"Unknown miscreants had a good time two weekends ago when they posted hundreds of flashing animated images onto discussion boards hosted by the Landover, Md.-based Epilepsy Foundation. Flashing lights or bold moving patterns can trigger often violent seizures among 3 percent of the estimated 50 million epileptics worldwide. "I was on the...
Web developers, fix thy Flash
"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted...
Blackhat SEO: XSS the trick that keeps on kicking
"Last week's massive IFRAME injection attack is slowly turning into what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident,...
The essentials of Web application threat modeling
"A critical part of Web application security is mapping out what's at risk -- a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences -- not the actual indication of intent to cause...
Microsoft admits it knew about, didn't patch, bugs
"Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors. A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago. In...
Paris Hilton pwned via facebook flaw
"A security lapse on Facebook has allowed its users to gain access to vast libraries of private photographs, including one of Paris Hilton drinking beer with her friends. A Canadian hacker exploited a recent upgrade to the networking site's privacy settings to view pictures that were intended to be private, including some...
WASC Beerfest 2008 @ RSA April 9th
Announcement Link: http://jeremiahgrossman.blogspot.com/2008/03/wasc-rsa-meet-up-2008.html
PHPBB flaw used to infect 200,000 websites with pr0n, fake trojan codec
"Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of...
Antivirus Vendor TrendMicro Has Website SQL Injected, Malware Uploaded
TrendMicro had its website SQL injected and malware uploaded. A simple Google search for 'fuckjp.js' shows trendmicro listed. "A Trend Micro spokesman confirmed that the company's site had been hacked Thursday, saying that the attack took place earlier in the week. "A portion of our site -- some pages were attacked," said...
Browser makers focus on reducing malware and phishing
"Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the features...
ActiveX Vulnerability Pwns MySpace, Facebook users
"A buffer overflow enabled hackers to exploit the Aurigma ActiveX image uploading software used by Facebook, MySpace and other social networking sites," said Rachwald. "The bad news is that this exploit is being used in a hacker toolkit currently being offered for download on several Chinese language sites, meaning that novices...
Orkut Worm v2.0
"The Scrapkut worm uses active code injection to spread between victims and their friends on Orkut. The malicious code appears on a victim’s scrapbook, containing a link to a supposed YouTube video. People who click on the link are redirected to an external site hosting malware that's disguised as a Flash upgrade....