Poking Mykonos
While checking on the latest updates in the start-up world from TechCrunch, I came across their article on Mykonos; the important part of their article (at least for me), is this:
Mykonos’s Web Security product uses deception to “detect, confuse, slow down and prevent attackers” in real-time in order to help companies protect their websites and Web apps from malicious hacker and proactively prevent fraud and theft.
A couple of minutes of reading, and my interest was piqued – to say the least. The thing that most interested me was the claim of no false positives, while they do talk about it – I really wanted to see it for myself. Assuming they used their own product to protect their site, I took a few minutes to see what I could find – and find I did.
Read more…Google Chrome Leaking Credit Card Data?
While testing ccsrch I noticed a number that looked familiar – my debit card number. Now, being just a little paranoid, I don’t leave such information on my system unencrypted – so seeing it was a real surprise. But, here’s the real kicker: it was on my work PC, where it never should have been. But there it was, plain as day, in clear text. I spent a couple of minutes staring at the log trying to figure out why it would be there.
Read more…CCSRCH v1.0.5
During my employers annual PCI audit, our auditor requested that we perform a search of all of our servers for credit card data. He recommended a tool called “ccsrch” – which like many open source projects had a couple of issues, and hadn’t been updated in years. So, I fixed it.
CCSRCH is a cross-platform, command-line application that reads every file from the starting point passed in, and scans them for what looks like credit card numbers (and using the Luhn algorithm to check each possible result). It’s fairly brute-force, but it gets the scans required for PCI – though I would be careful about using it during production hours, it can have a pretty significant impact on a server’s I/O performance.
Read more…SOPA Is Inevitable
SOPA, while it’s not likely to be passed as-is, I would be willing to bet money that something SOPA-like will be passed. It may be watered down with many of the most offending parts removed, but for those backing SOPA it’ll still be a real victory. For them getting it on the books, even in a weakened form means it can be tweaked (and extended) later.
There’s been an amazing resistance to SOPA, from the boycott of GoDaddy to public statements from celebrities such as Adam Savage – the public outcry against this horrid piece of legislation has been quite inspiring. But how often will you be able to get so many people to stand up and take action before they start to lose interest? How many times can you raise the troops before the numbers start to dwindle; how long before the celebrities start fearing they’ll be branded in the media as extremist or crazy? How many times can you raise the call of breaking the internet and freedom of speech before the public gets bored and goes to read about the latest Hollywood divorce instead?
Read more…Masking Credit Cards for PCI
PCI DSS, the security standard for companies that handle credit cards, defines a number of rules as to how credit cards are handled. One of those rules, 3.3, is defined as follows:
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
So based on this requirement I assumed that the code to do this would be common and widely available; much to my surprise there are rather few samples that do this, and of those I found they only showed the last four (which when you are handling a lot of credit cards, searching for an account by the last four isn’t all that helpful) and were often rather fragile.
Read more…Why Cringely is wrong about Java
A couple of days ago I was sent a link to Robert Cringely’s latest treatise: The second coming of Java – and to say I disagreed was a bit of an understatement. To me, it represents a fundamental flaw in his perception of developers, and more importantly the economics of software development.
The key to Cringely’s argument comes down to this:
When SSDs gain enough capacity there will be a shift from the Ruby world back to the Java world. Not for prototyping, because, well, it’s prototyping. But simply because the statement “Ruby is incredibly slow but I don’t care because my database is slower” will no longer be true.
Read more…Pen-Testing Silverlight+RIA with SoapUI
I was recently given the task of ensuring that a Silverlight+RIA application that could contain private information was secure for deployment to a public web site. So I started searching for automated pen-testing tools that could work against Microsoft’s Binary SOAP protocol (
msbin1, a.k.aapplication/soap+msbin1) and found only disappointment. For various reasons, it’s significantly more complex to pen-test an application usingmsbin1than traditionalSOAP+WSDL.To properly test the services, I had to make a compromise: temporarily modify the application to expose a
Read more…SOAPendpoint. While this changes the state of the application and thus reduces the validity of the tests, it does provide a reasonable way of testing the web services to ensure that they are behaving as intended.A brief look at the latest @LulzSec release
Earlier today, the hacker collective Lulz Security released a batch of 62,156 email/password combinations from unknown sites; I decided to take a look at the data and see if there was anything to be learned from it.
And as always, LulzSec delivers: mediafire.com/?9em5xp7r0rd2y… 62,000+ emails/passwords just for you. Enjoy.
— The Lulz Boat (@LulzSec) June 16, 2011
So, let’s take a look at a few stats:
Total Domains: ~5,230
Top 15 Domains:
Read more…
bbPress 2.0 (beta-1) released!
This morning, the latest version of my favorite forum software, bbPress, was released. While this is a beta and not a final release, it’s still a major event for the project: this release is in the form of a WordPress plugin, instead of a stand-alone application as it’s been in the past. In December 2009 I wrote about this decision – and at the time I was rather disappointed with the change in direction; but now my views have changed. I’m also excited to see that Matt and his company, Automattic have decided to invest the time and money needed to make this happen; there for a while it looked like bbPress really was dying.
Read more…Happy 20th birthday Visual Basic!
Today I saw a post on Facebook by a friend of mine, Anthony Green, about writing his first blog post as a Microsoft employee (he has a personal blog as well, unfortunately he’s not written anything since 2008) – when I saw the title, I couldn’t believe it was 20 years already – seems just yesterday that I wrote about its 15th birthday:
Happy 20th Birthday Visual Basic!
My, what a journey it’s been. Almost fifteen years ago I randomly bought a copy of “Visual Basic 5: Deluxe Learning Edition” – I was just 15 at the time and wanted a new hobby, and writing software seemed like it would be fun. In those early days, I had no idea what career I would choose, and really didn’t intend for software development to become the dominant force in my life – I just wanted a better, more productive way to spend my time during the summer.
Read more…
About Me
Security researcher, engineer and software developer with more than 20 years of experience.
Work: I primarily focus on application security, usable security, secure communications, and cryptography. I build and lead strong and dynamic teams, who cover all facets of security and privacy.
Writing: I write about my research, security in general, development and software design, and leadership through my blog, essays, and various publications. I also engage in some creating writing when I can.
Photography: I am a purist fine art photographer, working primarily in black & white, and focused on sharing new perspectives of the world. Limited edition prints of my work are available on my online gallery. I also have a background in photojournalism, and volunteer in this field when I can.