“MicroISV on a Shoestring” posted in September 2010 a funny and detailed review of security flaws found in the open-source Diaspora platform. Its section headings give the flavour: Authentication != Authorization: The User Cannot Be Trusted; Mass Assignment Will Ruin Your Day; NoSQL Doesn’t Mean No SQL Injection; Take Care With Releasing Software To End Users; Is Diaspora Secure After The … Continue reading: Social Network Platform Security Lessons: Why I Deleted Facebook
Secumania posted on February 4th the details of a privilege escalation flaw in Metasploit 3.5.1: By placing a DLL file in the %systemdrive%\framework\postgresql\bin it is possible to get it loaded by a program (postgres.exe) that is executed by the framework PostgreSQL’s service executable (pg_ctl.exe), every time the service starts, with NT AUTHORITY\SYSTEM user privileges, being able to run … Continue reading: Metasploit 3.5.1 ‘Sploited
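The precondition for the flaw above is a directory on a SYSTEM service’s executable path that a standard user can write to. The following is an added example, not code from the Secumania advisory or from the Metasploit project: a PowerShell check that walks every installed service, takes the directory of its binary, and reports any directory where Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE holds an Allow ACE permitting file creation (including the generic write/all bits that some ACEs carry). The identity list, the choice of rights bits and the function names are this example’s assumptions, and a hit means only that the planting precondition exists, not that the binary in question actually loads a DLL from that directory.

```powershell
# Added example (not from the advisory or Metasploit): find service binary
# directories that low-privilege users can write to. Assumes Windows PowerShell
# 5.1 or PowerShell 7 on Windows; run elevated for complete service coverage.

# Identities treated as "low privilege" (assumption; extend for your estate).
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Pull the executable out of a service PathName, which may be quoted
# ("C:\Program Files\x\svc.exe" -arg) or unquoted (C:\Windows\system32\svchost.exe -k ...).
function Get-ServiceExecutablePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Return the low-privilege Allow ACEs on a directory that permit creating files.
function Test-LowPrivWrite {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return @() }
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # CreateFiles (FILE_ADD_FILE) is the bit that lets you drop a new DLL here;
        # Write, Modify and FullControl all include it.
        $canCreate    = ($rights -band [int][System.Security.AccessControl.FileSystemRights]::CreateFiles) -ne 0
        $genericWrite = ($rights -band 0x40000000) -ne 0   # GENERIC_WRITE, unmapped in the enum
        $genericAll   = ($rights -band 0x10000000) -ne 0   # GENERIC_ALL
        if ($canCreate -or $genericWrite -or $genericAll) {
            $hits += "$($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }
    return $hits
}

# Walk all services once per distinct binary directory and report writable ones.
function Find-WritableServiceDirectories {
    $seen = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceExecutablePath $_.PathName
        if (-not $exe) { return }
        $dir = Split-Path -Parent $exe
        if (-not $dir -or $seen.ContainsKey($dir.ToLower())) { return }
        $seen[$dir.ToLower()] = $true
        $hits = Test-LowPrivWrite $dir
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Service    = $_.Name
                RunsAs     = $_.StartName     # LocalSystem here is the dangerous case
                Directory  = $dir
                WritableBy = ($hits -join '; ')
            }
        }
    }
}

Find-WritableServiceDirectories | Format-Table -AutoSize
```

To check just the directory named in the advisory, call `Test-LowPrivWrite "$env:SystemDrive\framework\postgresql\bin"`; an empty result means no low-privilege identity can create files there. The fix on the defender’s side is the same in either case: tighten the directory ACL so only Administrators and SYSTEM can write, since a service binary’s search path is only as trustworthy as the weakest ACL along it.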
Michal Zalewski gives a biting commentary on the HBGary attack: …the purported details of the attack on HBGary – a horribly vulnerable, obscure CMS; unpatched internal systems; careless password reuse across corporate systems and Twitter or LinkedIn; and trivial susceptibility to e-mail phishing – are a truly fascinating detail. These tidbits seem to imply either extreme cynicism of their … Continue reading: The HBGary Story
A blog post by the EFF has a curious phrase towards the end: …the higher the stakes, the worse the security… Sample size? The author clarifies that “worse” means “easily resolved”. This seems to assert a shade of negligence: a decision not to fix security even when it is easy. He tries to explain … Continue reading: EFF: Higher Stakes Brings Worse Security