I was reading a great post from Hoff that describes what he and Richard Mogull are envisioning as the next evolution of security solutions. Hoff says: “What CMMP represents is the evolved and converged end-state technology integration of solutions that today provide a point solution but “tomorrow” will be combined/converged into a larger suite of [...]
This has just been announced: “Adobe joins Linux Foundation, develops AIR for Linux” OK, now the vulnerabilities from Adobe that sank Windows in the Pwn2Own contest will be available for Linux users too. Those contests will be more fair now. Now seriously, it’s impressive how people don’t realize the importance of Adobe software security. We [...]
I was LOL after reading this, from The Register: “(CanSecWest) VMware researcher Oded Horovitz got an earful when he told a group of security buffs his company’s virtualization software was theoretically impenetrable. Speaking at the CanSecWest conference in Vancouver, his hour-long presentation, titled Virtually Secure, included a slide titled “VM Escape” that carried the following [...]
The SANS ISC mentioned that today there are patches available for Adobe Acrobat, Firefox and QuickTime. Next Tuesday there will be a bunch more from Microsoft. So what? Try to find a Windows box that doesn’t have one of them installed. That means that during these days almost all Windows boxes will be vulnerable to [...]
Well, it’s funny to see this discussion started by Farnum about “Availability versus Security”. I remember seeing one of the first product presentations from Symantec after the Veritas deal. It was the first time that I heard someone saying something like “there is Availability and there is Security”. I remember the guy showing one of [...]
I’m having a good conversation about OTP/2FA for online banking in the cisspforum mail list. Tim Bass and Martin Wehlou are incredibly good professionals and are adding valuable points to the subject. Martin posted (01/2007) in his blog a very good explanation about the problem that the banks are trying to solve with OTP solutions. He [...]
I’ve just read from the Symantec Security Response Weblog that they detected a trojan that behaves exactly like what I predicted a few years ago: it dynamically changes the content of wire-transfer transactions, defeating two-factor authentication mechanisms. It was also part of my Black Hat presentation last year. What will happen to the two-factor [...]
I was reading the SANS ISC diary about mass compromises by SQL Injection. It seems to be something automated, maybe a botnet or even a worm. What kind of automated threat this is isn’t really what matters here. The most important fact here is that we are now seeing SQL Injection attacks being used by [...]
Since the WMF vulnerability in January 2006, client applications seemed to become the next target for malware and malicious attackers. I wrote about the evolution of threats and related vulnerabilities at that time. So, it’s not very surprising to see here and here that people are worried about vulnerabilities in software other than the [...]