Posts

Showing posts from May, 2010

Secure search using Google

Google turns on SSL encryption for search (Source: theregister.co.uk) This is indeed a good gesture from Google. In the era where Google is considered a synonym for Search, ensuring privacy of users accessing Google's search features is indeed a gesture that can win the confidence (at least partially) of critics who question Google's commitment towards protecting end user privacy. I believe this move to ensure privacy of search and user information, especially from a company whose CEO has stated - "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," is definitely a move in the right direction. Though this is not the ONE step that ensures absolute privacy from all standpoints, this certainly ensures that one's personal information stays secure from (third-party) eavesdroppers. As mentioned earlier, Google has become the one stop where people can search for explanations of health issues, medical co

Apple Syncs iPhone Security to Your Heart

The Dark Future of Tech: Apple Syncs iPhone Security to Your Heart (Source: www.thetelecomblog.com) Incorporating biometric features into the iPhone or devices of daily use certainly has its merits as well as demerits. It does certainly raise security to the next level wherein one's unique biometric identity becomes one's identity in the world of technology. Since biometric identities are unique, we would probably be heading in a direction where we would no longer require a password, access cards or even a key. The uniqueness of biometric signatures that provide security and privacy to technology is the demerit as well. If I lose a key or if my password gets compromised, I can procure a new key/password and ensure that my security and privacy are safeguarded. However, what if my biometric signature/identity is compromised? Will I be able to change the way my heart beats, my fingerprint or the signature of my iris? What if I forget my phone which bears my biometric identity in

Using XSS to perform XSS on another website using CSRF (XSS-CSRF-XSS)

Let us assume two websites A and B such that website A is vulnerable to XSS and CSRF and website B is vulnerable to XSS. In such a scenario, if a user is logged in to website A and browsing website B in another tab (in the same browser), then an attacker can inject a CSRF script in website B using XSS. This CSRF script would look something like this (if using GET; however, a similar attack can be done with POST as well):

http://www.WebsiteA.com/submit.php?SomeVulnerableField=<script> Do something malicious</script>

This CSRF script will get executed on website A while the user browses website B. It is easy to imagine what all can be substituted within the script tags and the resulting consequences.

The interesting thing is to understand the applicability of such an attack. It can be used in cases where the attacker wants to perform stored XSS on a website that only allows accounts for known users; one such example is financial institutions. However, it can be argued that DO

Hacked US Treasury websites serve visitors malware

Hacked US Treasury websites serve visitors malware (Source: theregister.co.uk/security) Another attack exploiting web application security to serve malicious code to visitors. Popular web sites are increasingly coming under attack, exploiting XSS vulnerabilities, to serve malware to unknowing visitors who visit these sites.

Another take on Adobe product...

Windows needs a built-in PDF viewer, argues researcher (Source: computerworld.com) The idea sounds good to me, if I assume that Windows products created by Microsoft are always bug free. However, this assumption is baseless and hence my opinion expressed in the last line is probably flawed. All software is created by a human in front of a computer. "Known is a drop, unknown is an ocean" (Source: unknown) and hence I do not expect a software developer (whether from Adobe or Microsoft) to create flawless/secure software. Asking Microsoft to create a built-in PDF reader with Windows, for creating a secure computing environment, indirectly undermines the capabilities or effort put forth by Adobe. There are numerous PDF editors and software available in the market. Adobe must probably put in more effort to ensure that it produces more secure software. However, according to me, a reader by Microsoft is definitely not the foolproof solution.

Google's thumbs up to security...

Google personal suggest bug exposed user web history (Source: theRegister.co.uk) Good approach by Google... Appreciating and encouraging the efforts of the infosec community... Unlike the recent comments by Verizon where security researchers were termed 'narcissistic vulnerability pimps'. Though I personally like the usage as it is a good line for a t-shirt (as suggested by my friends and fellow researchers Ashrith Barthur & Ankur Chakraborthy), the remark was one that discourages the effort of the researchers and one that contradicts the very essence of security. Kudos to Google. Indeed a good approach... setting an example for other players in the industry.

BitTorrent Analysis!!!

BitTorrent Analysis (Source: theRegister.co.uk) Interesting research that analyzes BitTorrent traffic to find content providers.