Financial institutions are finally wising up to the threat of the phishing attack. Many are rolling out new login schemes that aim to protect the user from falling victim to these attacks, but a recent proof of concept exposes the flaws in these systems. In the nebulous world of the internet, how can you be sure who you are giving your secrets to?

The people are starting to rise up against the companies that take their credit cards. Why? Compliance with the PCI DSS. They may never have heard of the document, but they know about the very real threat of identity theft and data breaches. They see major data breaches like the TJX fiasco and want to make sure they are protected. Don't let this happen to you: get compliant before the customers leave or the auditors show up knocking.
I'm going to scream the next time somebody tells me RFID is going to solve all our security problems! Can somebody please help me understand how a technology originally created to help cattle farmers track their cows around the field is now being used in my passport?
Day two turned out to be more exciting than day one! HD Moore showed off the new version of his tool Metasploit and its amazing ability to automatically take control of unpatched systems. Mark Russinovich showed off many of the great new security features of Windows Vista and UAC.
I'm at CanSecWest this week, a big software security conference in Vancouver, BC. There are some pretty amazing techniques and technologies being demoed here. This is my take on the excitement of day one.
Trusting your Google homepage to "do no evil" may be like trusting the City of New York to keep your personal belongings safe. Untrusted widgets, widgets that give too much power to the AJAX interface, and widgets with Cross Site Scripting (XSS) could usher in a new era of theft. In this blog I will talk about one of the ways these JavaScript beauties can exploit the trusting landscape that is your personalized homepage.
Over the next few weeks I will be writing about the terrible vulnerabilities that can occur when Cross Site Scripting is combined with web applications using AJAX. Prepare to be shocked; these are going to get ugly!
Early tests revealed that the client was identifying (and authenticating) the server with pieces of information that can be easily spoofed, namely a DNS name.