Just Fancy That
We believe it is not in the best interest of the consumers, merchants and overall payment
industry to publish the details of product designs describing potential attacks however
remote those might be. Even if these attacks are difficult to be accomplished it gives the
bad guys a leg up on research they would not have to do and encourages bad behavior.
— Verifone in 2007 in response to security research showing their UK “Chip & PIN” credit card readers were insecure.
In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.
[…]
Don’t take our word for it. See for yourself by downloading the sample skimming application and viewing a video of this type of fraud in action.
— Verifone in 2011, after Square reduced their fees for credit card processing to well below Verifone’s rates.
SQL injection, ssh password authentication and re-used weak passwords. *headdesk*
Facebook’s “security” feature circumvented by Facebook’s blatant sharing of default-by-public data. What’s the opposite of “security by obscurity”? (Insecurity by publicity?)
Filed under: duh!, facebook, security
“While the risk of getting a fatal cancer from the screening is minuscule, it’s about equal to the probability that an airplane will get blown up by a terrorist, he added.”
This is A Big Deal. Makes stealing session cookies from other computers on your local network as easy as clicking a button. Will be interesting to see how big sites respond. Are we finally going to see HTTPS deployed on all pages?
Crazy smart security and caching system for websites. You repoint your domain’s DNS to their servers, and everything gets cached and filtered automagically. Comment spam has almost entirely disappeared since I installed it on my blog.
Every programmer should read this list now. If you don’t have a high-level understanding of all of these (and a deep understanding of the ones that affect the platform you build on), you’re dangerous.
OS X Safari users: Install this! Blocks Flash until you click on the object in Safari (and other WebKit-based applications). A way to mitigate the risk of the Flash exploit without completely nuking Flash Player from your machine.
All current versions of Flash Player are remotely exploitable on all platforms. “This vulnerability is being actively exploited.” Only workaround is to uninstall Flash Player.
Filed under: adobe, flash, security
“It is 10 times more secure to use ‘this is fun’ as your password, than ‘J4fS<2’.” True dat. Of course, password complexity isn’t really an issue. Easiest way to crack a user’s password? Hack a website (or social engineer someone that works for a website) that stores passwords in cleartext.
Filed under: passwords, security
Essential reading if you write webapps.
Filed under: security, xss
Full details on yesterday’s Twitter hack. Twitter’s admin interface was available offsite to all their admin users, one of whom has a weak password, plus their monitoring didn’t notice a dictionary attack going on. Oops.
Filed under: security, twitter
Obama Phished?
Looks like the president-elect's Twitter credentials have been compromised.
The plugin for OS X’s Mail app which makes cryptography easily manageable.
Quick cryptogeek note
I’m stopping using my old PGP key (0x8C80C35F). It’s been active for 12 years, and I had set it to expire later this year, so I’m retiring it now.
In its place is 0x1A5FFE23 which I will use for personal purposes for the next five years. It has been signed by 0x8C80C35F (as well as the CAcert root key), so should be considered trustworthy. Almost all personal mail from me shall be signed with this key.
PS. I am not being rubber-hosed as I type this.
Filed under: email, gpg, pgp, security
MD5 collisions can be used to make SSL certificates that modern browsers will trust for any domain. This is a: Bad Thing.
Filed under: md5, security, ssl
Because if they’re in small containers in a plastic baggie, they *can’t* be dangerous…
Great piece on the “security theatre” at airports that inconveniences travellers, but does nothing to improve security. Particularly enjoy the author going through screening wearing a “beer belly”, but having his bottle of water confiscated.
Since breaking the search box on groovymother a couple of weeks ago, I’ve spotted a lot of XSS attempts in my logs. The phrase “a912rtag9” in particular seems to appear a lot, and it looks like it’s a bot spidering search boxes across the internet. Anyone know its origin? UPDATED TO ADD: Looks like it’s Yahoo’s Slurp Bot making these requests! Also, the Googlebot is searching for “a912rtag6”. (And yes, I’ve verified the IP addresses.) How odd!
Filed under: a912rtag9, security, xss