  • What videogames teach us about security

    Forbes has an interesting interview with Gary McGraw on how computer games provide insight into the motives and mindset of an attacker. "What problem do these trust boundaries pose? In this case, the gamer is the attacker and what they’re doing is cheating in the virtual world to generate wealth that they can sell…

  • Silverlight 2 Released

    From the asp.net blog. "Today we shipped the final release of Silverlight 2.  You can download Silverlight 2, as well the Visual Studio 2008 and Expression Blend 2 tool support to target it, here. Cross Platform / Cross Browser .NET Development Silverlight 2 is a cross-platform browser plugin that enables rich media experiences and .NET…

  • Dave Aitel on Static Analysis Tools

    Dave Aitel has posted to dailydave with his thoughts on the static analysis industry. From his email: "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify[2], IBM AppScan[3], Ounce Labs) and tried them all while…

  • Details of Clickjacking Attack Revealed With Online Spying Demo

    "A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works. Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it — Jeremiah Grossman and Robert “RSnake” Hansen — at the request of Adobe, which wanted more…

  • R.I.P. Captcha’s: Gmail, Hotmail, Etc…

    XRumer was recently released putting another nail in the CAPTCHA Coffin. "The decline in CAPTCHA efficacy has been an ongoing story in 2008, as hackers and malware authors have steadily found ways to chip away at the protection these security practices were once thought to offer. Now, new findings indicate that both Gmail and Windows…

  • PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking

    "Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. One of these small changes is the introduction of a new php ini directive…

  • Fyodor speculates on new TCP Flaw

    Fyodor (the author of nmap, if you’ve been sleeping under a rock) has posted a write-up on the recent TCP DoS flaw. UPDATE: According to a post by Robert Lee this isn’t the issue. "Robert Lee and Jack Louis recently went public claiming to have discovered a new and devastating denial of service (DoS)…

  • Kevin Mitnick Detained in Atlanta for having computer equipment on flight

    If you know me you know I don’t like Atlanta and have many reasons (which I won’t go into here). I have another one to add to this list after reading a story about Kevin Mitnick being detained for having lots of computer equipment with him. "In his luggage, they found a MacBook Pro, a…

  • Firefox 3.0.2 released to address multiple security flaws

    Firefox 3.0.2 has been released, which addresses the following security flaws.

    MFSA 2008-44  resource: traversal vulnerabilities
    MFSA 2008-43  BOM characters stripped from JavaScript before execution
    MFSA 2008-42  Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
    MFSA 2008-41  Privilege escalation via XPCnativeWrapper pollution
    MFSA 2008-40  Forced mouse drag…

  • Mark Russinovich on the Future of Security

    "Windows IT people everywhere owe thanks to Dr. Mark Russinovich, now a technical fellow at Microsoft and his less-famous partner Bryce Cogswell. Russinovich is famous both as an author, making the technical details of Windows accessible to the rest of us who dare to think we are technical, and as a programmer, writing utilities that…

  • Off Topic: Hackers claim break-in to Palin’s e-mail account

    While this is off topic for this site I do find it amusing 🙂 "Hackers broke into the Yahoo! e-mail account that Republican vice presidential candidate Sarah Palin used for official business as Alaska’s governor, revealing as evidence a few inconsequential personal messages she has received since John McCain selected her as his running mate.…

  • Adobe yanks speech exposing critical ‘clickjacking’ vulns

    "In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation…

  • Mozilla security chief: Apple should open up

    "Mozilla’s security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-borne threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security departments at every software…

  • Microsoft IE8 and Google Chrome – Processes are the New Threads

    "I happened to install Google Chrome (Alpha) the same day I installed Internet Explorer 8 (Beta). I noticed immediately, as I’m sure many of you have, that both browsers isolate tabs in different processes. Unix folks have known about the flexibility of forking a process forever. In Unix, fork() is just about the easiest thing…

  • DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer

    "Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit…

  • GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers

    From the 'If you don't know, now you know, !@#$!' department. The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of GRSecurity. "I doubt many of you are following the "discussions" (if they can be called that) that have been going on on LWN for the past…

  • Widescale DNS flaw discovered

    A pretty nasty DNS vulnerability has been discovered in 81 products by Dan Kaminsky. This vulnerability type seems to be the same one described by Amit Klein and involves abusing the PRNG involved in transactions on DNS queries. Long story short, if you run a vulnerable caching DNS server you can have your cache poisoned. From…

  • OFF Topic: A farewell to Bill Gates

    Today marks Bill Gates' last day working in technology at Microsoft. To celebrate this day I've created this tribute to Bill from different moments in his life. Bill Gates, age 13, with Paul Allen; Bill with the Microsoft Jr. Mafia; Bill likes to drive way too fast; Bill enjoying some pie; Bill Gates fighting Steve…

  • How NOT to handle finding vulnerabilities at your company

    UPDATED: Link to Steve's interview with CrYpTiC_MauleR added below. At first I wasn't going to post about this, but since it doesn't seem to be dying I will. Long story short: 1. A low-level techie finds weaknesses/vulnerabilities at the company he works for (TJX). 2. He reports these issues to who he thinks should…

  • Whitepaper: DoS Attacks Using SQL Wildcards

    Ferruh Mavituna has just published a whitepaper titled "DoS Attacks Using SQL Wildcards" where he discusses CPU-utilization-based DoS against SQL Server where user data is thrown into SQL statements. That is all. Whitepaper Link: http://www.portcullis-security.com/uplds/wildcard_attacks.pdf

  • Apache Debates the Apache UTF-7 XSS

    There is a great debate on the bugtraq mailing list regarding the Apache UTF-7 XSS issue. In this debate William Rowe (Apache) discusses why the Apache UTF-7 vulnerability is in fact not a vulnerability in Apache but in Internet Explorer for not following specifications properly. William first posted to bugtraq http://seclists.org/bugtraq/2008/May/0166.html with the following "Internet…

  • Bots Use SQL Injection Tool in Web Attack and Rant

    "The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms — and then hit the sites found in the search return with SQL injection attacks,…

  • Automatic Patch-Based Exploit Generation

    "The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits…

  • Google bots now submit forms in effort to find new pages

    "Google's search bots, which scour the web constantly for new pages, have begun a new, more active phase of their indexing jobs. In a blog post last week, Jayant Madhavan and Alon Halevy of Google's crawling and indexing team said the company has begun an experiment in which its indexing software experimentally enters text in…

  • Microsoft admits it knew about, didn’t patch, bugs

    "Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors. A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago. In a post to…