-
Hacking 4 Zombies
“Transportation officials in Texas are scrambling to prevent hackers from changing messages on digital road signs after one sign in Austin was altered to read, “Zombies Ahead.” Chris Lippincott, director of media relations for the Texas Department of Transportation, confirmed that a portable traffic sign at Lamar Boulevard and West 15th Street, near the University…
-
Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story
"A widely-circulated URL which points to an image that purports to be a Wired.com story about Steve Jobs' health is a hack job. We won't provide the URL here, but the Twitterverse quickly surmised that the item was not correct. As have Mashable and Gizmodo. I've written a number of stories about Jobs' health hoaxes…
-
How to Suck at Information Security
Lenny Zeltser from DShield has posted an amusing list of ways to suck at information security, broken up in the following categories: Security Policy and Compliance, Security Tools, Risk Management, Security Practices, and Password Management. Here's a snippet: "Security Tools Deploy a security product out of the box without tuning it. Tune the IDS to be…
-
Hackers Post Faked Report of Steve Jobs’s Death
"MacRumors, one of the many sites which cover Apple's annual Macworld product launches, has had its live coverage infiltrated, with someone adding the false news of Steve Jobs's death to the blow-by-blow reports." Here's the very amusing screenshot of the incident: http://cache.gawker.com/assets/images/gawker/2009/01/macrumorshacked.jpg
Read more: http://valleywag.gawker.com/5124580/hackers-post-faked-report-of-steve-jobss-death
-
Twitter Security Collapses; Obama, Fox and Britney Accounts Hacked
From Twitter's blog: "The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when…
-
2009 Security Predictions Collection
I've been collecting a list of security predictions for 2009 that people on this list may find 'interesting'. Here they are:
Opinion: Security predictions for 2009 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124621&source=rss_news
2009 Security Predictions http://www.sans.edu/resources/securitylab/2009_predictions.php
Security predictions for 2009 http://www.itworld.com/security/59948/security-predictions-2009
10 Security Predictions For 2009 http://www.crn.com/security/212201985
The 2009 Security Prediction Prediction List http://blogs.gartner.com/greg_young/2008/12/19/the-2009-security-prediction-prediction-list/
2009 security predictions: Deja vu all over again http://www.infoworld.com/article/08/12/31/2009_security_predictions_Deja_vu_all_over_again_1.html
2009 – my security…
-
College students rig Victoria's Secret online contest
"At Drexel University and a handful of other colleges, students created computer scripts to sway the contest—an online vote to nominate a university to receive its own clothing line—in their campuses’ favor. Tim Plunkett, a junior at Drexel, created a script that could cast 1,500 votes per second, according to The Daily Pennsylvanian, the University…
-
Google Android Phone passes typed content into rootshell!
"With the news that Google’s Android shipped with an embarrassing security hole being followed by a simple two-step method to ‘jailbreak’ the OS, you’d think that the company had ironed out most of the remaining bugs – but you’d be wrong. According to ZDnet’s Ed Burnette, the open-source Linux-based smartphone platform recently shipped in T-Mobile’s…
-
Protecting a Web Application Against Attacks Through HTML Shared Files
A new whitepaper, ‘Protecting a Web Application Against Attacks Through HTML Shared Files’, discusses the risks of user-uploaded HTML files. You’ll notice this paper claims to have a ‘patent pending’ for the concept of splitting user-uploaded files to another domain with a unique identifier. "Many Web applications have a file-sharing feature that allows…
-
NASA hacker releases MySpace song
"Pentagon hacker Gary McKinnon has stormed into the Myspace charts with a music video about his empathy for a girl with the world on her shoulders. Called Only a fool, and owing something to soulful house boys Cabaret Voltaire, the song reached number five in the myspace video chart within 48 hours of being posted.…
-
Kevin Mitnick Detained in Atlanta for having computer equipment on flight
If you know me you know I don’t like Atlanta and have many reasons (which I won’t go into here). I have another one to add to this list after reading a story about Kevin Mitnick being detained for having lots of computer equipment with him. "In his luggage, they found a MacBook Pro, a…
-
Humor: Worldwide SQL Protocol Advisory
