- Petko Was Playing With Fire…
As you probably have heard, security expert Petko D. Petkov (pdp), founder of GNUCITIZEN, had his GMail account violated and raided.
He told me he did not believe it had been a classic man in the middle attack, as many of us speculated during the past days, and interviewed by Dan Goodin he blamed XSS:
In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-si [...]
- Bad Sushi: Beating Phishers at their Own Game
Help Net Security has posted an interview with me and Billy Rios titled Spies in the Phishing Underground.
If you enjoyed the interview, and if you want more details and screen-shots, check out our talk at the Federal Black Hat Briefings 2008 [February 20]. The title of the talk is Bad Sushi: Beating Phishers at their Own Game. Following is a brief description:
This talk will expose the tools and tactics used by the phishing und [...]
- Is framework-level SQL query caching dangerous?
I was in a bookshop a few months ago and picked up a book about Ruby on Rails, and though I sadly didn't buy it (having already bought more books than I wanted to carry) and I've forgotten its name, there was an interesting gem in there that stuck in my head.
Ruby on Rails' main method of performing SQL queries (ActiveRecord) since 2.0, by default, caches the results of SELECT queries (though it does string-level matching of queries, so they need to be completely identical, rather than functionally identical) until a relevant update query updates the table.
I haven't had a chance to delve into the source to see how granularly the cache is updated (i.e. if a row in the cache was not updated in an update, is the cache still invalidated since the table was updated?), bu [...]
- My Black Hat Talk
I will give you some heads up what to expect from my Black Hat talk. If you are interested, you might want to attend. I prefer smaller but active audience. And of course I expect some interesting conversations after the talk if you are still awake.
My talk is on Client-side Security issues. In fact, it is titled Client-side Security and I must confess I’ve made a horrible decision when choosing this title. It does not fit the talk that much although, the fact is that I am talking about a lot of client-side security problems and even some which affect the server-side due to problems o [...]
- This blog is dead
This blog is finally dead.
Because the domain name limited me to blogging about PHP security only, I moved to the domain suspekt.org, which I have owned for many years now. Please update all your links and feeds to point to the new URL, where I will continue blogging on a regular basis. [...]
