WP Blogsecurify

The WP Blogsecurify 1.0 wordpress plugin is out.

What does it do?

WP Blogsecurify is a security plugin for WordPress designed to integrate several simple but important security patches for the popular blogging platform. [...]

more | comments | comments rss | posted by

Script Kiddies

According to Wikipedia:

It continues continues: Script kiddies have at their disposal a large number of effective, easily downloadable malicious programs capable of harassing even advanced computers and networks.

Anyway, according to Wikipedia, I do not know a single person involved in the information security industry today that does not fit the description of a script kiddie. [...]

more | comments | comments rss | posted by

Compliance

Someone on LinkedIn asked: Is Information Security driven by compliance? to which I say yes and this is a problem!

My long answer goes like this:

This is certainly not the best answer. Follow the discussion over here. You are not going to learn anything technical but at least you will get a good idea how the majority of security professionals on LinkedIn think.

more | comments | comments rss | posted by

More Advanced Clickjacking – UI Redress Attacks

This will be a quick post just to share some POCs and more information regarding the recent Clickjacking technique, i.e. UI Redress Attack, a name suggested by Michael Zalewski.

Clickjacking is an oldie but, a goodie. You can track the origin of the attack back at the beginning of this decade. Clickjacking is essentially the anti-CSRF killer. It is also the killer of Flash, AJAX (because AJAX apps are sometimes easier to clickjack, look at Google) and some other technologies. [...]

more | comments | comments rss | posted by

Security Certifications

Security Certifications – should you get some? Well, this is what I think.

IMHO if you go for a certificate then you pretty much put a box around yourself and your abilities. I am sorry, this is my personal opinion. People will perceive you as such and such because of your certifications. While having a cert might be a good idea for your career and in particular your CV, showing off with it could be a bit harmful. I am not saying that you shouldn’t get certified. [...]

more | comments | comments rss | posted by

Landing Secapps

A couple of months ago we started sorting out through all our work. In the processes we realized that we have to find a new home for several of our projects. It was a tough decision because we had a lot of projects on our hands and there were even more pending to be completed in some fashion. Nevertheless, we decided to go with the plan. So, the idea of Secapps was born.

So what is Secapps? Secapps is the new home of our GHDB tool. [...]

more | comments | comments rss | posted by

Simple Universal Authentication System

This idea is perhaps stupid. Nevertheless, I rather document it here for good than not documenting it at all.

Here is the story. I had to reset the credentials of an online account I have. As usual, I went on the vendors’ site, clicked the forgotten password feature, typed my email address and clicked submit. A moment later an email arrived in my inbox with instructions how to reset the password. [...]

more | comments | comments rss | posted by

Social Media Security

I am happy to announce the relaunch of Blogsecurify. I have some more announcements to make.

Blogsecurify will become a division of GNUCITIZEN. Although initially the project was planned to tackle blog-only security issues, today Blogsecurify moves into the more main stream domain – the social media platforms. [...]

more | comments | comments rss | posted by

Audio From Black Hat USA 2008

We’ve got some audio from the past Black Hat conference I’ve already talked about over here and here.

Keep in mind that without the slides it will probably sound very boring. Both parts of the presentation can be found here and here.

more | comments | comments rss | posted by

The QuickTime Vulnerability Overview

The details of the vulnerability were covered in my previous post. In this one I would like to briefly talk about the impact. Obviously, the vulnerability is very simple. Simple yet effective. However, this is not the type of vulnerability someone can exploit on a massive scale. Here is why.

Attack Vectors

The key element of the attack vector presented in my previous post is the attackers’ ability to point the victim to a file hosted on a NETBIOS share. [...]

more | comments | comments rss | posted by