It is with great sadness that I post news stating that Netscape will receive no more updates after February 1, 2008. I've been a long netscape user (since 1995). "AOL has a long history on the internet, being one of the first companies to really get people online. Throughout its lifetime, it...
An interesting post on intercepting flash XMPP traffic. "This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport). The only way we could think of getting...
"Researchers from Google and a well-known security firm have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors. The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics that animate sites across...
"Attackers have hacked the servers of Australian Web hosting provider MD Web Hosting (mdwebhosting.com.au), embedding malicious code to spawn "link farms" on its customers' sites, according to news site, Australian IT (australianit.news.com.au)." "The hackers gained access to about five servers which failed to have the correct security profiles. To make matters worse,...
According to ISC orkut has been striken with a persistant XSS worm via the user profiles. Will be updating this as new information breaks so stay tuned! So far no news at the orkut blog UPDATE A few news articles have started to pop up regarding this. "Google's Orkut social networking site...
This article reviews various tools that can be used to brute force web forms and web based auth. "This mish-mash of security is the basis of Web login vulnerabilities and why passwords are often easily cracked. Be it form-based, HTTP Basic, or NT LAN Manager (NTLM) (the three main types of authentication...
Security vendor F-Secure was defaced a few days ago by a turkish defacement crew. "So how did this happen? The server itself is quite well hardened, but the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and...
"Most recently, Facebook has chased down three hackers who attempted to break into its site to access personal information back in June, according to InformationWeek. Although Facebook filed charges immediately following the attacks, up until now all the defendants have been John Does. The company managed to unmask three of them by...
According to the Squirrelmail website some of the packages available for download on their site had been modified by an outside intruder. If you are running 1.4.11 or 1.4.12 you are urged to upgrade immediately. From their site "Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release...
"Facebook alleges that in June servers controlled by the defendants used automated scripts to make more than 200,000 requests for personal information stored on Facebook's site. The allegations are contained in an amended lawsuit filed earlier this month in U.S. District Court in San Jose, California. The company first filed suit back...
"If you've ever wondered how microsoft.com uses our technology then read on. I recently came across some good information from the folks over at the Operations team at Microsoft.com. The thread basically talks about how we use IIS, Firewalls and Windows Server 2008. I think as we come up to launch next...
"Marc Maiffret has left eEye Digital Security, the security company he launched ten years ago that used some of his hacking tools as the basis for its flagship product, Retina Network Scanner. Maiffret actually left eEye back in September, but is only just now going public with the news. He's currently gearing...
Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on the...
Update: Apparently this is described in a paper by sensepost that I wasn't aware of. Check out there paper at http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf. We know that CSRF is bad, and that if your application is performing an important action to utilize a random token associated with the users session. I started thinking a bit...
"Introducing himself as Ólafur Ragnar Grímsson, the actual president of Iceland, Atlason found President George W. Bush's allegedly secret telephone number and phoned, requesting a private meeting with him. "I just wanted to talk to him, have a chat, invite him to Iceland and see what he'd say," Vífill told ABC News....
"Hackers have succeeded in breaking into the computer systems of two of the U.S.' most important science labs, the Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Laboratory in New Mexico. In what a spokesperson for the Oak Ridge facility described as a "sophisticated cyber attack," it appears that...
" Injection-based attacks have proven effective, yielding access to private data or possible control over a compromised machine. Software vendors are in a continual race to fix the holes that allow these attacks to succeed. But what if a hacker could inject malicious code when a program is actually compiled and created?...
Stefano writes "The first release of SWFIntruder has been released today by Stefano Di Paola, CTO of Minded Security. SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. It helps to find flaws in Flash applications using the methodology originally described...
tssci has a VERY long post about crawling in relation to vuln assessments. "This post isn’t intended to be a retort to Jeremiah Grossman’s post last month on Why crawling matters, but more of a follow-up post to my latest blog entry on Why pen-testing doesn’t matter. Hint: both pen-testing and crawling...
"Google has created one of the most powerful search tools in the history of Web humanity. One of its goals along the way was to archive all of human knowledge. Another was to not be evil. But the company discovered that at the intersection of archiving all human knowledge and not being...
" Britain's domestic intelligence agency is warning that cybercrime perpetrated by China is on the rise following hacking attacks against Rolls-Royce and Royal Dutch Shell. The agency, known as MI5, recently sent letters to some 300 banks, accounting and legal firms warning that "state organizations" of China were plying their networks for...
