This page contains links to all the posts on this site. If you are looking for tutorials and articles, they are in the articles and tutorials section.
DigiNotar and SSL certificate security
DigiNotar breach and its impact on SSL security
Have you fallen for the Microsoft support phone scam?
Did you get fooled by scam artists purporting to be Microsoft support personnel? If you did, this is what you need to do right away.
Why Chain-of-Trust is important when applying software updates
The reason Chain-of-Trust is important for software vendors when providing updates and patches.
Is your Anti-Virus program working properly?
Test your anti-virus software with the EICAR test file and see if it is doing its job properly.
Check if your account has been compromised
Check if your account has been compromised in the latest hack by LulzSec.
Most common iPhone passcodes
Most common iPhone and iPad passcodes. The case of the usual suspects.
Most hacked environment – Interesting survey results
Interesting results from the Anti-Phishing Working Group survey show that LAMP is the most hacked environment.
Rash of hacks across the world
What's up with the rash of attacks against some of the biggest names on the internet?
The recent Sony hacks and their causes
The causes of the Sony hacks and what to do to prevent these attacks.
Determine your PCI validation level
Answer the questions on this web page to find out your PCI validation level.
More on the RSA SecurID breach
More information on how the RSA breach started and spread within one of the biggest security companies in the world.
Minimizing the impact of the RSA SecurID breach
Steps you can take to minimize the impact of RSA's security breach involving SecurID.
The case for storing passwords in unreadable form
Why passwords should never be stored in clear text.
When idiots attempt to attack websites
Handling attacks on your website and managing risk.
iOS device encryption may not protect as much as you expect
Your iOS device (iPhone/iPad) encryption may not be as effective at protecting sensitive data as you think.
Clarification on using MD5 and its impact on PCI DSS compliance
MD5 hashing is allowed by PCI DSS under certain circumstances.
Misconceptions on PCI DSS applicability
People still have misconceptions about whether or not PCI DSS applies to them.
Deleting Flash cookies made easier
Deleting Flash cookies will soon be an option when deleting browser history in Firefox and Chrome.
Safer web browsing with HTTPS
Browsing the web safely by forcing the use of HTTPS for all (or most) traffic.
Clarification on cardholder data and protections
PCI DSS v2.0 clarifies what constitutes cardholder data and how they need to be protected.
Chain of trust for installation & update files
Understanding and meeting the 'chain of trust' PA DSS requirement for installation files and updates.
Siemens’ password advice for Stuxnet victims
Siemens' advice on changing passwords for victims of the Stuxnet worm.
Data encryption best practices for PCI
Guidance from Visa on encryption algorithms and key strengths for protecting sensitive cardholder data.
Version 2 of PCI and PA DSS coming Oct 28, 2010
New versions of PCI and PA DSS being released Oct 28, 2010. Download a summary of changes.
Insider attacks – No one is safe
The risk of insider attacks and the importance of properly auditing all users.
CitiBank’s iPhone app stores account info
CitiBank's iPhone app stores account info
Storing PAN with other cardholder data
Clarification on whether cardholder name, expiration date, etc. need to be rendered unreadable if stored in conjunction with the PAN (Primary Account Number).
iTunes user accounts hacked
Apple iTunes user accounts were hacked over the July 4th holidays and unauthorized purchases made.
Does PA-DSS apply to you?
A few tips on when PA-DSS applies and when it does not apply to a payment application.
Why I prefer Microsoft Security Essentials
One more reason I prefer Microsoft Security Essentials over others for anti-virus/anti-malware solution.
Secure web search with Google
Overview of Google's new secure web search; what it does and what it does not do.
Lessons from the BP oil leak
The BP oil leak and what organizations can learn from this disaster.
GMail geolocation to alert about account hacks
GMail introduces geolocation to alert against account hacks.
Another Twitter hack
An unemployed Frenchman has hacked into Obama's Twitter account.
Wyndham hotels hacked again
Wyndham hotels hacked and card data stolen... again.
Malware in Firefox add-ons
Malware found in Firefox add-ons in the official repository.
More problems for Twitter
Twitter authentication credentials compromised, leading Twitter to push password resets for some users.
France wants to do away with passwords
France proposes to do away with passwords to keep the internet secure.
Poor online password practices
Lessons on password strength and password security from the RockYou breach.
Heartland settles for $60 Million
Heartland Payment Systems to pay Visa $60 million in damages related to the breach in 2008.
Twitter DNS attack
More information on how the Twitter DNS redirection happened.
Search engine results and security
A look at search engine results and how they can be manipulated to compromise your security.
Massive debit-card fraud in BC
Massive fraud hits debit-card users in British Columbia, Canada.
