Feeds
6078 items (0 unread) in 72 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
Items by robert
CGISecurity.com: Your Web Site and Application Security Resource
-
Sacked Croydon hacker spied on former colleagues' e-mails
Posted: January 7th, 2009, 11:44am CST by Robert
Tags: Incidents [edit]
"An IT expert sacked for lying on his CV hacked into his company's computer system to spy on his former colleagues - and deleted vital information which led to the loss of jobs. Julius Oladiran, 46, was dismissed from after his employers discovered his boasts of a master's degree, and top... -
Twitter hacked via weak passwords to admin system
Posted: January 7th, 2009, 10:38am CST by Robert
Tags: Incidents [edit]
"A teenage hacker, known in the digital underground as GMZ, claims he obtained access to the micro-blogging site’s admin controls using a brute force dictionary attack. After guessing the login identity of an administrator, in part based on the large number of people she followed, GMZ ran an automated password guessing... -
CheckFree warns 5 million customers after DNS hack
Posted: January 6th, 2009, 7:52pm CST by Robert
Tags: Incidents [edit]
"Tolley wouldn't say what banks were affected by the hack, but the majority of these five million customers were CheckFree's own users, she said. In total, about 42 million customers access CheckFree's bill payment site, she said. Customers who went to CheckFree's Web sites between 12:35 a.m. and 10:10 a.m. on... -
Building a Web Application Security Program, Part 8: Putting It All Together
Posted: January 6th, 2009, 3:35pm CST by Robert
Tags: Articles [edit]
"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs... -
Hackers Post Faked Report of Steve Jobs's Death
Posted: January 6th, 2009, 1:18pm CST by Robert
Tags: Funny [edit]
"MacRumors, one of the many sites which cover Apple's annual Macworld product launches, has had its live coverage infiltrated, with someone adding the false news of Steve Jobs's death to the blow-by-blow reports."Here's the very amusing screenshot of the incident.http://cache.gawker.com/assets/images/gawker/2009/01/macrumorshacked.jpgRead more: http://valleywag.gawker.com/5124580/hackers-post-faked-report-of-steve-jobss-death -
Pak hackers plan attack on Indian cyber networks: Intel
Posted: January 6th, 2009, 12:21pm CST by Robert
Tags: Incidents [edit]
"After the Mumbai terror strikes, anti-India elements in Pakistan are now planning an attack on Indian computer networks, intelligence agencies have warned. Already Pakistani hackers are trying out a dry run against Indian networks through popular websites registered there after the Mumbai terror strikes, Home Ministry sources told PTI here today.... -
Paper: Security Assessment of the Internet Protocol
Posted: January 6th, 2009, 11:28am CST by Robert
Tags: Papers [edit]
The following was sent to the Full Disclosure mailing list last yesterday."In August 2008 the UK CPNI (United Kingdom's Centre for the Protection ofNational Infrastructure) published the document "Security Assessment of theInternet Protocol". The motivation of the aforementioned document isexplained in the Preface of the document itself. (The paper is availableat:... -
Israel hacks Arab TV station
Posted: January 6th, 2009, 11:22am CST by Robert
Tags: Incidents [edit]
"Israeli military forces have reportedly hacked into a Hamas-run TV station to broadcast propaganda. The hijack of the Al-Aqsa television station last weekend represents the latest phase in a war in cyberspace that has accompanied the ongoing conflict in Gaza. Al-Aqsa is known for featuring allegedly antisemitic childrens' cartoons as part... -
Twitter Security Collapses; Obama, Fox and Britney Accounts Hacked
Posted: January 5th, 2009, 12:04pm CST by Robert
Tags: Funny [edit]
From Twitter's blog"The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their... -
Security: The Number One Technology Failure of All Time
Posted: January 4th, 2009, 9:45pm CST by Robert
Tags: IndustryNews [edit]
"I was reading through an article last night about the 25 greatest blunders in technology history and was happily strolling through memory lane (what are Palm Pilots, PS/2s and Apple Newtons anyways? :p) and then got quite a surprise at the very end of the article. The number one technology failure... -
Police set to step up hacking of home PCs
Posted: January 4th, 2009, 8:44pm CST by Robert
Tags: Incidents [edit]
The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant. The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as...
