Security Weekly News 30 December 2010 – Summary

Feedback and/or contributions to make this better are appreciated and welcome

Highlighted quotes of the week:

“Real IT/security talent will work where they make a difference, not where they reduce costs, ‘align w/business,’ or serve other lame ends.” – Richard Bejtlich

“woodworking tools do not make chairs == security tools do not make security.” – Rafal Los

“Sec guys cannot avoid IE use in the enterprise. But we could secure it a bit by using EMET. M$ should give support, though.” – Román Medina-Heigl Hernández

“TSA bodyscans/pat-downs are to national security what WAFs, DLPs and NACs are to infosec.” – Wim Remes

“To enforce a security policy for users without explanation is like forcing kids to eat vegetables… It will #fail” – Xavier Mertens

“…only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren’t going to protect it with these basic cookie flags?” – Michael Coates
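The check behind the quote above, as an added example (not code from the newsletter or from Michael Coates): parse the `Set-Cookie` headers of a response and report every cookie that lacks the `Secure` or `HttpOnly` flag. The header values are constructed sample data.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags."""
from typing import Dict, Iterable, List, NamedTuple


class CookieAudit(NamedTuple):
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the cookie name and its two flags.

    Attribute names are case-insensitive per RFC 6265, so they are lowercased.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs)


def unprotected_cookies(headers: Iterable[str]) -> Dict[str, List[str]]:
    """Map each cookie missing a flag to the list of flags it lacks.

    A cookie that carries both flags is not reported.
    """
    findings: Dict[str, List[str]] = {}
    for cookie in map(parse_set_cookie, headers):
        missing = []
        if not cookie.secure:
            missing.append("Secure")
        if not cookie.httponly:
            missing.append("HttpOnly")
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "tracking=xyz; Path=/",
    "prefs=dark; Path=/; Secure",
    "csrf=tok; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in unprotected_cookies(SAMPLE_HEADERS).items():
        print(f"cookie {name!r} is missing: {', '.join(missing)}")
```

Run it against the `Set-Cookie` headers of a pre-login response to see which cookies a session could ride on without the basic protections the quote calls for.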

“Avg # of days in a year a website is vulnerable to at least 1 *serious vulnerability: 200” – Jeremiah Grossman

“Any dictator would admire the uniformity and obedience of the U.S. media.” – Noam Chomsky

“MD5, which usually poses a serious computational challenge to reverse