-
Iran accuses CNN of training hackers to launch DDOS attacks
"Iran's foreign ministry spokesman accused the cable network CNN of "officially" training people to "hack government and foreign ministry" websites on Monday, citing a CNN.com article that explained how hackers were launching distributed denial-of-service (DDOS) attacks on Iranian government sites. "They officially trained the people to come and hack Iran's government websites," spokesman Hassan Qashqavi…
-
Hacker cracks TinyURL rival, redirects millions of Twitter users
"A URL-shortening service that condenses long Web addresses for use on micro-blogging sites like Twitter was hacked over the weekend, sending millions of users to an unintended destination, a security researcher said today. After Cligs, a rival to the better known TinyURL and bit.ly shortening services, was attacked Sunday, more than 2.2 million Web addresses…
-
When XSS can cost you $10,000
"Did you hear the one about the hacker-free e-mail service that was so confident about its enhanced security measure that it offered up $10,000 to anyone who could hack into it? It got hacked. Here’s the part that’s really crazy, though. There was initially some question as to whether or not the team of three…
-
Astalavista.com hacked
"For those who don't know of Astalavista, it was a popular website for "hackers" with relatively low-quality content. It started in 1994, and was one of the first search engines for computer security information. It hosted software exploits, and quickly degenerated into a forum for sharing software cracks, spyware, and virii. Yes man, the historical…
-
Avsim Flight simulation site deleted by hacker, no backups….
"The site, which launched in 1996, covered all aspects of flight simulation, although its main focus was on Microsoft's Flight Simulator. The attack took down the site's two servers and the owners had not established an external backup system. The site's founder, Tom Allensworth, said that the site would be down for the foreseeable future…
-
Thousands of Vulnerabilities Detected In FAA’s Air Traffic Control Apps
"A government audit (PDF) has pinpointed more than 3,800 vulnerabilities — 763 of which are high-risk — in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk. The U.S. Department of Transportation report, with the help of auditors from KPMG, determined that the ATC's…
-
McAfee site vulnerable to xss
"McAfee, widely recognized as one of the leading providers of online security software for both home and business, appears to be struggling to secure its own Web sites, which at the time of writing this post, allow anyone with enough tech savvy to covertly do whatever they want on, and with, the site. During tests…
-
Twitter hacked again….
Twitter has been hacked again and had it's administrative panel (which shouldn't be web accessible) breached. "This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed…
-
Amazon CSRF “hack” in detail?
UPDATE: According to an updated Wired news story this is a sham and no hacker was involved. RSnake recently posted an entry linking to the write up on how a Cross-Site Request Forgery flaw in amazon was used to get Gay and Lesbian books banned from amazon's site via their reputation system. From the person…
-
Two XSS Worms Slam Twitter
UPDATE: F-Secure has posted more detailed information. "Some 24 hours after a worm spread advertising on Twitter, the popular social networking website, a second worm emerged on Sunday. Both worms appear to be created by Mikeyy Mooney, a 17-year-old from Brooklyn, New York. The first worm emerged on Saturday when Twitter profiles began posting messages…
-
Netcraft confirms lynx growing in popularity due to browser security flaws
Netcraft firms that Lynx is gaining popularity due to the increase in browser security bugs. "Netcraft has observed a surge in popularity of the Lynx browser, particularly since the recent Pwn2Own competition, which was held at the CanSecWest conference in Vancouver last month. During the course of the competition, security researchers once again exposed fresh…
-
Metasploit shut down by FBI and DHS
After viewing the metasploit site this morning it appears the FBI and DHS has shut it down. According to sources HD Moore is on the run somewhere in Mexico.
-
Announcing month of new security buzzwords
In the tradition of Month of Bugs we’re pleased to announce the month of security buzzwords, complete with abbreviations. #1 Remote Command Injection (RCI) #2 Remote Filestream Inclusion (RFSI) #3 Cam Jacking (CJ) #4 Cross-Port Request Forgery (XPRF) #5 Cross-Site Fixation (XSF) #6 HTTP Gerbiling (HTTP-Gerbil) #7 Host Request Splitting (HRS) #8 Double Credential Reflection…
-
New cert program for Application Security Specialists
A new certification program has just been launched, and is brought to you by the same people who brought us ScanLessPCI “The Institute is the industry’s leading authority for Certified ASS’s. Our curriculum complies with the highest industry standards while still reflecting the operational realities of securing applications in the modern enterprise. For far too…
-
Browsers hacked in seconds in Pwn2Own contest
"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more than a year…
-
BBC cybercrime probe backfires
"The BBC hacked into 22,000 computers as part of an investigation into cybercrime but the move quickly backfired, with legal experts claiming the broadcaster broke the law and security gurus saying the experiment went too far. The technology show Click acquired a network of 22,000 hijacked computers – known as a botnet – and ordered…
-
Proxy Attack Stupid Buzzword Contest
I just released a paper on an attack vector against certain transparent proxy architectures via the use of client side plugins with sockets support. If you've been reading this site for awhile you can probably tell that I frown upon new industry buzzwords and often make fun of new silly sounding terms. Rather than selecting…
-
FRHack threatens to sue person using screenshots to criticize them?
I found the following post fairly amusing and had to link it here. "A few days ago I complained about the incredibly awkward IT Security Girl of the Year award that will be dished out later this year at the French IT security conference FRHACK. Apparently the FRHACK organizers did not like what I wrote…
-
Wikileaks Accidentially Leaks Its Donor List
"What's Wikileaks, the net's foremost document leaking site, supposed to do when a whistle-blower submits a list of email addresses belonging to the site's confidential donors as a leaked document? That's exactly the conundrum Wikileaks faced this week after someone from the controversial whistle-blowing site sent an emergency fund-raising appeal on Saturday to previous donors.…
-
Top-10 Vulnerability Discoverers of All Time (as well as 2008)
"Who discovers the most security vulnerabilities? That’s one of the more frequent questions I’ve encountered over the past few years. Funnily enough there’s usually a high correlation between the timing of my being asked and the latest marketing blitzkrieg customers may have encountered (not from IBM of course). It seems that every major (and not-so-major)…
-
Defacement archive Zone-h gets defaced
"Defacement archive Zone-h.org has itself been defaced. The hack – claimed in the names of Cyber-Terrorist, HeLL cYbEr, and Jurm – involved posting a link to a YouTube video and dancing babies on the site's altered home page. The Arab language video, featuring an ad promoting nappies, replaced the site's usual content of information security…
-
F-Secure Hacked Via XSS, SQL injection
"A Romanian hacker site said on Wednesday it was able to breach the website of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week. F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately,…
-
Security Vendor Kasperky Hacked Via SQL Injection
A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users,…
-
Attacker flaunts details of phpBB hack
"In a post on Blogger on Saturday, a person who claims to have breached the Web site of open-source online community software phpBB gave a detailed account of how he did it. Using a vulnerability in PHPlist publicly disclosed on January 14, the attacker gained access to the password and configuration files for the server,…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack