Friday, February 25, 2011

But It Was Developed By A Third Party… Of Course It’s Secure!

Just as internally coded web applications should go through a standard Software Development Life Cycle (SDLC), third party web applications should also be subjected to an SDLC. For example, an organization’s SDLC may dictate that all newly coded web applications must go through a grey box assessment before going live...

Read the rest on SecureState's new blog site http://blog.securestate.com/post/2011/02/25/But-It-Was-Developed-By-A-Third-Partye280a6-Of-Course-Ite28099s-Secure!.aspx

Means, Opportunity, and Motive: Point Of Interaction Awareness

There have been numerous news stories about employees stealing credit card information before it is even entered into your information systems. These thefts usually occur out on the sales floor. You can be fully compliant with the PCI DSS, but most of the offenses we are talking about occur outside the scope of what those requirements are designed to protect against. The following types of scenarios are happening every day at merchants worldwide...

Read more at SecureState's new blog http://blog.securestate.com/post/2011/02/24/Means-Opportunity-and-Motive-Point-Of-Interaction-Awareness.aspx

New Module for the Metasploit Framework Released by SecureState

SecureState released a new module for the Metasploit Framework that allows users to brute-force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the tester has a list of Active Directory users but no services that are using domain authentication.

Check it out on our new blog! http://blog.securestate.com/post/2011/02/24/New-Module-for-the-Metasploit-Framework-Released-by-SecureState.aspx

Dispelling The Myths Of Facebook Privacy And Security

There are many misconceptions about the security of Facebook, Facebook applications, and the frequent scams that seem to plague the world’s largest social network. To help set the record straight, I would like to shed a bit of reality on the most common myths about Facebook security and privacy today. These are real examples of statements that I have encountered regarding Facebook and their privacy controls and security measures. Some have surprising truth to them and others are completely false and misleading. I’ve broken these myths into three areas: Facebook applications, privacy, and security myths.
Read more on our new blog http://blog.securestate.com/post/2011/02/21/Dispelling-The-Myths-Of-Facebook-Privacy-And-Security.aspx

Visa Introduces Technology Innovation Program (TIP) for Merchants

Visa announced on February 9, 2011 that as of March 31, 2011, Visa will allow qualifying merchants outside the U.S. to discontinue their annual Payment Card Industry (PCI) On-Site Assessment. Visa has introduced the Technology Innovation Program (TIP), which essentially will apply to those merchants that meet the following requirements...

Read more on SecureState's new blog http://blog.securestate.com/post/2011/02/10/Visa-Introduces-Technology-Innovation-Program-(TIP)-for-Merchants.aspx

FERPA, HIPAA’s Immature Cousin, Says ‘Happy Data Privacy Day!’

Today I thought it would be interesting to compare HIPAA and FERPA.
Learn more at our new blog site http://blog.securestate.com/post/2011/01/28/FERPA-HIPAAe28099s-Immature-Cousin-Says-e28098Happy-Data-Privacy-Day!e28099.aspx

Small Goals Lead to Bigger Results

Why are there shelves, sometimes figuratively, sometimes literally, full of projects that money was spent on with little end result? Projects left incomplete, never verified as meeting their intended reasons for purchase?

Find out more at SecureState's new blog http://blog.securestate.com/post/2011/01/27/Small-Goals-Lead-to-Bigger-Results.aspx

SiteScape Forums TCL Injection Exploit Released

SecureState released new details on a TCL code injection vulnerability in SiteScape Enterprise Forums. This web application provides a large scale collaborative environment that many organizations use for communication and documentation. The vulnerability, originally published in 2007 as CVE-2007-6515, was described at the time only as allowing SiteScape to be exploited to execute Tool Command Language (TCL) commands.

Read more on our new blog http://blog.securestate.com/post/2011/01/12/SiteScape-Forums-TCL-Injection-Exploit-Released.aspx