http://www.cgisecurity.com/ http://images.cgisecurity.com/i/rss.gif All things related to website, database, SDL, and application security since 2000. en-US 2009-11-05T16:51:57-08:00 cgisecurityhttp://feedburner.google.com http://feedproxy.google.com/~r/cgisecurity/~3/5s-E9e6OE_8/steve-dispensa-and-marsh-ray-have-published-a-paper-describing-a-weakness-in-the-tls-negotiation-process-from-the-whitepaper.html Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/5s-E9e6OE_8" height="1" width="1"/> Cryptography Defense Incidents IndustryNews Research Vulns Robert A. 2009-11-05T16:51:57-08:00 http://www.cgisecurity.com/2009/11/steve-dispensa-and-marsh-ray-have-published-a-paper-describing-a-weakness-in-the-tls-negotiation-process-from-the-whitepaper.html http://feedproxy.google.com/~r/cgisecurity/~3/n6pFbNGhoFg/amazon-ec2-cloud-computing-for-passwordcrypto-cracking-.html There is a rather lengthy set of posts on using cloud based computing services as ideal venues for crypto and password cracking. Link: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html Link: http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/n6pFbNGhoFg" height="1" width="1"/> Cryptography Funny IndustryNews Research Robert A. 2009-11-04T11:01:18-08:00 http://www.cgisecurity.com/2009/11/amazon-ec2-cloud-computing-for-passwordcrypto-cracking-.html http://feedproxy.google.com/~r/cgisecurity/~3/pU7Cjko1G_g/microsofts-enhanced-mitigation-evaluation-toolkit-adds-protection-to-processes.html Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/pU7Cjko1G_g" height="1" width="1"/> Announcements Defense Development IndustryNews Research Security Tools Robert A. 2009-10-28T10:55:50-07:00 http://www.cgisecurity.com/2009/10/microsofts-enhanced-mitigation-evaluation-toolkit-adds-protection-to-processes.html http://feedproxy.google.com/~r/cgisecurity/~3/Hqr68eK5XQ0/attacking-magstripe-gift-cards.html Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”,...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/Hqr68eK5XQ0" height="1" width="1"/> IndustryNews Off Topic Research Robert A. 2009-10-26T10:36:04-07:00 http://www.cgisecurity.com/2009/10/attacking-magstripe-gift-cards.html http://feedproxy.google.com/~r/cgisecurity/~3/vGD_ROGeRJk/metasploit-sold-to-rapid7.html It was announced this morning that Rapid7 has purchased metasploit, and hdmoore! That is all. Rapid7 Announcement: http://www.rapid7.com/metasploit-announcement.jsp Metasploit Blog: http://blog.metasploit.com/2009/10/metasploit-rising.html Metasploit Blog: http://blog.metasploit.com/2009/10/joining-team.html More Coverage http://www.andrewhay.ca/archives/1085 http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html http://darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/vGD_ROGeRJk" height="1" width="1"/> IndustryNews Security Tools Robert A. 2009-10-21T09:42:37-07:00 http://www.cgisecurity.com/2009/10/metasploit-sold-to-rapid7.html http://feedproxy.google.com/~r/cgisecurity/~3/8f3eUV6LLt4/owasp-publishes-transport-layer-protection-cheat-sheet.html "This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/8f3eUV6LLt4" height="1" width="1"/> Announcements IndustryNews Robert A. 2009-10-19T15:11:43-07:00 http://www.cgisecurity.com/2009/10/owasp-publishes-transport-layer-protection-cheat-sheet.html http://feedproxy.google.com/~r/cgisecurity/~3/wflog2ctn4c/wasc-announcement-2008-web-application-security-statistics-published.html The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/wflog2ctn4c" height="1" width="1"/> Announcements IndustryNews Metrics WASC Robert A. 2009-10-16T09:36:54-07:00 http://www.cgisecurity.com/2009/10/wasc-announcement-2008-web-application-security-statistics-published.html http://feedproxy.google.com/~r/cgisecurity/~3/1_6KFYuLhaI/one-character-mistake-knocks-se-tld-offline.html "What was essentially a typo last night resulted in the temporary disappearance from the Internet of almost a million Web sites in Sweden -- every address with a .se top-level down name. According to Web monitoring company Pingdom, which happens to be based in Sweden, the disablement of an entire top-level domain...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/1_6KFYuLhaI" height="1" width="1"/> Funny Incidents IndustryNews Robert A. 2009-10-13T10:37:16-07:00 http://www.cgisecurity.com/2009/10/one-character-mistake-knocks-se-tld-offline.html http://feedproxy.google.com/~r/cgisecurity/~3/btZsoX1asJY/wasc-tc-v2-improper-input-handling-section-completed.html I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level...<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/btZsoX1asJY" height="1" width="1"/> Development IndustryNews Research WASC Robert A. 2009-10-09T10:20:04-07:00 http://www.cgisecurity.com/2009/10/wasc-tc-v2-improper-input-handling-section-completed.html http://feedproxy.google.com/~r/cgisecurity/~3/_-Ki0CcjkcU/yahoo-best-jobs-in-america-ranks-infosec-professional-8.html After checking out my favorite stocks this morning at finance.yahoo.com I saw an article titled 'best jobs in America' so figured I'd check it out. To my surprise Computer/Network Security Consultant was ranked as the 8th best job in the US. Very cool! Link: http://finance.yahoo.com/career-work/article/107932/best-jobs-in-america.html<img src="http://feeds.feedburner.com/~r/cgisecurity/~4/_-Ki0CcjkcU" height="1" width="1"/> Funny IndustryNews Robert A. 2009-10-09T09:38:56-07:00 http://www.cgisecurity.com/2009/10/yahoo-best-jobs-in-america-ranks-infosec-professional-8.html