http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2009-01-07 19:22:21 - securosis.com : I was a bit shocked to read about the Adolf Merckle suicide yesterdayYou just don’t see this sort of thing coming and I cannot even fathomthe reasoning behind it This has sent tremors through the market andcertainly his holding company into dis-array for a while It alsoreminded me of other similar events surrounding http://www.secuobs.com/revue/news/49420.shtmlhttp://www.secuobs.com/revue/news/49420.shtml Secuobs.com : 2009-01-06 17:45:54 - securosis.com - Whew This is our final post in this series on Building a Web ApplicationSecurity Program Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part7, and it’s time to put all the pieces together Here are ourguidelines for designing a program that meets the needs of yourparticular organization http://www.secuobs.com/revue/news/48995.shtmlhttp://www.secuobs.com/revue/news/48995.shtml Secuobs.com : 2009-01-05 22:30:08 - securosis.com - Macworld Expo may no longer be good enough for Apple, but it’s still oneof my conference highlights of the year I’ll be out there todaythrough Thursday while Adrian manages the fort in Phoenix I’vemanaged to convince him that cleaning the cat litter while my wife isat work is a formal job http://www.secuobs.com/revue/news/48750.shtmlhttp://www.secuobs.com/revue/news/48750.shtml Secuobs.com : 2009-01-05 19:27:37 - securosis.com - An interesting note popped up on Twitter this morning about a Phishingattack through direct messages and direct email The Phish is verywell done and looks legit, so it will probably be effective It isasking for you to provide access credentials to Twitter, but thedomain is accessloginscom The WHOIS for Access-Logins shows http://www.secuobs.com/revue/news/48709.shtmlhttp://www.secuobs.com/revue/news/48709.shtml Secuobs.com : 2008-12-30 19:35:28 - securosis.com - This morning in the US, afternoon in Europe, a team of securityresearchers revealed that they are in possession of a forgedCertificate Authority digital certificate that pretty much breaks thewhole idea of a trusted website It allows them to create a fake SSLcertificate that your browser will accept for any website The shorthttp://www.secuobs.com/revue/news/47335.shtmlhttp://www.secuobs.com/revue/news/47335.shtml Secuobs.com : 2008-12-30 03:57:08 - securosis.com - WAF products examine inbound and outbound HTTP requests, compare thesewith the firewall rules, create an alert about the detected conditionand either block the transaction, let it pass, audit it, or reset theconnection Typically deployed as a network appliance, WAF productsare placed as an in-line filter for the application proxy mode, or'out-of-band' by pulling traffic from the mirror or SPAN port There is also some degree of confusion here as Monitoring systems,depending upon how the solution is deployed, can also block or haltrequests that are considered to be violations in the same way WAFwillhttp://www.secuobs.com/revue/news/47159.shtmlhttp://www.secuobs.com/revue/news/47159.shtml Secuobs.com : 2008-12-24 19:46:52 - securosis.com - The Microsoft Security Advisory 961040 for SQL Server was posted on the22nd of December Microsoft has done a commendable job and provided alot of information on this page, with the cross reference of the CVEnumber CVE-2008-4270 so you can find more details if you need itLike any of the store procedures http://www.secuobs.com/revue/news/46341.shtmlhttp://www.secuobs.com/revue/news/46341.shtml Secuobs.com : 2008-12-24 19:46:52 - securosis.com - Remember our first post that there are no trusted sites Followed by oursecond one Now I suppose it’s time to start naming names in the posttitles, since this seems to be a popular trend American Express isour latest winner From Dark Reading: Researchers have been reportingvulnerabilities on the Amex site since April, when http://www.secuobs.com/revue/news/46340.shtmlhttp://www.secuobs.com/revue/news/46340.shtml Secuobs.com : 2008-12-24 19:46:52 - securosis.com - Remember our guest post from Jesse Krembs on the MIT students put under agag order during DefCon this year for hacking the rail system And Iquote: Please grow up; in the connected world there are very few ogresin caves any more, and they don’t let you ride their trains Thedifference between black http://www.secuobs.com/revue/news/46339.shtmlhttp://www.secuobs.com/revue/news/46339.shtml Secuobs.com : 2008-12-19 22:19:57 - securosis.com - This will be our last Friday Summary for 2008 This afternoon