-
2009 Security Predictions Collection
I've been collecting a list of security predictions for 2009 that people on this list may find 'interesting'. Here they are:

- Opinion: Security predictions for 2009
  http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124621&source=rss_news
- 2009 Security Predictions
  http://www.sans.edu/resources/securitylab/2009_predictions.php
- Security predictions for 2009
  http://www.itworld.com/security/59948/security-predictions-2009
- 10 Security Predictions For 2009
  http://www.crn.com/security/212201985
- The 2009 Security Prediction Prediction List
  http://blogs.gartner.com/greg_young/2008/12/19/the-2009-security-prediction-prediction-list/
- 2009 security predictions: Deja vu all over again
  http://www.infoworld.com/article/08/12/31/2009_security_predictions_Deja_vu_all_over_again_1.html
- 2009 – my security…
-
Computerworld Security predictions for 2009
"My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should happen. As always, take these with a grain of salt. Though these predictions are based on primary research and many, many discussions with chief security officers, they concern information security only…
-
MS08-067 Worm on the Loose
DShield has published a report of a new MS08-067 worm spreading. "It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force…
-
Thunderbird 2.0.0.19 Released With Security Fixes
- MFSA 2008-60 – Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
- MFSA 2008-61 – Information stealing via loadBindingDocument
- MFSA 2008-64 – XMLHttpRequest 302 response disclosure
- MFSA 2008-65 – Cross-domain data theft via script redirect error message
- MFSA 2008-66 – Errors parsing URLs with leading whitespace and control characters
- MFSA 2008-67 – Escaped null characters ignored…
-
Hundreds of Israeli Websites Hacked in ‘Propaganda War’
"It didn't take long after Israel's bombing of Gaza began for cyberwarfare to erupt as well: over 300 Israeli Websites over the past few days have been hacked and defaced with anti-Israeli and anti-US messages in an online propaganda campaign, a security expert says. Gary Warner, director of research in computer forensics at the University…
-
Facebook, MySpace, Digg, and Ning Discuss Their Architectures
"Facebook, MySpace, Digg and Ning recently shared their trials and tribulations at the QCon conference in San Francisco, California. Dan Farino, chief systems architect at MySpace.com, said his site started with a very small architecture and scaled out. He focused on monitoring and administration on a Windows network and the challenge of keeping the system…
-
OWASP releases Application Security Verification Standard for developers, security pros, and buyers
"Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS). Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial and workable open standard…
-
MD5 considered harmful today: Creating a rogue CA certificate
UPDATE: I’ve added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. “We have identified a vulnerability in the Internet Public Key…
-
Scammers Use Microsoft and IRS Open Redirects To Deploy Malware
"There is a new technique for luring unsuspecting users into installing viruses on their systems. Criminals will use a combination of Search Engine Optimization (SEO) techniques and common redirects that can be found on Microsoft.com and the IRS.gov websites. Here is how it works. When users are on the IRS website and click on an…
-
FBI issues code cracking challenge
"The FBI today challenged anyone in the online community to break a cipher code on its site. The code was created by FBI cryptanalysts. The bureau invited hackers to a similar code-cracking challenge last year and got tens of thousands of responses it said. A number of sites host such cipher challenges, including this one…
-
CastleCops Shuts Down
"In a blow to anti-phishing efforts, the famed CastleCops organization dedicated to fighting spam and phishing quietly shuttered its site last week. The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites. CastleCops itself was also a constant target of distributed denial-of-service attacks and…
-
It’s unanimous, Web application security has arrived
Jeremiah Grossman has posted an entry discussing the various security reports and how they are labeling web application security as a primary concern. "It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe,…
-
Top 9 Network Security Threats in 2009
"Malware, especially from compromised web sites, was a huge issue in 2008. Many legitimate sites such as MSNBC.com, History.com, ZDNet.com and many others suffered compromises, in some cases for days. Unlike the past, the sites looked normal, but unsuspecting web surfers with vulnerable systems were exploited when they visited these sites. Search engines were used,…
-
Top 5 cybersecurity news stories of 2008
"Data breaches continued to make their very public mark on cybersecurity news in 2008. And this time it wasn't TJX making headlines. Despite being PCI compliant, Hannaford Brothers supermarkets announced that 4.2 million credit and debit card numbers were pilfered from its servers. We also learned in 2008 that attackers aren't necessarily becoming more sophisticated.…
-
Fixing Both Missing HTTPOnly and Secure Cookie Flags with modsecurity
Ryan Barnett has posted an entry on using ModSecurity to identify sessions that are missing the HTTPOnly and Secure cookie flags. "In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish the same thing but…
-
OllyDbg Version 2.0 – Beta 1 Released
"The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much faster than the full-speed…
-
Are amateur genetic engineers dangerous?
I came across an interesting article discussing the dangers of amateur genetic engineers. "A group of so-called “bio-hackers” is setting up a community laboratory called DIYbio in Cambridge, MA. They want to provide publicly available lab space to budding amateur bio-engineers that need equipment and experiment space for their projects. The project was co-founded by…
-
State Bank of India shuts down website after hackers break in
"The State Bank of India, the country’s largest bank, has had to shut down its corporate website after overseas hackers tried to break in. While the bank said that transactions took place through http://www.onlinesbi.com, a senior SBI source said that the transactions were slow as the entire system was under watch. The country’s largest bank…
-
Zero-Day SQL Server Flaw Could Allow Remote Code Execution
"Microsoft is warning users of a zero-day vulnerability discovered in SQL Server, and that exploits of the flaw have already been published. The software giant yesterday issued a security advisory outlining a flaw that could allow remote code execution on many versions of SQL Server. The company has not had time to develop a patch,…
-
One Hacker’s Audacious Plan to Rule the Black Market in Stolen Credit Cards
"The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some fans, but they didn't…
-
MS08-078 and the SDL
Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it. "Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry for this bug…
-
Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people — and it is only the tip of the iceberg, they say. Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say the actual number…
-
Book Review of “Apache Security”
By Robert Auger
Author: Ivan Ristic
Pages: 432
Publisher: O’Reilly (March 15, 2005)
ISBN: 0596007248
Price: $34.95

Intro
This book was written by Ivan Ristic, the author of the popular Apache web application firewall module mod_security. Naturally this book does discuss how to use mod_security to harden your system, but I’m happy to report it…
-
Challenges faced by automated web application security assessment tools
By Robert Auger (11/11/2006)

Introduction
There are many challenges that web application security scanners face which are widely known within the industry but may not be so obvious to someone evaluating a product. For starters, if you think you can just download, install, and run a…
-
Anatomy of the Web Application Worm
Disclaimer: This paper is meant for educational use only and should not be used to create, modify, or produce anything that may damage, or could assist in damaging, a computer or network. This paper is theoretical and was not written to give people ideas on creating internet worms, but instead to make them aware of the dangers worms produce,…