Robert Penz Blog
-
Roy Firestein steals blog posts
Posted: January 1st, 2009, 3:14am CST by robert
Tags: [edit]
I can’t really believe it - that someone is that stupid to think nobody will notice it. Look at following two posts:
- Mine from the 30.12.2008
- Roy Firestein’s from the 31.12.2008
VS
They are 100% identical even the links to my previous posts are there. “…. .I’ve written previously (and also here)“. But he is not only copying from me. I copies from many other security bloggers! You need examples?
- Leap Second To Be Added End Of 2008 And Its Impact On Clustered Computers / Network (Original / his copy)
- Dear Internet, I love you (Original / his copy)
These are only the two posts newer then mine I just listed, but he is doing this for some time now. So be aware that he copies most likely also your blog posts.
PS: Only for my/our reference - links to his Linkedin Profile before he removes the link from his blog. Also his two other linked projects (sec-c.org and redsecurity.ca)
PPS: If these posts are only blog posts he reads, he should only put some lines of the post onto his blog and link to the original blogs!
CGISecurity.com: Your Web Site and Application Security Resource
-
2009 Security Predictions Collection
Posted: December 31st, 2008, 12:52pm CST by Robert
Tags: Funny [edit]
I've been collecting a list of security predictions for 2009 that people on this list may find 'interesting'.Here they areOpinion: Security predictions for 2009http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124621&source=rss_news2009 Security Predictionshttp://www.sans.edu/resources/securitylab/2009_predictions.phpSecurity predictions for 2009http://www.itworld.com/security/59948/security-predictions-200910 Security Predictions For 2009http://www.crn.com/security/212201985The 2009 Security Prediction Prediction Listhttp://blogs.gartner.com/greg_young/2008/12/19/the-2009-security-prediction-prediction-list/2009 security predictions: Deja vu all over againhttp://www.infoworld.com/article/08/12/31/2009_security_predictions_Deja_vu_all_over_again_1.html2009 - my security predictionshttp://www.itpro.co.uk/blogs/danj/2008/12/10/2009-my-security-predictions/Tech: What will... -
Computerworld Security predictions for 2009
Posted: December 31st, 2008, 12:42pm CST by Robert
Tags: IndustryNews [edit]
"My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should happen. As always, take these with a grain of salt. Though these predictions are based on primary research and many, many discussions with chief security officers, they... -
MS08-067 Worm on the Loose
Posted: December 31st, 2008, 12:19pm CST by Robert
Tags: IndustryNews [edit]
Dshield has published a report of a new MS08-067 worm spreading."It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries... -
Thunderbird 2.0.0.19 Released With Security Fixes
Posted: December 31st, 2008, 12:17pm CST by Robert
Tags: Browsers [edit]
MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored by CSS... -
Hundreds of Israeli Websites Hacked in 'Propaganda War'
Posted: December 31st, 2008, 11:51am CST by Robert
Tags: Incidents [edit]
"It didn't take long after Israel's bombing of Gaza began for cyberwarfare to erupt as well: over 300 Israeli Websites over the past few days have been hacked and defaced with anti-Israeli and anti-US messages in an online propaganda campaign, a security expert says. Gary Warner, director of research in computer... -
Facebook, MySpace, Digg, and Ning Discuss Their Architectures
Posted: December 30th, 2008, 3:34pm CST by Robert
Tags: Development [edit]
"Facebook, MySpace, Digg and Ning recently shared their trials and tribulations at the QCon conference in San Francisco, California. Dan Farino, chief systems architect at MySpace.com, said his site started with a very small architecture and scaled out. He focused on monitoring and administration on a Windows network and the challenge... -
OWASP releases Application Security Verification Standard for developers, security pros, and buyers
Posted: December 30th, 2008, 12:46pm CST by Robert
Tags: Announcements [edit]
"Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS). Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial... -
MD5 considered harmful today: Creating a rogue CA certificate
Posted: December 30th, 2008, 10:43am CST by Robert
Tags: Articles [edit]
UPDATE: I've added a link to the presentation slides and some other sites providing coverage of this.The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. "We have identified a vulnerability in the...
