Articles on Web Security
Below are my perspectives on web security, drawn from my work as a security leader and practitioner.
- Web Security | Free Online Tools for Looking up Potentially Malicious Websites | A curated list of free online tools for investigating potentially malicious websites, ranging from services that provide historical reputation data to those that examine URLs in real time. Options...
- Tools | Common Failures of Information Security Tools (Part 1) | Security tools have side effects like medicine. Network firewalls cause connectivity issues; WAFs block legitimate traffic after site updates and are difficult to troubleshoot; antivirus tools may...
- Social Networking | How Clickjacking Attacks Work | Clickjacking tricks users into clicking invisible elements from other sites—commonly used to propagate Facebook links. Advanced variations can de-anonymize visitors by capturing their identity when...
- Authentication | We Still Suck at Protecting Logon Credentials | Recent breaches at Lockheed Martin, Mt. Gox, PBS, and Sony PlayStation show we still fail at protecting credentials. Attackers compromise them via remote password guessing, SQL injection to retrieve...
- Malware | Malvertising: How Malicious Ad Campaigns Are Protected | Attackers protect malvertising campaigns by obfuscating JavaScript and ActionScript code and timing attacks for weekends when ad network staff aren't working. Malicious logic activates after...
- Social Engineering | The Targeted Attack Potential of Vanity Web Searches | Vanity web searches create targeted attack opportunities. Attackers can create pages with a target's name, wait for Google indexing, then add malware knowing the person will visit when alerts...