A lot of what we security professionals do includes protecting information from being compromised (especially personal information). The shift towards more profit-driven computer crime has happened swiftly over the last decade, so it should come as no surprise that there is a booming underground market centered almost entirely around compromised financial and personal data. And, on the other end of the spectrum, we have laws and regulations to help minimize the leakage of this data in the first place. Plenty of research and documentation exists for the many ways we try to protect information, but there isn’t much (public) info on the underground market populated by the attackers and their associates who trade in illegally-gotten information. So, how do someone’s[…]

Ever wonder about how we came to have the technologies and programming languages used today? Yahoo’s senior JavaScript architect Douglas Crockford gave a presentation in early 2010 that traces the developments which brought us the beloved and hated language that powers client-side web behaviors. The video is nearly two hours and only the first in a series on JavaScript, but Crockford relates many interesting stories about the history of computing and notes patterns in how technology tends to develop. Check it out if you want to learn more about the background of that quirky yet powerful bit of tech we call JavaScript: Crockford on JavaScript: The Early Years

A vulnerability demonstration this week involving a technology that’s generating buzz reminded me of an important concept: Security is as much about implementation as the underlying technologies you use. You can put together several “secure” components and still build an insecure system. The example that reminded me of this relates to Bitcoin, a somewhat controversial form of digital currency that’s recently been discussed by several high-profile media outlets. I’m not going to talk about any specific merits or problems associated with Bitcoin, but note that it relies on mathematically solid encryption schemes to allow transactions while preventing theft. However, regardless of how strong your encryption, an insecure application using that encryption can introduce easily exploitable vulnerabilities. And Adam Baldwin of evilpacket[…]

OpenVPN isn’t anything new. But today I finally overcame a hurdle I had with trying to connect to our company VPN via my Android device. The OpenVPN for android project isn’t anything new; it’s actually been in the works since late 2009 if you follow it all the way back through a couple forks. The main issue that was holding me up wasn’t anything to do with Android-OpenVPN port itself. It was simply to do with the Android device I was using (thanks Samsung for crapping on us with the Galaxy S devices). A recent ROM update finally put the final pieces I needed into motion for being able to utilize OpenVPN. The main holdback was the lack of tun[…]

A little bird was heard saying that Google is finally taking a stance to try and reduce the amount of fragmentation its platform has suffered. We had a couple people at CTIA last week — people whose words carry weight — tell us off the record that the next major version of Android would take big strides toward stopping the ugly trend toward severe fragmentation that has plagued the platform for much of this and last year. You know, the kind of fragmentation that has already left users running not one, not two, not three, but four distinct versions of the little green guy (1.5, 1.6, 2.0, and 2.1) depending on a seemingly arbitrary formula of hardware, carrier, region, software[…]

A couple of weeks ago, we brought to your attention the newly released two-factor authentication that Google rolled out for all of its web-based products (Gmail, Google Docs, Google Calendar, etc). So now that it’s been out for a few weeks, and it’s finally had a chance to make its rounds to everyone’s accounts, let’s take a step back and see how it actually works.