Robert Penz Blog
-
All SSL Sites are fake-able with new real world MD5 collision attack [Update]
Posted: December 30th, 2008, 10:12am CST by robert
Tags: [edit]
You really should look at this video of a presentation (in English) which was just given at the 25C3 in Berlin. Alexander Sotirov, Marc Stevens and Jacob Appelbaum have generated an intermediate certificate which is “signed” by RapidSSL which is shipped with all browsers. As there is no limit which certificates can be signed by which CA, it is possible to fake any SSL site!!
The good news is that they don’t indent to release the private key.
Basically they took the 2007 shown theoretical MD5 collision attack and improved it and the major part: They took it onto a real world CA. They used the RapidSSL CA as they still use MD5 and have a nice automatic and predictable generation process. It takes always 6 seconds to generate one and they increment the serial number of the certificates by one every time. As for the collision attack it is important to previously know the timestamp and the serial number. Both was not that hard at RapidSSL, specially if you did some requests at Sunday night. Here is the link to a document from the guys describing it more in detail.
Ok, this time it maybe the good guys but who can prove to me that nobody else did this, as it cost them under 700 Euros. And removing all MD5 signing CAs is also not a solution at this point of time as up to 30% of the websites are signed by such CA’s. And for server admins it is also almost impossible to find CAs which report which hash functions they use. And there is still the revoke list problem, I’ve written previously (and also here).
CGISecurity.com: Your Web Site and Application Security Resource
-
Scammers Use Microsoft and IRS Open Redirects To Deploy Malware
Posted: December 29th, 2008, 6:09pm CST by Robert
Tags: SEO [edit]
"There is a new technique for luring unsuspecting users into installing viruses on their systems. Criminals will use a combination of Search Engine Optimization (SEO) techniques and common redirects that can be found on Microsoft.com and the IRS.gov websites. Here is how it works. When users are on the IRS website... -
FBI issues code cracking challenge
Posted: December 29th, 2008, 5:31pm CST by Robert
Tags: Cryptography [edit]
"The FBI today challenged anyone in the online community to break a cipher code on its site. The code was created by FBI cryptanalysts. The bureau invited hackers to a similar code-cracking challenge last year and got tens of thousands of responses it said. A number of sites host such cipher... -
CastleCops Shuts Down
Posted: December 29th, 2008, 4:12pm CST by Robert
Tags: IndustryNews [edit]
"In a blow to anti-phishing efforts, the famed CastleCops organization dedicated to fighting spam and phishing quietly shuttered its site last week. The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites. CastleCops itself was also a constant target of... -
It’s unanimous, Web application security has arrived
Posted: December 29th, 2008, 12:59pm CST by Robert
Tags: IndustryNews [edit]
Jeremiah Grossman has posted an entry discussing the various security reports and how they are labeling web application security as a primary concern. "It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec,... -
Top 9 Network Security Threats in 2009
Posted: December 29th, 2008, 11:35am CST by Robert
Tags: IndustryNews [edit]
"Malware, especially from compromised web sites, was a huge issue in 2008. Many legitimate sites such as MSNBC.com, History.com, ZDNet.com and many others suffered compromises, in some cases for days. Unlike the past, the sites looked normal, but unsuspecting web surfers with vulnerable systems were exploited when they visited these sites.... -
Top 5 cybersecurity news stories of 2008
Posted: December 29th, 2008, 11:07am CST by Robert
Tags: Incidents [edit]
"Data breaches continued to make their very public mark on cybersecurity news in 2008. And this time it wasn't TJX making headlines. Despite being PCI compliant, Hannaford Brothers supermarkets announced that 4.2 million credit and debit card numbers were pilfered from its servers. We also learned in 2008 that attackers aren't... -
Fixing Both Missing HTTPOnly and Secure Cookie Flags with modsecurity
Posted: December 28th, 2008, 6:04pm CST by Robert
Tags: Vendors [edit]
Ryan Barnett has posted an entry on identifying sessions lacking HTTPOnly and secure cookie flags on modsecurity."In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish... -
OllyDbg Version 2.0 - Beta 1 Released
Posted: December 28th, 2008, 5:57pm CST by Robert
Tags: Announcements [edit]
"The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much... -
Are amateur genetic engineers dangerous?
