Archive for May, 2010

full disclosure for public web apps

Friday, May 21st, 2010

There’s a new full disclosure website in town – http://www.vs-db.info names and shames sites with web application vulnerabilities (SQL injection, XSS, XSRF, CRLF injection, etc.), without providing enough detail to exploit them.

crime does pay, but only in bulk

Monday, May 17th, 2010

I looked over the FBI’s Internet Crime Complaint Center’s annual report covering 2009. There wasn’t a whole lot that was interesting (electronic crime is on the rise), but one thing caught my eye. On page 6 there is a chart showing the number of cases broken down by the monetary loss associated with each. Only 7.5% of the cases involved damages of more than $10,000 and only 1% involved damages of over $100,000. Gone, I suppose, are the days of the million dollar heists, replaced instead by the facilitation of many smaller crimes. The scammers are only making money because they steal in bulk.

the real problem with passwords

Friday, May 14th, 2010

Lest this blog turn into nothing more than a source of announcements, I figured I’d post something that has been eating me up for ages. Anyone who knows me knows that I hate passwords with a passion. They’re easy to break, easy to social engineer, and provide a false sense of security. People trade them for candy bars, reuse them, and don’t pick ones that are hard to guess. As soon as they become hard to guess, they also become hard to remember, leading to lots of helpdesk calls for password resets. All of these (and other) issues stem from one single root cause – passwords move the security role from the IT security department to the end users. We IT security people are constantly trying to make new rules for the end users to make sure they protect their passwords, but the problem is that while all these rules make sense to us, the end users are not IT security experts. They don’t have the background, experience, know-how, etc. Expecting the end users to manage the security of a system they don’t even understand is a huge mistake. And yet, for some reason, that’s what we do when we use passwords as the single factor needed to access sensitive data.

security clearance handbook

Friday, May 14th, 2010

Although not strictly related to the infosec field, I’ve found that at least in the DC area a lot of infosec professionals need security clearances, and a lot of budding infosec professionals are always asking questions about them. The University of Fairfax has put out a very good security clearance handbook which addresses most of the issues you’d want to know about. You can download it directly from here.
