Friday, December 28, 2007

So what did I miss?

Maui was a lot of fun, but more on that later. Today I got to get back to digital reality - wade through mountains of email, unread RSS feeds, and unplayed voicemail. Looks like while I was away there was a lot of chatter about PCI section 6.6 and WAFs, which make sense since the compliance date is only about six months away. Gary McGraw (DarkReading) and Joel Dubin (SearchSecurity) had some sage advice, but it was Ryan Barnett’s words that really spoke to me. Ryan discusses vulnerability REMEDIATION with respect to PCI, which is all too often overlooked, and highlights some interesting verbiage. And since Ryan works closely with ModSecurity, it’s fitting to pass along that Ivan Ristic just announced the RC for version 2.5 and it has with some slick sounding features.

Google’s social network Orkut also took its turn having to deal with the relatively new phenomena of Web Worms. This worm spread to a reported 650,000 users, short of Samy’s 1 million, but still enough to turn some heads. There was a lot of media and blog coverage, source code was made available for analysis. Amazing what a few lines of JavaScript can accomplish. What’s still surprising to me in all of this is the relatively infrequency of these attacks and that Web Worms have yet to see a malicious payload. Enjoy it while you can it won’t last forever.

Ironically while at the beach, I made Slashdot by sharing my personal “Web” surfing habits and discussing how to defend against CSRF attacks. Nah nah :) – this was the result of an interview I did some weeks back with Sarah D. Scalet of CSO and it was just recently posted. Gotta hand it to the Slashdot crowd for their consistency in NOT reading the story before commenting. The first person actually asks “How exactly is this strategy going to protect you from a keylogger?” and then the conversations degrades for there. Seesh. But Marcin (TSSCI) posted a nice little trick I haven’t tested out yet to simultaneously run multiple Firefox profiles, which should have nearly the same effect I was going for.

And while sla.ckers.org and XSSed.com are outing vulnerable websites, other websites suffered some Web security related incidents. Hundreds of MD Web Hosting customers websites were SE0wN3d, F-Secure Forum was defaced by a Turkish group, adult-entertainment hoster Too Much Media Corp who supports thousands of websites was compromised, an Ohio court website was penetrated using Credential/Session Prediction where several victim suffered identity theft, and the Tuscon police department website is having their fill of SQL Injection as well. All fun and games in webappsec land.

1 comment:

Arshan said...

Really? All I heard was that Britney Spears' sister was pregnant.

That's my contribution.