Amit Klein has written another fine paper on using Flash to send HTTP requests. "Flash player is a very popular browser add-on from Adobe (actually, Flash was invented by Macromedia, which was acquired by Adobe). This write-up covers mostly Flash 7 and Flash 8, together covering more than 94% of the Internet-enabled...
Using Google to find software vulnerabilities
"Bugle is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though), hopefully people will start sending more queries. Source code review is not a straightforward operation,...
Ad Server hacked, 1 million MySpace users owned
"An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows," I actually wrote a paper 5 years ago describing this ability, long...
Malware Search Engine
"The new Malware Search engine provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables. The release of the search engine was motivated in part by a recent announcement by Websense Security Labs, of San...
IIS 7 Shows Continued Security Push
"When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server. Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved...
Microsoft Patch Time Again
Multiple issues were addressed in this month's Patch Tuesday, including:
* IIS ASP local buffer overflow
* Excel fixes
* DHCP Client Service
* Multiple Microsoft Office issues
Patch Link: Microsoft Windows Update
[NEW BOOK] Professional Pen Testing for Web Applications
Andres Andreu has just published a new book titled "Professional Pen Testing for Web Applications" by Wrox. "There is no such thing as "perfect security" when it comes to keeping all systems intact and functioning properly. Good penetration (pen) testing creates a balance that allows a system to be secure while simultaneously...
Voice Phishers Dialing for PayPal Dollars
"Internet security experts have discovered a new phishing scam that uses voice recordings to pilfer money from PayPal accounts. In the newest social engineering attack, identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails,...
Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems
I will be giving a talk at Blackhat this year entitled "Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems". I'll also be available at the 'Web Application Security Consortium' Meet-up for those who want to chat. This presentation will discuss the use of RSS and Atom feeds as...
FBI Password Database Compromised by Consultant
"A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert Mueller. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection program...
Browser Fun Security Blog
"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen...