Hi everyone,
Just a quick note that tomorrow we’ll be giving a webcast about our research behind The Business Justification for Data Security paper we recently released. For those of you with too much ADD to read all 30+ pages, we’ll be covering all the core material and walking through an example case.
Brian Krebs posted last week that Sprint is claiming an employee has stolen customer data, including PINs and the “security question” you can use to recover a password. This is a vendor I have been following for a long time, and I’m surprised we have not seen this type of activity before. From Brian’s blog:
Hi everyone,
With me adapting to the new baby and holding the fort here at Securosis Central, and Adrian out at the Source conference, I wasn’t able to get our usual weekly summary together.
No, we don’t mean vote for your favorite geriatric patriarch or matriarch, but for your favorite security blog.
While I’m a little late posting this (I blame being distracted by the impending, then final, arrival of my incredibly cute daughter), there’s still plenty of time to vote. The awards are all part of the Security Blogger’s Meetup, which started as a little gathering put together by Martin and myself 3 years ago, and is now a pretty big & impressive event, with an actual budget. At…
Adrian and I are proud to release our latest whitepaper: Building a Web Application Security Program.

For those of you who followed along with the blog series, this is a compilation of that content, but it’s been updated to reflect all the comments we received, with additional research, and the entire report was professionally edited. We even added a couple pretty pictures!
With Rich pretty much out of commission this week and my very last minute preparation for Source Boston underway, this week’s post will be a short one. Plus I need to install the current Mac OS X patches and reboot all of the computers in the house. That little bouncing icon is finally going to get its way. On that note, has anyone out there ever looked at the viability of polluting the Apple downloads? Every time I click one of these I am always uncertain why I trust it or how I could verify…
A couple days ago I posted some thoughts on Data Security and the US Government, how I perceive the role of Cybersecurity, and what I suspected would be a difficult challenge as the Cybersecurity team was set up at cross-purposes with the intelligence community. Today the Wall Street Journal released an article on the resignation of National Cybersecurity Chief Rod Beckstrom. In a case of “even a blind squirrel occasionally finds a nut”, my estimate of internal conflict appears to already be…
Yesterday morning I read the article on The Tech Herald about the demonstration of a CSRF flaw for ‘Change Password’ in Google Mail. While the vulnerability report has been known for some time, this is the first public proof of concept I am aware of.
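To make the class of flaw concrete, here is an added illustration (not code from The Tech Herald article, and not Google’s code) of why a “Change Password” handler that trusts the session cookie alone is forgeable cross-site, and how a per-session synchronizer token stops the forged request. The session store, session id, account names and field names below are constructed for the example.

```python
import hmac
import secrets

# Constructed server-side state for the example: session id -> account record.
# The session id and account are invented; a real app would use its own store.
SESSIONS = {"sess-abc123": {"user": "alice", "password": "old-secret"}}
CSRF_TOKENS = {}  # session id -> token issued with the change-password form


def issue_csrf_token(session_id):
    """Mint an unguessable per-session token and remember it server-side.
    The legitimate form embeds it; a cross-origin page cannot read it."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def change_password_vulnerable(request):
    """Authorizes on the session cookie alone. Because the browser attaches
    that cookie to any POST aimed at this origin, an attacker's page with an
    auto-submitting hidden form can change the victim's password."""
    account = SESSIONS.get(request["cookies"].get("session"))
    if account is None:
        return 401
    account["password"] = request["form"]["new_password"]
    return 200


def change_password_hardened(request):
    """Same handler, but also requires the session's CSRF token in the body.
    The forged request carries the cookie but not the token, so it is refused."""
    session_id = request["cookies"].get("session")
    account = SESSIONS.get(session_id)
    if account is None:
        return 401
    expected = CSRF_TOKENS.get(session_id)
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison; a missing or never-issued token fails closed.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    account["password"] = request["form"]["new_password"]
    return 200


def forged_request():
    """What an attacker's page can make the victim's browser send: the session
    cookie rides along automatically, but no token the attacker never saw."""
    return {"cookies": {"session": "sess-abc123"},
            "form": {"new_password": "attacker-chosen"}}


def legitimate_request(token):
    """A submission from the real form, which carried the issued token."""
    return {"cookies": {"session": "sess-abc123"},
            "form": {"new_password": "user-chosen", "csrf_token": token}}


def demo():
    """Run the forged request against both handlers and a real one against the
    hardened handler; return status codes and the resulting stored passwords."""
    SESSIONS["sess-abc123"]["password"] = "old-secret"
    vuln_status = change_password_vulnerable(forged_request())
    after_vuln = SESSIONS["sess-abc123"]["password"]

    SESSIONS["sess-abc123"]["password"] = "old-secret"
    token = issue_csrf_token("sess-abc123")
    blocked_status = change_password_hardened(forged_request())
    after_blocked = SESSIONS["sess-abc123"]["password"]

    ok_status = change_password_hardened(legitimate_request(token))
    after_ok = SESSIONS["sess-abc123"]["password"]
    return (vuln_status, after_vuln, blocked_status, after_blocked,
            ok_status, after_ok)


if __name__ == "__main__":
    print(demo())
```

The forged POST succeeds against the first handler and silently sets the attacker’s password; against the second it gets a 403 and the stored password is untouched, while the submission that carries the issued token still works. Asking for the current password on the change form, or marking the session cookie SameSite, would be additional layers on top of the token check.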
Via Slashdot, I just ran across Didier Stevens’ post on how to automate the JBIG2decode vulnerability in PDF documents. There is a video on the site where he runs through three scenarios to exercise the vulnerability - manually starting up Reader, viewing a thumbnail PDF, and then automatic execution by simply visiting the page with the malicious document through Windows Explorer Shell Extensions - and shows you the results in the debugger. It’s worth the view.
I am going to be in Boston Tuesday through Friday at the Source Boston event that runs March 11th through the 13th. I am presenting on Encryption and Enterprise Data Security on Thursday afternoon right after Jeremiah Grossman. This is my first Source Boston event, so I am looking forward to it. Let me know if you are going to be in town!