On the 31st of July 2011, the system administrator of Brooks-Jeffrey Marketing (BJM) was working on his newly upgraded servers. At exactly the same time a hacker was slowly sniffing his way through the same systems and picking up everything in his tracks. The hacker had rooted…
Anonymous hack US Department of Defence – Analysis of the Attack
On the 12th of July 2011, Booz Allen Hamilton the largest U.S. military defence contractor admitted that they had just suffered a very serious security breach, at the hands of hacktivist group AntiSec. Operation Anti-Security (AntiSec) is a hacking operation, carried out by two of the biggest…
Properly Scoping your Web Security Assessments
I’ve heard experts in time management say that one minute of planning can save you five minutes in execution. This applies to so many things we do in IT and information security but I can’t think of anything more important than security testing. Applying the…
Malicious Hackers Slurp over a million user accounts from Washington Post
The Washington Post website has been hit with a double security breach. Malicious hackers have made off with around 1.3 million user IDs and email address from the “Jobs” section of the site. The attackers were able to gain access on two separate occasions:…
How Much Web Security is Enough?
A good web application security environment is one that balances security with convenience. Nothing more and nothing less; just the security that’s needed to keep things reasonably in check. But just how much is enough? All too often I see websites and applications with too…
The Cure for Many Web Application Security Ills
One of the things I’ve learned throughout my career is that many solutions to the problems we face in IT, security and software development can be solved if we simply turn to business leaders to see how it’s done. In particular, I’m talking about a…
The Rise of Backdoored WordPress Plugins
It all started a few months ago when I was visiting Lester Chan’s website looking for some information about one of his plugins. Lester Chan has written a good number of very popular WordPress plugins that are used by millions of people. Some of the…
What’s Your Take on Cloud Security?
One of the most common questions I get is “What’s your take on cloud security?” Well, my answer is relatively straightforward: never assume that all’s well just because someone says it is. In other words trust but verify.
Going Beyond Confirmed Web Security Flaws
As I wrote in my previous post about low-hanging fruit and the 2011 Verizon Data Breach Report, I’m a strong believer in finding out where your Web systems are bleeding and focusing on those issues first. It’s the basic principle of triage – finding, and…