Web Security

May 23, 2012, 2:32PM

How to Break Google Chrome in Six Easy Steps

Browsers are a really nice target for attackers of all stripes and skill levels. But, unless you're a savant or have just landed here from the future, you may want to take a pass on going after Google Chrome, judging by the insane level of effort and skill that an anonymous security researcher had to deploy in order to compromise Chrome during the company's Pwnium contest in March.


May 23, 2012, 2:19PM

Armenian Bredolab Creator Jailed For Computer Sabotage

An Armenian court sentenced a 27-year-old Russian man to four years in jail this week following his conviction in connection with the infamous Bredolab botnet that infected 30 million computers over the last few years.

G. Avanesov, later identified as Georgy Avanesov by several media outlets, was officially sentenced for committing computer sabotage by the Court of First Instance of Armenia's Arabkir and Kanaker-Zeytun administrative districts Monday.


May 22, 2012, 4:16PM Around the Web

Facebook Cancellation Malware Disguised As Adobe Update Making Rounds

Users who receive e-mails that appear to come from Facebook asking if they’d like to cancel their accounts should beware that it’s more than likely an attempt to install malware on their computers.


May 22, 2012, 11:41AM

Howard Schmidt Answered the Bell

There's an old saying that all things end badly or else they wouldn't end. It sounds nice, but it's not necessarily true. Plenty of things simply end. The useful career of the Police, Man Vs. Food and highway A1A all ended without any catastrophic effects or gnashing of teeth. Now, with Howard Schmidt's career as White House cybersecurity coordinator nearing its end, much will be made of what he did or didn't accomplish in his time in government service. That's a fun parlor game to play, but the most important aspect of Schmidt's time in Washington is the simple fact that he answered the bell when no one else would.


May 21, 2012, 4:58PM Around the Web

Report: Diablo III Users Find Accounts Hacked, Gold Stolen And New 'Mystery' Friends

Blizzard Entertainment's update to the mega-popular Diablo game franchise hit a major snag over the weekend, after users started peppering support boards and the company with reports of raided accounts, missing virtual "gold" and mysterious new friends.


May 21, 2012, 1:21PM Video Around the Web

Why Google Won't Protect You From Big Brother

In this talk from the TEDx San Jose conference, security and privacy researcher Chris Soghoian explains the way that surveillance works these days, why it's so easy for law enforcement to watch private citizens and why companies such as Facebook, Twitter, Google and others won't protect their users from this surveillance.


May 18, 2012, 9:52AM

HULK DDoS Tool Smash Web Server, Server Fall Down

For the aspiring attacker or pen tester, there is no shortage of attack tools, scripts, crimeware kits and exploits available online. But, the Internet being what it is, there's always room for one more. Enter HULK, a new DDoS tool that arrives just in time to coincide with the release of some movie involving the actual Hulk and other CGI-ified mediocre-heroes.


May 17, 2012, 8:16PM Around the Web

New P2P Zeus Variant Targets Popular Sites with Bogus Offers

Facebook, Gmail, Yahoo and Hotmail users should beware of rogue rebate offers and new secure payment options aimed at getting them to part with their debit card information.

Earlier this week Amit Klein, CTO of Trusteer, announced the discovery of a peer-to-peer variant of the Zeus platform that leverages trusted relationships and well-known brands to convince users to sign up for convenient services and better secure debit card transactions. On each site, the attack displays a little differently.


May 17, 2012, 12:34PM

Twitter Implements Do Not Track

Twitter has implemented the Do Not Track header on its site, giving users the option of telling the site that they do not want to be tracked across other sites on the Web. The implementation is being done through the DNT technology in the Firefox browser.


May 17, 2012, 9:00AM

A CISO's Guide To Application Security - Part 5: Justifying an Investment in AppSec

This post is the last in a 5-part series on Application Security, or “AppSec”.

By Fergal Glynn

This blog post series has examined the growing threats to software, defined the components of a sound AppSec program, described an evolutionary path to AppSec maturity, and considered a number of tools and technologies worthy of investment. Ultimately, it is the Chief Information Security Officer (CISO) or equivalent’s responsibility to mitigate the enterprise’s level of software risk as part of a comprehensive infosec strategy. In this, the final post in this series, let’s review the return on investment possible from a sound AppSec program, including ways to build a business case for further investment in this critical IT security discipline.


Copyright © 2012 threatpost.com