The Full Disclosure mailing list is usually 95% junk, but every once in a while an amusing/informative post gets through. Today an amusing post came through regarding a ‘Worldwide SQL Protocol Advisory’. That’s not to say this post isn’t junk, but I found it amusing 🙂 Here’s a peek: "II. Problem description The problem exists with…
-
DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer
"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit…
-
Cool hack: Man exploits random deposit verification flows to steal $50,000
"A California man has been indicted for an inventive scheme that allegedly siphoned $50,000 from online brokerage houses E-trade and Schwab.com in six months — a few pennies at a time. Michael Largent, of Plumas Lake, California, allegedly exploited a loophole in a common procedure both companies follow when a customer links his brokerage account…
-
Hacked: Turning a women’s fashion website into a porn site
"HACKERS have turned a bitchy blog about the world of women's magazines into a porn site. The blog by a mystery woman who calls herself “MagHag” has become a must-read for industry insiders, due to its salacious gossip about the editors of Madison, Vogue, Harper's Bazaar, Cosmopolitan and Shop Til You Drop. Those magazine editors…
-
Barack Obama site XSSed, redirected to Hillary’s website
"Yes Cross Site Scripting (XSS) errors are all over the place. And YES they can affect very prominent web sites. The discussion forum area on Barackobama.com is allegedly the victim of a XSS exploit that redirected comments from Obama's site to….HillaryClinton.com. A hacker going by the alias of 'Mox' has claimed responsibility for the exploit.…
-
Scanless PCI security scanning available
"Using a combination of fines and incentives the payment card brands have been working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs up is able…
-
Gopher/Archie gaining popularity due to increase in web based attacks
Due to the increase in devastating vulnerabilities abusing AJAX and Google to hack the web, more users are switching to 'safer' alternatives such as Gopher and Archie. Johnny Long was quoted as saying "My next book on Archie hacking, 'Jughead for idiots', will be out in late 2008 and I promise it will contain many…
-
Hackers Flood Epilepsy Web Forum With Flashing Lights
"Unknown miscreants had a good time two weekends ago when they posted hundreds of flashing animated images onto discussion boards hosted by the Landover, Md.-based Epilepsy Foundation. Flashing lights or bold moving patterns can trigger often violent seizures among 3 percent of the estimated 50 million epileptics worldwide. "I was on the phone when it…
-
Paris Hilton pwned via facebook flaw
"A security lapse on Facebook has allowed its users to gain access to vast libraries of private photographs, including one of Paris Hilton drinking beer with her friends. A Canadian hacker exploited a recent upgrade to the networking site's privacy settings to view pictures that were intended to be private, including some of Paris Hilton…
-
Antivirus Vendor TrendMicro Has Website SQL Injected, Malware Uploaded
TrendMicro had its website SQL injected and malware uploaded. A simple Google search for 'fuckjp.js' shows TrendMicro listed. "A Trend Micro spokesman confirmed that the company's site had been hacked Thursday, saying that the attack took place earlier in the week. "A portion of our site — some pages were attacked," said Mike Sweeny, a…
-
RIAA SQL Injected, website deleted
The RIAA website was apparently vulnerable to SQL injection and had its website deleted. "It’s a weekend, and a holiday weekend to boot, so the site might stay this way for some time. Someone apparently used SQL injection to wipe, and we do mean wipe, the website of the Recording Industry Association of…
-
Most Dorky Christmas Card Ever
I got the following Christmas card from IOActive and thought that it was so amusing that I'd post it here (message excluded). [Images: Outside, Inside]
-
F-Secure Forum Defaced
Security vendor F-Secure was defaced a few days ago by a Turkish defacement crew. "So how did this happen? The server itself is quite well hardened, but the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the…
-
Did Iceland Teen Call Secret White House Phone?
"Introducing himself as Ólafur Ragnar Grímsson, the actual president of Iceland, Atlason found President George W. Bush's allegedly secret telephone number and phoned, requesting a private meeting with him. "I just wanted to talk to him, have a chat, invite him to Iceland and see what he'd say," Vífill told ABC News. A White House…