
Michael Sutton's Blog

Thursday, January 31, 2008 10:24 AM

» PCI Requirement 6.6 - The Clock is Ticking

Welcome to 2008. By now you have no doubt made and broken a number of New Year's resolutions. Not to worry if you've already wasted $50 bucks on a gym membership, there's always next year. I do however hope that taking PCI seriously was on
Posted By erik.peterson | No Comments

Wednesday, June 13, 2007 01:09 AM

» Microsoft Black Tuesday - June 2007

The June edition of Microsoft Black Tuesday marked two important events - an all out assault on client side vulnerabilities and the end of the security honeymoon for Windows Vista. I've been saying for some time now that we're in the midst of
Posted By erik.peterson | No Comments

Friday, June 08, 2007 06:13 PM

» Identifying Web Application Technologies

Jeff Forristal has an interesting initiative and for those able to help out, there are cash and prizes to be had! Well ok, no cash, but you could walk away with some stylish SPI clothing or a few drinks on us. Jeff is looking for assistance in identifying
Posted By erik.peterson | No Comments

Wednesday, May 09, 2007 01:05 AM

» Microsoft Black Tuesday - May 2007

The break that we were given in April when only 8 vulnerabilities were delivered is now a long lost memory. While May was not a record month, it was big with 18 overall vulnerabilities in seven advisories. More importantly, the vulnerabilities were strongly
Posted By erik.peterson | No Comments

Wednesday, April 11, 2007 12:03 PM

» Educating Developers

I spend much of my time on the road conducting presentations on application security for various audiences. Of all the groups that I speak to, developers are a favorite of mine. Developers get a bad rap when it comes to security. They are generally blamed
Posted By erik.peterson | 4 Comments

Tuesday, April 10, 2007 04:56 PM

» Microsoft Black Tuesday - April 2007

The month of April started off with a bang, when Microsoft released MS07-017, a rare out of cycle patch, but ended with a fizzle, with 8 additional vulnerabilities. While four critical vulnerabilities were addressed, that is down significantly from the
Posted By erik.peterson | 1 Comment

Friday, March 23, 2007 12:35 AM

» Debug Message XSS Vulnerabilities

I was excited this afternoon when I thought that I'd stumbled upon a universal XSS vulnerability in verbose ColdFusion error messages. While testing a site, I had noted that a verbose debug error message (see below) echoed back many of the request
Posted By erik.peterson | 3 Comments

Thursday, February 15, 2007 01:02 AM

» What is Web 2.0?

Web 2.0 may be the most ill defined technology term to date. Everyone uses the term but I have yet to hear a decent definition of it. O'Reilly Media is credited with coining the phrase and Tim O'Reilly defines Web 2.0 as: "Web 2.0 is the
Posted By erik.peterson | 3 Comments

Wednesday, February 14, 2007 12:32 AM

» Microsoft Black Tuesday - February 2007

This month Microsoft decided to play catch-up and hit us with a hefty 12 security bulletins covering 20 vulnerabilities, 13 of which were critical. The volume was not surprising given that Microsoft pulled four of eight planned bulletins four days before
Posted By erik.peterson | No Comments

Friday, February 09, 2007 01:15 AM

» Phree Phishing

I recently blogged about the phishing pages that I found during a Tour of the Google Blacklist. In that posting I noted how I was surprised to find that Yahoo! was actually hosting phishing sites designed to phish Yahoo! credentials. Not surprisingly
Posted By erik.peterson | 4 Comments

Wednesday, January 31, 2007 01:27 PM

» How Prevalent Are XSS Vulnerabilities?

How Prevalent Are Cross Site Scripting (XSS) Vulnerabilities? Based on a recent experiment, I wasn't surprised to see that they're everywhere and finding dozens at a time doesn't present much of a challenge. Back in September 2006 I sought
Posted By erik.peterson | 4 Comments

Friday, January 26, 2007 03:50 PM

» Evaluating Security Tools

All companies face the challenge of evaluating security tools that they will procure, but knowing where to start can be a daunting task. While there's no perfect way to ensure that a product meets your needs, a little due diligence is essential. Fortunately
Posted By erik.peterson | 2 Comments

Wednesday, January 10, 2007 04:07 PM

» Decoding the Google Blacklist

After publishing last week's blog entitled 'A Tour of the Google Blacklist', I received a few queries about Google's encoded/hashed blacklist (enchash). This blacklist is separate from the unencoded blacklist that was the focus of the
Posted By erik.peterson | 3 Comments

Tuesday, January 09, 2007 02:13 PM

» Microsoft Black Tuesday - January 2007

This month's bulletins leave us with two major headlines. First, 'What happened to half of the bulletins?' and secondly, Internet Explorer 7.0 isn't apparently quite as bullet proof as advertised. Even before Black Tuesday arrived this
Posted By erik.peterson | 7 Comments

Thursday, January 04, 2007 12:48 PM

» A Tour of the Google Blacklist

[Update 01.10.07: In response to some of the queries that I've been receiving, I've published a follow up blog to discuss the structure/decryption algorithm of Google's Encoded/Hashed Blacklist.] I recently decided to devote a day to walking
Posted By erik.peterson | 53 Comments