Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers

"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack. For those of you who aren’t...

Automatic Patch-Based Exploit Generation

"The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can...

Getting started with Web application misuse cases

"When developing applications it isn't enough to think about how they will be used. You must also consider how they will be misused -- or abused -- so that you can prevent attacks. Kevin Beaver gives some examples of Web application weak spots that your development team should consider." Article Link:...

Bruce Schneier rants about 1984

"Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced. Data collection in Nineteen Eighty-Four was deliberate; today's is inadvertent. In the information...

IIS Vulnerability Documented by Microsoft - Includes Workarounds

SANS reports "Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potentially SQL Server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments where clients could upload malicious code to...

Hackers jack thousands of sites, including UN domains

"Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware, a security researcher said today as massive JavaScript attacks last detected in March resume. "They're using the same techniques as last month, of an SQL...

Hacked: Turning a women's fashion website into a porn site

"HACKERS have turned a bitchy blog about the world of women's magazines into a porn site. The blog by a mystery woman who calls herself “MagHag” has become a must-read for industry insiders, due to its salacious gossip about the editors of Madison, Vogue, Harper's Bazaar, Cosmopolitan and Shop Til You Drop....

Barack Obama site XSSed, redirected to Hillary's website

"Yes, Cross Site Scripting (XSS) errors are all over the place. And YES they can affect very prominent web sites. The discussion forum area on Barackobama.com is allegedly the victim of an XSS exploit that redirected comments from Obama's site to....HillaryClinton.com. A hacker going by the alias of 'Mox' has claimed responsibility...

XSS in ISP ad page allows compromise of any website

"When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed. But starting in August...

Are CAPTCHAs dead?

"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us. Recently, though, the various most popular Captcha implementations have been cracked. Bots with character-recognition ability have gotten...

Man hacks video game to propose to girlfriend

"A software developer in the US used his programming skills to propose to his girlfriend by altering a copy of the game she was playing. Bernie Peng spent a month hacking the code in Bejeweled so that when Tammy Li attained a particular score a ring appeared along with the marriage proposal....

Google bots now submit forms in effort to find new pages

"Google's search bots, which scour the web constantly for new pages, have begun a new, more active phase of their indexing jobs. In a blog post last week, Jayant Madhavan and Alon Halevy of Google's crawling and indexing team said the company has begun an experiment in which its indexing software experimentally...

DNS lords expose netizens to 'poisoning'

"More than a decade after serious holes were discovered in the internet's address lookup system, end users remain vulnerable to so-called domain name system cache poisoning, a security researcher has warned. Developers of the software that handles DNS lookups have scrambled to patch buggy code that could allow the attacks, but not...

Getting to see an Enigma machine at RSA 2008

My week at RSA has been fairly interesting. One of the highlights was getting to see an Enigma at the NSA booth. Here is a short video I made of the NSA Museum employee explaining how it works.

Movie: Wargames 2 Trailer

"WarGames: The Dead Code stars Matt Lanter as a computer geek named Will Farmer who engages a government super-computer named R.I.P.L.E.Y. and enters in a game of online terrorist-attack simulation (yes, instead of global thermonuclear war from the original movie). But apparently the game is actually part of a sophisticated piece of...

Scanless PCI security scanning available

"Using a combination of fines and incentives, the payment card brands have been working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs...

Gopher/Archie gaining popularity due to increase in web based attacks

Due to the increase in devastating vulnerabilities abusing AJAX and Google to hack the web, more users are switching to 'safer' alternatives such as Gopher and Archie. Johnny Long was quoted as saying 'My next book on Archie hacking 'Jughead for idiots' will be out in late 2008 and I promise it...