Google Home-brews Powerful Automatic Scanning Fuzzer
Posted 07/18/07 by Robert
"Google's security team is home-brewing a powerful combination scanner and fuzzing tool that experts say will be unique outside of the commercial domain.
In a posting on the Google security team's blog, Srinath Anantharaju said on July 16 that the security team has been working on a black-box fuzzing tool called Lemon, in the spirit of the word as it's used to denote defective products.
Fuzz testing, or fuzzing, is a black-box software testing technique in which malformed data is injected automatically to find implementation bugs in code. In particular, Google is targeting () bugs, according to Anantharaju."
Zero-day sales not "fair" -- to researchers
Posted 07/18/07 by Robert
"Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information.
“ I don't think it fair that researchers don't have the information and contacts they need to sell their research. ”
Charles Miller, principal security consultant, Independent Security Evaluators
Having recently left the National Security Agency, the security professional decided to try his hand at selling the bug to the U.S. government. In a paper due to be presented next week at the Workshop on the Economics of Information Security, Miller -- now a principal security analyst at Independent Security Evaluators -- writes about the experience and analyzes the market for security vulnerabilities.
In the case of the Linux flaw, one agency offered him $10,000, while a second told him to name a price. When he said $80,000, his contact quickly agreed.
"The government official said he was not allowed to name a price, but that I should make an offer," Miller told SecurityFocus. "And when I did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'"
Rant: Security 2.0 and Ethics 0.2 Beta
Posted 07/17/07 by Robert
UPDATE: There is a thread on the slackers forum talking about this below if you want to join in on the conversation.
FX from Phenoelit has posted an interesting rant on the ethics and hype in the security industry.
"The Web 2.0 has all the potential for the next big wave of FUD in security. First of all, it's not done yet. We are seeing new players on the Web but the general direction of developments is sketchy at best. One of the more solid observations is that the Web 2.0 is a work of composition from known technologies at a higher abstraction level than before. Most components are not reinvented but rearranged and adjusted. This leads to some of the lesser-known components and especially patterns [6] to be considered new, revolutionary developments [4].
The new Web primarily teaches us lessons we should already know. Basics like the fact that perimeter security cannot work in networked environments, since they wouldn't be networked if it did - think mesh-ups. Basics like: defence in depth is one of the few paradigms that actually have a chance to work in the wild and keep complex systems alive. But we knew that before, didn't we?"
Tool: SQL Power Injector 1.2
Posted 07/16/07 by Robert
"SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.
For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server.
If the aspect of inline SQL injection is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only is there a possibility to automate tedious and time consuming queries but you can also modify the query to get only what you want. It is obviously more useful in the blind SQL injection since the other ways to exploit the SQL injection vulnerability are more effusive and much faster when the results are displayed on the web page (union select in a HTML table and generated 500 error for instance).
The automation can be realized in two ways: comparing the expected result or by time delay. The first way is generally compared against an error or a difference between a positive condition and a negative one, and the second way will turn out positive if the time delay sent to the server equals the one parameterized in the application."
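The comparison-based ("blind") automation described above relies on one thing: that a true condition and a false condition smuggled into a parameter produce observably different responses. The following is an added example, not code from SQL Power Injector or its announcement, showing that inference oracle against a deliberately inline-built query and its disappearance once the same query is parameterized. The `users` table, the `login_*` functions and the `has_boolean_oracle` check are constructed here for illustration; the database is an in-memory SQLite instance standing in for the DBMS behind a web page.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Inline query: the parameter text becomes part of the SQL command.

    This is the 'normal mode' inline injection the post describes; any
    quote in the input can change the structure of the statement.
    """
    query = (f"SELECT COUNT(*) FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, name, password):
    """Parameterized query: the driver binds the values, so the input is
    only ever compared as data and can never alter the statement."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def has_boolean_oracle(conn, login):
    """Boolean-based check in the sense of the post: submit one condition
    that is always true and one that is always false, for a user that does
    not exist, and report whether the application's answer differs.

    A difference means the input reached the SQL engine as code, which is
    the signal an auditor's regression test looks for; the hardened version
    must never show it.
    """
    true_cond = "nobody' OR '1'='1"
    false_cond = "nobody' OR '1'='2"
    answer_true = login(conn, "nobody", true_cond)
    answer_false = login(conn, "nobody", false_cond)
    return answer_true != answer_false


def audit():
    """Run the same probe against both implementations."""
    conn = make_db()
    return {
        "inline_query_injectable": has_boolean_oracle(conn, login_vulnerable),
        "parameterized_injectable": has_boolean_oracle(conn, login_hardened),
    }


if __name__ == "__main__":
    print(audit())  # {'inline_query_injectable': True, 'parameterized_injectable': False}
```

The time-delay variant the post mentions is the same oracle measured through latency instead of response content, so the fix is identical: once values are bound as parameters there is no condition left for the server to evaluate differently. A check like `has_boolean_oracle` belongs in an application's test suite next to the normal login tests, so a later refactor that reintroduces string-built SQL fails the build rather than reaching production.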
HDIV: Struts 2 Security Plugin
Posted 07/15/07 by Robert
Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts (Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confidentiality of non editable data and Generic Validations of the Editable Data), maintaining the API and Struts specification.
HDIV 1.3 release has been added as a Struts 2 Plugin in . You can download an example (showcase) to understand how HDIV works ( )
In addition, there is also a quick introduction about HDIV using the OWASP top ten 2007 as a reference
You can get more details about HDIV in "
Dangerous Java flaw threatens virtually everything
Posted 07/13/07 by Robert
"Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threatens the security of all platforms, browsers and even mobile devices.
"This is as bad as it gets," said Chris Gatford, a security expert from penetration testing firm Pure Hacking.
"It’s a pretty significant weakness, which will have a considerable impact if the exploit codes come to fruition quickly. It could affect a lot of organizations and users," Gatford told ZDNet Australia.
Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk."
Greek spies plant rootkit in a phone exchange
Posted 07/12/07 by Robert
"A highly sophisticated spying operation that tapped into the mobile phones of Greece's prime minister and other top government officials has highlighted weaknesses in telecommunications systems that still use decades-old computer code.
The spying case, where the calls of around 100 people using Vodafone’s network were secretly tapped, remains unsolved and is still being investigated. Also complicating the case are question marks over the suicide in March 2005 of a top engineer at Vodafone Group in Greece in charge of network planning."
There is also a detailed write-up well worth reading. From that article:
"The cellphone bugging began sometime during the fevered run-up to the August 2004 Olympic Games in Athens. It remained undetected until 24 January 2005, when one of Vodafone's telephone switches generated a sequence of error messages indicating that text messages originating from another cellphone operator had gone undelivered. The switch is a computer-controlled component of a phone network that connects two telephone lines to complete a telephone call. To diagnose the failures, which seemed highly unusual but reasonably innocuous at the time, Vodafone contacted the maker of the switches, the Swedish telecommunications equipment manufacturer Ericsson.
We now know that the illegally implanted software, which was eventually found in a total of four of Vodafone's Greek switches, created parallel streams of digitized voice for the tapped phone calls. One stream was the ordinary one, between the two calling parties. The other stream, an exact copy, was directed to other cellphones, allowing the tappers to listen in on the conversations on the cellphones, and probably also to record them. The software also routed location and other information about those phone calls to these shadow handsets via automated text messages."
Article: Java security: Is it getting worse?
Posted 07/11/07 by Robert
" Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection.
Is the security of Java itself getting worse, or is the security of Web applications using Java weakening? Are XSS attacks enabled by poor Java coding, or poor Web application design? In this tip, we'll examine Java's security capabilities, the recent exploits that have caused some to question Java and best practices to keep Java applications safe.
Java has a number of built-in security features that don't exist in other languages. For example, it checks the size of input data, which prevents buffer overflows, a common exploit where an attacker floods an application with more data than it can handle. A buffer overflow can crash an application or, if crafted properly, ignite a process which allows malicious access into a system.
Unlike other languages, such as C and assembly, Java automatically cleans up after itself. After an application closes, Java clears out memory used by the application with a garbage collection system. This process, which works silently in the background, prevents other exploits that can take down an application by overloading its memory. "
Microsoft Patch Tuesday Addresses .NET Vuln
Posted 07/11/07 by Robert
"The critical update covers flaws in Excel, Windows Active Directory, and .NET Framework. All create a possible means for hackers to inject hostile code onto vulnerable systems (remote code execution). Separate security bugs in Internet Information Server (Microsoft's web server software) and Microsoft Office Publisher also carry the same risk but earn a lower classification of "important" from Redmond. Microsoft's security gnomes have also addressed a "moderate" security bug in Windows firewall that creates an information disclosure risk."
Paper: DNS Pinning and Web Proxies
Posted 07/10/07 by Robert
"DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain.
The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within browsers. However, the same attacks can also be performed against web proxies, where browser DNS pinning does not apply. Corporate web users accessing the Internet via a proxy are at risk from such attacks.
There are various ways in which DNS-based attacks against web proxies could potentially be prevented through changes to proxy and browser software. Each of the fixes considered suffers from important shortcomings. In the meantime, there are other defences that organisations and individuals can employ to prevent attacks against them."
XSS cross webmail worm
Posted 07/9/07 by Robert
Rosario Valotta writes in to tell us "I realized a PoC of what I define a XWW - Cross webmail worm, based on exploitation of XSS vulnerabilities.
Detailed information and a video can be found at:
"
Securing Firefox: How to avoid hacker attacks on Mozilla's browser
Posted 07/9/07 by Robert
"Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers.
However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks.
The following configuration changes, recommended by CERT/CC, can disable various features and set up the browser to run in a secure state, limiting the damage from malware attacks. "
Average zero-day bug has 348-day lifespan, exec says
Posted 07/9/07 by Robert
"The average zero-day (0day) bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer, according to security vendor Immunity Inc.'s chief executive officer.
Zero-day bugs are vulnerabilities that have not been patched or made public. When discovered and not disclosed, these bugs can be used by hackers and criminals to break into corporate systems to steal or change data. As a result, there is a thriving market for zero-day bugs.
"Huge amounts of money are being offering to zero-day discoverers for their zero-days," said Justine Aitel, Immunity's CEO, speaking in Singapore at the SyScan '07 security conference.
Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.
"Bugs die when they go public, and they die when they get patched," she said. "
Hacking Capitalism: electronic financial trading
Posted 07/9/07 by Robert
"You'd think electronic financial trading would be extra secure, but not so much: One of the most popular application-layer protocols in the financial industry leaves these money applications wide open to attack, according to researchers.
The application-layer FIX (financial information exchange) protocol is used by financial services firms, stock exchanges, and investment banks for automated financial trading. But apps written to the protocol can be vulnerable to denial-of-service, session hijacking, and man-in-the middle attacks over the Internet, as well as an attacker actually able to "watch" the transactions, says David Goldsmith, CEO of Matasano Security, who will present the firm's new research on FIX at the upcoming Black Hat USA briefings later this month.
Goldsmith says he can't divulge details on the specific vulnerabilities Matasano found in applications deploying FIX, as well as other financial industry-specific protocols, but the bottom line is that these protocols weren't built with security in mind. "For the most part, when you look under the hood of these protocols, we find almost no means of security," he says. The FIX spec, for instance, barely touches on how to secure data as it travels over the Internet. "
MPack Reveals Stingy Web Hosts
Posted 07/5/07 by Robert
"According to reports, thousands of Web sites, predominantly in Italy, were recently compromised using the MPack malware kit, which contained iframe tags that pointed surfers towards hacker-controlled Web sites.
A security researcher at the SANS Institute's Internet Storm Centre says that only one of the Web sites hosted on the machine had to contain a vulnerable PHP script for the rest of the sites to become infected and often the root cause of the problem is when a Web hosting provider doesn't spend as much as it could on necessary hardware to add an extra layer of protective virtualization. The researcher adds that a good precaution to take is to make sure the hosting provider uses chroot or suExec, which ensures that individual Web sites are not compromised by others sharing the same physical server."
Security on AIR: Local file access through JavaScript
Posted 07/3/07 by Robert
Fukami is outlining some risks with Adobe's AIR platform.
I can tell you first hand that these sorts of applications are going to start popping up on many large sites in the next year....
"In general every file on the local file system can be accessed by AIR apps. This includes reading, writing, appending or deletion as well as testing for file and directory existence. Another interesting feature is the possibility to overwrite calling files inside a compiled AIR application during runtime."
CIA legend claims Belfast and Dublin major centres of industrial espionage
Posted 07/3/07 by Robert
"A former top CIA agent has claimed Belfast and Dublin are world centres of industrial espionage where top corporations can buy secret information on their rivals.
Bob Baer, whose life inspired the spy movie Syriana starring George Clooney, said Ireland was "just like Berlin during the Cold War".
In an interview for RTE radio documentary Highway 101, Baer says Dublin is now the place where firms go if they need solutions to problems with the Russian Mafia.
"When I was in the CIA, Ireland was never a target, but, since then, I know that it has become a centre for commercial spying, which is very interesting," said Baer
"There is also a lot of data available in Northern Ireland. I don't know why that is, but I know it is going on.
"If I want to know about you, if I want cellphone records for example, I get your landline and do a data search to get your cell number in Ireland very easily. If I want to know everyone you have talked to in the last six months, there is a service in Dublin where I can buy that information. "
Nearly 30,000 Malicious Web Sites Appear Each Day
Posted 07/2/07 by Robert
"The number of malicious Web sites has skyrocketed over the past few months, going from 5,000 new ones a day in April to nearly 30,000 a day now.
"This certainly is a huge increase," said Carole Theriault, a senior security consultant with Sophos, Inc., in an e-mail to InformationWeek. "In June, we saw it climb to 9,500 a day and then this huge jump up 29,000."
"The IFrame malware was a major Web site infector in June.
IFrame, which injects malicious HTML files onto Web pages, actually topped Sophos' chart for June's Top 10 Web Threats, accounting for nearly two-thirds of the world's infected Web pages. Earlier this month, hackers used the IFrame to attack multiple Italian Web sites. Sophos reported that more than 10,000 Web pages were infected in the attack, most of which were on compromised legitimate sites hosted in Italy. Victim Web sites included Italian city councils, employment services and tourism sites. Most of the affected pages appear to be hosted by one of the largest ISPs in Italy, noted Sophos. "
Month of Search Engines Bugs Results Published
Posted 07/2/07 by Robert
"33 search engines (30 web engines and 3 local engines) from 19 vendors took part in the project; some vendors have several engines. The list of the project's participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.
Altogether, 104 vulnerabilities were published in the mentioned engines, including Cross-Site Scripting (as XSS and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. This is without taking into account redirectors in search engines (altogether 23 redirectors were published).
Results of the project: 44 of the 104 vulnerabilities were fixed (without taking into account redirectors), that is 42.31% of vulnerabilities fixed. Owners of search engines have room for improvement in their engines' security.
Note that of all the search engine vendors only two (from 19 vendors of 33 search engines) thanked me for the time that I spent on them, for searching for vulnerabilities in their systems and for helping to improve their engines' security (these were Rambler and Ezilon). But all the other owners of search engines didn't even think (were lazy) to do that. That is very unethical on their side and they need to work on their ethics and culture."
UCD School of Medicine hacked
Posted 07/1/07 by Robert
"According to officials, 1,120 applicant records for the 2007-2008 class at the UC Davis School of Veterinary Medicine have been hacked, in what marks the first time an example of unauthorized access to the university's computer systems has been coupled with evidence of attempted fraud.
According to the university, the incident was discovered on June 15 when admitted students found that accounts had already been set up in their names. Subsequent investigation found that the hacker had accessed information including the names, birthdates and Social Security numbers of the victims in question.
In addition, the university suspects that information of 375 veterinary applicants from the 2004-2005 school year may have been illegally accessed.
Lieutenant John D. Johnson III, a member of the UC Davis Police force, said they received no reports of anyone using the stolen information.
"Anyone who has reason to believe that their information has been used unlawfully is encouraged to contact the UC Davis Police Department as soon as possible," Johnson said in an e-mail interview.
Currently, the UC Davis police force is working with the Sacramento Valley Hi-Tech Crimes Task Force to find the culprit."
Hacker Defaces Microsoft U.K. Web Page
Posted 06/29/07 by Robert
"A hacker managed a rare feat Wednesday, successfully attacking a Web page within Microsoft's U.K. domain and replacing the page with several graphics related to Saudi Arabia.
The hacked page was a U.K. events page here. It has since been fixed. According to the security site Zone-h, a attack is the likely culprit. Zone-h reported the hack methodology: "Most probably, the attacker exploited the site by means of SQL injection to insert the HTML code "" in a field belonging to the table which gets read every time a new page is generated." This would work on a page utilizing Microsoft's SQL Server. "
Is Web 2.0 Safe?
Posted 06/28/07 by Robert
I went to www.msn.com today and saw an article called 'Is Web 2.0 Safe?'. To my surprise it linked to an article where and were quoted. The fact that MSN is linking to web security related articles really speaks to the change of the industry.
"As users store more data online, hackers are finding ways to break into the new service sites. experts say the problems are deep-seated.
Samy Kamkar was really just trying to impress girls. Instead, he made Web hacking history.
Kamkar created what is considered the first Web 2.0 worm--a virulent bug that no firewall could block, and which ultimately forced MySpace.com to temporarily shut down. The Samy worm (named after Kamkar) was among the more prominent of a new generation of Web attacks that some security experts fear may slow the fast-evolving collaborative model of Internet development known as Web 2.0.
Kamkar was looking for a way to circumvent MySpace's content-posting restrictions to jazz up his profile when he found a bug that essentially allowed him to control the browser of anyone who visited his MySpace page. "A Chipotle burrito and a few clicks" later, Kamkar says, he created the fastest-spreading Web-based worm of all time.
Within 20 hours, the worm had spread to approximately 1 million MySpace users, forcing them to select Kamkar as their "hero" in their profile page. News Corporation, the site's owner, had to pull down MySpace to fix the problem, and Kamkar later received three years' probation in Los Angeles Superior Court. "
Microsoft Security Grunt voted #6 on Worst Jobs in Science 2007 by Popular Science
Posted 06/26/07 by Robert
Popular Science has voted 'Microsoft Security Grunt' as the 6th worst job in science to have.
"Do you flinch when your inbox dings? The people manning secure@microsoft.com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth's other products. It's tedious work. Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations). Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless. "
That is some funny shit right there :)
Rolling Reviews: Cenzic Hailstorm Enterprise Application Risk Controller
Posted 06/25/07 by Robert
First the and now Networkcomputing has posted the review for Cenzic's Hailstorm.
"We continue our ongoing review of Web application scanners with a look at Cenzic Hailstorm. While it performed relatively well, Cenzic's ARC Web Interface could use some gussying up.
Cenzic's Hailstorm Enterprise Application Risk Controller isn't what we'd call eye candy. Fortunately, this Rolling Review isn't a beauty contest: Ajax apps pose potentially ugly security risks, and we wanted scanners that go beyond finding flaws in conventional Web applications."
Quicken Backdoor Discovered
Posted 06/23/07 by Robert
"A Russian firm that provides password-recovery services says it has found a backdoor in the encryption mechanism that Quicken uses to secure password-protected files, a feature that makes millions of users of the personal finance program more vulnerable to government spooks or other highly determined snoops.
Elcomsoft, which made waves in 2001 after it circulated software that circumvented digital rights management protections in Adobe's eBooks, said the latest version of its Advanced Intuit Password Recovery product allows users to remove password protection from Quicken files."
Pixy - An Open-Source Vulnerability Scanner for PHP Applications
Posted 06/22/07 by Robert
"The Secure Systems Lab at the Technical University of Vienna has released the newest version of Pixy, an open-source vulnerability scanner. Here are some of the highlights:
- detection of SQL injection and XSS vulnerabilities in PHP source code
- automatic resolution of file inclusions
- computation of dependence graphs that help you understand the causes of reported vulnerabilities
- static analysis engine (flow-sensitive, interprocedural, context-sensitive)
- platform-independent (written in Java)
Pixy can be downloaded for free from . "
Designing a crypto attack on the Ccrp...
Posted 06/21/07 by Robert
Piotr Musial writes
"Ccrp was designed to be a highly secure private key encryptor for small files and messages, and uses bit-move logic as the primary means of "scrambling" the plaintext. Ccrp also uses a lookup table instead of a pseudorandom bit generator, and so to obtain good security with that method, the performance of the code is more on the order of a public key program than the private key types that people use for whole-disk encryption. (...)"
If you want to read more go to our site:
http://hakin9.org/en/haking/download.html"
As a reminder to our viewers: if you found something cool, please submit it and we'll post it if we agree.
Tools: sqlninja 0.1.2 released
Posted 06/21/07 by Robert
icesurfer writes
"Hello fellow security enthusiasts,
a new version of sqlninja is out at sourceforge!
Introduction
============
sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered. It is released under the GPLv2, it is written in perl and runs on Unix-like boxes.
You can find it, together with a flash demo of its features, at the address
What's new
==========
# Test mode, that checks whether the configuration is correct and the injection is successful
# Debug option, which allows to print SQL commands and raw HTTP request/response data. Useful when things are not working and you want to see what's going on under the hood
# Files are uploaded to %TEMP%, bypassing possible write restrictions
# A simplified way to configure the injection parameters
# Interactive config file generation
What's not so new
=================
# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
# Bruteforce of 'sa' password
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
Department of Homeland Security gets Pwned, and pwned, and pwned
Posted 06/21/07 by Robert
"The Homeland Security Department, the lead U.S. agency for fighting cyber threats, suffered more than 800 hacker break-ins, virus outbreaks and other computer security problems over two years, senior officials acknowledged to Congress.
In one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. The agency's headquarters sought forensic help from the department's own Security Operations Center and the U.S. Computer Emergency Readiness Team it operates with Carnegie Mellon University.
In other cases, computer workstations in the Coast Guard and the Transportation Security Administration were infected with malicious software detected trying to communicate with outsiders; laptops were discovered missing; and agency Web sites suffered break-ins."
New security breach revealed: Los Alamos National Labs
Posted 06/20/07 by Robert
"Reports of a major breach of security involving the board of directors of the corporation managing Los Alamos National Laboratory came to light Thursday.
The chairman of the House Energy and Commerce Committee that oversees the nuclear complex wrote to Energy Secretary Samuel Bodman citing information obtained by committee staff from sources outside the department.
The letter expressed concern that information about the breach, reported on Jan. 19, 2007, was withheld from the committee, despite two subcommittee hearings that were held in the meantime for the express purpose of investigating security practices at LANL.
Largely because of a series of security problems in the past, the contracts for LANL and its sister laboratory Lawrence Livermore National Laboratory were put out to bid. LANL's contract was awarded to Los Alamos National Security (LANS), LLC, which assumed responsibility on June 1, 2006.
"Apparently, open e-mail networks were used by several LANS officials to share classified information relating to the characteristics of nuclear material in nuclear weapons,"
Article Link:
Gangs infect 10,000 websites to steal users' bank details
Posted 06/20/07 by Robert
"Hackers have launched an assault on websites in Italy and around the world dubbed the Italian Job in a move seen by internet security experts as the next step in the escalating problem of cyber crime.
Gangs presumed to be based in eastern Europe have probably infected more than 10,000 web pages on popular websites including travel agents, hotels, charities and government departments. Most of the sites are in Italy, though the attack has also spread to Spain and the US.
Using an attack tool kit available for £350 on the internet from Russia, the attackers implanted codes that download a "keylogger" onto the computer of anyone opening up those sites. The keylogger allows the hackers to monitor any activity on the infected machine - in effect to control the computer. That gives them access to any bank details, credit card information or passwords that are entered."
Article Link:
Article: Secure file upload in PHP web applications
Posted 06/19/07 by Robert
A good article by Alla Bezroutchko has been published describing how to handle file uploads in PHP, specifically for sites dealing with image uploads. Check it out below.
Article Link:
Cenzic Patents the obvious: Fault Injection!
Posted 06/18/07 by Robert
I monitor Google News for anything application security related and found the following announced today by Cenzic.
"the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. , focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic
Cenzic is not the first application security scanner, for starters, so there is plenty of prior art already out there. I'm not sure how they are going to enforce their patent exactly. Reading further along:
"We are very pleased to receive this patent, which protects Cenzic's role as the only company that has patents on Fault Injection, a key component of all application security testing solutions. In the upcoming weeks, we'll be looking at other vendors in this space to understand the implications of this patent vis-à-vis the methodology used by these other players."
I wish Cenzic luck in trying to bully, errr, identify the implications for other vendors. If any vendor here is reading this, be sure to check out Web Bandit, written by Global Hell circa 1998. I don't recall the link, but it is available online somewhere. Here is an abstract of the patent.
"A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. The method may further include, receiving a feedback from the target to determine fault occurrence. An apparatus for testing a target in a network by fault injection, includes: a driver configured to generate patterns, where a pattern can generate a plurality of packets for transmission to the target, the pattern being represented by an expression with a literal string and a wild character class; and a network interface coupled to the driver and configured to transmit and receive network traffic. "
Under this patent QA tools would be in violation of this as well.
More information at the full patent text link below. All I can say is UGH. (Pokes his eye out)
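To make the abstract concrete, here is the method it describes reduced to a small harness, added here as an illustration and not code from Cenzic, from the patent, or from any scanner: a transaction baseline is defined, its order and structure are modified, a "pattern" made of a literal string plus a wildcard character class is expanded into several packets, each result is transmitted, and the feedback is classified. The target is a constructed in-process request parser that stands in for a system under test, so everything runs offline; the baseline values, mutation labels and the parser's fixed-size "host buffer" are all assumptions.

```python
from itertools import permutations

# Constructed baseline transaction: one well-formed HTTP-style request.
BASELINE = {
    "request_line": "POST /login HTTP/1.1",
    "headers": [
        ("Host", "app.example"),
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Content-Length", "22"),
    ],
    "body": "user=alice&password=pw",
}


def serialize(txn):
    """Render a transaction dict as the raw text the target reads."""
    lines = [txn["request_line"]] + [f"{name}: {value}" for name, value in txn["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n" + txn["body"]


def toy_target(raw):
    """Constructed target standing in for the system under test: a naive parser that
    returns an HTTP-like status and raises on input it was never written to handle."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")       # ValueError on a malformed request line
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)              # ValueError when the colon is missing
        headers[name.strip().lower()] = value.strip()
    if int(headers["content-length"]) != len(body):   # KeyError/ValueError if absent or non-numeric
        return 400
    if len(headers["host"]) > 64:                     # stands in for a fixed-size buffer (assumption)
        raise RuntimeError("host buffer overrun")
    return 200


def order_mutations(txn):
    """Keep every field of the baseline, change only the order of the header lines."""
    reordered = (p for p in permutations(txn["headers"]) if list(p) != txn["headers"])
    for i, perm in enumerate(reordered):
        yield f"order:{i}", serialize(dict(txn, headers=list(perm)))


def structure_mutations(txn):
    """Break the grammar: drop or duplicate a header, lose a colon, lose the body separator, truncate the body."""
    hdrs = txn["headers"]
    for i, (name, value) in enumerate(hdrs):
        yield f"drop:{name}", serialize(dict(txn, headers=hdrs[:i] + hdrs[i + 1:]))
        yield f"dup:{name}", serialize(dict(txn, headers=hdrs + [(name, value)]))
    yield "no-colon", serialize(txn).replace("Host: ", "Host ", 1)
    yield "no-separator", serialize(txn).replace("\r\n\r\n", "\r\n", 1)
    yield "short-body", serialize(dict(txn, body=txn["body"][:10]))


def expand_pattern(literal, wild_class, fill_lengths):
    """A pattern is a literal string followed by a wildcard character class; expanding it
    yields one value per requested fill length, cycling through the class."""
    return [literal + "".join(wild_class[i % len(wild_class)] for i in range(n)) for n in fill_lengths]


def pattern_mutations(txn):
    """Swap the Host value for pattern-generated strings of growing length."""
    for host in expand_pattern("app.", "abc", (8, 64, 256)):
        hdrs = [(n, host if n == "Host" else v) for n, v in txn["headers"]]
        yield f"pattern:host:{len(host)}", serialize(dict(txn, headers=hdrs))


def observe(target, raw):
    """Classify the feedback: 'ok', 'rejected' (a clean error status) or 'fault' (crash)."""
    try:
        status = target(raw)
    except Exception as exc:                          # any unhandled exception counts as a fault
        return "fault", type(exc).__name__
    return ("ok" if status == 200 else "rejected"), str(status)


def run_campaign(target, baseline):
    """Transmit every mutation to the target and record the feedback per mutation label."""
    return {label: observe(target, raw)
            for gen in (order_mutations, structure_mutations, pattern_mutations)
            for label, raw in gen(baseline)}


def faults(results):
    """Mutation labels whose feedback was a crash, sorted for stable reporting."""
    return sorted(label for label, (verdict, _) in results.items() if verdict == "fault")


if __name__ == "__main__":
    for label, (verdict, detail) in run_campaign(toy_target, BASELINE).items():
        print(f"{label:22} {verdict:8} {detail}")
```

Reordering the headers changes nothing for this parser, while dropping a header, removing a colon, losing the blank line before the body, or over-long pattern values all surface as crashes rather than clean 400 responses; that distinction between "rejected" and "fault" is the feedback step the abstract refers to, and it is the same loop any QA fuzzer runs, which is the point the post makes about prior art.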
Patent Full text:
Press Release Link:
Image attack on MySpace boosts phishing exposure
Posted 06/14/07 by Robert
"The number of page views garnered by fraudulent sites climbed by a factor of five in March and April, fueled by a phishing scheme targeting MySpace users, stated a Google analysis published on Monday.
The attack used a modification to the style sheet of a user's profile to place a transparent image over the page, causing a click on a link -- or anywhere else on the page -- to redirect the visitor to a fake MySpace login page, Colin Whittaker of Google's Anti-Phishing Team, stated on the search giant's security blog.
"The effectiveness of the attack and the increasing sophistication of the phishing pages, some of which were hosted on botnets and were near perfect duplications of MySpace's login page, meant that we needed to switch tactics to combat this new threat," Whittaker stated."
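The story describes the overlay only in outline (a style sheet change that floats an invisible element over the whole profile so every click lands on it). As an added illustration, not code from Google, MySpace or the story, here is a server-side heuristic that a site accepting user-supplied profile CSS could run before publishing a stylesheet: it flags rules that take an element out of the document flow, size it to the page, stack it above everything else, or make it invisible. The sample stylesheets, the selector names, the signal labels and the size thresholds are constructed assumptions.

```python
import re

# Constructed samples: an ordinary profile stylesheet and one carrying the
# overlay pattern the story describes (positioned, page-sized, stacked on top, invisible).
BENIGN_CSS = """
body { background: #fff; font-family: Verdana, sans-serif; }
a.profileLink { color: #06c; text-decoration: none; }
"""

OVERLAY_CSS = """
/* profile theme */
div.cover { position: absolute; top: 0; left: 0; width: 100%; height: 100%;
            z-index: 9999; opacity: 0; }
"""

RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)
LENGTH_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(px|%)")


def parse_rules(css):
    """Minimal CSS reader: returns (selector, {property: value}) pairs with comments removed.
    It only understands plain rules, which is all a profile stylesheet should need."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    rules = []
    for m in RULE_RE.finditer(css):
        decls = {}
        for decl in m.group(2).split(";"):
            if ":" in decl:
                prop, val = decl.split(":", 1)
                decls[prop.strip().lower()] = val.strip().lower()
        rules.append((m.group(1).strip(), decls))
    return rules


def _is_page_sized(value, threshold_px=800):
    """Assumed thresholds: 100% or more of the page, or at least threshold_px pixels."""
    m = LENGTH_RE.match(value)
    if not m:
        return False
    n, unit = float(m.group(1)), m.group(2)
    return n >= 100 if unit == "%" else n >= threshold_px


def _is_invisible(decls):
    """opacity: 0, or the legacy IE filter syntax alpha(opacity=0)."""
    try:
        if float(decls.get("opacity", "1")) == 0:
            return True
    except ValueError:
        pass
    return "opacity=0" in decls.get("filter", "").replace(" ", "")


def audit_stylesheet(css):
    """Return (selector, [signals]) for every rule that looks like a click-stealing overlay."""
    findings = []
    for selector, decls in parse_rules(css):
        signals = []
        positioned = decls.get("position") in ("absolute", "fixed")
        if positioned and any(_is_page_sized(decls.get(p, "")) for p in ("width", "height")):
            signals.append("covers-page")
        if _is_invisible(decls):
            signals.append("invisible")
        z = decls.get("z-index", "0")
        if z.lstrip("-").isdigit() and int(z) >= 1000:
            signals.append("high-z-index")
        if signals:
            findings.append((selector, signals))
    return findings


if __name__ == "__main__":
    print("benign :", audit_stylesheet(BENIGN_CSS))
    print("overlay:", audit_stylesheet(OVERLAY_CSS))
```

An overlay built from a transparent image gives no opacity signal at all, so "covers-page" together with "high-z-index" should on its own be enough to hold a stylesheet for review. A heuristic like this is a stopgap; the more robust design, as an assumption rather than anything the story reports, is to allow only a whitelist of cosmetic properties in user CSS and reject positioning and stacking properties outright.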
Article Link:
Ensuring Web application security during a company merger
Posted 06/14/07 by Robert
"When two organizations merge, it's certain that they will have different security philosophies, policies, technologies and requirements regarding Web application security. For example, an ecommerce site that allows customers to track order progress has to permit deeper access into the back-end system than one that merely generates an email once the order is completed. Change control could be another area of conflict if one organization has embraced blog and wiki technologies to communicate with employees and customers.
Because of each company's separate approaches and needs, a combined team from both organizations must be charged with assessing the new entity's risk exposure and setting targets for the merged Web security operation. "
Article Link:
Yahoo Hacker Uses Story to Find, Exploit Bug
Posted 06/12/07 by Robert
"Exploit code has hit the Internet for the critical flaws in Yahoo Messenger that could enable a remote hacker to take control of a user's system.
Yahoo Inc. was quick out of the gate and released a fix for the vulnerabilities last Friday, just two days after the flaws were publicly disclosed. The trouble is that Terrell Karlsten, a spokeswoman for Yahoo, apparently disclosed too much information about the bugs in an interview with InformationWeek.
And that information helped lead a hacker, who identifies himself only as "Danny," right to the flawed code. "
Article Link:
Sun JRE Vulnerabilities
Posted 06/12/07 by Robert
"A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet."
Article Link:
Two Universities Hit By Security Breaches
Posted 06/12/07 by Robert
"Two universities suffered security breaches that compromised the security of sensitive personal information on students and faculty.
Both the University of Iowa and the University of Virginia announced last Friday that they have been sending out notifications about the breaches.
The University of Virginia said its investigation has shown that on 54 separate days between May 20, 2005 and April 19, 2007, a hacker broke into the network and accessed the records of 5,735 faculty members. The school called in the FBI to work on the case alongside the university police and its IT workers. "
Article Link:
IIS 5.x Vuln Exploit released
Posted 06/11/07 by Robert
I just found out about this myself and hadn't seen any news on it, so I'm posting it here (better late than never!).
A vulnerability has been discovered in IIS5 that Microsoft apparently isn't going to fix, allowing an attacker to gain access to resources behind NTLM and Basic Auth. Microsoft is suggesting upgrading to IIS6 to address the issue.
From SANS:
"The exploit was discovered on December 15, 2006, and made public since the end of May 2007. The design of IIS 5.x allows bypassing basic authentication by using the hit highlight feature.
Microsoft's response seems to be a bit atypical for them as it includes a section on how to reproduce the exploit. In other words: Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around. And that patch is lacking. Their only defensive advice is to upgrade to IIS 6.0."
See the SANS site for alternative fix suggestions.
SANS Link:
Microsoft Link:
Advisory Link: