-
Researcher barred for demoing ATM security vuln
"A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby Jack at the request of…
-
Masked passwords must go?
"Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They say the practice…
-
Blind Hacker Sentenced to 11 Years in Prison
"A legally blind Massachusetts phone hacker was sentenced Friday to over 11 years in federal prison, following his guilty plea on computer intrusion and witness intimidation charges earlier this year. Matthew Weigman, 19, was sentenced in Dallas by U.S. District Judge Barbara M.G. Lynn, according to the U.S. Attorney’s Office there. There is no parole…
-
Max Vision Pleads Guilty To Wire Fraud/Carding
"A San Francisco man pleaded guilty today in Pittsburgh this afternoon to federal charges of hacking into computer systems of financial institutions and other hackers to steal nearly 2 million credit card numbers, which were used to rack up more than $86 million in fraudulent charges. Max Ray Vision, formerly Max Ray Butler, pleaded guilty…
-
Generic Remote File Inclusion Attack Detection
"A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially PHP applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to force an…
-
Session Attacks and ASP.NET – Part 2
"In Session Attacks and ASP.NET – Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET’s session architecture and authentication architecture. In this post, I’ll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures." Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/
-
FTP login credentials at major corporations breached
"A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee. According to a report in the Friday edition of The Register, Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K., discovered a site where…
-
Article: The Problem of “Too Many Problems”
Rafal has a good post on the challenges security folks/SDL folks have when presenting their findings to business folks. "The presentation the next day kicked off as expected… we presented our executive summary, the methodology of our product validation and moved on to the specific findings. In this case, since there was so much wrong…
-
Google Chrome Fixes Buffer Overflow Vulnerability
"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs.
CVE-2009-2121: Buffer overflow processing HTTP responses
Google Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could crash the browser and possibly…
-
Iran accuses CNN of training hackers to launch DDOS attacks
"Iran's foreign ministry spokesman accused the cable network CNN of "officially" training people to "hack government and foreign ministry" websites on Monday, citing a CNN.com article that explained how hackers were launching distributed denial-of-service (DDOS) attacks on Iranian government sites. "They officially trained the people to come and hack Iran's government websites," spokesman Hassan Qashqavi…
-
Browser Security: Lessons from Google Chrome
An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security challenge: malicious Web-site…
-
Stephen Watt/JimJones/Unix Terrorist to be Sentenced Monday
Original Photo (c) from sensepost, butchered by cgisecurity. Watt (also known as Unix Terrorist and JimJones) pictured far right during a Defcon talk (video available). “Watt, a 7-foot-tall software engineer who was working for Morgan Stanley at the time the hacks occurred, pleaded guilty in December to creating a sniffing program dubbed “blabla” that Gonzalez…
-
Session Attacks and ASP.NET – Part 1
SANS has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t looked at 4.0 beta…
-
Hacker cracks TinyURL rival, redirects millions of Twitter users
"A URL-shortening service that condenses long Web addresses for use on micro-blogging sites like Twitter was hacked over the weekend, sending millions of users to an unintended destination, a security researcher said today. After Cligs, a rival to the better known TinyURL and bit.ly shortening services, was attacked Sunday, more than 2.2 million Web addresses…
-
Article: ‘Setting the appropriate security defect handling expectations in development and QA’
I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather difficult task. As…
-
Phrack 66 is out!
Introduction - TCLH
Phrack Prophile on The PaX Team - TCLH
Phrack World News - TCLH
Abusing the Objective C runtime - nemo
Backdooring Juniper Firewalls - Graeme
Exploiting DLmalloc frees in 2009 - huku
Persistent BIOS infection - aLS and Alfredo
Exploiting UMA : FreeBSD kernel heap exploits - argp and karl
Exploiting TCP Persist Timer Infiniteness - ithilgore
Malloc Des-Maleficarum - blackngel
A…
-
SHA-1 collisions achievable
"The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 2^63, the researchers have been able to whittle that down to 2^52, a number that puts practical attacks well within grasp…
-
Microsoft Security Bulletin Summary for June 2009
Patch Tuesday is here again. Here's the rundown of what was fixed.
MS09-018 Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows…
-
New paper by Amit Klein (Trusteer) – Temporary user tracking in major browsers and Cross-domain information leakage and attacks
Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage and cross-domain attacks are…
-
100,000 sites deleted in hack, software company boss commits suicide
"The boss of Indian software firm LxLabs was found dead in a suspected suicide on Monday. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM, a virtualization application made by LxLabs, to wipe out data on 100,000 sites hosted by the UK…
-
T-Mobile confirms hackers’ info is legit
"The information posted over the weekend by hackers who claimed to have hacked T-Mobile is legit, T-Mobile now says. But, it's not clear that the hackers have the full access to T-Mobile systems they claim. On Saturday, hackers posted what appear to be logfiles taken from T-Mobile's networks to the Full Disclosure mailing list, claiming…
-
When XSS can cost you $10,000
"Did you hear the one about the hacker-free e-mail service that was so confident about its enhanced security measure that it offered up $10,000 to anyone who could hack into it? It got hacked. Here’s the part that’s really crazy, though. There was initially some question as to whether or not the team of three…
-
Astalavista.com hacked
"For those who don't know of Astalavista, it was a popular website for "hackers" with relatively low-quality content. It started in 1994, and was one of the first search engines for computer security information. It hosted software exploits, and quickly degenerated into a forum for sharing software cracks, spyware, and virii. Yes man, the historical…
-
PayPal Software Security Podcast
Gary McGraw posted the following to the secure coding mailing list today. "Episode 6 of the Reality Check security podcast features our own Andy Steingruebl chatting with me about PayPal's software security initiative. This was a fun episode for me, because though I have known Andy for a while I had little insight into his…
-
Report: Mass Injection Attack Affects 40,000 Websites
"Researchers at Websense have discovered a mass injection attack that is redirecting Web browsers to a malware-bearing site. According to a weekend report by researchers at Websense, thousands of legitimate Web sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site. "The active exploit site uses…