Showing posts from January, 2009

Online finance flaw: one flaw to rule them all

Flaws in SAAS offerings and the inherent risks

What if dozens (even hundreds) of banks all used one vendor's solution to provide online banking services?
What if that solution had a security flaw thus affecting all users of said solution? A finding of considerable concern, yes?

I must preface this discussion with the fact that the vendor in question has proven to be trustworthy, capable, reputable, responsible, and responsive.
Precision Computer Systems, a FISERV company, provides outsourced online banking solutions to a plethora of banks.
My desire to discuss the vulnerability with Precision Computer Systems (PCS) was forwarded to FISERV for consideration, and the reply came directly from the Vice President | Head of Security.
"As you might imagine, no higher priority exists for our organization than the protection of our client’s information, and that of their customers. To that end, we’ll always welcome constructive feedback such as yours with enthusiasm."
As responses to …

Adeona Article in Linux Magazine

I'm pleased to announce that an article I've written regarding the open source laptop tracking and recovery offering Adeona is available in Issue 100 (March 2009) of Linux Magazine.

Adeona is the private, reliable, open source system for tracking the location of your lost or stolen laptop. With no dependency on a proprietary, central service, Adeona only needs to be installed on your laptop to help increase your sense of mobile device safekeeping.

PHPIDS: Attack Me, Please!

Of the many projects I've had the pleasure of reviewing for toolsmith over the past few years, one of my absolute favorites is PHPIDS.
PHPIDS (PHP-Intrusion Detection System) is a simple-to-use, well-structured, fast and state-of-the-art security layer for your PHP-based web application.
The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.
More specifically, PHPIDS enables you to see who is attacking your site and how, and all without the tedious trawling of logfiles or searching hacker forums for your domain.
PHPIDS is subject to minor releases every few months, and the release of 0.5.4 (the last minor release before 0.6) just before Christmas reminded me to invite you, dear reader, to kick the crap out of it.
Give it all you've got, beat on it. Really. That's the idea.
The PHPIDS Demo Smoketest will test how 1337 your mad web app testing skills are and g…

The McAfee Secure Standard has been published

McAfee has alerted me that the McAfee Secure Standard has been published on the McAfee Secure (formerly ScanAlert Hacker Safe) website.
The McAfee SECURE Standard
Joe Pierini and Kirk Lawrence started this process with me prior to their departure from McAfee, and work continued in their absence, largely at the hands of Will M., who's been communicative and inclusive in their stead.
I applaud McAfee for staying true to their commitment to publish the McAfee Secure Standard.
While I may not agree with everything in it, a standard is better than no standard.
That said, my concerns with the Standard as discussed earlier remain unaddressed.
First, you will find that remediation of what McAfee deftly refers to as Client Side Vulnerabilities is Optional. The Client Side Vulnerabilities category includes the entire family of script insertions.
Clarified, this means that merchants displaying the McAfee Secure trustmark are under no obligation to repair such vulnerabilities; the trustmark wil…

Online finance flaw: Merrill Lynch not bullish on XSS & CSRF vulnerabilities

Updated: 1/16/09. See update below.

Perhaps, now that they're a Bank of America property, better web site security is in store for Merrill Lynch. Here's where the trouble begins.
Prompted by headlines from December 21st stating that $1.6B Of Bank Bailout Went To Execs, I thought I'd take a look at the most egregious amongst those receiving a bailout courtesy of taxpayers.
I'd also like to explore what web app vulns mean to Sarbanes-Oxley (SOX) compliance; I've posed some questions below.

Here's all you really need to know:
John A. Thain, chief executive officer of Merrill Lynch, topped all corporate bank bosses with $83 million in earnings last year. Thain, a former chief operating officer for Goldman Sachs, took the reins of the company in December 2007, avoiding the blame for a year in which Merrill lost $7.8 billion. Since he began work late in the year, he earned $57,692 in salary, a $15 million signing bonus and an additional $68 million in st…