Adrian andI are off to The Office for our Securosis Annual Staff Festivus Partysorry Chris, but we can drunk dial you if that makes you feelincluded 2008 has been an incredibly wild ride When it started Iwas just a solo consultant http://www.secuobs.com/revue/news/45475.shtmlhttp://www.secuobs.com/revue/news/45475.shtml Secuobs.com : 2008-12-19 18:06:32 - securosis.com - Looks like the RIAA has finally realized that treating customers likecriminals isn’t the best strategy in the world According to the WallStreet Journal via Slashdot they are ending their campaign of suingindividual file sharers to focus on working with ISPs to reduceillegal sharing As much as I like to rip the heck http://www.secuobs.com/revue/news/45408.shtmlhttp://www.secuobs.com/revue/news/45408.shtml Secuobs.com : 2008-12-17 15:16:13 - securosis.com - Just ran across this ‘new’ SQL Server vulnerability in my news feed Thisshould not be an issue because you should not be using this set offunctions If you are using external stored procedures on a productiondatabase, stop In fact, you want to stop using them altogether, lockthem down, or remove them http://www.secuobs.com/revue/news/44648.shtmlhttp://www.secuobs.com/revue/news/44648.shtml Secuobs.com : 2008-12-16 23:31:04 - securosis.com - In our last episode, we continued our series on building a webapplication security program by looking at the secure developmentstage see also Part 1, Part 2, Part 3, and Part 4 Today we’re goingto transition into the secure deployment stage and talk aboutvulnerability assessments and penetration testing Keep in mind thatwe http://www.secuobs.com/revue/news/44444.shtmlhttp://www.secuobs.com/revue/news/44444.shtml Secuobs.com : 2008-12-16 21:11:44 - securosis.com - Bryan Sullivan’s thought provoking post on Streamlining SecurityPractices for Agile Development caught my attention this morningReading it gave me the impression of a genuine generational divide Ifyou have ever witnessed a father and son talk about music, while theyare talking about the same subject, there is little doubt the two arehttp://www.secuobs.com/revue/news/44387.shtmlhttp://www.secuobs.com/revue/news/44387.shtml Secuobs.com : 2008-12-16 19:17:43 - securosis.com - Tomorrow I’ll be giving the first webcast in a three part series I’mpresenting for Oracle It’s actually a cool concept the series andI’m having a bit more fun than usual putting it together The firstsession is Database Security for Security Professionals If you are asecurity professional and want to learn more http://www.secuobs.com/revue/news/44351.shtmlhttp://www.secuobs.com/revue/news/44351.shtml Secuobs.com : 2008-12-16 19:17:43 - securosis.com - Just a quick note that I’ll be out in San Francisco for Macworld onJanuary 5-8 While most of my time is dedicated to the conference, Iwill be able to take some meetings in the SF area You can drop me aline at rmogull@securosiscom I’m under strict orders to not comehome with any http://www.secuobs.com/revue/news/44350.shtmlhttp://www.secuobs.com/revue/news/44350.shtml Secuobs.com : 2008-12-16 02:35:42 - securosis.com - Doing some research on business justification stuff for several projectRich and I are working on Ran across the Aberdeen Group researchpaper reference on the Imperva Blog,, which talks about businessjustification for database security spending You can download a copyfor free It’s worth a read, but certainly needs to be kept inperspective “Don’t http://www.secuobs.com/revue/news/44103.shtmlhttp://www.secuobs.com/revue/news/44103.shtml Secuobs.com : 2008-12-12 21:09:23 - securosis.com - There is an unpatched vulnerability for Internet Explorer 7 beingactively exploited in the wild The details are public, so any bad guycan take advantage of this It’s a heap overflow in the XML parser,for you geeks out there It affects all current versions of WindowsMicrosoft issued an advisory with workarounds that prevent http://www.secuobs.com/revue/news/43426.shtmlhttp://www.secuobs.com/revue/news/43426.shtml Secuobs.com : 2008-12-12 20:03:30 - securosis.com - When I was little, I remember seeing an interview on television of aChicago con man who made his living by scheming people out of theirmoney Back when the term was in vogue, the con man was asked todefine what a ‘Hustle’ was His reply was “Get get as much as you can,http://www.secuobs.com/revue/news/43401.shtmlhttp://www.secuobs.com/revue/news/43401.shtml Secuobs.com : 2008-12-11 23:56:26 - securosis.com - Things seem a little strange over here at Securosis HQ- we’re