CGISecurity - Website and Application Security News

CGISecurity - Website and Application Security News http://www.cgisecurity.net/ http://images.cgisecurity.com/i/rss.gif All things related to website, database, SDL, and application security since 2000. en-US 2008-12-01T14:27:16-08:00 Insecure Magazine #19 Released http://www.cgisecurity.net/2008/12/insecure-magazine-19-released.html In this issue. The future of AV: looking for the good while stopping the bad Eight holes in Windows login controls Extended validation and online security: EV SSL gets the green light Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA Web filtering in a Web... Robert 2008-12-01T14:27:16-08:00 College students rig Victoria Secret online contest http://www.cgisecurity.net/2008/12/college-students-rig-victoria-secret-online-contest.html "At Drexel University and a handful of other colleges, students created computer scripts to sway the contest—an online vote to nominate a university to receive its own clothing line—in their campuses’ favor. Tim Plunkett, a junior at Drexel, created a script that could cast 1,500 votes per second, according to The... Funny Incidents Robert 2008-12-01T13:36:05-08:00 Manipulating Google Flu Trends to perform cyber warfare? http://www.cgisecurity.net/2008/12/manipulating-google-flu-trends-to-perform-cyber-warfare.html I came across an interesting post at freedom-to-tinker discussing the impacts of google's flu monitoring program."My concern today is whether Flu Trends can be manipulated. The system makes inferences from how people search, but people can change their search behavior. What if a person or a small group set out to... Off Topic Robert 2008-12-01T13:24:48-08:00 Inside Safari 3.2’s anti-phishing features http://www.cgisecurity.net/2008/11/inside-safari-32s-antiphishing-features.html An article over at macworld discusses the anti phishing features in the new safari."The release of Safari 3.2 on November 13 displayed Apple’s penchant for cryptic release notes, as the company describes all three versions as featuring “protection from fraudulent phishing Web sites.” Let's decode that for you: Safari 3.2 offers... Browsers Robert 2008-11-25T10:43:46-08:00 Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations http://www.cgisecurity.net/2008/11/oracle-forensics-part-7-using-the-oracle-system-change-number-in-forensic-investigations.html David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list."I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's... Articles Forensics Research Robert 2008-11-25T09:36:57-08:00 Article: What the NSA thinks of .NET 2.0 Security http://www.cgisecurity.net/2008/11/article-what-the-nsa-thinks-of-net-20-security.html Romain Guacher to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction."The purpose of this document is to inform administrators responsible for systems andnetwork security about the configurable security features available in the .NET Framework.To place some of... Articles Defense Development Robert 2008-11-24T09:15:30-08:00 Automated security testing & its limitations http://www.cgisecurity.net/2008/11/automated-secur.html "The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)… A good tester should know the weaknesses of the automated testers.. The problem with automated testers, is, simply put, they are not human. That is they will not have intuition that a given... Reviews Security Tools Robert 2008-11-19T10:28:12-08:00 Metasploit Framework 3.2 Released http://www.cgisecurity.net/2008/11/metasploit-fram.html "Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 -- The Metasploit Projectannounced today the free, world-wide availability of version 3.2 oftheir exploit development and attack framework. The latest versionis provided under a true open source software license (BSD) and is backed by a community-based development... Security Tools Robert 2008-11-19T09:33:14-08:00 Microsoft to offer free Antivirus http://www.cgisecurity.net/2008/11/microsoft-to-of.html "Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker... IndustryNews Vendors Worms Robert 2008-11-19T09:11:06-08:00 Understanding How to Use the Microsoft's Exploitability Index http://www.cgisecurity.net/2008/11/understanding-h.html "On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment... Defense SDL Vendors Robert 2008-11-18T09:58:47-08:00