"Security researchers in Germany continued to pull down exploit code from their sites last week, scrambling to comply with a German law that makes illegal the distribution of software that could be used to break into computers. The German law — referred to as 202(c) — went into effect on Sunday. Many experts have complained…

"Marc Maiffret, CTO and chief hacking officer at eEye, said in an interview today that the company would be entering the Web app security space "soon." "It's a natural progression for us to add Web app scanning," says Maiffret, who wouldn't divulge details of the new offering." "You can scan for missing patches and vulnerabilities,…

"Google's security team is home-brewing a powerful combination scanner and fuzzing tool that experts say will be unique outside of the commercial domain. In a posting on the Google security team's blog, Srinath Anantharaju said on July 16 that the security team has been working on a black-box fuzzing tool called Lemon, in the spirit…

"You'd think electronic financial trading would be extra secure, but not so much: One of the most popular application-layer protocols in the financial industry leaves these money applications wide open to attack, according to researchers. The application-layer FIX (financial information exchange) protocol is used by financial services firms, stock exchanges, and investment banks for automated…

I went to http://www.msn.com today and saw an article called ‘is Web 2.0 Safe?’. To my surprise it linked to an article where Jeremiah Grossman and Robert Hansen were quoted. The fact that MSN is linking to web security related articles really speaks to the change of the industry. "As users store more data online,…

"What if a Web researcher found a bug on your Website today — but was too afraid of the law to tell you? The Computer Security Institute (CSI) recently formed a working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents to explore the effects of laws that might hinder…

Phrack is finally back! * Hijacking RDS TMC traffic information signal * Attacking the Core: Kernel Exploitation Notes * The revolution will be on YouTube * Automated vulnerability auditing in machine code * The use of set_head to defeat the wilderness * Cryptanalysis of DPA-128 * Mac OS X Wars – A XNU Hope *…

"Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?" "The reader wrote to say that his company often sits on security bugs until they are publicly announced or until…

" When Web browsers first emerged as front-end interfaces to Web-based applications, it was in an era where application-layer attacks were few and far between. Today, the browser has become one of the most critical and most used pieces of software on everyone’s computer. Consequently, it has become the focus of attack. Despite the best…

DSHIELD has a published a writup about some of the places that JavaScript can exist called Javascript hiding everywhere. Some of those places include – Quicktime – Flash – PDF Files – MP3’s "Frequent readers will know that we often recommend to ease up on allowing scripting as it’s used by the bad guys. XSS…

"In a recent paper titled "Teaching an Old Dog New Tricks," security guru Marcus Ranum argues that independent "security researchers" who spend their time constantly looking for security bugs are a drain on the security community. He even has a name for these people: vulnerability pimps. He thinks that if these people were really serious…