Tag: "featured"

Security and IT Pros, I need your help

In my day job I publish two large information security studies a year. This involves completing hundreds of live interviews with security professionals in all types of industries. What’s produced is some of the most comprehensive market research on information security I’ve ever been involved with. But I need your help.

Information Security's Winners & Losers

A recording of my most recent webinar is up; follow the link to access the recording. The webinar covers: Which projects are IT professionals implementing in the next 12 months? How do 2012 security budgets look? Who will be the winners and losers on the vendor side? Join us as Daniel Kennedy, Research Director, Information [...]

Anonymous Releases Very Unanonymous Press Release

Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Also in it, its author forgot to remove his name from the PDF’s metadata.

Paypal Sender Country XSS

A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm.

Turning an ATM into a Slot Machine

In a talk originally slated for last year before it was muffled by Juniper based on the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.

Persistent XSS on Twitter.com

Twitter user 0wn3d_5ys has demonstrated a persistent cross-site scripting (XSS) vulnerability he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications.

The “Aurora” IE Exploit Used Against Google in Action

The big news hit earlier this week: the attack vector that allowed bad actors, presumably from China, into the networks of Google, Juniper, Adobe, and some 30 other firms was an Internet Explorer zero-day, a use-after-free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8 but only used in IE 6 according to Microsoft.

Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake

Bad actors have taken advantage by engaging in search engine poisoning, including taking over existing web sites, using techniques that boost search ranking, and installing malicious software on users’ PCs using scareware tactics. They also set up fake donation web sites. Finally, they employ spam e-mail, Twitter messages, and related electronic communication methods in order to direct users to these web sites.

Baidu.com the Latest Victim of Iranian CyberArmy

A group called the Iranian Cyber Army has, fresh off the heels of their DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com.

JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash

A report has been received from Juniper at 4:25pm under bulletin PSN-2010-01-623 that a crafted malformed TCP field option in the TCP header of a packet will cause the JUNOS kernel to core (crash).
