Entries in insecure magazine (4)


Weak authentication and other publications

Last month we published a video demo called "Attacking Web Applications with Broken Authentication". This shows a simple web application that relies on a cookie called "userid" for authentication. You might think that very few sites are vulnerable to this issue, but the truth is I came across this issue last year in a rather large European security conference. Some of the local ISPs also have this sort of security flaw.

What the video demonstrates is not just the flaw, but how to automate exploitation of such a flaw with a particular web application security tool. Check out the video below.

Also, (IN)SECURE Magazine was released yesterday so go grab it. Includes my personal views on security incidents and events of last year. Look out for "The year that Internet security failed". Lots of articles look good but the following caught my eye:

  • Improving network discovery mechanisms

  • Scott Henderson on the Chinese Underground

  • Playing with Authenticode and MD5 collisions

Oh .. and here's the video:


(IN)SECURE Magazine and other updates

This is an update of what's been happening on this end:snapshot-2008-12-01-10-16-301

  • Issue 19 of (IN)SECURE Magazine is out, and with it you'll find a report on RSA Europe 2008 and an article called "How security can hurt us" by yours truly. The magazine has a number of high quality articles and isĀ  freely available from the main website.

  • Upcoming research: Vulnerabilities and tools related to Web Application Firewalls. Wendel Guglielmetti Henrique combined his and my research and presented it at H2HC. The presentation was called "Playing with Web Application Firewalls". Additionally, I presented my research at a local ISACA chapter. This research is still in its initial stage but is already showing significant results. Will be putting a separate post on this.

  • The blog at Acunetix now features posts by yours truly on (you guessed it) Web Application Security.

  • If you are based in Malta, then you might be interested in the Malta Infosec linkedin group that will be organizing some informal events "real soon". The blog is at Maltainfosec.org.


(IN)SECURE Magazine Issue 18

The latest issue of the free digital security publication is out and includes some thought provoking articles:

  • Browser security: bolt it on, then build it in by Jeremiah Grossman

  • Windows driver vulnerabilities: the METHOD_NEITHER odyssey by Anibal Sacco

  • Insecurities in privacy protection software by Shrikant Raman

  • Compliance does not equal security but it's a good start by Jack Danahy

This issue also includes my column which talks about why the latest happenings in the security industry should shake us to our senses. The idea is that we need to realize that some of the Internet technologies that we rely on have fundamental flaws.

Here's a download link.

When best intentions go wrong

(IN)SECURE Magazine issue 17 is out which includes an article by yours truly called "When best intentions go wrong". In short, it talks about the Debian OpenSSL security flaw and how it should be an eye opener for all of us when it comes to choosing strategies and security solutions that last. The concept that I tried to introduce is that we should be thinking about what happens when our defenses are broken.

Download this issue.