  • PHPBB flaw used to infect 200,000 websites with pr0n, fake trojan codec

    "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages…

  • Antivirus Vendor TrendMicro Has Website SQL Injected, Malware Uploaded

    TrendMicro had its website SQL injected and malware uploaded. A simple Google search for 'fuckjp.js' shows Trend Micro listed. "A Trend Micro spokesman confirmed that the company's site had been hacked Thursday, saying that the attack took place earlier in the week. "A portion of our site — some pages were attacked," said Mike Sweeny, a…

  • Browser makers focus on reducing malware and phishing

    "Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the features were part of…

  • ActiveX Vulnerability Pwns MySpace, Facebook users

    "A buffer overflow enabled hackers to exploit the Aurigma ActiveX image uploading software used by Facebook, MySpace and other social networking sites, " said Rachwald. "The bad news is that this exploit is being used in a hacker toolkit currently being offered for download on several Chinese language sites, meaning that novices have been able…

  • Netscape Assassinated by AOL

    It is with great sadness that I post news stating that Netscape will receive no more updates after February 1, 2008. I've been a long-time Netscape user (since 1995). "AOL has a long history on the internet, being one of the first companies to really get people online. Throughout its lifetime, it has been involved…

  • eEye co-founder Marc Maiffret Leaves The Company

    "Marc Maiffret has left eEye Digital Security, the security company he launched ten years ago that used some of his hacking tools as the basis for its flagship product, Retina Network Scanner. Maiffret actually left eEye back in September, but is only just now going public with the news. He's currently gearing up to launch…

  • Google Wants Your Help to Fight Malware

    "Google has created one of the most powerful search tools in the history of Web humanity. One of its goals along the way was to archive all of human knowledge. Another was to not be evil. But the company discovered that at the intersection of archiving all human knowledge and not being evil is malware.…

  • AppsecInc Granted Database Encryption Patent

    United States Patent 7266699 was issued to AppSecInc. From the patent "The invention provides a transparent encryption infrastructure which allows the user to point-and-click on columns and tables to encrypt data. The creation of triggers and views are also easily implemented, to encrypt and decrypt data, to manage the encryption keys and to grant and…

  • Haxors and suits: 10 Tips for bridging the gap

    "There is a Great Divide in the realm of information technology. I'm not talking about Windows versus Linux or Java versus .NET. No, nothing like that. The gap I'm referring to is between software developers and the people who manage them – what I call hackers and suits. Let's clarify one thing first: The word hacker…

  • Russian Business Network Is Haven For Online Crime

    The Russian Business Network is an ISP in St. Petersburg allowing for hosting of 'anything'. "The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of "phishing" — ID-theft…

  • The new security disclosure landscape

    Rain Forest Puppy has written an article on vulnerability disclosure and its ethics. "simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN…

  • Gmail cookie vulnerability exposes user’s privacy

    "Petko Petkov of "ethical hacking" group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users. "This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford said. "It's just a proof of concept at the moment, but what they're demonstrating is the potential…

  • Blackhat SEO faces 3 years in prison for insulting the president

    From the nypost: "A hacker faces up to three years in prison for making the Polish president's Web page turn up in searches for the slang word for "penis." Marek W., 23, has been charged with insulting President Lech Kaczynski. Marek created a program that caused the official home page of the president to…

  • Ameritrade leaks over 6 million customer records

    "TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based brokerage firm said more sensitive information in the same database, including Social Security numbers and account data, does not appear to have been taken. The company would…

  • Ad-based Trojan hits MySpace, Bebo and others

    Another article on malware being served up via advertising companies. "Users of high profile sites including MySpace, The Sun, Bebo and PhotoBucket have been exposed to a Trojan hidden within adverts. The sites all ran advertising in recent weeks from the Right Media online ad exchange which were unknowingly infected with the Downloader.VBS.Agent.n Trojan." Article…

  • CGISecurity turns 7

    I'm happy to announce CGISecurity's 7th year providing website and application security news as of this week. What started out as an excuse to learn about web based vulnerabilities has really evolved. Here are a few things to put into perspective – The following terms hadn't been coined yet – CSRF/XSRF/Cross-site Request Forgery – XST…

  • Yahoo accidentally dishes out trojans via banner ads

    "An ad company that Yahoo owns, Right Media, served up some particular advertisements several million times that ended up being loaded with Trojans. These ads, while all over the Internet, were most prominently featured on MySpace and PhotoBucket – not shady warez sites. The issues began last month, and according to ScanSafe the articles were…

  • Why bug hunt should be for sale

    "As the director of strategy for online auction Web site WabiSabiLabi (WSLabi), Preatoni hopes to redefine the role of hackers from one that is out to destroy the intellectual property others create, to one that can contribute positively to the field of Internet security. Also the CEO of Domina Security and founder of cyber crime…

  • OWASP & WASC AppSec 2007

    "OWASP and WASC have joined forces for this year's AppSec 2007 conference being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers…

  • Vista SP1 Coming In Q1 2008

    "Despite it looking like a short period of time between the release of Windows Vista and the first Service Pack, it is actually longer than the amount of time that it took for Windows 2000 and XP to have their first Service Pack releases. Download size and hard drive space requirements have also been hinted…

  • New Zealand Herald website defaced via XSS to promote hacker con

    "The New Zealand Herald's website fell victim to a page spoofing stunt earlier today, by hackers wanting to publicise their upcoming Kiwicon security conference in November. In this case, the spoofing meant the hackers displayed a parody of a Herald article to users, rather than a real one, when surfers called up an article on…

  • Microsoft Opens Whitehat Hacker Blog on MSDN

    Microsoft has started a whitehat hacker blog written by Microsoft employees. "Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work…

  • Cenzic Patent Case Worries Web Researchers, Vendors

    "A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit — which centers around Cenzic's patent on a Web application vulnerability scanning technology — could mean trouble for other scanner vendors, as well as researchers who develop scanning techniques. Cenzic, which…

  • Blog Security

    I stumbled upon a site yesterday dealing with blog security specifically and felt it was worth posting. "BlogSecurity is the only organization that deals with web blog security exclusively. We understand that it is difficult to keep track of the latest security vulnerabilities and version updates, and we believe you shouldn’t have to." "Our aim…