"Despite it looking like a short period of time between the release of Windows Vista and the first Service Pack, it is actually longer than the amount of time that it took for Windows 2000 and XP to have their first Service Pack releases. Download size and hard drive space requirements have...
New Zealand Herald website defaced via XSS to promote hacker con
"The New Zealand Herald's website fell victim to a page spoofing stunt earlier today, by hackers wanting to publicise their upcoming Kiwicon security conference in November. In this case, the spoofing meant the hackers displayed a parody of a Herald article to users, rather than a real one, when surfers called up...
Microsoft Opens Whitehat Hacker Blog on MSDN
Microsoft has started a Microsoft Employee Whitehat hacker blog. "Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops...
China Government 1, Germany Government 0
"CHINESE spies have hacked into German government department computer systems, media reports say. The reports emerged as German Chancellor Angela Merkel arrived in China. The Chinese Foreign Ministry reacted by saying China prohibited attacks on computer networks. "The Chinese Government has always opposed and prohibited any criminal activity that breaks down computer...
Monster attack steals user data
"US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm. A computer program was used to access the employers' section of the website using stolen log-in credentials. Symantec said the log-ins were used to harvest user names, e-mail...
JSON, Ajax & Web 2.0: Sounds like a classical reinvention, but this volatile trio opens the door to serious vulnerabilities
"Now that Web 2.0 hype is at full tilt, much ado's being made over Ajax framework vulnerabilities and other new-fangled bugs. A prime example of this phenomenon is the spectacular Javascript hijacking vulnerability discovered by Fortify Software (login required). Every security bug like this deserves some ink, but too much focus on...
Cenzic Patent Case Worries Web Researchers, Vendors
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...
Oracle Forensics Papers Released
David Litchfield has published multiple papers on Oracle Database Forensics. From his site "Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003 another 34 states have passed similar legislation with more set to follow. In January 2007 TJX announced they had suffered a database security...
Blog Security
I stumbled upon a site yesterday dealing with blog security specifically and felt it was worth posting. "BlogSecurity is the only organization that deals with web blog security exclusively. We understand that it is difficult to keep track of the latest security vulnerabilities and version updates, and we believe you shouldn’t have...
Facebook source code leaked
"Facebook source code has been leaked on the Web, and that's raising some serious issues about the site's security and data privacy. Source code from the social networking site's main index page appeared on a blog called Facebook Secrets recently and remained there Tuesday. The blog does not contain any other postings....
USA Today fun with XSS
clpwn.com has found an XSS vulnerability in USAToday and has been having fun with it to *post* fake news stories. First a description of the group "Hardcore WEB HACKING and 0day browser security stuff from wannabe elite hackers TEAM CLPWN..." Now about the vuln "The underground hacker team CLPWN has exposed a...
WASC Announcement: Web Application Security Scanner Evaluation Criteria Call for Participants
The Web Application Security Consortium is pleased to announce a new project "Web Application Security Scanner Evaluation Criteria (WASSEC)". Currently WASC is seeking volunteers from various sections of the community including penetration testers, scanner vendors, security researchers and also end users to contribute to the project. A brief description of the...
German sites close, as anti-hacking law arrives
"Security researchers in Germany continued to pull down exploit code from their sites last week, scrambling to comply with a German law that makes illegal the distribution of software that could be used to break into computers. The German law -- referred to as 202(c) -- went into effect on Sunday. Many...
UN Hacked via SQL Injection
The UN was defaced with a political message, and hackademix has published that it was via a SQL injection vulnerability. "While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don't. There's a technical reason for the missing apostrophe, though,...
Anti DNS Pinning/DNS Rebinding is the new industry buzz(word)
Anti-DNS Pinning/DNS Rebinding is the new security hot topic lately and I wouldn't expect the marketingfest to end anytime soon. "While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford -- known as domain-name service (DNS) rebinding -- could send and receive data from the local...
Raising the bar: dynamic JavaScript obfuscation
"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe...
My experience at blackhat/defcon
Vegas was interesting this year to say the least. For starters I finally got to attend NOT as a vendor which I gotta say was pretty nice. Here are the talks I attended: Intranet Invasion With Anti-DNS Pinning; It's All About The Timing; Tactical Exploitation (Part 1); Dangling Pointer; IsGameOver(), anyone?; The...
eEye Gets Into Web Application Security Space
"Marc Maiffret, CTO and chief hacking officer at eEye, said in an interview today that the company would be entering the Web app security space "soon." "It's a natural progression for us to add Web app scanning," says Maiffret, who wouldn't divulge details of the new offering." "You can scan for missing...
Mozilla Releases JavaScript Fuzzer at Blackhat
"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in...
Undercover reporter ousted at defcon, probably pretty f@!ked
UPDATE: Her MySpace page was linked from defconpics.org and was removed from MySpace shortly afterwards. No word on how it was removed at this time. An NBC reporter (Michelle Madigan, Associate Producer of NBC Dateline) was found to be trying to find hackers for hire and recording them with a...
Joanna Rutkowska Pwns challengers at blackhat
"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at...