The first one is from Hacker News, aptly titled “How I Hacked Hacker News (with arc security advisory)”,
and the second is a welcome-back-to-the-blogosphere post by tptacek on the Matasano blog: [Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!]
/mh
PS. For those going “man, I wish someone would break down the important crypto stuff for me in a way that’s understandable without being patronizing”, there is Chris Eng and his OWASP talk on [Cryptography For Penetration Testers].
In early 2002 I recall reading and falling in love with Jim Collins’ book “Good to Great”. I recall being so excited by some passages that I typed out whole paragraphs and sent them around to the rest of the office..
For my last birthday Deels got me Collins’ other book “Built to Last: Successful Habits of Visionary Companies”.
It seems as if he has done it again, with his new (soon to be released) book called “How The Mighty Fall: And Why Some Companies Never Give In”.
At [DeepSec] last year I had the pleasure of hearing Ivan Krstić speak. While some of his arguments had (small) holes in them (which the audience was quick to pounce on), he raised the ugly fact that people like me like to ignore.. that some of us spend a lot more time thinking of elaborate ways to break stuff than we do designing less breakable stuff..
I think for most security “breakers” it’s an argument that sometimes hits hard, and makes you wonder if you should be refocusing your efforts..
Yvette Du Toit (E&Y – UK/ZA) featured on the latest ITSecurity Pubcast and spoke about her role in CREST. SensePost were invited along, and I showed that while I have a face for radio, I do not have the voice for it.. Ahh.. some day I’ll find my niche..
Till then, you can listen to the pubcast [here], and SensePosters can grab the mp3 [here].
[Zappos.com] is one of those companies people love to write about. They make headlines for their use of new media, and their CEO (Tony Hsieh) is as .com legendary as one gets.. (he sold LinkExchange in 1998 for $265 million, and under him Zappos went from $1.6 million in sales (2000) to $840 million in sales (2007)).
He recently gave a talk at the [Web 2.0 conference].
He talks about how they invest in the customer experience: free shipping bouquets, and surprise shipping upgrades to get customers’ products delivered before they expect it.. This is all cool, and I’m sure people love them for it, but then he goes on to mention their number 1 priority as a company..
Chris Eng over [at the Veracode blog] documents how he approached, and decoded, the info behind the [2009 Verizon Data Breach Investigations Report].
It’s an interesting read, and although in the end it turned out to be just a [Vigenère cipher] and fell to (effectively) a [known plaintext attack], it’s def. worth the few minutes it will take to read..
Part of the problem Microsoft bumped into with Vista was hordes of people who had grown too attached to XP.. It seems they learnt their lesson (and found a cheap way to maintain backward compatibility without having to keep legacy code forever): [XP with SP3 as a Virtual PC virtual machine within Windows 7].
We thought we had problems classifying client-side bugs that required user intervention (remote? local?); what happens when a remote in XP-SP3 allows one to execute code on the Windows 7 machine through a local VM breakout? (Indeed a new acronym is needed in anticipation: RAXPLVMB??)
Comments on the blog have been surprisingly quiet, and we should have realised this when more and more people started having discussions with us via Twitter or email (as opposed to simply saying their piece here).
Short Story:
It was broken, and it should be fixed again. Blame has been assigned and culprits have been whipped appropriately.
Long Story:
Most SensePost’ers interact with the blog through our company-internal blog. This allows us to share top-secret information like lolcats without publishing it here. Selected posts are pumped through to the public via a plugin inside (which also publishes certain comments / etc).
The United States Committee on Homeland Security’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology recently held a hearing to determine if “the Payment Card Industry Data Standards Reduce Cybercrime?”
Risky Business played snippets of the hearing under the apt title “Washington spanks PCI DSS”. Like most episodes of RB, it’s well worth the listen..
One of the “merchants” giving testimony made his point quite succinctly: the credit card companies require us to keep card details, and shift the burden of fraudulent transactions to the merchant. There are much better ways to handle transactions, but the current method is a cheap way for the CC vendors to shift the burden and the risk to the merchants, who historically had no alternative.
what? on April 1st???? Never!