tssci security

Archive for Privacy

Resident scripts and global cross-domain

In October of 2006, a vulnerability in IE7 known as the "mhtml:" Redirection Information Disclosure was discovered. RSnake wrote up a post about how nasty it was. The basics: it took over the entire browser experience. Fortunately, the bug was patched [...]

Another new blog over at NSS Labs

Not to be outdone by Neohapsis Labs, NSS Labs also enters the fray with their blog, Security Product Testing. Again, I think that NSS Labs (like Neohapsis Labs) has been blogging for a while, but it has picked up more pace lately. In the past, the TS/SCI [...]

CERT on Securing your web browser

'Lo and behold, CERT has an excellent document on Securing your web browser! They cover IE, Firefox, and Safari -- three secure references for the three most popular browsers. The documentation and links provided are great. I was actually surprised that [...]

New blog over at Neohapsis Labs

The fine folks over at Neohapsis Labs appear to have a new blog focused on security related information. Technically, I guess they've had it up since January, but the posts are more frequent now. I just added them to my RSS feeds. Both Mike Murray and [...]

Privacy, Google, Scroogle, and You

In an article on the CNet Blogs, Chris Soghoian writes on Privacy: What should Google do? Brilliant article. A must read. I have one question, one comment, and one look into the future. Question: We might be able to trust Scroogle not to steal our search [...]

Implications of The New School

Recently, I finished reading "The New School of Information Security" by Adam Shostack and Andrew Stewart. It's only about 200 pages, so it's certainly worth your time to pick up and read. Some people will compare it to "Security Metrics" by Andrew [...]

My other phone is your iPhone

Here's a new 2008 security prediction for you -- The iPhone camera is an odd device. There is no notification that a picture is being taken, so the only requirement for malware is to wait for user activity and then start taking pictures. My prediction is [...]

More on Google Analytics: Now with Stolen Search Queries!

In my earlier article on Using Google Analytics to Subvert Privacy, I demonstrated how dangerous free tools could be to match privacy information to web clicks. But now that Google has updated their Analytics service to support internal search queries, [...]

Way to go Arnold -- why AB 779 was a lose-lose situation for small business

A lot of commotion has recently been stirred up around California Governor Arnold Schwarzenegger's veto of a bill (AB 779) that would have imposed strict compliance mandates on all merchants. Many have scoffed at the Governor's "caving to lobbyists and [...]

Stop Wordpress 2.3 "phoning home"

A new release of Wordpress 2.3 was shipped last night. One of the features it sports is: Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending [...]

Using Google Analytics to subvert privacy

Marcin decided to take the day off with pay and allow me to share with you a guest blog post. Thanks, Marcin! Hello, my name is Andre and I'm a blogoholic. On with the post! With the popularity of MySpace also came the desire to track others who look at [...]

8 Firefox extensions towards safer browsing

Web 2.0 has (re)introduced a wide variety of attack vectors that can be used against Internet users to steal sensitive information, control the web browser, and more. The security industry has seen a shift from concentrating on the servers that house [...]

Greasemonkey script to block Gmail cookie-theft attacks

Ryan Naraine of ZDNet points out a Greasemonkey script that blocks Gmail cookie-theft attacks. The script can be downloaded here, and it redirects Gmail to use a "secure" HTTPS connection. You can modify the script's @include lines to redirect any site that has [...]
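An added example of the redirect idea described above, written here for illustration and not the script Naraine links to: a Greasemonkey-style userscript whose `@include` lines name the plain-http pages to catch, and whose `toHttps` function rewrites only `http:` URLs for a chosen list of hosts (the host list, the `@namespace` value and the function name are this example's own choices). Because only `http:` is rewritten, a page already on `https:` is left alone and the script cannot loop.

```javascript
// ==UserScript==
// @name         Force HTTPS on selected hosts
// @namespace    example.invalid
// @include      http://mail.google.com/*
// @include      http://www.google.com/mail*
// ==/UserScript==

// Hosts to push onto HTTPS. Constructed list for this example; add the hosts
// of any site whose session cookie would otherwise cross the wire in the
// clear, and add a matching @include line above for each one.
const FORCED_HOSTS = ['mail.google.com', 'www.google.com'];

// Return the HTTPS URL to redirect to, or null when no redirect is needed
// (already https:, a host we do not care about, or not an absolute URL).
// Path, query string and fragment are preserved so the user lands on the
// same page they asked for.
function toHttps(href, forcedHosts = FORCED_HOSTS) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not an absolute URL; nothing to rewrite
  }
  if (url.protocol !== 'http:') return null;
  if (!forcedHosts.includes(url.hostname)) return null;
  url.protocol = 'https:';
  return url.toString();
}

// In the browser, Greasemonkey runs this on each matching page; under Node
// there is no window, so the redirect is skipped and only the helper is used.
if (typeof window !== 'undefined' && window.location) {
  const target = toHttps(window.location.href);
  if (target !== null) window.location.replace(target);
}

if (typeof module !== 'undefined') module.exports = { toHttps, FORCED_HOSTS };
```

One caveat a practitioner should keep in mind: the script fires only after the browser has already made the plain-HTTP request, so the cookie has crossed the wire once by the time the redirect happens. A client-side redirect narrows the window; only the site marking its session cookie `Secure` closes it.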

Firefox + httpOnly? While we're at it...

kuza55 noted this morning that Firefox has implemented support for httpOnly cookies. It's not perfect, as ma1 pointed out in the comments, but it's better than nothing. The Firefox browser could be made even more secure by building NoScript, [...]
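Since the two previous posts are both about session cookies that can be lifted, one by script and one off the wire, here is an added example (not from either post) that audits a server's Set-Cookie headers for the two attributes that close those holes: HttpOnly keeps the cookie out of document.cookie, and Secure keeps it off plain http: connections. The sample headers are constructed for the example, and the function names are this example's own.

```javascript
// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are matched case-insensitively; flag attributes such as
// HttpOnly and Secure carry no value and are recorded as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eqPos = parts[0].indexOf('=');
  const cookie = {
    name: eqPos === -1 ? parts[0] : parts[0].slice(0, eqPos).trim(),
    value: eqPos === -1 ? '' : parts[0].slice(eqPos + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// Report every cookie missing HttpOnly (readable by page script, so an XSS
// can steal it) or Secure (sent over http:, so a network sniffer can steal
// it). Note that HttpOnly only limits script access; it does nothing for a
// cookie that still travels in cleartext, which is why both are checked.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const missing = [];
    if (c.attrs.httponly !== true) missing.push('HttpOnly');
    if (c.attrs.secure !== true) missing.push('Secure');
    if (missing.length > 0) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Constructed sample headers for this example, not captured from any site.
const SAMPLE_HEADERS = [
  'SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT',
  'SESS=def456; Path=/; Secure',
  'TOKEN=ghi789; Path=/; Secure; HttpOnly',
];

if (typeof module !== 'undefined') {
  module.exports = { parseSetCookie, auditCookies, SAMPLE_HEADERS };
}
```

Run against the sample, the audit flags SID for both attributes and SESS for HttpOnly, and passes TOKEN. Only the server can set these attributes, so a userscript like the one above can force the transport but cannot add HttpOnly; that part of the fix has to come from the site.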

Suggested reading this week

I've been really busy lately, but I came across several blogs and articles this week that I'd like to share, Andrew Hay style. =) CEO Crime & Punishment -- Ben Horowitz, CEO of Opsware Inc., shares his thoughts on what entices executives to commit white [...]

SSN misuses

These two stories are interesting. I wonder if Adam from Emergent Chaos has seen them: The most misused SSN of all time was (078-05-1120). In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by [...]

Hacking Techniques for Law Enforcement - A good idea or asking for trouble?

Mikko @ F-Secure made a post on their blog about whether or not law enforcement organizations should be permitted to utilize security tools and hacking techniques in investigations that got me thinking. To me the answer to this question is very clear -- [...]

Dell + Google Toolbar... profit??!?!

Andrew Hay writes: Dell & Google Secretly Installing Software to Make Money Off Your Typos Those bastards, how is this business practice not illegal? New Dell machines that include the Google toolbar as part of a marketing agreement also include a secret [...]

Protecting data in use

Last week, I blogged about data classification and how it's difficult for many organizations to gain control of. The next day SearchSecurity published Data classification is first step in successful data protection, an article that addresses the need to [...]

Hilarious, I'll never drink that much again!

And the post of the day goes to Mike Rothman, and his comments on Javelin's research survey that claims 77% of 2750 consumers said they would not shop at stores that suffered data breaches. I think this number is crap. Why? The analogy I'll use is [...]

What is my favorite movie?!!

I asked a colleague once how to answer those silly questions, you know, the ones banks and other sites like to use to reset passwords? They're used to verify you are who you say you "were." Well, my bank at the start of the year had introduced some [...]

Incompetent blurring

While chatting in #snort-gui today, somebody noticed Gizmodo was showing off their ticket to Apple NAB. You can see they blurred the Name, Company and barcode on the ticket. Whoever did this, did a poor job because they didn't blur the name on the [...]

Comment Spam

Spam sucks. Why do spammers have to ruin every communication medium out there? Postal mail, email, popups, malware/spyware, and now comment spam. LonerVamp over at terminal23 has noticed an increase in spam on his blog as well. I had used Akismet to help [...]

TJX security breach.. check

I am not 100% positive, and this may be mere coincidence, but I have a feeling my sister has fallen victim to the TJX security breach reported last week. Fraudulent transactions originating in France (of all places) began January 10th, comprising four [...]