"Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed. The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to...
Free Automated Web Application Firewall From Armorlogic
"Armorlogic, the Danish web application firewall provider, announces Profense™ Base, the only automated web application firewall available for free. And there is no catch. Free means free for commercial as well as non-commercial use, without time limitation." "ISO images and software licenses are available from www.armorlogic.com." I've never heard of this company...
Gmail cookie vulnerability exposes user's privacy
"Petko Petkov of "ethical hacking" group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users. "This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford said. "It's just a proof of concept at the moment, but what they're demonstrating...
Weak Encryption Faulted in TJX Breach
"TJX’s failure to upgrade its encryption system allowed the electronic eavesdropping beginning in July 2005 and continuing for a year and a half, the report says. At least 45 million credit and debit cards were exposed to potential fraud, according to an Associated Press story" Article Link: http://www.itbusinessedge.com/blogs/hdw/?p=945
New security flaw found in Microsoft's MFC library
"A new moderately critical vulnerability has been reported that affects two application programming interfaces (APIs) used in Windows XP. The flaw is in the MFC42 and MFC71 libraries that together handle searches across the Windows file system. These interfaces are used by applications that were developed using the Microsoft Foundation Classes libraries,...
Uninformed Journal Release Announcement: Volume 8
"Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:" Real-time Steganography with RTP PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 Getting out of Jail: Escaping Internet Explorer Protected Mode OS X Kernel-mode Exploitation in a Weekend A Catalog...
10 tips for securing Apache
"Even with Apache's focus on producing a secure product, the Web server can still be vulnerable to any number of attacks if you fail to take some security precautions as you build your server. In this article, Scott Lowe provides you with 10 tips that will help you keep your Apache Web...
Blackhat SEO faces 3 years in prison for insulting the president
From the nypost " A hacker faces up to three years in prison for making the Polish president's Web page turn up in searches for the slang word for "penis." Marek W., 23, has been charged with insulting President Lech Kaczynski. Marek created a program that caused the official home page of...
Second life URI Handler vulnerability
PDP has a good example of when the non web world can be exploited by web world functionality. In his writeup he described how second life's URI handler can be used to steal the encrypted password hash that can be replayed and used to login to a users account. "Keep in mind...
Ameritrade leaks over 6million customer records
"TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based brokerage firm said more sensitive information in the same database, including Social Security numbers and account data, does not appear to have been taken....
5 amusing security vendor moments
This list was created based off of real security vendor interactions that I and a friend have experienced. 1.Customer: Have you had a security evaluation of your product? Vendor: Yes, Kevin Mitnick has performed a pen test against our product. (sorry kevin! :) 2. The vendor comes to your office and pitches...
Microsoft Release 4 Security Fixes
"Microsoft Corp. released four software patches Tuesday to fix security flaws, including one that could allow hackers to take over computers running the company's instant messaging programs. Only one of the flaws carried the company's most severe "critical" rating, but it only applies to the Windows 2000 operating system. To be affected,...
CGISecurity turns 7
I'm happy to announce CGISecurity's 7th year providing website, and application security news as of this week. What started out as an excuse to learn about web based vulnerabilities has really evolved. Here are a few things to put into perspective - The following terms hadn't been coined yet - CSRF/XSRF/Cross-site Request...
Ad-based Trojan hits MySpace, Bebo and others
Another article on malware being served up via advertising companies. "Users of high profile sites including MySpace, The Sun, Bebo and PhotoBucket have been exposed to a Trojan hidden within adverts. The sites all ran advertising in recent weeks from the Right Media online ad exchange which were unknowingly infected with the...
Yahoo accidentally dishes out trojans via banner ads
"An ad company that Yahoo owns, Right Media, served up some particular advertisements several million times that ended up being loaded with Trojans. These ads, while all over the Internet, were most prominently featured on MySpace and PhotoBucket – not shady warez sites. The issues began last month, and according to ScanSafe...
Apache 1.3.39, 2.0.61, and 2.2.6 Released to Address XSS Vulnerability in mod_status
A XSS vulnerability has been discovered in apache. "Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that...
Warcraft.net and Battle.net get hacked by polite hacker
As a Diablo2 fan I just had to post this. " Blizzard's Warcraft.net and Battle.net websites have recently come under attack from an Algerian hacker who went by the name of "LeHackeur". This hacker added an extra file on the sites' main servers, which displayed an image of a skull, as well...
Why bug hunt should be for sale
"As the director of strategy for online auction Web site WabiSabiLabi (WSLabi), Preatoni hopes to redefine the role of hackers from one that is out to destroy the intellectual property others create, to one that can contribute positively to the field of Internet security. Also the CEO of Domina Security and founder...
Encrypting .NET configuration files through code
"Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections. Encrypting configuration data improves application...
OWASP & WASC AppSec 2007
"OWASP and WASC have joined forces for this year's AppSec 2007 conference being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers,...
Chinese military hacked into Pentagon
"The Chinese military hacked into a Pentagon computer network earlier this year in the most successful cyber attack ever on the US defence department, according to US officials. The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, the defence secretary, in June, but refused to...
Rolling Review: N-Stalker Web App Scanner
"The range of products calling themselves "security scanners" is so broad that the designation is flirting with irrelevance. You have your vulnerability assessment software, which uses large databases of known vulnerabilities. Then there are penetration-testing applications that focus on fewer vulnerabilities but include the ability to exploit flaws instead of just identify...