Posts have been a little slow lately. Mostly that’s because I’ve been traveling around the country and focusing on getting some very cool new stuff out the door here at WhiteHat. However, I still have enough time to keep up on the news and latest chatter so figured why not discuss some of the more entertaining snippets:
1) Mark Potts (CTO of Software, HP) Information Week article offered a real gem when claiming they now have nine out of the world's top 11 security hackers by way of the SPI Dynamics acquisition. Classic statement! I can only imagine how the SPI engineering teams cringed at that one. :) Of course a few bloggers decided to poke a little fun, I mean who can blame them. Then a fellow co-worker here said tongue in cheek that by the same logic its possible that WhiteHat has 2 of the top 3. ;)
2) WASC’s Web Hacking Incidents Database project captured some press recently by releasing the annual report for 2007. For those unfamiliar with WHID, it’s an effort to keep track of web applications related security incidents, mostly those reported in the media. Simply put -- what the hackers hack, why and how. Ofer Shezaf (Breach Security) put a ton of effort into this and the results are well worth it. There are some really interesting statistics in there, especially when contrasted with other reports.
3) Most of us are already aware that the bad guys are hacking “trusted” websites and silently placing malware on them in effort to compromise their visitors Web browsers. This is a highly effect approach and many large name brand name websites have been used as launching pads. However, until I read Dan Goodin's Register article I wasn’t aware just how bad the problem had gotten:
“The findings come as Websense, a separate security firm that's based in San Diego, recently estimated that 51 per cent of websites hosting malicious code over the past six months were legitimate destinations that had been hacked, as opposed to sites specifically set up by criminals. Compromised websites can pose a greater risk because they often come with a degree of trust.”
Whoa. Most websites hosting malware are legit.