Blizzard’s Two-Factor Authentication

Tuesday, July 1st, 2008

Blizzard's announcement of two-factor authentication for World of Warcraft is more significant than people realize. Passwords are obsolete. They are broken. We all recognize this, yet we aren't quite ready to give up on passwords because we haven't an easy alternative. World of Warcraft (WoW) is a good test case. It is ...

Cross Environment Hopping

Tuesday, July 1st, 2008

Our research team has identified a web-based attack technique that exploits the growing number of applications that require a web server being run on a local machine. Cross-Environment Hopping (CEH) is a result of this trend combined with the current limitations in browsers’ same-origin policy access restrictions. The CEH technique enables ...

Detecting SSH tunnels

Tuesday, July 1st, 2008

Italian researchers have published a paper on the Detection of Encrypted Tunnels across Network Boundaries. I came across it in a google search because I’ve been thinking of writing a program which does something similar. It doesn’t seem like anyone else has picked up on this research yet so I ...

New tools to block and eradicate SQL injection

Tuesday, June 24th, 2008

The MSRC released an advisory today that discusses the recent SQL injection attacks and announces three new tools to help identify and block these types of vulnerabilities. The advisory discusses the new tools, the purpose of each, and the way each complements the others. The goal of this blog post is ...

Securing Cross Site XMLHttpRequest

Monday, June 23rd, 2008

As I mentioned in my post on Cross Document Messaging, client side cross domain request is an important area of interest for AJAX developers looking for ways to avoid expensive server side proxying calls. While Cross Document Messaging is useful for allowing third party components or gadgets embedded in a ...