<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-2397196717839865841.post6991217631064445365..comments</id><updated>2010-11-25T22:17:12.719+11:00</updated><category term='career advice'/><category term='australian information security market'/><category term='economics'/><category term='AISA'/><category term='FUD'/><category term='sacred cows'/><category term='webappsec'/><category term='vulnerability management'/><category term='IPS'/><category term='security patching'/><category term='futurism'/><category term='DoS'/><category term='causes'/><category term='privacy'/><category term='information security governance'/><title type='text'>Comments on Infamous Agenda: Threat vectors</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.infamousagenda.com/feeds/6991217631064445365/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2397196717839865841/6991217631064445365/comments/default'/><link rel='alternate' type='text/html' href='http://www.infamousagenda.com/2010/11/threat-vectors.html'/><author><name>Matthew Hackling</name><uri>http://www.blogger.com/profile/12211732838162218259</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2397196717839865841.post-3659652725527186536</id><published>2010-11-25T22:17:12.719+11:00</published><updated>2010-11-25T22:17:12.719+11:00</updated><title type='text'>It&amp;#39;s funny - I too had a chat with someone fro...</title><content type='html'>It&amp;#39;s funny - I too had a chat with someone from Securus at Ruxcon after my talk that made me sit back and really challenge my thinking. :) They&amp;#39;re a great bunch.&lt;br /&gt;&lt;br /&gt;Yeah, the Advertiser one I have actually seen first-hand with nasty consequences. What really sucks is that because of the chain of companies that push these ads through their networks and downstream affiliates or partners, the reality is that if you are signed up to use these networks you are really at their mercy. When you look at it in terms of finding the weak link in the chain, it is a very bloody long chain, believe me. :(&lt;br /&gt;&lt;br /&gt;Paul Theriault (Stratsec) delved into the tech detail at OWASP-AU Conference 2008 with Flash in particular, and this is of particular relevance in this area. What sucks is that there are very, very few technical controls that can solve the problem (when I looked at this it seemed contractual arrangements and liability transfer were the only way to do it really). &lt;br /&gt;&lt;br /&gt;Most of those vulnerabilities would be readily detected through a standard web app test (i.e. most examples are related to lack of input validation as a root cause failure). Even if you never tested the app, you can risk-assess the fact that these apps have unquantified security levels and will have a discernible business impact (depending on criticality) if something happens.&lt;br /&gt;&lt;br /&gt;The problem with the social engineering stuff (e.g. 
PDF, USB keys) is you have to grapple with the human element and noticeably weaker desktop controls. That&amp;#39;s a tougher argument to have with the business because it affects how people operate in the office.&lt;br /&gt;&lt;br /&gt;Of course, a client-side pentest can really add value here.... (ok I&amp;#39;ll shut up now :).&lt;br /&gt;&lt;br /&gt;- J.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2397196717839865841/6991217631064445365/comments/default/3659652725527186536'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2397196717839865841/6991217631064445365/comments/default/3659652725527186536'/><link rel='alternate' type='text/html' href='http://www.infamousagenda.com/2010/11/threat-vectors.html?showComment=1290683832719#c3659652725527186536' title=''/><author><name>Jarrod</name><uri>http://www.blogger.com/profile/09705073585945953338</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01961497227698185767'/><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.infamousagenda.com/2010/11/threat-vectors.html' ref='tag:blogger.com,1999:blog-2397196717839865841.post-6991217631064445365' source='http://www.blogger.com/feeds/2397196717839865841/posts/default/6991217631064445365' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1926495770'/></entry></feed>
