HackDig : Dig high-quality web security articles for hacker

BYOD Makes Application Security a Matter of National Security

Several publications have commented on a new study from Harvard’s Berkman Center for Internet and Society. The study was called “Don’t Panic: Making Progress on the ‘Going Dark’ Debate.” Apple and others have designed products with so-called “end-to-end encryption,” meaning that a message between two users can
Publish At:2016-02-12 14:05 | Read:4111 | Comments:0 | Tags:Industry Observations Technical Insight Vulnerabilities Web

NSA Directorates

An earlier post made the point that security problems can come from subdivisions of an organization pursuing incompatible goals. In the Cold War, for example, lack of coordination between the CIA and the State Department allowed the KGB to identify undercover agents. The Guardian reports that the NSA is reorganizing to address this issue. Previously, its off
Publish At:2016-02-05 19:20 | Read:2558 | Comments:0 | Tags:Industry Observations Technical Insight Tools and Applicatio

Top 10 Web Hacking Techniques of 2015

With 2015 coming to a close, the time comes for us to pay homage to top tier security researchers from the past year and properly acknowledge all of the hard work that has been given back to the infosec community. We do this through a nifty yearly process known as The Top 10 Web Hacking Techniques. Every year the security community produces a stunning number
Publish At:2016-01-12 16:40 | Read:2353 | Comments:0 | Tags:Technical Insight Tools and Applications Vulnerabilities Web

HTTP Methods

Much of the internet operates on HTTP, Hyper Text Transfer Protocol. With HTTP, the user sends a request and the server replies with its response. These requests are like the pneumatic tubes at the bank — a delivery system for the ultimate content. A user clicks a link; a request is sent to the server; the server replies with a response; the response h
Publish At:2015-12-30 03:10 | Read:5320 | Comments:0 | Tags:Technical Insight Tools and Applications Vulnerabilities Web
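The request/response round trip described in the "HTTP Methods" teaser, shown as runnable code. This is an added example for this listing, not code from the original article: it parses a raw HTTP/1.1 request into its request line, header fields and body, then answers it under a default-deny method allow-list, so a method the resource was never meant to accept (TRACE, PUT, DELETE, ...) gets a 405 with an Allow header instead of reaching the handler. The allow-list, the sample requests and the "hello from" body are all assumptions made for the example.

```python
"""Parse a raw HTTP/1.1 request and answer it under a per-resource method allow-list.

Constructed example; not code from the HackDig listing or the article it summarizes.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed policy for this one resource: anything not listed gets 405.
# Default-deny means TRACE, PUT, DELETE, OPTIONS, ... are refused without
# having to be named one by one.
ALLOWED_METHODS = ("GET", "HEAD", "POST")


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Split one raw request into request line, header fields and body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError("malformed header field")
        # Field names are case-insensitive; method tokens (checked below) are not.
        headers[name.strip().lower()] = value.strip()
    # Only trust as much body as Content-Length declares; ignore anything after it.
    length = int(headers.get("content-length", "0"))
    if length < 0:
        raise ValueError("negative Content-Length")
    return Request(method, target, version, headers, rest[:length])


def handle(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Return (status, response headers, body) for one raw request."""
    try:
        req = parse_request(raw)
    except ValueError:  # UnicodeDecodeError is a ValueError too
        return 400, {"Content-Length": "0"}, b""
    # Method tokens are case-sensitive: "get" is not "GET", so no .upper() here.
    if req.method not in ALLOWED_METHODS:
        return 405, {"Allow": ", ".join(ALLOWED_METHODS), "Content-Length": "0"}, b""
    payload = b"hello from " + req.target.encode("latin-1")  # assumed resource content
    # HEAD carries GET's headers (including its Content-Length) but no body.
    body = b"" if req.method == "HEAD" else payload
    return 200, {"Content-Length": str(len(payload))}, body


def serialize(status: int, headers: dict[str, str], body: bytes) -> bytes:
    """Render the response as bytes, the way it goes back down the tube."""
    reasons = {200: "OK", 400: "Bad Request", 405: "Method Not Allowed"}
    lines = [f"HTTP/1.1 {status} {reasons[status]}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


if __name__ == "__main__":
    for probe in (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
                  b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        print(serialize(*handle(probe)).decode("latin-1"))
```

The allow-list check runs before any handler logic, which is the property to aim for: a method the resource does not support should never be routed, and the 405 must list what is supported so legitimate clients can recover.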

“Insufficient Authorization – The Basics” Webinar Questions – Part I

Recently we offered a webinar on a really interesting Insufficient Authorization vulnerability: a site that allows the user to live chat with a customer service representative updated the transcript using a request parameter that an attacker could have manipulated in order to view a different transcript, potentially giving access to a great deal of confidentia
Publish At:2015-12-12 01:10 | Read:2994 | Comments:0 | Tags:Technical Insight Tools and Applications True Stories of the
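The transcript bug described in the webinar teaser, reduced to code. This is an added example, not code from the webinar or the affected site: a handler that authenticates the caller and then trusts the `transcript` request parameter outright sits beside the fixed handler, which additionally requires that the record belong to the authenticated user. The session table, the transcript rows and the parameter name are constructed for the example.

```python
"""Insufficient Authorization on a live-chat transcript endpoint: the bug and the fix.

Constructed example with made-up data; not code from the listing or the webinar.
"""
from __future__ import annotations

from urllib.parse import parse_qs

# Constructed fixtures. A real app would read these from its session store and DB.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
TRANSCRIPTS = {
    1001: ("alice", "alice: my order never arrived\nagent: checking account 4455..."),
    1002: ("bob", "bob: please reset my password\nagent: link sent to bob@example.test"),
}


def _parse_transcript_id(query_string: str) -> int | None:
    """Pull the transcript parameter out of a query string such as 'transcript=1002'."""
    values = parse_qs(query_string).get("transcript", [])
    try:
        return int(values[0])
    except (IndexError, ValueError):
        return None


def get_transcript_vulnerable(session_id: str, query_string: str) -> tuple[int, str]:
    """Authenticates the caller, then trusts the attacker-controlled id outright."""
    if session_id not in SESSIONS:
        return 401, ""
    tid = _parse_transcript_id(query_string)
    if tid is None or tid not in TRANSCRIPTS:
        return 404, ""
    # Bug: nothing ties transcript `tid` to the user holding this session,
    # so any logged-in user can walk the id space and read everyone's chats.
    return 200, TRANSCRIPTS[tid][1]


def get_transcript_fixed(session_id: str, query_string: str) -> tuple[int, str]:
    """Same lookup, but the record must belong to the authenticated user."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, ""
    tid = _parse_transcript_id(query_string)
    entry = TRANSCRIPTS.get(tid) if tid is not None else None
    # A transcript that exists but belongs to someone else is reported exactly
    # like one that does not exist, so the response does not confirm valid ids.
    if entry is None or entry[0] != user:
        return 404, ""
    return 200, entry[1]


if __name__ == "__main__":
    print("vulnerable:", get_transcript_vulnerable("sess-alice", "transcript=1002"))
    print("fixed:     ", get_transcript_fixed("sess-alice", "transcript=1002"))
```

The ownership check belongs in the data-access path (here, the comparison against `entry[0]`), not in whichever page happens to render the link: the parameter is attacker input regardless of how the legitimate UI constructs it.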

The Ad Blocking Wars: Ad Blockers vs. Ad-Tech

More and more people find online ads to be annoying, invasive, dangerous, insulting, distracting, expensive, and just understandable, and have decided to install an ad blocker. In fact, the number of people using ad blockers is skyrocketing. According to PageFair’s 2015 Ad Blocking Report, there are now 198 million active adblock users around the world with
Publish At:2015-12-03 00:10 | Read:2859 | Comments:0 | Tags:Industry Observations Technical Insight Tools and Applicatio

“Crash Course – PCI DSS 3.1 is here. Are you ready?” Part II

Thanks to all who attended our recent webinar, “Crash Course – PCI DSS 3.1 is here. Are you ready?”. During the stream, there were a number of great questions asked by attendees that didn’t get answered due to the limited time. This blog post is a means to answer many of those questions. Still have questions? Want to know more about
Publish At:2015-12-01 12:00 | Read:2936 | Comments:0 | Tags:Industry Observations Technical Insight Tools and Applicatio

URLs are content

Justifications for the federal government’s controversial mass surveillance programs have involved the distinction between the contents of communications and associated “meta-data” about those communications. Finding out that two people spoke on the phone requires less red tape than listening to the conversations themselves. While “
Publish At:2015-11-30 17:55 | Read:3252 | Comments:0 | Tags:Industry Observations Technical Insight Tools and Applicatio

Saving Systems from SQLi

There is absolutely nothing special about the TalkTalk breach — and that is the problem. In case you missed the news: TalkTalk, a UK-based provider of telephone and broadband services, had its customer database hacked, and reportedly 4 million records were pilfered. A major organization’s website is hacked, millions of records containing PII are
Publish At:2015-10-27 22:15 | Read:2724 | Comments:0 | Tags:Industry Observations Technical Insight Vulnerabilities Web
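The point of the "Saving Systems from SQLi" teaser is that this class of bug is routine and its fix is routine. As an added example (not code from the article, and not a reconstruction of any TalkTalk system), here is the routine bug beside the routine fix: a customer lookup that splices the e-mail value into the SQL text, next to the same lookup with a bound parameter, run against a constructed in-memory SQLite table with two classic payloads.

```python
"""SQL injection in a customer lookup, beside the parameterized fix.

Constructed example using an in-memory SQLite database; not code from the
listing or from any real system.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway customer table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.test", "+44 20 0000 0001"),
         ("bob@example.test", "+44 20 0000 0002"),
         ("carol@example.test", "+44 20 0000 0003")],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Builds the query as a string: the value becomes part of the SQL grammar."""
    sql = "SELECT email, phone FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Parameterized: the value travels separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads, constructed for the demonstration.
TAUTOLOGY = "x' OR '1'='1"                                     # matches every row
UNION_DUMP = "x' UNION SELECT name, sql FROM sqlite_master--"  # reads the schema instead


if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", find_customer_vulnerable(db, payload))
        print("safe:      ", find_customer_safe(db, payload))
```

Against the tautology the vulnerable lookup returns every customer; against the UNION payload it returns the table definition from `sqlite_master`, which is how an attacker maps the rest of the database before pulling it. The parameterized version returns nothing for either, because the whole payload is compared as an e-mail address.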

University Networks

The Atlantic Monthly just published a piece about the computer security challenges facing universities. Those challenges are serious: “Universities are extremely attractive targets,” explained Richard Bejtlich, the Chief Security Strategist at FireEye, which acquired Mandiant, the firm that investigated the hacking incident at the [New York] Times. “The sor
Publish At:2015-10-19 16:15 | Read:2918 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security a

When departments work at cross-purposes

Back in August, we wrote about how self-discipline can be one of the hardest parts of security, as illustrated by Snowden and the NSA. Just recently, Salon published an article about similar issues that plagued the CIA during the Cold War: How to explain the KGB’s amazing success identifying CIA agents in the field? So many of their agents were being uncov
Publish At:2015-10-08 03:05 | Read:3934 | Comments:0 | Tags:Technical Insight Web Application Security CIA Cold War KGB

Complexity and Storage Slow Attackers Down

Back in 2013, WhiteHat founder Jeremiah Grossman forgot an important password, and Jeremi Gosney of Stricture Consulting Group helped him crack it. Gosney knows password cracking, and he’s up for a challenge, but he knew it’d be futile trying to crack the leaked Ashley Madison passwords. Dean Pierce gave it a shot, and Ars Technica provides some context. A
Publish At:2015-08-31 12:50 | Read:1731 | Comments:0 | Tags:Technical Insight Tools and Applications Vulnerabilities Web

The Death of the Full Stack Developer

When I got started in computer security, back in 1995, there wasn’t much to it — but there wasn’t much to web applications themselves. If you wanted to be a web application developer, you had to know a few basic skills. These are the kinds of things a developer would need to build a somewhat complex website back in the day: ISP/Service Provide
Publish At:2015-08-28 14:30 | Read:2908 | Comments:0 | Tags:Industry Observations Technical Insight Vulnerabilities Web

Developers and Security Tools

A recent study from NC State states that “the two things that were most strongly associated with using security tools were peer influence and corporate culture.” As a former developer, and as someone who has reviewed the source code of countless web applications, I can say these tools are almost impossible to use for the average developer. Security tools are
Publish At:2015-08-27 20:55 | Read:2035 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security a

It Can Happen to Anyone

Earlier this summer, The Intercept published some details about the NSA’s XKEYSCORE program. Those details included some security issues around logging and authorization: As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can
Publish At:2015-08-19 19:25 | Read:3153 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security A
