-
Inside Safari 3.2’s anti-phishing features
An article over at Macworld discusses the anti-phishing features in the new Safari. "The release of Safari 3.2 on November 13 displayed Apple’s penchant for cryptic release notes, as the company describes all three versions as featuring “protection from fraudulent phishing Web sites.” Let's decode that for you: Safari 3.2 offers an entirely new…
-
Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations
David Litchfield has published a new tool and paper on Oracle database forensics. From his email to the Websecurity mailing list: "I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file – i.e. there's no need to…
-
Article: What the NSA thinks of .NET 2.0 Security
Romain Gaucher posted to the SC-L mailing list that the NSA has published a massive 298-page unclassified document on .NET 2.0 security. From the introduction: "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place some of the configuration options…
-
Automated security testing & its limitations
"The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)… A good tester should know the weaknesses of the automated testers.. The problem with automated testers, is, simply put, they are not human. That is they will not have intuition that a given function in a website…
-
Metasploit Framework 3.2 Released
"Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 — The Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and…
-
Microsoft to offer free Antivirus
"Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker extend its footprint in…
-
Understanding How to Use the Microsoft’s Exploitability Index
"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment process. The Exploitability Index…
-
Integrity-178B Secure OS Gets Highest NSA Rating, Goes Commercial
"An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company had spun off a…
-
MS explains 7-year patch delay
"Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult of the Dead Cow…
-
Firefox 3.0.4 Released to address multiple security flaws
A handful of security vulnerabilities have been fixed in the latest version of Firefox. Fixed in Firefox 3.0.4: MFSA 2008-58 Parsing error in E4X default namespace; MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals; MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation; MFSA 2008-55 Crash and remote code execution in nsFrameManager; MFSA…
-
.NET Framework rootkits – backdoors inside your framework
"The paper introduces a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core. It covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it’s supposed to do. Code reviews will not detect backdoors…
-
DNS inventor blames wrangling for insecure interweb
"DNSSec (Domain Name System Security Extension), which uses digital signatures to guard against forged requests, offers a means of making internet naming systems more secure. But even 15 years after the standard was developed its adoption remains low. Mockapetris blames problems in making the technology easy to deploy, delays in developing DNSSec-aware apps, and political…
-
Visa Card Features Buttons and Screen to Generate CCV Dynamically
A co-worker sent me this link yesterday afternoon. "Using what appears to be Visa’s mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways. Those who copy down…
-
WoW users targeted in mass site hack
"Kaspersky reports that the crackers are adding a JavaScript tag to the html of hacked sites. This causes surfers visiting the site to pull content from one of six gateway sites, which redirect to a server hosting malware located in China. A range of exploits are hosted on this site designed to take advantage of…
-
Google Android Phone passes typed content into rootshell!
"With the news that Google’s Android shipped with an embarrassing security hole being followed by a simple two-step method to ‘jailbreak’ the OS, you’d think that the company had ironed out most of the remaining bugs – but you’d be wrong. According to ZDnet‘s Ed Burnette, the open-source Linux-based smartphone platform recently shipped in T-Mobile’s…
-
Phishing and Security
Below is a list of phishing resources I’ve gathered and decided to keep in one central location. If I’m missing a link, please let me know by filling out our Contact Form. Sites: Anti-Phishing Working Group "Our mission is to provide a resource for information on the problem and solutions for phishing and…
-
.NET (dotnet) Security
Code Security and Cracking: Building Security Awareness in .NET Assemblies : Part 1 – Learn to break a .NET Assembly Building Security Awareness in .NET Assemblies : Part 2 – Learn to protect your .NET assemblies from being tampered Building Security Awareness in .NET Assemblies : Part 3 – Learn to break Strong Name .NET…
-
XML Security
Misc: Guide to XML Web Services Security (PDF) Getting Started with XML Security, November – 28 – 2002 Enabling XML security: An introduction to XML encryption and XML signature, September 2001 Exploring XML Encryption, Part 1: Demonstrating the secure exchange of structured data, March 2002 Exploring XML Encryption, Part 2: Implement an XML Encryption engine,…
-
Java Security
Sun stuff: Sun j2EE Building Biometric Authentication for J2EE, Web, and Enterprise Applications Sun Java 2 Platform Enterprise Edition Specification, v1.3 Java Security API Chronology of security-related bugs and issues, 11/19/02 Low Level Security in Java Java Security FAQ Java security articles: Patterns-Driven Security Design for J2EE Applications and Web Services Security Patterns for J2EE…
-
XUL Browser Overlay Demo
"There is no Data, there is only XUL" How this POC works 1. Fires up a new window with my copy of browser.xul modified (This file is sitting on attacker.com) 2. Utilizes the XUL skin to emulate what your browser looks like (nothing more!). 3. Hooks certain js events in XUL skin to perform actions…
-
Application Firewalls
Apache Mod_Security IIS URL Scan
-
Browser Security
News Firefox Zero-Day Code Execution Hoax? Browser Cache: Goodies For Hackers, internetnews Microsoft Defends IE 7’s RSS Security Browser Security News (http://www.browsersecuritynews.com) eWeek Browser Security Section Tools, Downloads and Online Tools Online Browser Security Tester Jasons Browser Security Tests Internet Explorer High Encryption Pack Browser Fun Security Blog and tools Browser Vendor Websites (Get security…
-
BEA Weblogic Security
Bea Documentation: Weblogic Vendor Page Official Vendor Security Advisories Introduction to WebLogic Security, BEA Managing WebLogic Security, BEA BEA WebLogic Security Framework: Working with Your Security Eco-System (PDF) WebLogic Server 7.0 Security,BEA WebLogic Web Services Security – A Look Under the Hood, BEA Programming WebLogic Security Locking Down a Production Environment Developing Security Providers for…
-
IBM Websphere Security
IBM resources: IBM WebSphere V5.0 Security: WebSphere Handbook Series, 2002 (PDF) (9 megs) (HTML) IBM WebSphere V4.0 Advanced Edition Security (PDF) (HTML) Security Cache properties: WebSphere Application Server IBM WebSphere Advisory information Known security issues Considerations when developing custom macros General security considerations Misc: WebSphere Production Administration and Security Cross Platform Security using IBM’s WebSphere; take…