Breaking Into a Home With an iPhone

This is going to be one of those quick posts that just makes you think about what the information security landscape will look like in 5 years. Before I move on with my commentary, here is a video which is essential for you to watch.

Got the idea? No? Let me explain. What you see in the video above is an application for the iPhone which gives you detailed characteristics of properties (houses) in the USA. [...]


Even More XSS Worms

This morning I spotted several blog posts mentioning that Twitter has been hit by yet another XSS worm.

There is no merit in discussing how this has been done and for what purposes, but this incident is yet another proof that the attack landscape is rapidly changing and moving towards web-enabled infrastructures and the client-side. [...]


Twitter’s Security is so Poor

…and there are a lot of privacy concerns too.

IMHO, the way the Twitter folks designed their system is totally wrong. The one and only major concern is that 3rd-party software is allowed to communicate with Twitter’s API by using the user’s login credentials. This is a bit insane, as you can imagine. Why would you want to share your username and password with someone you certainly don’t trust? [...]


Facebook, Worms and RSS Feeds – Hacking The Web2.0 Way and Beyond

This morning I was reading an interesting article from Ryan Naraine (ZDNet Zero Day Blog) regarding a Facebook worm which uses RSS feeds and in particular Google Reader to strengthen its attack strategy. Interesting…

If you have been following GNUCITIZEN’s research and in particular this blog, you know this is not big news, since I’ve described the numerous web2.0 attack strategies countless times. Perhaps you remember my paper on hacking Web2.0? [...]


Clouds and The Distorted Notion of Direct Control

I would like to share a few thoughts on the notion of being in direct control of your environment. This article is a continuation of my previous one and it aims to explain why nowadays individuals and organizations prefer to give away control in order to gain more agility. Needless to say, less control often equals less security.

Some of you who have been following the blog may be familiar with some of my other articles on the same topic. [...]


RISK 2008 Oslo

I need to do a lot of clean-up work around all my projects, so expect a series of quick posts. In this post you will find my slides from a quite cool event in Oslo. The topic is Web2.0 again.

The event was quite successful and I am looking forward to attending it again. Not to mention that Oslo was just brilliant compared to the bad weather in the UK.


Tomorrow’s Malware

My favorite tech quote is from Giorgio Maone. It goes like this: “If today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, the Web is already a huge executable platform, and we should start thinking of it this way, from a security perspective.”

Part of my job at GNUCITIZEN is to spot trends. [...]


Hijacking OpenID enabled Accounts

It has been a long time since I last spoke about OpenID. Today I would like to draw your attention to a tiny problem which I found in several OpenID solutions. The problem is indeed tiny, but the overall outcome is concerning.

CSRF comes in very handy. It seems that no matter how much you talk about it, very few pay attention to the problem. And it is not a problem that you can afford to have. [...]


For my next trick… hacking Web2.0

After several months spent researching Web2.0 insecurities, I’ve decided to sit down and write a whitepaper. The paper quickly became rather blurred due to the enormous amount of notes I’ve collected on this subject. This is the reason why it was later restructured into stories, which provide a much better medium for understanding the content.

The term Web2.0 appeared for the first time in 2003 at a conference organized by O’Reilly Media. [...]


Web2.0 is not AJAX

I am going to speak at OWASP’s mini-conference in Brussels on the 6th of September about the dangers of Web2.0. I am going to reveal some of the research that I have been conducting in the past couple of months on what exactly Web2.0 hacking is. During the conference I am also going to release a paper and a conceptual tool called Renaissance. So stay tuned. If you have a chance, come visit the GC group in Brussels. It will be fun.

Here is the outline of my talk:

What is Web2.0? [...]
