Hackers “are learning that it’s not so easy to write secure code,” Toro says. “Most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhaustive undertaking. Malware creators who have to look to their own defences would have to slow down the production of new attacks.”
FYI, if you want to know what it looks like when you hack a hacker, look no further than the seminal 1995 film Hackers.
Very interesting - both technically as well as looking into the moral justifications the botnet operator provides. But equally interesting is the discussion on Hacker News: http://news.ycombinator.com/item?id=3960034. Especially the discussion on the Verified by Visa (3D Secure) system and how the goal is basically to move liability onto the consumer and off of the merchant or credit card company.
2010 Jul 5, 4:23 - Cross-site scripting attack on YouTube over the weekend: "That turned out to be as simple as using two script tags in a row (<script><script>fun scripting stuff goes here!), as noted by
2010 Jun 20, 1:18 - Protocol for doing distributed commenting and implemented by Google Buzz! "This document defines a lightweight, robust, and secure protocol for sending unsolicited notifications - especially comments and responses on syndicated feed content - to specified endpoints; along with rules to enable resulting content to itself be syndicated robustly and securely."
Tags: comment, blog, atom, rss, google, buzz, salmon, reference, specification, protocol, syndication, technical
2009 Dec 8, 12:02 - "This illustration, from the September 10, 1910 New York Tribune, imagines the rooftop burglars of the future. 'BURGLARS LEARN TO HANDLE THE AEROPLANE WITH PRECISION AND SILENCE: Our artist takes a look into the future and foresees the time when roofs must be secured as carefully as any other part of the home.'"
Tags: humor, history, burglar, crime, newspaper, news
2009 Aug 21, 3:13 - "At Black Hat USA 2009 and Defcon 17 Nathan Hamiel and Shawn Moyer introduced an attack called Dynamic Cross-Site Request Forgery (CSRF). This white paper discusses the attack and discusses several Dynamic CSRF attack vectors." Seems to require sites trying to secure CSRF scenarios using session IDs in their URLs.
Tags: security, csrf, research, browser, web, technical
2009 Apr 23, 2:22 - Review of MIME sniffing based XSS attacks with recommended protections for both web sites and browsers. Also, surprising to me since I rarely see it in this sort of a paper, thought and stats on the compatibility effects of their recommended changes for browsers. Very happy to see that in there!
Tags: web, security, ie, browser, xss, sniff, mime, firefox, chrome, safari, html, html5