It is with great sadness that I post news stating that Netscape will receive no more updates after February 1, 2008. I've been a long netscape user (since 1995). "AOL has a long history on the internet, being one of the first companies to really get people online. Throughout its lifetime, it...
xmitm: xml man in the middle tool
An interesting post on intercepting flash XMPP traffic. "This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport). The only way we could think of getting...
IsecPartners Molests Flash, Adobe in therapy
"Researchers from Google and a well-known security firm have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors. The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics that animate sites across...
Blackhat SEO: Servers Hacked to Boost Google Rank
"Attackers have hacked the servers of Australian Web hosting provider MD Web Hosting (mdwebhosting.com.au), embedding malicious code to spawn "link farms" on its customers' sites, according to news site, Australian IT (australianit.news.com.au)." "The hackers gained access to about five servers which failed to have the correct security profiles. To make matters worse,...
Orkut XSS worm in the wild
According to ISC orkut has been striken with a persistant XSS worm via the user profiles. Will be updating this as new information breaks so stay tuned! So far no news at the orkut blog UPDATE A few news articles have started to pop up regarding this. "Google's Orkut social networking site...
Cracking passwords the Web application way: A rundown of web based haxoring tools
This article reviews various tools that can be used to brute force web forms and web based auth. "This mish-mash of security is the basis of Web login vulnerabilities and why passwords are often easily cracked. Be it form-based, HTTP Basic, or NT LAN Manager (NTLM) (the three main types of authentication...
F-Secure Forum Defaced
Security vendor F-Secure was defaced a few days ago by a turkish defacement crew. "So how did this happen? The server itself is quite well hardened, but the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and...
Facebook Tracks Down Hackers
"Most recently, Facebook has chased down three hackers who attempted to break into its site to access personal information back in June, according to InformationWeek. Although Facebook filed charges immediately following the attacks, up until now all the defendants have been John Does. The company managed to unmask three of them by...
SquirrelMail Server Compromised, Sourcecode Modified
According to the Squirrelmail website some of the packages available for download on their site had been modified by an outside intruder. If you are running 1.4.11 or 1.4.12 you are urged to upgrade immediately. From their site "Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release...
Facebook Sues Canadian Porn Company Over Screen Scraping
"Facebook alleges that in June servers controlled by the defendants used automated scripts to make more than 200,000 requests for personal information stored on Facebook's site. The allegations are contained in an amended lawsuit filed earlier this month in U.S. District Court in San Jose, California. The company first filed suit back...
How microsoft.com works
"If you've ever wondered how microsoft.com uses our technology then read on. I recently came across some good information from the folks over at the Operations team at Microsoft.com. The thread basically talks about how we use IIS, Firewalls and Windows Server 2008. I think as we come up to launch next...
eEye co-founder Marc Maiffret Leaves The Company
"Marc Maiffret has left eEye Digital Security, the security company he launched ten years ago that used some of his hacking tools as the basis for its flagship product, Retina Network Scanner. Maiffret actually left eEye back in September, but is only just now going public with the news. He's currently gearing...
WASC Script Mapping Project released
Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on the...
Performing Distributed Brute Forcing of CSRF vulnerable login pages
Update: Apparently this is described in a paper by sensepost that I wasn't aware of. Check out there paper at http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf. We know that CSRF is bad, and that if your application is performing an important action to utilize a random token associated with the users session. I started thinking a bit...
Did Iceland Teen Call Secret White House Phone?
"Introducing himself as Ólafur Ragnar Grímsson, the actual president of Iceland, Atlason found President George W. Bush's allegedly secret telephone number and phoned, requesting a private meeting with him. "I just wanted to talk to him, have a chat, invite him to Iceland and see what he'd say," Vífill told ABC News....
Hackers Launch Major Attack on US Military Labs
"Hackers have succeeded in breaking into the computer systems of two of the U.S.' most important science labs, the Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Laboratory in New Mexico. In what a spokesperson for the Oak Ridge facility described as a "sophisticated cyber attack," it appears that...
Cross-build injection attacks
" Injection-based attacks have proven effective, yielding access to private data or possible control over a compromised machine. Software vendors are in a continual race to fix the holes that allow these attacks to succeed. But what if a hacker could inject malicious code when a program is actually compiled and created?...
Tools: SWFIntruder released
Stefano writes "The first release of SWFIntruder has been released today by Stefano Di Paola, CTO of Minded Security. SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. It helps to find flaws in Flash applications using the methodology originally described...
Why crawling doesn't matter
tssci has a VERY long post about crawling in relation to vuln assessments. "This post isn’t intended to be a retort to Jeremiah Grossman’s post last month on Why crawling matters, but more of a follow-up post to my latest blog entry on Why pen-testing doesn’t matter. Hint: both pen-testing and crawling...
Google Wants Your Help to Fight Malware
"Google has created one of the most powerful search tools in the history of Web humanity. One of its goals along the way was to archive all of human knowledge. Another was to not be evil. But the company discovered that at the intersection of archiving all human knowledge and not being...
Chinese Hackers Accused of Attacking Shell, Rolls Royce
" Britain's domestic intelligence agency is warning that cybercrime perpetrated by China is on the rise following hacking attacks against Rolls-Royce and Royal Dutch Shell. The agency, known as MI5, recently sent letters to some 300 banks, accounting and legal firms warning that "state organizations" of China were plying their networks for...