As some of our readers are well aware, last year many leading browsers finally closed a major privacy hole involving browser history that had been around for more than ten years.  Essentially, would-be trackers used JavaScript to scan links with functions like getComputedStyle() to determine whether each hyperlink was styled as a visited site or an unvisited one (e.g. visited links are often purple and unvisited ones blue).  This practice represents a serious threat, since not only can portions of browsing history be logged, but individual users can be tracked and identified with ease (this is one of several ways you can be tracked without cookies).  Since this practice of changing styles for visited links has been around since the early days of[…]

If you’re new to the world of testing web application security, you may not be aware of the many great Firefox add-ons available that make such work much easier. While others have compiled similar lists in the past, I thought this week would be a good time for me to share a few of my favorite tools for my own web app work. HttpFox: I’ve blogged about this one in the past; it lists every HTTP request made during a given browser session, with details on headers, cookies, parameters, responses, and more. Very handy for monitoring traffic while you’re browsing around an app. HackBar: Another one I’ve mentioned before, the HackBar is a Swiss Army knife that gives[…]

I hesitate to say that Visio is only useful in pen-testing, because it can also be useful in developing a secure architecture, or a web page, and really just in putting all the moving parts onto your screen (or paper) so that you can look at the big picture. I use Visio to diagram networks and web pages that I’m looking at. The network diagramming is pretty obvious – a lot of people use Visio for network diagrams anyway. Where the value comes for security folks is in the details you’re willing to add to the diagram – which ports are open on the firewall, and which servers do they lead to? Another use for Visio is mapping out web pages.[…]

The UCLA Health System was just fined $865,000 for HIPAA violations. That probably sounds like an awful lot, but in truth it isn’t. It’s awfully difficult to find exact figures on regulatory fines – companies tend to be rather tight-lipped on the subject, after all. But on the scale of companies and business fines, and knowing that companies in general, and hospitals in particular, are generally good at cushioning themselves against such damage, it’s just not that much. Also, HIPAA is considered something of a paper tiger. Although HIPAA was passed in 1996, there weren’t any fines issued until 2006. While there have been quite a few fines and even criminal prosecutions since then, and the UCLA fine is the[…]