Posted: December 28th, 2008, 5:41pm CST by Robert
Tags: Off Topic [edit]
I came across an interesting article discussing the dangers of amateur genetic engineers. "A group of so-called “bio-hackers” is setting up a community laboratory called DIYbio in Cambridge, MA. They want to provide publicly available lab space to budding amateur bio-engineers that need equipment and experiment space for their projects. The... -
State Bank of India shuts down website after hackers break in
Posted: December 28th, 2008, 5:30pm CST by Robert
Tags: Incidents [edit]
"The State Bank of India, the country’s largest bank, has had to shut down its corporate website after overseas hackers tried to break in.While the bank said that transactions took place through www.onlinesbi.com, a senior SBI source said that the transactions were slow as the entire system was under watch. The... -
Zero-Day SQL Server Flaw Could Allow Remote Code Execution
Posted: December 28th, 2008, 5:29pm CST by Robert
Tags: Vulns [edit]
"Microsoft is warning users of a zero-day vulnerability discovered in SQL Server, and that exploits of the flaw have already been published. The software giant yesterday issued a security advisory outlining a flaw that could allow remote code execution on many versions of SQL Server. The company has not had time...
Robert Penz Blog
-
Tips for running Kubuntu 8.10 (Intrepid) on an EeePC 901go
Posted: December 26th, 2008, 2:29am CST by robert
Tags: [edit]
As I’ve written before I got an Asus EeePC 901go for Christmas and of course I’ve installed Kubuntu (8.10 / Intrepid) on it. In this post I’m going to share the tricks I used to get it running well.
- I’ve attached a USB CD drive and installed Kubuntu from the alternative CD. The kernel on this CD is not able to get any networking to work, but this is no problem. The installed kernel will get the LAN running.
- Set noatime, nodiratime for your partitions. Take also a look at this post.
- When the installation is finished you should update your system, as this didn’t work with the install kernel.
- To get all devices running you need a special kernel for your EeePC. I recommend the usage of this kernel, take a look at the installation howto. I’m using the lean kernel.
- Now you should install eeepc-config (
apt-get install eeepc-config), which will allow you do en-/disable the webcam, wifi, … . Just try it out. Press the two most right buttons above the keyboard. The Fn-Keys work now also. Cool! - You’ll also notice that sometimes on high I/O activity the whole system will hang for seconds. This is because of the I/O scheduler, as the default one is optimized for hard disks and not for flash. This wiki page describes how you can change this. I’ve set it in
/boot/grub/menu.lstand added the echo line to/etc/init.d/bootmisc.sh(add the beginning of the do_start function) - As it seems the ath5k driver for the WLAN is more or less useless. It has a real poor performance but the biggest problem is that it has a package loss between 5-10% on my WiFi. To solve this it is best to go back to the old madwifi driver. Here is the mini howto:Go do
http://snapshots.madwifi-project.org/madwifi-hal-0.10.5.6/and download the newest version there. In my case I did following:wget http://snapshots.madwifi-project.org/madwifi-hal-0.10.5.6/madwifi-hal-0.10.5.6-r3879-20081204.tar.gzNow extract it:
$ tar xzf madwifi-hal-0.10.5.6-r3879-20081204.tar.gz
$ cd madwifi-hal-0.10.5.6-r3879-20081204/
Now we need some packages installed:
sudo apt-get install build-essential
sudo apt-get install linux-headers-eeepc-lean
And now the actual compiling and installationsudo ./madwifi-unload
sudo ./find-madwifi-modules.sh $(uname -r)
cd ..