getting aton of feedback on an old post from November of 2006, but so far onlyone person has left us any real comments on our Building a WebApplication Security Program series Just to make it clear, once weare done with the http://www.secuobs.com/revue/news/43127.shtmlhttp://www.secuobs.com/revue/news/43127.shtml Secuobs.com : 2008-12-11 22:25:13 - securosis.com - On Tuesday, Chris Hoff joined me as guest host for the Network SecurityPodcast and we got into a deep discussion on cloud security And asyou know, for the past couple of weeks we’ve been building our serieson web application security This, of course, led to all sorts ofimpure thoughts about where http://www.secuobs.com/revue/news/43106.shtmlhttp://www.secuobs.com/revue/news/43106.shtml Secuobs.com : 2008-12-11 15:05:56 - securosis.com - Now that we’ve laid out the big picture for a web application securityprogram, it’s time to dig into the individual details In this partsee also Part 1, Part 2, Part 3, and Part 4 we’re going to discusshow to implement security during the development phases of the webapplication lifecycle, including which http://www.secuobs.com/revue/news/42938.shtmlhttp://www.secuobs.com/revue/news/42938.shtml Secuobs.com : 2008-12-10 21:03:12 - securosis.com - It looks like China is thinking about requiring in-depth technicalinformation on all foreign technology products before they will beallowed into China I highly suspect this won’t actually happen, butyou never know If it does, here is a simple risk related IQ test formanagement: Will you reveal your source code and engineering documentsto http://www.secuobs.com/revue/news/42679.shtmlhttp://www.secuobs.com/revue/news/42679.shtml Secuobs.com : 2008-12-10 17:35:58 - securosis.com - Martin was out of town this week and put our fine show into mytrustworthy hands A trust I quickly dashed as I invited Chris Hoff tojoin the show We managed to avoid any significantly bad language, andboth of use were completely sober I think Chris and I started with adiscussion of the http://www.secuobs.com/revue/news/42553.shtmlhttp://www.secuobs.com/revue/news/42553.shtml Secuobs.com : 2008-12-10 02:12:30 - securosis.com - Adrian and I have been hard at work on our web application securityoverview series, and in a discussion we realized we left something offpart 3 of the series, where we dug into the differences between weband traditional applications In most applications we program the userdisplay/interface With web applications, we rely on an http://www.secuobs.com/revue/news/42371.shtmlhttp://www.secuobs.com/revue/news/42371.shtml Secuobs.com : 2008-12-10 02:12:30 - securosis.com - Just prior to this post, it dawned on us just how much ground we arecovering We’re looking at business justification, people, process,tools and technology, training, security mindset and more Writing isan exercise in constraint- often pulling more content out than we areputting in This hit home when we got lost within http://www.secuobs.com/revue/news/42370.shtmlhttp://www.secuobs.com/revue/news/42370.shtml Secuobs.com : 2008-12-09 18:24:19 - securosis.com - I despise the very concept of mortality That everything we were, are,and can be comes to a crashing close at some arbitrary deadline I’venever been one to accept someone telling me to do something justbecause “that’s the way it is”, and I feel pretty much the same wayabout death Having seen http://www.secuobs.com/revue/news/42193.shtmlhttp://www.secuobs.com/revue/news/42193.shtml Secuobs.com : 2008-12-08 19:16:13 - securosis.com - This scene I ran across last week captured the essence of one of thepoints I want to make regarding security programs This is a picturefrom a foreclosed home that I walked into Friday The view is from thethrone room master bedroom door, and you can see the shower stall offto the left, http://www.secuobs.com/revue/news/41828.shtmlhttp://www.secuobs.com/revue/news/41828.shtml Secuobs.com : 2008-12-06 00:36:56 - securosis.com - Adrian and I are hard at work on our Building a Web Application Programseries, and it lead to an interesting discussion this morning onwriting and writing styles I’m fortunate that I’ve always been apretty good writer; likely because I was a total bookworm as a kid Aswith many things in life, http://www.secuobs.com/revue/news/41071.shtmlhttp://www.secuobs.com/revue/news/41071.shtml Secuobs.com : 2008-12-04 22:40:32 - securosis.com - By now you’ve probably noticed that we’re spending a lot of timediscussing the non-technical issues of web application