Cryptographic keys can be stolen from ASP.NET web applications by modifying cookies and reviewing the resulting errors — an information disclosure vulnerability from a side channel attack. This video shows the Padding Oracle Exploit Tool (POET) in action. Details can be found here: Padding Oracle Crypto Attack (POCA). The attack allows someone to decrypt sniffed … Continue reading ASP.NET Padding Oracle Attack→
SAS 70 is over 18 years old and has begun to show its age. It was born before SOX or HIPAA existed, although not before COBIT. Two years ago the AICPA started looking at replacing SAS 70. The result is SSAE 16, which must be used for any service auditor report that ends on or … Continue reading SOC1 (Service Organization Control 1) and SSAE 16 / SAS70→
At the start of this year there was a report from IDG, which said that Google maintains a system to access data about users. Much ado was made about the outside hackers somehow getting inside and taking control of a system meant only to be used in the rare cases of law enforcement search warrants: … Continue reading Google and the Evil Insider→
I am honored to be presenting three topics at the High Technology Crime Investigation Association (HTCIA) International Conference next week. They just mentioned it on the conference blog: Davi Ottenheimer, a security and PCI expert, blogs at http://www.flyingpenguin.com/ — not just about infosec, but also on a wide variety of topics including energy, food, … Continue reading Come Hear Me at the HTCIA International Conference Next Week→