So I've lived in Atlanta for 3.6 years now and miss my old hometown of Nashua, NH, a small town with fewer than 90k residents. That is, until I saw the following linked off of Slashdot. "NASHUA A city man is charged with violating state wiretap laws by recording a...
OWASP Releases PHP Top 5
"PHP is a very popular language with many flawed security "features". Every PHP developer and hoster should understand the primary attack vectors being used by attackers against PHP applications. This article is the underlying research behind the SANS Top 20 2005's PHP section. The methodology used in the preparation of this article...
IBM offers free tools for application security
"The offerings consist of IBM Secure Shell Library for Java, which automatically allows customers to encrypt Java application data transferred from one server to another, and the Security Workbench Development Environment for Java, which lets developers test and validate applications." Download Link: http://www.alphaworks.ibm.com/tech/sshlite Article Link: http://www.scmagazine.com/uk/news/article/565999/ibm+offers+free+tools+application+security/
Ajax Security Basics Article
"Ajax is considered the next step in a progression towards the trumpeted "Web 2.0." The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of the relevant approaches and tools needed....
The Worry-Warts Guide to Web Application Security
"In How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, Mike Andrews and James A. Whittaker tackle every category of Web software exploit. They reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate...
Cross Site Scripting Flaw Exploited in Paypal
"The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some...
Ajax Storage: A Look at Flash Cookies and Internet Explorer Persistence
An Anonymous Employee writes "Foundstone has an interesting write up on their site about Flash shared objects and other AJAX caching developments from a security angle. The Dojo JavaScript Framework already includes code to make use of this. These "cookies" can save larger amounts of data, can be accessed across...
Microsoft Releases 8 Patches on Security Patch Tuesday
"Of the eight most serious fixes, two affect Internet Explorer, one for JScript within Internet Explorer, one in Windows Media Player, two in Windows, one in Word, and another in PowerPoint. The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can...
JavaScript worm targets Yahoo!
"A JavaScript worm that takes advantage of an unpatched vulnerability in Yahoo!'s webmail service has been discovered on the net. The JS-Yamanner worm spreads when a Windows user accesses Yahoo! Mail to open an email sent by the worm. The attack works because of a vulnerability in Yahoo! Mail that enables scripts...
Uninformed Issue 4 released
Issue #4 of Uninformed has been released. This issue contains the following articles:
- Improving Automated Analysis of Windows x64 Binaries
- Exploiting the Otherwise Non-Exploitable on Windows
- Abusing Mach on Mac OS X
- GREPEXEC: Grepping Executive Objects from Pool Memory
- Anti-Virus Software Gone Wrong
Issue Link: http://www.uninformed.org/?v=4
Review: CEH Via Self Study
Donald C. Donzal writes "I remember the first time I heard about the Certified Ethical Hacker certification. It was around the time that I was studying for my CISSP, and I was quite intrigued simply by the name of the certification. Upon first visiting the EC-Council website to find out more about...
Software poses terror threat to UK
"Leading IT consultants have warned the US military, government and "critical infrastructure agencies" that their widespread use of outsourced commercial software is putting the nation more at risk from a cyber terrorist attack. Security experts at the Cyber Defense Agency (CDA) believe that central agencies as well as gas, electricity, telecoms and...
Getting on the right side of IE 7 security
"But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the...
Keystroke Logging JavaScript
"A full disclosure post today had an exploit that used JavaScript in browsers to selectively "steal" keystrokes from the user typing and channeling it into the file upload field." - ISC Article Link: http://isc.sans.org/diary.php?storyid=1386