Information Security

Random, unique error tags

Is it really necessary to include long, detailed error messages that help attackers figure out everything there is to know about your system? Here is a little technique I use that involves using a unique, random tag instead. It helps me find the error message in my code more quickly, and it reveals almost nothing to an attacker. Read More...

Web attacks more damaging than insider attacks

In a recent survey on the cost of cyber crime, results, not surprisingly, showed that Web threats were still the leading cause of concern, affecting 100% of the companies surveyed. The ability to mitigate the attacks, however, remains disproportionately ineffective compared to the ability to defend against malware and viruses.

Top 10 Misunderstandings Regarding Information Security

These ten misconceptions are the ones I most often find myself helping people at many levels, from executive to developer, to understand. Knowing them can help you achieve your security goals, and be a smarter user or customer of security products and services.
  1. It's encrypted, so it's secure.
  2. Get it working, then make it secure.
  3. The more tests the better.
  4. Open source is more secure because more people have looked at it.
  5. Algorithm X is better than algorithm Y.
  6. No one knows my algorithm, so it must be secure.
  7. Once a piece of code is deemed secure in one system, it is secure for use everywhere.
  8. There are dozens of random number generators out there, all of them adequate.
  9. Red teams need access to the code to do their jobs.
  10. If it wasn't broken into, it must be safe.
Read on to learn why these are indeed misconceptions, and why they can be dangerous.

Browser Attack Using JavaScript Timers

I discovered a dirty trick the other day, and I thought I would share it with the tech community to get some feedback on practical defenses. The trick essentially allows a crafty Webmaster to get some common data from you, such as name and email address, in a slightly devious way without your full consent.


On Bad Software and Cyberwar

All this time that I was complaining about my PC crashing, Blue Screens of Death, and various email bugs, I was looking at things all wrong. While I was busy complaining, engineers were actually busy saving us from the eventual Cyberwar. It's true. Read on, but I warn you, a sense of humor is required. 

Hiding Your Email Address

Because my email address appears on many papers, presentations, and Web sites, I get hundreds of spam messages a day to my personal address. In the end I found that limiting the exposure of my email address reduced spam significantly, and I have some recommendations for anyone experiencing similar difficulties who is looking to "hide" their email address from non-human observers.

OWASP Feedback: Does Embedded = Secure?

I recently briefed the OWASP forum in NYC, and I received some great feedback that I'd like to address en masse.

1) Embedded = or ≠ Secure, which is it?
2) How is HYDRA's security posture transferred to the servers it protects?

Allow me to answer your questions, and take you on a journey exploring embedded systems security in general. But be warned, there's math involved...


Poison the Mangos

As a Mac user and an information security expert, one of the most common questions I am asked these days is whether or not it is safe to run Windows on the new Intel-based Macs. Assuming people have generally accepted the poor state of desktop security, I suppose the real question they mean to ask is whether or not a vulnerability on the Windows side could impact the Mac side.

The short of my answer is that yes, it could. Although the operating systems run in different partitions (simplifying it here) of the hard drive, there is no theoretical reason why someone could not create a low-level piece of code on either side to access any random portions of the drive and thus impact the other.

So how safe is it? And is a Mac really more secure than a PC to begin with? Read More...

Password Branching

Password Branching creates multiple passwords from a single seed password. This technique is useful in situations where you must remember many passwords, such as logins to multiple Web sites. Say, for example, you regularly purchase songs from the iTunes Music Store, and you also have an online email account with Yahoo. It would be unwise to make both passwords the same, because a security incident with one vendor would lead to exposing your personal information from both vendors. The average person has to remember passwords to dozens of e-commerce and other sites, as well as passwords at work and sometimes for home computers as well. That same average person has a short-term memory that can recall only nine passwords, and then only if they are simple. Simple passwords that are easy to recall are often just as simple to guess or crack. Read More...