Archive for the ‘security’ Category
Incorrect time setting could leak iOS 5 album pictures
Posted in iPhone, security on December 31, 2011 | 22 Comments »
I always get a bit antsy about hacking researching vulnerabilities when I travel, and this time is no exception. Often I notice “glitches” or abnormalities which I want to investigate, but since I’m in the middle of riding my motorcycle from Canada to Argentina, infosec has been on the back burner. Recently I took advantage [...]
PGP Online Store Customer Data Exposure
Posted in security, tagged PGP on November 15, 2009 | Leave a Comment »
A PGP Online Store vulnerability could have allowed hackers to harvest PGP Corporation’s customer data. Exposed data included each customer’s full contact info (name, physical address, email address, telephone number, etc.), the PGP product & version level purchased by the customer, and the customer’s operating system (Windows or Mac). For some customers, partial credit card [...]
Update to Google Docs security issues
Posted in security, tagged google, Google Docs, privacy on November 13, 2009 | 1 Comment »
Back in March I wrote about a few security issues with Google Docs while keeping some details private. Google Security and the Google Docs product management team engaged me immediately after the issues became public, and kept me well informed of their findings through several days of productive exchange of ideas. I’m used to getting [...]
Security issues with Google Docs
Posted in security, Uncategorized, tagged google, Google Docs, privacy on March 26, 2009 | 25 Comments »
[Update 11/13: Please see my follow-up to these issues.] [Update 3/26: I'm now in contact with Google Security.] [Update 3/28: I'm aware of Google's official response to the issues raised in this blog. I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me. It would be [...]
Chinks in the Armor
Posted in security, Uncategorized, tagged defense in depth, xss on March 23, 2009 | Leave a Comment »
Defense-in-depth is a cornerstone of any information security strategy. Corporate networks are routinely segmented into various zones such as “public”, “DMZ”, “extranet” and “intranet” to contain sensitive information deep within several protection domains. Failure of one control should not compromise the entire system. Defense-in-depth is everywhere. Border routers filter spoofing attacks. The firewalls behind them [...]
Security Compliance
Posted in security, Uncategorized, tagged audit, compliance on March 22, 2009 | Leave a Comment »
Having served on a national information security standards working group, I’m keenly aware that compliance is a major driver — if not the primary driver — for security initiatives today. Compliance rules work best when the threat for inaction is tangible and immediate. Usually, the threat is “we will fail external audit unless we comply [...]
Google Suggest vs. Privacy
Posted in security, tagged google, privacy, suggest on September 3, 2008 | Leave a Comment »
Since Google launched Chrome yesterday, much has been said in the blogosphere about its privacy implications. The issue is that Google can log your search keystrokes as you type, even before you hit that Enter key to submit the search. But since Google Suggest is now enabled by default, this behavior is actually no different than [...]
Moore’s law == SSL
Posted in security, tagged freebsd, openssl, poweredge, sc1435, security, ssl on September 2, 2008 | Leave a Comment »
When it comes to security, Moore’s law usually benefits crackers: faster brute-force is an obvious benefit. One win for “the good guys” is in regards to SSL. Not so long ago, implementing SSL was so expensive compute-wise we had to deploy special cryptographic accelerator cards either on our load-balancers or on our edge servers. One [...]