security Wefelt we needed to start more on the business side of the problem sincemany organizations really struggle to get the support they need tobuild out a comprehensive program We have many years http://www.secuobs.com/revue/news/40731.shtmlhttp://www.secuobs.com/revue/news/40731.shtml Secuobs.com : 2008-12-04 17:22:56 - securosis.com - By the time I post this you won’t be able to find a tech news site thatisn’t covering this one I know, since my name was on the list ofanalysts the press could contact and I spent a few hours talking toeveryone covering the story yesterday Rather than just reciting thepress http://www.secuobs.com/revue/news/40650.shtmlhttp://www.secuobs.com/revue/news/40650.shtml Secuobs.com : 2008-12-03 20:20:21 - securosis.com - Alright people, here’s the deal I just published my take on the whole“Apple he said/she said you do/don’t need antivirus” thing over atTidBITS Here’s my interpretation of what happened: Back in 2007 somesupport guy posts a list of major AV supported on the Mac On November21st, it’s updated to reflect the latest version numbers http://www.secuobs.com/revue/news/40377.shtmlhttp://www.secuobs.com/revue/news/40377.shtml Secuobs.com : 2008-12-02 23:50:25 - securosis.com - It’s just Martin and myself again this week as we discuss PCI, onlineidentities, telecom immunity, and one wacky data breach We also spenda fair bit of time talking about our home network setups and Martin’sadventures in protecting his kids from YouTube I also dig into howI’m using our Drobo and we manage http://www.secuobs.com/revue/news/40122.shtmlhttp://www.secuobs.com/revue/news/40122.shtml Secuobs.com : 2008-12-02 21:59:37 - securosis.com - In our last post in this series we introduced some of the key reasons whyweb application security is typically underfunded in mostorganizations The reality is that, with few exceptions, it’s oftendifficult to convince management why they need additional protectionsfor an application that seems to be up and running just fine Or http://www.secuobs.com/revue/news/40081.shtmlhttp://www.secuobs.com/revue/news/40081.shtml Secuobs.com : 2008-12-02 02:04:18 - securosis.com - This Sunday’s Arizona Republic picked up Brian Krebs’ article in theWashington Post about thieves tapping into home equity lines ofcredit This is very interesting- not just because it means there arepeople out there who actually still have home equity, but that alsobecause it is a very simple con with potentially devastating http://www.secuobs.com/revue/news/39833.shtmlhttp://www.secuobs.com/revue/news/39833.shtml Secuobs.com : 2008-12-01 22:30:13 - securosis.com - Did you buy one of the deeply discounted Plasma Televisions this weekendHow about a new digital camera How about eBay No, not somethingbeing sold there, but the company itself Chris O’Brien over at theSan Jose Merc speculates on what it would take to buy the auction siteas there have been some rumors http://www.secuobs.com/revue/news/39779.shtmlhttp://www.secuobs.com/revue/news/39779.shtml Secuobs.com : 2008-12-01 18:43:35 - securosis.com - Happy Monday everyone This year I broke with tradition and actuallyventured outside of the house of Black Friday We didn’t see too manydeals, but I did manage to grab a new rolling tool chest for thegarage That was before I heard about the disgusting hoard of lowlifesthat killed some poor temp http://www.secuobs.com/revue/news/39693.shtmlhttp://www.secuobs.com/revue/news/39693.shtml Secuobs.com : 2008-12-01 17:58:00 - securosis.com - It’s official- Arizona Governor Janet Napolitano is President-ElectObama’s choice for Secretary of Homeland Security I’ve only beenliving in Arizona for about 5 years now and have been consistentlyimpressed with Napolitano She’s a Democratic governor in a mostly-redstate and well respected by everyone except the extreme end of theGOP Very pragmatic, organized, http://www.secuobs.com/revue/news/39675.shtmlhttp://www.secuobs.com/revue/news/39675.shtml Secuobs.com : 2008-11-26 22:41:43 - securosis.com - PayPal announced their Mobile PayPal offering this week Really nothingnew here from a technology standpoint as it leverages services andVerisign/PayPal security key Why I was interested in the release wasthe signal that they are putting more resources behind this market Iam still shocked that payment via cell phone did not catch http://www.secuobs.com/revue/news/38921.shtmlhttp://www.secuobs.com/revue/news/38921.shtml Secuobs.com : 2008-11-26 22:04:25 - securosis.com - Martin and I are preparing for