-
CastleCops Shuts Down
"In a blow to anti-phishing efforts, the famed CastleCops organization dedicated to fighting spam and phishing quietly shuttered its site last week. The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites. CastleCops itself was also a constant target of distributed denial-of-service attacks and…
-
It’s unanimous, Web application security has arrived
Jeremiah Grossman has posted an entry discussing the various security reports and how they are labeling web application security as a primary concern. "It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe,…
-
Top 9 Network Security Threats in 2009
"Malware, especially from compromised web sites, was a huge issue in 2008. Many legitimate sites such as MSNBC.com, History.com, ZDNet.com and many others suffered compromises, in some cases for days. Unlike the past, the sites looked normal, but unsuspecting web surfers with vulnerable systems were exploited when they visited these sites. Search engines were used,…
-
Top 5 cybersecurity news stories of 2008
"Data breaches continued to make their very public mark on cybersecurity news in 2008. And this time it wasn't TJX making headlines. Despite being PCI compliant, Hannaford Brothers supermarkets announced that 4.2 million credit and debit card numbers were pilfered from its servers. We also learned in 2008 that attackers aren't necessarily becoming more sophisticated.…
-
One Hacker’s Audacious Plan to Rule the Black Market in Stolen Credit Cards
"The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some fans, but they didn't…
-
Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people — and it is only the tip of the iceberg, they say. Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say the actual number…
-
Mod_Security Author Calls It Quits
The author of modsecurity Ivan Ristic has decided to leave Breach Security, the company that retains the rights for modsecurity. I interviewed Ivan in 2006 about the sale of Mod_security who eased concerns that it will remain open source. Based on email conversations with him he will not be leaving the appfirewall scene and will…
-
Google destroys SEO business by manually selecting sites
"Google this week admitted that its staff will pick and choose what appears in its search results. It's a historic statement – and nobody has yet grasped its significance. Not so very long ago, Google disclaimed responsibility for its search results by explaining that these were chosen by a computer algorithm. The disclaimer lives on…
-
Microsoft publishes uber patch to address 28 vulnerabilities
"Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system.…
-
Microsoft to offer free Antivirus
"Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker extend its footprint in…
-
Integrity-178B Secure OS Gets Highest NSA Rating, Goes Commercial
"An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company had spun off a…
-
MS explains 7-year patch delay
"Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult of the Dead Cow…
-
Firefox 3.0.4 Released to address multiple security flaws
A handful of security vulnerabilities have been fixed in the latest version of firefox. Fixed in Firefox 3.0.4 MFSA 2008-58 Parsing error in E4X default namespaceMFSA 2008-57 -moz-binding property bypasses security checks on codebase principalsMFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violationMFSA 2008-55 Crash and remote code execution in nsFrameManagerMFSA…
-
DNS inventor blames wrangling for insecure interweb
"DNSSec (Domain Name System Security Extension), which uses digital signatures to guard against forged requests, offers a means of making internet naming systems more secure. But even 15 years after the standard was developed its adoption remains low. Mockapetris blames problems in making the technology easy to deploy, delays in developing DNSSec-aware apps, and political…
-
Visa Card Features Buttons and Screen to Generate CCV Dynamically
A co worker sent me this link yesterday afternoon. "Using what appears to be Visa’s mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways. Those who copy down…
-
Google Android Phone passes typed content into rootshell!
"With the news that Google’s Android shipped with an embarrassing security hole being followed by a simple two-step method to ‘jailbreak’ the OS, you’d think that the company had ironed out most of the remaining bugs – but you’d be wrong. According to ZDnet‘s Ed Burnette, the open-source Linux-based smartphone platform recently shipped in T-Mobile’s…
-
Obama Pwns Mcain in election, hacker pwns them both
"The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, NEWSWEEK reports today. At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of hacking often employed to…
-
Remote buffer overflow bug bites Linux Kernel Driver Wrapper
"A remote buffer overflow vulnerability in the Linux Kernel could be exploited by attackers to execute code or cripple affected systems, according to a Gentoo bug report that just became public. The flaw could allow malicious hackers to launch arbitrary code with kernel-level privileges. This could lead to complete system compromise or, in some cases…
-
Apache 2.2.10 Released to address XSS Vulnerability
"The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.10 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed: CVE-2008-2939: mod_proxy_ftp: Prevent XSS attacks when using wildcards in the…
-
OpenBSD 4.4 Released
"Nov 1, 2008. We are pleased to announce the official release of OpenBSD 4.4.This is our 24th release on CD-ROM (and 25th via FTP). We remainproud of OpenBSD’s record of more than ten years with only two remoteholes in the default install.As in our previous releases, 4.4 provides significant improvements,including new features, in nearly all…
-
Skein Hash Function
"Executive Summary Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze. Skein is fast. Skein-512 — our primary proposal — hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means…
-
ICANN Terminates EstDomains Registrar Accreditation due to Fraud, Money Laundering Convictions
Gadi Evron posted the following link to the Full Disclosure list this morning which I thought was interesting. Read More: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf
-
Yahoo Security Flaw Fixed in hours
"Hours after Web analytics firm Netcraft (www.netcraft.com) announced a flaw on a Yahoo (www.yahoo.com) website used to steal users’ authentication cookies to gain access to Yahoo accounts, such as Yahoo Mail, the company blocked entry to hackers. In an email message to theWHIR Monday, Yahoo’s HotJobs division stated that the cross-site scripting vulnerability found on…
-
Why Microsoft’s SDL Missed MS08-067 in their own words
"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some of the details, it’s…
-
Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild
The Patch: Microsoft has released the patch to windows update. Details: "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack