A digital currency known as Bitcoin (BTC) has been causing a bit of a media stir of late due to its use for illicit purposes. Some readers of this blog will be familiar with and have used a digital currency of some form in the past to purchase goods online. Some may even remember failed digital currencies such as e-gold, which had operations suspended by US authorities after its proprietors were indicted on four counts of violating money laundering regulations back in 2007. With Bitcoin, we now have another multi-million dollar digital currency market without any central authority for regulation. (An in-depth explanation of Bitcoins is available on Wikipedia.)

On Tuesday, September 21 a cross-site scripting (XSS) vulnerability in Twitter became publicly known and was exploited by attackers, as well as many curious copycats with non-malicious intentions. An issue surrounding the parsing of attributes of posted links allowed JavaScript code to be executed whenever a user hovered over a link with the mouse. According to Twitter, the vulnerability had been patched a month ago, but resurfaced with a recent code change. Some users started to misuse the vulnerability as a new feature, adding things like rainbow-colored text boxes or harmless pop-up boxes to their tweets.

It comes as no surprise that this vulnerability was also used for malicious purposes. You can’t really blame users for getting infected, as they didn’t even click on the suspicious links. Rolling over any of the specially crafted links was sufficient to start the embedded...

Following an industry conference, I find it a good practice for me to reflect back on what I learned and observed and see how I can apply it to my current work. At the conference there is so much to learn and take in, so I find it helps to let it all marinate for a bit of time and then I can start to uncover the new learning once I’m back at my desk and away from the conference buzz. It’s now been nearly two weeks since BlackHat wrapped up and these are the topics and observations from the conference that have been swilling around in my head. I hope to explore these thoughts more with my industry colleagues and find my way to contribute to improving security industry best practices.
 
Cyber security professionals need an education

Education remains an area of concern for cyber security professionals. The perception is that universities are graduating computer scientists and other degreed professionals inadequately prepared to...

There has been a considerable amount of news activity purporting that Google is looking to do a full-scale migration away from using Microsoft products, citing security as the primary impetus. While I can’t say whether or not these reports are indeed true, the story does raise a couple of important issues when it comes to reasoning about how effective your IT security policies are.
 
The first misconception is that the main security risks are rooted in the underlying platform, whether it is Windows, Mac OS, Linux, etc. That might have been true five to seven years ago. The reality today, however, is that much of the attack activity we see is aimed “higher up in the stack.” The targets include applications that run on top of platforms (e.g., Web browsers), third-party add-ons that run on top of applications (e.g., browser extensions or plug-ins), and ultimately the human beings who operate the platform—who, unbeknownst even to themselves,...