
Dec 25th, 2007

Comments: 0
Category: Uncategorized

Practical use of CSRF attacks in the wild

http://www.davidairey.co.uk/google-gmail-security-hijack/ Here's an example of bad guys using CSRF attacks to try and extort money from domain name holders. Interestingly, it's the first example of practical use of this kind of attack I've seen. Although the vulnerability in GMail that seems to have been exploited is now fixed, I bet this won't be the last time we […]

Dec 8th, 2007

Comments: 0
Category: Software Security

What 2008 may bring…

Well, as is kinda traditional in December, various security bloggers have started predicting what 2008 will bring (there are some interesting thoughts and links to more predictions here). For my 0.02 of your local currency, I think that next year's big topic will be Software Security. A lot of the things we're seeing happen in […]

Dec 8th, 2007

Comments: 0
Category: Misc.

long time no blog

Well, a combination of holidays, moving server and some problems with my new host (hopefully all sorted now!) have left me not blogging for a while, but I should be back to normal, erratic, service!

Nov 2nd, 2007

Comments: 1
Category: Hardware

Yay for Cool new tech.

Got my Asus EEE PC delivered today! It's a nice little mini notebook which runs Linux out of the box and, best of all, only costs £219! Initially there's a pretty simplistic interface provided (it's targeted at school kids rather than power users) but there's a great wiki and forum over at eee User […]

Oct 6th, 2007

Comments: 0
Category: Uncategorized

Password Policy Funnies

User Friendly have been running a series of cartoons on password policies 🙂 Password policy at its worst! A Great Old One's approach to the problem of password complexity! Passwords on monitors

Oct 6th, 2007

Comments: 0
Category: General Security

Risk Assessed Password Policies – Account Lockout

The last piece of the puzzle when it comes to password policies is the account lockout. This is another area where a tighter policy doesn't necessarily lead to improved security. A lot of companies go for 3 incorrect attempts, and this does lead to a lot of lockouts on Monday mornings and consequently […]

Sep 27th, 2007

Comments: 0
Category: General Security

Risk Assessed Password Policies – Password Strength

The next stop in my trip through password policies and some of the mistakes that are made is password strength (length and complexity). It seems that for a lot of IT and IT Security people there's one inevitable truth about password strength: you can't have passwords that are too strong. Unfortunately, that's not true. Like any […]

Sep 25th, 2007

Comments: 0
Category: Uncategorized

Risk Assessed Password Policies – Overview

I jumped in earlier talking about password rotation policies without actually mentioning why I think password policies are so important, so I’ll back up and cover that now. The use of passwords as authenticators for computer systems has been around for a very long time, and for quite some period the security industry has had […]

Sep 25th, 2007

Comments: 0
Category: Uncategorized

Risk Assessed Password Policies – Password Rotation

I've been meaning to blog about some of the reading I've been doing recently on password policies, but an article in the latest Insecure Magazine tipped me over the edge into writing. In the article on password management on page 59 the author mentions some elements of a "best practices" password policy which include password […]