies, but that would be a bit of a headache to manage)? Conceptually it shouldn't be that hard to write: just poll the running processes and kill any not...</description><link>http://www.secuobs.com/revue/news/170192.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170192.shtml</guid></item>
<item><title>Security can be its own worst enemy</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - This is a great article on some of the pitfalls of the security mindset; the post is essentially based around the quote "The more secure you make something, the less secure it becomes". A quick snippet: I recently attended two conferences on Usability, Security, and Privacy. The first, SOUPS (Symposium on Usable Privacy and Security),...</description><link>http://www.secuobs.com/revue/news/170191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170191.shtml</guid></item>
<item><title>Reddit silliness</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - There is an interesting writeup on the Reddit blog about the particular vulnerability that led to their exploitation. In general it is a reasonably informative writeup that delves into their mistake, and I wish all security flaws received such an informative writeup. You occasionally see Michael Howard delve into details on a Microsoft vulnerability,...</description><link>http://www.secuobs.com/revue/news/170190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170190.shtml</guid></item>
<item><title>Do as I Say</title><description>Secuobs.com : 2009-12-09 14:24:53 - Analytical Engine - An old and well worn adage is "Do as I say, not as I do", generally in a fit of hypocrisy when the listener is asked to ignore the example being set by the speaker. The fallacy of that statement was addressed by the series of "I learned it by watching you" advertisements trying to...</description><link>http://www.secuobs.com/revue/news/170189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170189.shtml</guid></item>
</channel>
</rss>