“Buffer overflows Injection attacks DoS attacks Memory leakage Information disclosure Compromised systems” What is the common factor between all of those vulnerability classes? If you have heard advice on how to prevent or fix them, chances are that advice prescribed input validation. It’s a glib and common answer, especially to address most web application vulnerabilities: […]
Suicide is a difficult topic to discuss. It has claimed many well-known individuals in society at large and in information security. It is a difficult topic for me to discuss since one of my best friends in college committed suicide just a few years ago, something I still struggle to talk about. As many of you know, I am a veteran, and far too many of my fellow veterans have also taken their own lives, at a rate far higher than the population at large. There have been a number of high-profile suicides in my home town recently…
It’s been about 3 1/2 weeks since the dump was released. In a random selection of 20-37 million people matching Ashley Madison’s user demographics, at least 250 to over 400 people have committed suicide. If three Ashley Madison users have committed suicide, they would have a suicide rate 1/100th that of the population at large. What’s going on?
Our goal is to increase security, but unfortunately, the proposed rules are too broad and will have negative effects on our legitimate vulnerability and intrusion software research, limiting our ability to defend against cyber intrusions. … I fear the primary result of the proposed regulations is to enable federal regulators to arbitrarily fine and prosecute anyone in security or software development on whim, simultaneously the biggest reason to oppose these regulations and the biggest reason regulators may push them through anyway.
I recently gave the following presentation at CanSecWest. (cansecwest.com) You can see the slides below:
-or- New tools to stop common laptop data thefts Why your OPSEC advice is wrong The internet security and privacy communities, law enforcement realms, all sides of the drug war, and the world as a whole have been enraptured by the unfolding saga of the Silk Road, the tor-hidden giant marketplace of illicit goods, and […]
There’s been a lot of focus on replacing passwords for authentication lately. Google and Twitter have each put forward proposals to address issues in authentication, Google’s based on browser modifications and Twitter’s based on mobile phone usage. Many people advocate multi-factor authentication while others advocate email-based authentication or even more unusual ideas. While many offer […]
If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have, prone to theft, re-use, and hard to remember. SSH keys are much better, but the most secure option is to use a smart […]
If you’re a developer, the task of building secure software can seem to be daunting. Vulnerabilities are a bane of large complex software projects, and companies like Microsoft spend millions to try to address them. This shouldn’t be a surprise, but since it’s popular to claim everything is hackable and nothing can be secure, it’s worth spelling out: Remote code execution vulnerabilities are not hard to prevent if developers follow a few simple, practical rules from the start, since they basically always fall into the below categories.