So I’m getting a lot of Twitter spam with links to install bad crap on my computer. More than just occasionally, these DMs are sent by folks in the infosec field. They should know better than to click unknown links without taking precautions. So what do you need to do? Simple. Follow these basic NIST…
Category: Security
Infosec apostasy
I’ve been mulling this one over for a while. And honestly, after a post to an internal global mail list at work putting forward my ideas, I’ve come to realise there are at least two camps in information security: those who aim, via various usual suspects, to protect things; those who aim, via various often…
Marketing – first against the wall when the revolution comes
A colleague of mine just received one of those awful marketing calls where the vendor rings *you* and demands your personal information “for privacy reasons” before continuing with the phone call. *Click* As a consumer, you must hang up to avoid being scammed. End of story. No exceptions. Even if the business has a relationship…
Responsible disclosure failed – Apple ID password reset flaw
Responsible disclosure is a double-edged sword. The Faustian bargain is I keep my mouth shut to give you time to fix the flaws, not ignore me. I would humbly suggest that it is very relevant to your interests when a top security researcher submits a business logic flaw to you that is trivially exploitable…
Running Fortify SCA 3.80 on Ubuntu 12.04 64 bit Linux
I have a bit of a code review job at the moment. It’s a large code base, and you all know what that means. LOTS OF RAM! So I got me a 16 GB upgrade. Then I found that I could only allocate 8 GB to a VM in VMware Fusion. So here’s how to…
Zombie Apocalypse – Economic armageddon using Gresham’s Law
I was heartened to find out that someone was given grant money for a study that demonstrates that the fresh brains market in a zombie apocalypse would peter out after six months. Afterwards, the earth would be either empty (most likely) or a wasteland with few zombies. So that gave me an idea. Gresham’s Law,…
Argumentum ad antiquitatem
This post is not in Latin, but essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes: Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools that show that we can crack ALL passwords in a reasonable…
Securing WordPress with obfuscation
So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin. Changing the prefix is most easily done with a new installation, but my installation dates from the very first…
Time to update knowledge
This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need…
OWASP Developer Guide – time for a new meeting
If you are participating in the OWASP Developer Guide, I want to have another status meeting Friday next week: Friday 2nd November, 1300 UTC (Saturday 3rd November, 0000 AEDST, my time zone). Come be my friend on Google+, and ask to be in my OWASP Guide circle. This circle can participate in the Hangout. Hope…