Insider threat: T-Mobile staff sold customer data
T-Mobile employees reportedly sold customer data to brokers who in turn sold the data to competing phone firms.
MD5, PCI-DSS and Security
Clarification on the use of MD5 hashing algorithm, and how it impacts PCI compliance and security.
Misuse of session tokens by programmers
How programmers introduce session hijacking vulnerabilities by misusing session IDs.
Files and documents as confetti
Workers toss files, documents during Yankee victory parade.
NASA IT security vulnerability report
Some details from a GAO report that says NASA IT security is inadequate.
Using a LiveCD/USB for safe online banking
Pros and cons of using a Linux LiveCD/USB to ensure security for online banking.
Update on stolen webmail accounts
Update on the Hotmail account compromise that revealed an interesting fact about passwords.
Phishing attack compromises Hotmail accounts
Microsoft Hotmail accounts have been compromised by a phishing attack.
Logo for PCI Compliance?
Opinion on the calls for a PCI compliance logo.
PCI Compliance does not equal security
Why being PCI compliant does not mean you are secure.
Using device fingerprints for security
A look at device fingerprinting, its strengths and weaknesses, and its uses in security.
Tapping Skype VoIP calls
A trojan that intercepts Skype VoIP calls is finally here: it records the calls as MP3 files and uploads them to pre-defined locations.
A look at Spyglass Software Surveyor Enterprise
An overview of Spyglass Software's Surveyor Enterprise, a tool that can help you identify sensitive data within a network.
Data security in development and testing
A quick look at a report on data security in development and testing from the Ponemon Institute.
Stealing Credit Card Numbers
Man arrested for stealing 130 Million credit card numbers using SQL Injection attack.
OWASP Security Summit Update
Photos from the OWASP Security Summit at Stanford University.
Speaking at OWASP Security Summit
Siva Ram is speaking at the OWASP Application Security Summit on security of web application sessions.
Risk from shortened URLs
A look at why shortened URLs can cause problems and what you can do about it.
Wireless keylogger – Keykeriki
A keylogger for wireless keyboards has been developed. This will have an impact on privacy and possibly compliance.
Problems with identifying breaches
Some of the reasons that data breaches are not identified as soon as they happen.
Social networks and (in)security
Social networking sites such as Facebook and LinkedIn can be used to launch more effective attacks against organizations.
Domino’s gives away pizzas
Domino's gave away 11000 free pizzas because a customer who ordered online put in the word "bailout" as a coupon code.
Cyber spying network unearthed
A major cyber-spying operation has been unearthed involving about 1295 computers belonging to government agencies, embassies and others in 103 countries.
BBC botnet controversy
A lot of people are outraged at the BBC using a botnet to show how easy it is to take over computers and launch attacks. Are they justified?
Caught within the PCI-DSS box
PCI-DSS compliance can dominate an organization's security posture. Learn to look outside the PCI-DSS box.
Misconceptions about PCI-DSS
An attempt to clarify some of the misconceptions about PCI-DSS
QSA Training and ISACA Winter Conference
A general news update: attended QSA training and the ISACA Winter Conference.
Data breaches in 2008
A quick look at data breaches that happened in 2008 and the most obvious causes.
Is the Web Application Firewall (WAF) a silver bullet?
An overview of web application firewalls (WAF) and why they cannot replace secure coding practices.
Obama’s new phone
Obama's new hi-tech phone: One of the perks of being President of the USA.
Heartland data breach
Heartland Payment Systems, a processor of credit card transactions, has disclosed that its systems have been broken into, resulting in millions of cards being compromised.
Top programming errors
The top 25 programming errors that lead to security breaches in web applications/sites.
A peek at AppScan Developer Edition
A quick overview of IBM Rational's new application vulnerability scanning tool for developers.
The need to follow good practices
Blogging service JournalSpace is no more because they did not follow good practices. What happened here?
Is it “goodbye MD5”?
Real life exploits showing two different messages resulting in the same MD5 hash value seem to suggest an end to the use of MD5 for all practical purposes.
Web app security – Where do I start?
You have been tasked with making your applications secure. Where and how do you start?
Giving away sensitive information
The pitfalls of not removing data from your phone before throwing it away.
Malware on Mac?
Did Apple remove an advisory about Mac users using anti-virus software for selfish reasons?
Obama’s cellphone records breached
Every organization is worried about hackers breaking into the network from outside. What about insider threats?
Alan Greenspan shocked
Why was Alan Greenspan shocked that all the financial companies that failed did not regulate themselves?
Does compliance mean anything?
Does compliance mean anything? Or is it just something companies do because they have to?