Thanksgiving, just like everyone else inAmerica right now I don’t know about you, but that primarily means Ihave five days of work to accomplish in three days of the week So wedidn’t organize a guest this week, we sat down together 1000 milesapart and talked http://www.secuobs.com/revue/news/38916.shtmlhttp://www.secuobs.com/revue/news/38916.shtml Secuobs.com : 2008-11-26 18:41:55 - securosis.com - Hard to believe we’ve been around to post this yet a third time, but hereyou go Our list of advice for shopping safely online this year; andwe even updated it this time: —- Yes folks, Black Friday is only daysaway and the silly season is upon us As someone born and bred in goodhttp://www.secuobs.com/revue/news/38882.shtmlhttp://www.secuobs.com/revue/news/38882.shtml Secuobs.com : 2008-11-25 17:43:31 - securosis.com - Last week I talked a bit on the decision by Microsoft to kill OneCare andrelease a new, free antivirus package later in 2009 Overall, I statedthat I believe this will be good for consumers: I consider this anextremely positive development, and no surprise at all Back whenMicrosoft first acquired an AV company http://www.secuobs.com/revue/news/38574.shtmlhttp://www.secuobs.com/revue/news/38574.shtml Secuobs.com : 2008-11-25 15:08:26 - securosis.com - When I was with IPLocks, in the 2004 time frame we were exploring thepossibility of selling our monitoring and assessment suite into thegovernment Friends and contacts made introductions, and we beganinvestigating if there was a need for the solution, and if so, how wewould approach tackling that type of relationship While http://www.secuobs.com/revue/news/38537.shtmlhttp://www.secuobs.com/revue/news/38537.shtml Secuobs.com : 2008-11-25 00:57:20 - securosis.com - I installed Parallels 40 on the iMac last week, upgraded my licenses andconverted my bootable images to the new format It took a while as theconversion process takes a long time While the installation wastrivial, I had 4 different bootable images to convert, which took agood 3 hours to migrate even http://www.secuobs.com/revue/news/38440.shtmlhttp://www.secuobs.com/revue/news/38440.shtml Secuobs.com : 2008-11-24 17:42:54 - securosis.com - Catching up from last week I saw this article in Techworld fromNetworkWorld about an IETF meeting to discuss the impact of DanKaminsky’s DNS exploit and potential strategies for hardening DNS Theelection season may be over, but it’s good to see politics still hardat work: One option is for the IETF to do nothing http://www.secuobs.com/revue/news/38290.shtmlhttp://www.secuobs.com/revue/news/38290.shtml Secuobs.com : 2008-11-22 22:36:28 - securosis.com - Since I get asked this question a lot: Call yourself an analyst Convincesomeone to call you an analyst Business cards don’t hurt -richPS- Being a good analyst Totally different story, although youstill start the same wayhttp://www.secuobs.com/revue/news/38115.shtmlhttp://www.secuobs.com/revue/news/38115.shtml Secuobs.com : 2008-11-21 19:13:18 - securosis.com - After this week, Rich and I are ‘Home for the Holidays’, with the last ofthe years travel schedule behind us We have started work on the WebApplication Security Program, and in keeping with our dedication totransparency in our research, we will be posting research notes forcomments on the blog prior during the http://www.secuobs.com/revue/news/37962.shtmlhttp://www.secuobs.com/revue/news/37962.shtml Secuobs.com : 2008-11-21 18:40:25 - securosis.com - Experts: Cyber-crime as Destructive as Credit Crisis Bullshit -richhttp://www.secuobs.com/revue/news/37952.shtmlhttp://www.secuobs.com/revue/news/37952.shtml Secuobs.com : 2008-11-21 18:40:25 - securosis.com - Last week the SBN died as Google decided to drop support for Feedburnergroups during their transition of Feedburner to Google’s platformAlan Shimel worked hard behind the scenes, and the new SBN is hostedover here at Lijit Huge thanks to Alan and Lijit for saving the SBN,and please redirect your browsers and readers to http://www.secuobs.com/revue/news/37951.shtmlhttp://www.secuobs.com/revue/news/37951.shtml Secuobs.com : 2008-11-20 23:05:38 - securosis.com - I swore that I was not going to cover data ‘breach’ events unless therewas something that was really interesting or unique about it Thereare too many and the general public has grown desensitized as thenumber of records and the overall number of breaches is, well, mindnumbing But this caught my eye http://www.secuobs.com/revue/news/37474.shtmlhttp://www.secuobs.com/revue/news/37474.shtml