Archive for Hacking

Hardware VM security: past and present

Marcin and I were talking a bit about mainframe security today. I recalled how fantastic mainframes were while he had his hands in the trenches. Yes, I know that IBM renamed MVS to z/OS (as well as other things) years ago. However, the concepts remain the same: TSO, ISPF, and JCL are […]

My other phone is your iPhone

Here’s a new 2008 security prediction for you –
The iPhone camera is an odd device. There is no notification that a picture is being taken, so the only requirement for malware is to wait for user activity and then start taking pictures.
My prediction is that malware will be written to do just this and […]

Day 10: ITSM Vulnerability Assessment techniques

Lesson 10: You could say I’m a little late on posting something. However, we’ve been up to a lot of great research, hopefully much of which we’ll publish here over the next few weeks.
We had a few posts lately, some with a change of heart. The latest must-read from the blog world […]

SQL Injection Fun v.RIAA

What started as a simple DoS against the RIAA through a SQL injection vulnerability, originally posted to Reddit in tinyurl form:
UNION ALL SELECT BENCHMARK(100000000,MD5('asdf')),NULL,NULL,NULL,NULL%20--
led an attacker on to dump their entire database. I sure hope they don’t have backups — part of me thinks they deserve it and wants them to suffer… muwhahaha

Day 9: ITSM Vulnerability Assessment techniques

Lesson 9: Yesterday was a bit of a whirlwind, discussing BGP, Whois/RWhois, and the DOM all in one big post. I’ll try and keep it short and sweet today.
Arshan Dabirsiaghi (leader of the OWASP Anti-Samy Project), commented on yesterday’s post regarding how web application security scanners are immature. He thinks they are immature because of […]