Monday, January 16, 2006

Google: Yes, You Can Find Just About Anything

Hackers and security experts use various custom and open source tools to complete their tasks.

In fact, one of the tools they use you probably use every time you browse the web: the Google Search Engine. I remember the first time I used the Google Search Engine years ago. I was amazed at how quickly it fulfilled my search request.

Google's huge index of systems and information and its ability to perform complex searches have evolved over the years. When we perform security assessments and penetration tests, we regularly use Google to locate information that organizations typically want to keep private and confidential.


Data protection watchdog investigation finds no evidence

UK banks escape punishment over India data breach

UK banks will not face any action over a data breach in an Indian call centre last year, where an undercover newspaper reporter was allegedly sold bank and credit card details of 1,000 customers.

Monday, January 02, 2006

Automatically Hardening Web Applications using Precise Tainting.

Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values.
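To make the distinction between coarse and precise tainting concrete, here is an added illustration in Python that is not code from the paper or its authors. It assumes a per-character taint flag (a simplification of whatever representation the paper's implementation uses) and a deliberately small policy: inside tainted spans of a SQL command, quote characters, semicolons and comment sequences are violations; in HTML output, only tainted characters get escaped. The coarse checker is included purely for comparison, showing why whole-value tainting flags the quotes in the application's own template text.

```python
from dataclasses import dataclass
from html import escape
from typing import List, Tuple


@dataclass
class TaintedStr:
    """A string value carrying one taint flag per character.

    True means the character originated from an untrusted source (an HTTP
    parameter, for example); False means it came from the application's code.
    This is an assumed representation for the illustration, not the paper's."""
    text: str
    taint: List[bool]

    @classmethod
    def trusted(cls, s: str) -> "TaintedStr":
        return cls(s, [False] * len(s))

    @classmethod
    def untrusted(cls, s: str) -> "TaintedStr":
        return cls(s, [True] * len(s))

    def __add__(self, other: "TaintedStr") -> "TaintedStr":
        # Concatenation keeps the per-character flags; trusted template text
        # stays trusted even after untrusted data is spliced next to it.
        return TaintedStr(self.text + other.text, self.taint + other.taint)

    def tainted_spans(self) -> List[Tuple[int, int]]:
        """Return [start, end) index ranges of contiguous tainted characters."""
        spans, start = [], None
        for i, flag in enumerate(self.taint + [False]):  # sentinel closes a trailing span
            if flag and start is None:
                start = i
            elif not flag and start is not None:
                spans.append((start, i))
                start = None
        return spans


def check_sql(cmd: TaintedStr) -> List[str]:
    """Precise check: report SQL-structure content only inside tainted spans."""
    violations = []
    for start, end in cmd.tainted_spans():
        segment = cmd.text[start:end]
        for offset, ch in enumerate(segment):
            if ch in "'\";":
                violations.append(f"{ch!r} at {start + offset}")
        if "--" in segment or "/*" in segment:
            violations.append(f"comment sequence in {segment!r}")
    return violations


def naive_check_sql(cmd: TaintedStr) -> List[str]:
    """Coarse check for comparison: if anything in the value is tainted the
    whole command is treated as tainted, so the template's own quotes are
    flagged too (a false positive on every request)."""
    if not any(cmd.taint):
        return []
    return [f"{ch!r} at {i}" for i, ch in enumerate(cmd.text) if ch in "'\";"]


def build_query(name: str) -> TaintedStr:
    """Assemble a query the way a naive application does: trusted SQL text
    concatenated around an untrusted request parameter (constructed input)."""
    return (TaintedStr.trusted("SELECT id FROM users WHERE name = '")
            + TaintedStr.untrusted(name)
            + TaintedStr.trusted("'"))


def render_html(comment: str) -> str:
    """Output side: HTML-escape only the tainted characters, leaving the
    trusted markup around them untouched."""
    page = (TaintedStr.trusted('<p class="comment">')
            + TaintedStr.untrusted(comment)
            + TaintedStr.trusted("</p>"))
    out, pos = [], 0
    for start, end in page.tainted_spans():
        out.append(page.text[pos:start])
        out.append(escape(page.text[start:end], quote=True))
        pos = end
    out.append(page.text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for name in ("alice", "x' OR '1'='1"):
        q = build_query(name)
        print(f"{name!r}: precise={check_sql(q)} naive={naive_check_sql(q)}")
    print(render_html("<script>alert(1)</script>"))
```

Running it shows the benign name producing no precise violations but two naive ones (the template's opening and closing quotes), while the quote-laden input is flagged precisely at the four tainted quote positions. The same span information lets the output stage escape just the untrusted fragment of the page.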