-
Twitter response to xss worm attack
Twitter has posted an entry on it's xss worm issues this weekend. "On a weekend normally reserved for bunnies, a worm took center stage. A computer worm is a self-replicating computer program sometimes introduced by folks with malicious intent to do some harm to a network. Please note that no passwords, phone numbers, or other…
-
Two XSS Worms Slam Twitter
UPDATE: F-Secure has posted more detailed information. "Some 24 hours after a worm spread advertising on Twitter, the popular social networking website, a second worm emerged on Sunday. Both worms appear to be created by Mikeyy Mooney, a 17-year-old from Brooklyn, New York. The first worm emerged on Saturday when Twitter profiles began posting messages…
-
Electricity Grid in U.S. Penetrated By Spies
"Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its…
-
Facebook Fixes User Email Address Leakage
"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When…
-
Paper: “Tracking GhostNet: Investigating a Cyber Espionage Network”
There's been a bunch of news regarding a new report published indicating a wide spread Chinese espionage network dubbed 'ghostnet'. From the paper "This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international…
-
March Madness-related SEO Poisoning Leads To Rogue AV
"With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the first result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a…
-
Browsers hacked in seconds in Pwn2Own contest
"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more than a year…
-
Hacker Disabled Offshore Oil Platform Leak-Detection System
"A Los Angeles federal grand jury indicted a disgruntled tech employee Tuesday on allegations of temporarily disabling a computer system detecting pipeline leaks for three oil derricks off the Southern California coast. Mario Azar, 28, faces a maximum 10-year term after being accused of purposely impairing a computer system that monitored for leaks on three…
-
BBC cybercrime probe backfires
"The BBC hacked into 22,000 computers as part of an investigation into cybercrime but the move quickly backfired, with legal experts claiming the broadcaster broke the law and security gurus saying the experiment went too far. The technology show Click acquired a network of 22,000 hijacked computers – known as a botnet – and ordered…
-
Google Docs suffers serious security lapse
"Google confessed to a serious bug in its Docs sharing system over the weekend, but downplayed the security cockup by claiming only a tiny number of users had been affected. The internet search kingpin said that less than 0.05 per cent of Google Docs accounts were hit by a privacy breach after documents were shared…
-
Twitter SMS spoofing
"A fix against an SMS spoofing flaw involving micro-blogging service Twitter offers only partial protection. Tests by Heise Security found that providing a user knew the number of a phone associated with a Twitter account, it would be possible to use an SMS sender faking service to post fake status updates that appeared under a…
-
New Gmail Flaw Lets Attacker Control ‘Change Password’ Function
"A researcher today released a proof-of-concept for a vulnerability he discovered in Google Gmail that lets an attacker change a Gmail user's password, wage a denial-of-service attack on the account, or even access other Gmail users' email. The cross-site request forgery (CSRF) flaw — which researcher Vicente Aguilera Diaz from Madrid-based Internet Security Auditors first…
-
Google Blackhat SEO Hack
"Today’s aggressive and spooky abuse of trusted giants reveals just how sophisticated and manipulative these guys have become. By following Google Trends, and with some sharp SEO skills to take advantage of Google’s famed real-time indexing, Scammers are directly targeting Google’s search results, trusted by as many as 70 percent of Internet searchers. McAfee researcher…
-
Gary McKinnon set to face extradition after Crown Prosecution Service ruling
"Hacker Gary McKinnon is set to face extradition to the US following a Crown Prosecution Service ruling. The service has refused to bring charges against him after a decision found that there was sufficient evidence to prosecute him, the evidence is not reflected in the criminality that is alleged by the American authorities. McKinnon was…
-
Bot Busts Newest Hotmail CAPTCHA
"The botnet, or collection of compromised PCs, can decipher Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) registration safeguard in about 20 seconds, said Websense Inc. security researcher Sumeet Prasad. CAPTCHA is the term for the distorted characters that many Web sites, such as e-mail services and blogs, use…
-
Wikileaks Accidentially Leaks Its Donor List
"What's Wikileaks, the net's foremost document leaking site, supposed to do when a whistle-blower submits a list of email addresses belonging to the site's confidential donors as a leaked document? That's exactly the conundrum Wikileaks faced this week after someone from the controversial whistle-blowing site sent an emergency fund-raising appeal on Saturday to previous donors.…
-
MS09-002 exploit in the wild
Sans is reporting the MS09-002 exploit is in the wild. "Several AV vendors reported about MS09-002 exploits in the wild. We can confirm this – the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working as charm on an unpatched Windows XP machine. Initially there…
-
Popular Security Website Hit By Big DDoS Attack
"Several renowned white-hat hacker security sites have been hit during the past few days with a distributed denial-of-service attack (DDoS). Immunity, Milw0rm, and Packet Storm were in the clear as of this posting, but attackers were still hammering away at Metasploit. The attackers behind the DDoS — which began on Feb. 6 and continued through…
-
Security Vendor Kasperky Hacked Via SQL Injection
A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users,…
-
Revising netflix’s CSRF
Dave Ferguson writes "Back in 2006, I put out some findings about CSRF on Netflix's web site. I thought people might be interested to know that I revisited the issue recently and was shocked to find Netflixstill hasn't fixed all their CSRF issues, at least when it comes to movie queues. You can read more…
-
Attacker flaunts details of phpBB hack
"In a post on Blogger on Saturday, a person who claims to have breached the Web site of open-source online community software phpBB gave a detailed account of how he did it. Using a vulnerability in PHPlist publicly disclosed on January 14, the attacker gained access to the password and configuration files for the server,…
-
PHPBB Server Compromised, Team Apologies
"We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done. The attacker gained entry through the PHPList application and was able to dump a complete backup of the…
-
Black hats poison Google video search
"Instead of video clips, researchers at Trend Micro discovered that around 400,000 queries returning malicious results that lead to a single redirection point, which leads onto an array of maliciously constructed websites designed to load malware onto vulnerable Windows PCs. The strain of malware spread using the attack – named as AQPlay-A by Trend Micro…
-
DEC ‘hacker’ questions McKinnon political bandwagon
" Boris Johnson's outspoken defence of Gary McKinnon in his extradition fight has been criticised by a former security consultant, who complains he was denied such support when he himself was charged with hacking offences. Daniel Cuthbert was convicted in October 2005 of breaking the Computer Misuse Act by "hacking" into a tsunami appeal website…
-
IT admin plotted to erase Fannie Mae Data
"A fired computer engineer for Fannie Mae has been arrested and charged with planting a malicious software script designed to permanently destroy millions of dollars worth of data from all 4,000 servers operated by the mortgage giant. Rajendrasinh Babubahai Makwana, 35, of Virginia, concealed the Unix script on Fannie Mae's main administrative server on October…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack