Almost all of the applications we use have one big thing in common: they all use a username and password combination. A common theme we see is the re-use of usernames across multiple sites and many sites don’t even consider a username as sensitive information. The password, however, is supposed to be the key to …
“What do you think about privacy?” That’s the question I asked my wife last week. We had just received an email from Target explaining that our personal data was stolen along with 70 million other customers in their latest breach. The week before we had received notification from our bank that both of our cards …
Later this month I will be presenting a free webcast: “Vulnerabilities in Your Medical Practice: Security Testing for Healthcare”. I’ll be talking about the HIPAA Security Rule, the potential impact at the practice level and actions that can be taken to comply with these requirements and protect your data. The webcast is scheduled for the …
Webcast: Vulnerabilities in Your Medical Practice: Security Testing for HealthcareRead More »
There has been a lot of buzz around the Healthcare.gov website and the possible security vulnerabilities that it has. While many people focus on the political side of the story, or just the vulnerabilities themselves, there is a bigger issue here. An issue that spreads further than just Healthcare.gov or even government sites, but to …
Its more than Healthcare.gov: Lets fix the problemRead More »
Secure Ideas has tested hundreds, if not thousands, of applications over the years we have been in business. Based on this experience, along with our public classes and presentations around application security, Dave Kennedy of TrustedSec asked me to review the details of security flaws within HealthCare.gov. As part of this review, Dave provided a …
HealthCare.gov: Basic Security Failures and IT BloopersRead More »
This post may seem timely in light of the recent Snapchat compromise. Although Snapchat’s breach appears to be due to some poor assumptions around an “internal” Snapchat API, it is not the type of traditional web service that I was thinking about when I was planning this post. This said, Snapchat’s API is still technically …
Later this month I will be presenting a free webcast on ModSecurity and how we can make better use of it. This is going to be very close to the presentation that I gave at MIRcon 2013. Some of the ideas that we’ll cover are from what we’ve been calling Tactical Security Ops. In this …
Webcast: Defending Against Web App Attacks Using ModSecurityRead More »
Secure Ideas is excited to announce that I will be speaking as part of a panel later this month. On January 30th in Denver, Colorado, the Addressing the Real Issues Around Compliance in the Cloud panel will be held at Mile High Station. This panel will run from 4pm to 6pm. Faced with HIPAA, PCI, FISMA …
Charlotte ISSA will be hosting a two-day Samurai-WTF (Web Testing Framework) course led by myself (Jason Gillam of Secure Ideas) January 21st and 22nd. Students will learn the latest Samurai-WTF open source tools and the latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing methodology, the instructors will …
Recently during a penetration test, I discovered a Linksys WRT54G wireless router that had been installed on a customer’s network. Surprisingly, this device was accessible from the Internet with default credentials. Watching the client list, I noticed several clients connecting on & off throughout the day. We all know that this is bad, but how …