sudo make
sudo make installAt last we need to add
blacklist ath5kto/etc/modprobe.d/blacklist-eeepcand appendath_pcito/etc/modules. After a reboot you should have a working WLAN. - The UMTS card ( a Huawei E620 USB Modem) works without any problems. Take a look here for get it to work on the command line. I was not able to get it to work with the KNetworkManager. PS (For my Austrian Reader): Here is a link to a site in German with the Init Strings and User/Password combinations needed for the various Austrian providers.
Following items are not resolved to my satisfaction - I need to look further into these topics
- (K)Ubuntu Intrepid seems to have a poor graphics performance and rendering errors on Intel 945 systems, which is build in the 901go. The rendering errors happens most often at the start of non KDE apps like Firefox. Here is a link to the Bug Report. I’ll post here if I find a fix or workaround.
- I’m used to the fact that I can scroll through web pages with moving slowly on the right side of my touchpad. That doesn’t work currently on my 901go.
- Get the UMTS dialing working with the KNetworkManager.
I’ll add additional tips as soon as I need and find them. Please also post tips and tricks you know for the Asus EeePC 901go. Thx.
PS: I’m running KDE 4.2 Beta2 on my 901go and I really can recommend it! Get it from there.
-
Home partition encryption with LUKS under Linux
Posted: December 25th, 2008, 11:00am CST by robert
Tags: [edit]
I’m often asked how I crypt my notebooks. I normally crypt only my home partition and sometimes (more on servers in remote locations, than on notebooks) the swap partition. I use for this Linux Unified Key Setup (Luks), as it allows up to 8 passwords for a partition and you can change them without reformatting the partition. It also stores the used encryption method so you can use it also for encrypting external hard disks and you don’t need to keep track which encryption algorithms you used for it.
First you install your notebook with a swap and a root partition, but leave space for a /home partition. After the installation is finished you create the partition e.g. with cfdisk or fdisk. You need to restart your system after creating a new partition. In my example I call it /dev/sda3. Now you can tell cryptsetp (which you need to install on Ubuntu with apt-get install cryptsetup, reboot after installing it if the setup does not work) to create a container with following command
cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 128 luksFormat /dev/sda3After you did this, you need to open the container with
cryptsetup luksOpen /dev/sda3 homeNow you can format the container:
mkfs.ext3 -m 0 /dev/mapper/homeps: -m 0 means that no blocks are reserved for root, as it is our home partition.
Now you need to go to the console of your system (
ALT-CTRL-F1) and login there and stop the X server (log off before that
). On Ubuntu you do this by calling /etc/init.d/gdm stopon Kubuntu/etc/init.d/kdm stop.Now you can mount the new partition on a temporary location and copy your home directory over.
mount /dev/mapper/home /mnt/
cp -a /home/* /mnt/.Now we need to unmount it and close the crypto container.
umount /mnt/
cryptsetup luksClose homeNow we need to configure the system that it is launched at the boot time. Add following line to
/etc/crypttab:home /dev/sda3 none luksand in your
/etc/fstabyou add following:/dev/mapper/home /home ext3 noatime,nodiratime 0 0Now everything is done. Reboot your system and you will be prompted for the password of your home partition. If you don’t enter it your system will use the “old” home directory.
-
BasKet: A KDE application for implementing the “Getting Things Done” method
Posted: December 24th, 2008, 8:51am CST by robert
Tags: [edit]
Are you also using a Post-It application (like KNotes) on your computer to store your ideas and todos? At least I do, but I found a better application. Welcome to BasKet Node Pads. It takes your notes, but it also lets share them with others. You can integrate it into Kontact and store not only text but also images, links, email addresses, files and you can even pick a from screen. After you stored you ideas, todos, ….. you surely want to access them easily. BasKet supports this by a full text search or it also allows you to set tags and intelligent todo list management.
