-
More companies seek third-party Web app code review, survey finds
"The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information security at Wireless Generation…
-
SWFScan – Free Flash Security Tool
"HP SWFScan is a free security tool to help developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security backgrounds identify vulnerabilities hidden…
-
Microsoft releases !exploitable crash evaluation tool
"Aiming to better identify bugs that could lead to security issues, Microsoft announced on Wednesday that it planned to release a tool to help developers classify and assess program crashes. The tool, known as !exploitable and pronounced "bang exploitable," is a plugin for the Windows debugger that categorizes crash information using two hashes, members of…
-
March Madness-related SEO Poisoning Leads To Rogue AV
"With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the first result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a…
-
Web Application Security Spending Relatively Unscathed By Poor Economy
"First the good news: Despite the global recession, two-thirds of organizations either have no plans to cut Web application security spending, or they expect their spending to increase this year. Now the bad news: Spending for security applications is less than 10 percent of the overall security budget in 36 percent of organizations, few of…
-
Malware installing rogue DHCP server
SANS published an entry about a new piece of malware that installs a rogue DHCP server that specifies a rogue DNS server, presumably for phishing and malware deployment. I wouldn't be surprised if this concept is fairly old, but it appears to be the first time a common piece of malware is using this method.…
-
Browsers hacked in seconds in Pwn2Own contest
"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more than a year…
-
Hacker Disabled Offshore Oil Platform Leak-Detection System
"A Los Angeles federal grand jury indicted a disgruntled tech employee Tuesday on allegations of temporarily disabling a computer system detecting pipeline leaks for three oil derricks off the Southern California coast. Mario Azar, 28, faces a maximum 10-year term after being accused of purposely impairing a computer system that monitored for leaks on three…
-
BBC cybercrime probe backfires
"The BBC hacked into 22,000 computers as part of an investigation into cybercrime but the move quickly backfired, with legal experts claiming the broadcaster broke the law and security gurus saying the experiment went too far. The technology show Click acquired a network of 22,000 hijacked computers – known as a botnet – and ordered…
-
Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection
Dan Kaminsky has just published his latest paper on middleware attacks that I recommend checking out. "For CanSecWest this year, I thought it’d be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then…well, sort of stopped. …
-
Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse
For over a year in my spare time I've been working on an abuse case against transparent proxies at my employer, and have just released my latest paper "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass…
-
Google Docs suffers serious security lapse
"Google confessed to a serious bug in its Docs sharing system over the weekend, but downplayed the security cockup by claiming only a tiny number of users had been affected. The internet search kingpin said that less than 0.05 per cent of Google Docs accounts were hit by a privacy breach after documents were shared…
-
Twitter SMS spoofing
"A fix against an SMS spoofing flaw involving micro-blogging service Twitter offers only partial protection. Tests by Heise Security found that providing a user knew the number of a phone associated with a Twitter account, it would be possible to use an SMS sender faking service to post fake status updates that appeared under a…
-
Dan Bernstein Confirms Security Flaw In Djbdns
"Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of most popular alternatives for the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher that found the bug. The bug allows a nameserver running djbdns to be poisoned…
-
Firefox 3.0.7 fixes multiple security flaws
"Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines. Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago. Of the eight vulnerabilities, six were rated…
-
FRHack threatens to sue person using screenshots to criticize them?
I found the following post fairly amusing and had to link it here. "A few days ago I complained about the incredibly awkward IT Security Girl of the Year award that will be dished out later this year at the French IT security conference FRHACK. Apparently the FRHACK organizers did not like what I wrote…
-
The return of L0phtCrack
"More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack have reacquired the tool with plans to release a new version at next week’s SOURCE Boston conference. A teaser post on the l0phtcrack.com Web site…
-
New Gmail Flaw Lets Attacker Control ‘Change Password’ Function
"A researcher today released a proof-of-concept for a vulnerability he discovered in Google Gmail that lets an attacker change a Gmail user's password, wage a denial-of-service attack on the account, or even access other Gmail users' email. The cross-site request forgery (CSRF) flaw — which researcher Vicente Aguilera Diaz from Madrid-based Internet Security Auditors first…
-
Opera 9.64 Security Updates and Enhancements
From Opera's changelog: Fixed an issue where specially crafted JPEG images could be used to execute arbitrary code, as reported by Tavis Ormandy of the Google Security Team; see our advisory. Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by Adam Barth; details will be disclosed at a…
-
Caching bugs exposed in second biggest DNS server
"For years, cryptographer Daniel J. Bernstein has touted his djbdns as so secure he promised a $1,000 bounty to anyone who can poke holes in the domain name resolution software. Now it could be time to pay up, as researchers said they've uncovered several vulnerabilities in the package that could lead end users to fraudulent…
-
Google Blackhat SEO Hack
"Today’s aggressive and spooky abuse of trusted giants reveals just how sophisticated and manipulative these guys have become. By following Google Trends, and with some sharp SEO skills to take advantage of Google’s famed real-time indexing, Scammers are directly targeting Google’s search results, trusted by as many as 70 percent of Internet searchers. McAfee researcher…
-
Gary McKinnon set to face extradition after Crown Prosecution Service ruling
"Hacker Gary McKinnon is set to face extradition to the US following a Crown Prosecution Service ruling. The service has refused to bring charges against him after a decision found that, although there was sufficient evidence to prosecute him, the evidence is not reflected in the criminality that is alleged by the American authorities. McKinnon was…
-
Apple goes public with security in Safari 4
"Apple announced on Tuesday the public availability of its next browser, Safari 4, seemingly adding a host of new security features to the program along with speedier Javascript processing and additional eye candy, such as cover flow. The security features are not new, however. The company quietly added anti-malware and phishing protection, as well as…
-
CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies
For the past year in my spare time I've been researching a flaw involving transparent proxies, and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors are in the CERT advisory): QBIK New Zealand, SmoothWall, Squid, Ziproxy…
-
The Multi-Principal OS Construction of the Gazelle Web Browser
I was reading Slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract: "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources…