Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.
- Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
- Three Steps to a Rational Security Budget
- Hackvertor and JSReg
- Multiple DOM-Based XSS in Dojo Toolkit SDK
- Weak security ID questions put e-mail at risk
- XSS demo for stealing passwords from the Firefox password manager
- …because you can’t get enough of clickjacking
- A gentle introduction to return-oriented programming
- Facebook Adds Code for Clickjacking Prevention
Notes
- Richard Bejtlich OWASP Podcast
WhiteHat Security is a leading provider of website security services.
View original post here:
Best of Application Security (Friday, Mar. 12)
F-Secure has an additional blog that launched today. It’s called Safe and Savvy .
Read the original:
Be Savvy, Get Six Months of Internet Security
ATM skimmers are installed like this (video). Video source: Spiegel.de and the German Federal Criminal Office (Bundeskriminalamt). Posted on 10/03/10 at 12:06 PM.
See the original post:
How are ATM skimmers installed?
As “JiLsi” — one of the online criminals from Darkmarket — was sentenced last week to almost five years in prison, we have received some media queries on the case. In particular, one journalist wanted to know what JiLsi (aka Renu Subramaniam), Matrix001 (aka Markus Kellerer) and Cha0 (aka Çağatay Evyapan) looked like when they were posting to the Darkmarket forum.
Here is the original post:
Darkmarket Avatars
The creators of the SymbOS.Exy family of threats are at it again. They have resurfaced with yet another signed Symbian threat: SymbOS.Exy.E.
See the original post:
A Touch of Mobile Threat Déjà Vu
Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.
- Microsoft’s Many Eyeballs and the Security Development Lifecycle
- A Comparison of DBIR with UK breach report
- Infrastructure vs
Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.
- Accuracy and Time Costs of Web Application Security Scanner Report
- The Web won’t be safe, let alone secure, unless we break it
- Why don’t websites default to SSL/TLS?
Go here to read the rest:
Best of Application Security (Friday, Feb. 5)
February 9th will bring numerous Microsoft updates: 13 bulletins addressing 26 vulnerabilities. All versions of Windows are affected.
Go here to read the rest:
Microsoft Updates and Vulnerabilities
We’ve received some questions regarding Apple’s iPad, and whether or not the lack of Adobe Flash support is for security reasons. Well, no, we don’t think so.
Read this article:
Is the lack of iPad Flash support for security?
Facebook recently rolled out new privacy settings that provide additional publishing controls. For example, Facebook users can now publish a photo to a selected list of friends.