Maybe your ideas are secret, if so you should use the buildin encryption of BasKet. And best of all, it is OpenSource and you can download it for KDE or it is already shipped with your distribution of choice.
Ah, before I forget it. One of the various ways you can use BasKet is to implement the “Getting Things Done” method to get more organized. Get more information by reading Wikipedia article or this wikisummaries book summary.
ps: Merry Christmas and a happy New Year!
CGISecurity.com: Your Web Site and Application Security Resource
-
One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards
Posted: December 22nd, 2008, 8:10pm CST by Robert
Tags: Incidents [edit]
"The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some... -
MS08-078 and the SDL
Posted: December 19th, 2008, 12:01pm CST by Robert
Tags: SDL [edit]
Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it."Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry... -
Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
Posted: December 19th, 2008, 11:16am CST by Robert
Tags: Incidents [edit]
"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people -- and it is only the tip of the iceberg, they say. Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and... -
Thousands of legitimate sites SQL injected to serve IE exploit
Posted: December 18th, 2008, 11:29am CST by Robert
Tags: Browsers [edit]
"Once again confirming the trend of having more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been keeping themselves busy during the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites. The SQL injection attacks serving the just patched Internet Explorer... -
Software [In]security: Software Security Top 10 Surprises
Posted: December 18th, 2008, 11:24am CST by Robert
Tags: Articles [edit]
"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy... -
Interview: Robert Seacord on the CERT C Secure Coding Standard
Posted: December 18th, 2008, 11:22am CST by Robert
Tags: Defense [edit]
"Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots.I recently had the opportunity to interview Robert Seacord, author of the recently-published The CERT C Secure Coding Standard. Robert has been deeply involved with C and... -
OWASP testing Guide Version 3.0 Released
Posted: December 17th, 2008, 5:29pm CST by Robert
Tags: Announcements [edit]
OWASP released the following press release today."The OWASP testing guide version 3 has been officially released.This project is part of the OWASP 2008 Summer of Code that started on April 2008. The guide resulted in a 349 page book and is the contribution of a team of 21 authors, 4 reviewers... -
Firefox Halting 2.x security patching/support, urges users to upgrade to 3.0 or get pwned
Posted: December 17th, 2008, 2:37pm CST by Robert
Tags: Announcements [edit]
"Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical. The critical problems involve cross-site scripting. That’s a serious concern as... -
Microsoft issues emergency patch for IE
Posted: December 17th, 2008, 1:11pm CST by Robert
Tags: Browsers [edit]
"Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare for Microsoft, stressing the potentially... -
FireFox 3.0.5 fixes three critical security flaws
Posted: December 17th, 2008, 12:30pm CST by Robert
Tags: Browsers [edit]
"Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege... -
American Express web bug exposes card holders
Posted: December 17th, 2008, 11:35am CST by Robert
Tags: Incidents [edit]
"A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says. Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used... -
SUN Fixes GIFARs
Posted: December 17th, 2008, 11:35am CST by Robert
Tags: Vulns [edit]
"Last week, Sun released a patch for a vulnerability I reported to them. The patch I’m talking about fixes the “GIFAR” issue. I was unable to speak on the issue at Black Hat (for various reasons), but Nate McFeters did a great job of presenting the concept of GIFARs at Black... -
Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing
Posted: December 17th, 2008, 11:33am CST by Robert
Tags: Defense [edit]
"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard,... -
Opera releases update for 'extremely severe' vulns
Posted: December 16th, 2008, 1:39pm CST by Robert
Tags: Browsers [edit]
"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing,... -
Metasploit Decloaking Engine
Posted: December 15th, 2008, 3:58pm CST by Robert
Tags: Research [edit]
"The Metasploit Decloak Engine is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 and was...