The first posts date from 2010, and since 2011 Rishi Narang has written about security at least six times a year. This no-frills blog is an example of the value of the Internet as a marketing and personal-branding vehicle. In 2013 he published two articles with detailed, useful hands-on content about the (in)security of session "cookies" at well-known services such as Outlook, Google, Twitter, LinkedIn, Facebook and Yahoo. Both articles came with a video, a proof-of-concept "script" to "guess" those "cookies", and a table summarizing the "cookies" analyzed.
The three conclusions drawn from these two articles on "cookie-based" session maintenance are:
- "Cookies" need to expire on the server that sends them, at least when the session expires and, preferably, periodically.
- HTTPS should be preferred over HTTP as the transport protocol.
- These session "cookies" need to be created in a truly random manner.
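The three conclusions above, turned into a minimal server-side session store (an added example, not code from Rishi Narang's blog; the lifetimes, cookie name and header layout are assumptions): tokens come from the OS CSPRNG so they cannot be guessed from earlier ones, the server drops a token when its lifetime ends regardless of what the browser still sends, tokens are rotated periodically, and the cookie is only ever sent over HTTPS.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 30 * 60    # assumed: server-side lifetime of one token, in seconds
ROTATE_AFTER = 10 * 60   # assumed: issue a fresh token after this long


@dataclass
class Session:
    user: str
    token: str
    issued_at: float
    expires_at: float


class SessionStore:
    """The server, not the browser, decides when a session token stops working."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock            # injectable so expiry can be tested offline
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG: no sequence, timestamp or user id to predict
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, token, now, now + SESSION_TTL)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now >= s.expires_at:
            self._sessions.pop(token)  # expired here even if the client still sends it
            return None
        if now - s.issued_at >= ROTATE_AFTER:
            self._sessions.pop(token)  # periodic rotation: the old token is revoked
            return self._sessions[self.create(s.user)]
        return s

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # session end must kill the token server-side


def set_cookie_header(token: str, max_age: int = SESSION_TTL) -> str:
    # Secure: only over HTTPS; HttpOnly: not readable by page scripts
    return f"sid={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A request handler calls `lookup` on the cookie value and, when the returned session carries a different token than the one presented, answers with a new `set_cookie_header`.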
The popular security publication SC Magazine reported the vulnerabilities that Rishi Narang found at those big Internet names and published a link to his blog. He has surely received invitations to share his analysis and help improve the security of some of these companies' cookies, or an offer to join a web-security provider.
In short, the wtfuzz.com calling card is an excellent presentation of an inquisitive security professional.
Outside typical IT security topics, this blog also has a non-technical article titled "It's you and me", published in October 2012. It talks about human emotions and the differences between women and men. Perhaps this is why Rishi describes himself as a cyber psychology researcher?
Vulnerable tower... and cookies?