  • ‘Human error’ shuts down Google

    "THE world’s biggest internet search engine temporarily shut down today, leaving hundreds of millions of surfers stranded in cyberspace. Google broke down for forty minutes this afternoon, paralysing everything from internet-dating to people checking out the latest news. Anyone searching for a site using Google was blocked with the warning: “This site may harm your…

  • Microsoft Open Sources Web Sandbox

    Sacha Writes "Microsoft has announced plans to release the code of its Web Sandbox project under the open source Apache Software License. The Web Sandbox project aims to mitigate some of the security risks that are associated with building Web mashups that mix in untrusted content from third-party sources. The task of isolating untrusted code…

  • DEC ‘hacker’ questions McKinnon political bandwagon

    "Boris Johnson's outspoken defence of Gary McKinnon in his extradition fight has been criticised by a former security consultant, who complains he was denied such support when he himself was charged with hacking offences. Daniel Cuthbert was convicted in October 2005 of breaking the Computer Misuse Act by "hacking" into a tsunami appeal website…

  • IT admin plotted to erase Fannie Mae Data

    "A fired computer engineer for Fannie Mae has been arrested and charged with planting a malicious software script designed to permanently destroy millions of dollars worth of data from all 4,000 servers operated by the mortgage giant. Rajendrasinh Babubahai Makwana, 35, of Virginia, concealed the Unix script on Fannie Mae's main administrative server on October…

  • Hacking 4 Zombies

    “Transportation officials in Texas are scrambling to prevent hackers from changing messages on digital road signs after one sign in Austin was altered to read, “Zombies Ahead.” Chris Lippincott, director of media relations for the Texas Department of Transportation, confirmed that a portable traffic sign at Lamar Boulevard and West 15th Street, near the University…

  • Heartland Sniffer Hid In Unallocated Portion Of Disk

    "The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to…

  • Microsoft Fixes Clickjacking in IE8?

    "Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique — first detailed in mid-2008 by…

  • Web Application Scanners Comparison

    anantasec posted a scanner comparison to the web security mailing list today. "In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners. This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation. The applications (web scanners) included in this evaluation are: –…

  • Israeli Government Utilized SEO To Control Criticism

    "In what may prove to be one of the ways global conflicts are fought in the 21st century, Israel used search engine optimization (SEO) to halt the online backlash it was receiving during the recent conflict in Gaza. As well as some search engine optimization work (SEO) done by a Texas company for the Israeli…

  • BOFH-loving botmaster wants life as security consultant

    "An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge. The request for a minimum 60-month sentence, followed by five years of supervised release, came in the case…

  • OWASP interviews Gary McGraw

    Gary posted the following to the SC-L list today. "hi sc-l, OWASP just posted an interview with me as part of their budding podcast series. It's nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It's also nice to be able to answer some of the questions that…

  • Solving CAPTCHA with HTML5 canvas, JavaScript and neural network

    Solving CAPTCHA with neural networks is not new; this is actually a glorified OCR… What is new, is to do it in JavaScript using the new HTML5 canvas capabilities and pre-calibrated neural network. John Resig, creator of jQuery, analyzes a very neat piece of GreaseMonkey script which cracks CAPTCHA using new client-side technologies: “A pretty…

  • Monster.com: yet another breach

    Monster.com has recently experienced yet another breach. "As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs…

  • Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story

    "A widely-circulated URL which points to an image that purports to be a Wired.com story about Steve Jobs' health is a hack job. We won't provide the URL here, but the Twitterverse quickly surmised that the item was not correct. As have Mashable and Gizmodo. I've written a number of stories about Jobs' health hoaxes…

  • Security metrics on flaws detected during architectural review?

    I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics involve issues discovered…

  • PCI Is Meaningless, But We Still Need It

    There's a good rant at informationweek on PCI. "The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing. The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering on PCI won't eventually…

  • British hacker gang ‘tried to steal £229m from Japanese bank’

    "A six-strong hacker gang attempted to plunder £229million from a Japanese bank in an audacious high-tech scam, a court heard. A crooked security guard at Japanese bank Sumitomo Mitsui let alleged computer hackers into the building in the dead of night where they installed spy software on computers used for multi-million pound cash transfers, the…

  • New Website Changes

    Some of you may have noticed the changes this site has undergone in the past 2 months. Here's a rundown of the new additions. – New site design – RSS feeds with partial story content – ATOM Feeds have been added – News content archived on a per month basis – User comments on a per story…

  • Payment Processor Breach May Be Largest Ever

    The Washington Post reports today a new breach: "A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, the company said today." More info on the article.

  • Single drive wipe protects data, research finds

    An article at securityfocus claims a single drive wipe is enough to prevent electron microscopes from recovering drive data. "A computer forensics specialist has a message for security-minded computer users: A single wipe will make drives impossible to read. In research published on Thursday, auditor Craig Wright tested the ability of a special type of…

  • Site Migration To New Hoster

    I am migrating this site to a new hoster, so you may notice some strangeness on the site in the next day (including the site not working). Additionally, the RSS feed, which currently points to cgisecurity.net, will change to cgisecurity.com, so you may see double entries in your RSS reader.

  • What is HTML Injection?

    HTML Injection refers to injecting HTML code into a web server's response to alter the content shown to the end user. This is also known as Cross Site Scripting. See ‘Cross Site Scripting’ What is Cross Site Scripting?

  • What is a CGI Scanner?

    “Automated security program that searches for well-known vulnerabilities in web servers and off-the-shelf web application software. Often CGI Scanners are not very “stateful” in their analysis and only test a series of HTTP requests against known CGI strings” – Web Application Security Consortium Glossary CGI Scanners are very simple tools which look for common CGIs or…

  • What is a Web Application Security Scanner?

    “Web Application Vulnerability Scanner: An automated security program that searches for software vulnerabilities within web applications.” – Web Application Security Consortium Glossary Web Application Security Scanners will check a website’s applications for common security problems such as Cross Site Scripting, SQL Injection, Directory Traversal, Misconfigurations, and remote command execution vulnerabilities. Typically Web Application Security scanners…

  • What is a Web Application Firewall?

    “An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack.” – Web Application Security Consortium Glossary Standard firewalls are designed to restrict access to certain ports, or…