Michael Sutton's Blog
Welcome to 2008. By now you have no doubt made and broken a number of New Year's resolutions. Not to worry if you've already wasted $50 on a gym membership; there's always next year. I do however hope that taking PCI seriously was on
The June edition of Microsoft Black Tuesday marked two important events - an all-out assault on client-side vulnerabilities and the end of the security honeymoon for Windows Vista. I've been saying for some time now that we're in the midst of
Jeff Forristal has an interesting initiative and for those able to help out, there are cash and prizes to be had! Well, OK, no cash, but you could walk away with some stylish SPI clothing or a few drinks on us. Jeff is looking for assistance in identifying
The break that we were given in April, when only 8 vulnerabilities were delivered, is now a long-lost memory. While May was not a record month, it was big, with 18 vulnerabilities overall in seven advisories. More importantly, the vulnerabilities were strongly
I spend much of my time on the road conducting presentations on application security for various audiences. Of all the groups that I speak to, developers are a favorite of mine. Developers get a bad rap when it comes to security. They are generally blamed
Posted by erik.peterson | 4 comments
The month of April started off with a bang, when Microsoft released MS07-017, a rare out-of-cycle patch, but ended with a fizzle, with 8 additional vulnerabilities. While four critical vulnerabilities were addressed, that is down significantly from the
Posted by erik.peterson | 1 comment
I was excited this afternoon when I thought that I'd stumbled upon a universal XSS vulnerability in verbose ColdFusion error messages. While testing a site, I had noted that a verbose debug error message (see below) echoed back many of the request
Posted by erik.peterson | 3 comments
Web 2.0 may be the most ill-defined technology term to date. Everyone uses the term, but I have yet to hear a decent definition of it. O'Reilly Media is credited with coining the phrase and Tim O'Reilly defines Web 2.0 as: "Web 2.0 is the
Posted by erik.peterson | 3 comments
This month Microsoft decided to play catch-up and hit us with a hefty 12 security bulletins covering 20 vulnerabilities, 13 of which were critical. The volume was not surprising given that Microsoft pulled four of eight planned bulletins four days before
I recently blogged about the phishing pages that I found during a Tour of the Google Blacklist. In that posting I noted how I was surprised to find that Yahoo! was actually hosting phishing sites designed to phish Yahoo! credentials. Not surprisingly
Posted by erik.peterson | 4 comments
How Prevalent Are Cross Site Scripting (XSS) Vulnerabilities? Based on a recent experiment, I wasn't surprised to see that they're everywhere and that finding dozens at a time doesn't present much of a challenge. Back in September 2006, I sought
Posted by erik.peterson | 4 comments
All companies face the challenge of evaluating security tools that they will procure, but knowing where to start can be a daunting task. While there's no perfect way to ensure that a product meets your needs, a little due diligence is essential. Fortunately
Posted by erik.peterson | 2 comments
After publishing last week's blog entitled 'A Tour of the Google Blacklist', I received a few queries about Google's encoded/hashed blacklist (enchash). This blacklist is separate from the unencoded blacklist that was the focus of the
Posted by erik.peterson | 3 comments
This month's bulletins leave us with two major headlines. First, 'What happened to half of the bulletins?' and secondly, Internet Explorer 7.0 apparently isn't quite as bulletproof as advertised. Even before Black Tuesday arrived this
Posted by erik.peterson | 7 comments
[Update 01.10.07: In response to some of the queries that I've been receiving, I've published a follow-up blog to discuss the structure/decryption algorithm of Google's Encoded/Hashed Blacklist.] I recently decided to devote a day to walking
Posted by erik.peterson | 53 comments