I've been collecting a list of security predictions for 2009 that people on this list may find 'interesting'. Here they are Opinion: Security predictions for 2009 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124621&source=rss_news 2009 Security Predictions http://www.sans.edu/resources/securitylab/2009_predictions.php Security predictions for 2009 http://www.itworld.com/security/59948/security-predictions-2009 10 Security Predictions For 2009 http://www.crn.com/security/212201985 The 2009 Security Prediction Prediction List http://blogs.gartner.com/greg_young/2008/12/19/the-2009-security-prediction-prediction-list/ 2009 security predictions:...
"My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should happen. As always, take these with a grain of salt. Though these predictions are based on primary research and many, many discussions with chief security officers, they concern...
Dshield has published a report of a new MS08-067 worm spreading. "It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries...
MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored by CSS parser...
"It didn't take long after Israel's bombing of Gaza began for cyberwarfare to erupt as well: over 300 Israeli Websites over the past few days have been hacked and defaced with anti-Israeli and anti-US messages in an online propaganda campaign, a security expert says. Gary Warner, director of research in computer forensics...
"Facebook, MySpace, Digg and Ning recently shared their trials and tribulations at the QCon conference in San Francisco, California. Dan Farino, chief systems architect at MySpace.com, said his site started with a very small architecture and scaled out. He focused on monitoring and administration on a Windows network and the challenge of...
"Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS). Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial and...
UPDATE: I've added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. "We have identified a vulnerability in the...
"There is a new technique for luring unsuspecting users into installing viruses on their systems. Criminals will use a combination of Search Engine Optimization (SEO) techniques and common redirects that can be found on Microsoft.com and the IRS.gov websites. Here is how it works. When users are on the IRS website and...
"The FBI today challenged anyone in the online community to break a cipher code on its site. The code was created by FBI cryptanalysts. The bureau invited hackers to a similar code-cracking challenge last year and got tens of thousands of responses it said. A number of sites host such cipher challenges,...
"In a blow to anti-phishing efforts, the famed CastleCops organization dedicated to fighting spam and phishing quietly shuttered its site last week. The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites. CastleCops itself was also a constant target of distributed...
Jeremiah Grossman has posted an entry discussing the various security reports and how they are labeling web application security as a primary concern. "It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend...
"Malware, especially from compromised web sites, was a huge issue in 2008. Many legitimate sites such as MSNBC.com, History.com, ZDNet.com and many others suffered compromises, in some cases for days. Unlike the past, the sites looked normal, but unsuspecting web surfers with vulnerable systems were exploited when they visited these sites. Search...
"Data breaches continued to make their very public mark on cybersecurity news in 2008. And this time it wasn't TJX making headlines. Despite being PCI compliant, Hannaford Brothers supermarkets announced that 4.2 million credit and debit card numbers were pilfered from its servers. We also learned in 2008 that attackers aren't necessarily...
Ryan Barnett has posted an entry on identifying sessions lacking HTTPOnly and secure cookie flags on modsecurity. "In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish...
"The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much faster...
I came across an interesting article discussing the dangers of amateur genetic engineers. "A group of so-called “bio-hackers” is setting up a community laboratory called DIYbio in Cambridge, MA. They want to provide publicly available lab space to budding amateur bio-engineers that need equipment and experiment space for their projects. The project...
"The State Bank of India, the country’s largest bank, has had to shut down its corporate website after overseas hackers tried to break in. While the bank said that transactions took place through www.onlinesbi.com, a senior SBI source said that the transactions were slow as the entire system was under watch. The...
"Microsoft is warning users of a zero-day vulnerability discovered in SQL Server, and that exploits of the flaw have already been published. The software giant yesterday issued a security advisory outlining a flaw that could allow remote code execution on many versions of SQL Server. The company has not had time to...
"The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some fans,...
Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it. "Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry...
"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people -- and it is only the tip of the iceberg, they say. Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say...
"Once again confirming the trend of having more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been keeping themselves busy during the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites. The SQL injection attacks serving the just patched Internet Explorer XML...
"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working...
"Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots. I recently had the opportunity to interview Robert Seacord, author of the recently-published The CERT C Secure Coding Standard. Robert has been deeply involved with C and...
OWASP released the following press release today. "The OWASP testing guide version 3 has been officially released. This project is part of the OWASP 2008 Summer of Code that started on April 2008. The guide resulted in a 349 page book and is the contribution of a team of 21 authors, 4...
"Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical. The critical problems involve cross-site scripting. That’s a serious concern as it...
"Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious...
"Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege escalation”...
"A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says. Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used to...
"Last week, Sun released a patch for a vulnerability I reported to them. The patch I’m talking about fixes the “GIFAR” issue. I was unable to speak on the issue at Black Hat (for various reasons), but Nate McFeters did a great job of presenting the concept of GIFARs at Black Hat...
"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard, and...
"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing, respectively....
"The Metasploit Decloak Engine is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 and was eventually...
"CAT.NET - Community Technology Preview CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this...
"Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when combined,...
The author of modsecurity Ivan Ristic has decided to leave Breach Security, the company that retains the rights for modsecurity. I interviewed Ivan in 2006 about the sale of Mod_security who eased concerns that it will remain open source. Based on email conversations with him he will not be leaving the appfirewall...
"Some of the most recent iterations of the XHR specifications at w3c have made some excellent security choices that will lock down the JavaScript HTTPOnly edge-case exposure vectors. The latest editorial draft of the XHR w3c spec http://dev.w3.org/2006/webapi/XMLHttpRequest/ • prevents creating set-cookie/2 headers via setRequestHeader() in a case insensitive way. (but XHR...
From tssci "This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple advantages, like having network access to the service,...
There is a write up at Coding Insecurity on filtering non ascii characters to prevent XSS attacks. "I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than (<) or greater-than (>) symbols. Instead...
"Google this week admitted that its staff will pick and choose what appears in its search results. It's a historic statement - and nobody has yet grasped its significance. Not so very long ago, Google disclaimed responsibility for its search results by explaining that these were chosen by a computer algorithm. The...
Jeremiah has published an entry on budgeting for web application security in your company. "“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many...
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely...
Michal Zalewski from google has published an an extremely in depth guide describing the various behavioral differences between the major browsers. "I am happy to announce the availability of our "Browser Security Handbook" - a comprehensive, 60-page document meant to provide web application developers and information security researchers with a one-stop reference...
"Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its...
F-Secure has posted the following blog entry at securityfocus. "There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on the Apple website. In the article, Apple advised users to install an anti-virus software to make sure...
"The Carnegie-Mellon University team behind the reCAPTCHA service is continuing to expand its effort to mix basic security and useful work. CAPTCHAs are the distorted text that helps various online services ensure that the entity opening an account is a human, not a bot bent on using the service to dish out...
In this issue. The future of AV: looking for the good while stopping the bad Eight holes in Windows login controls Extended validation and online security: EV SSL gets the green light Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA Web filtering in a Web 2.0...
"At Drexel University and a handful of other colleges, students created computer scripts to sway the contest—an online vote to nominate a university to receive its own clothing line—in their campuses’ favor. Tim Plunkett, a junior at Drexel, created a script that could cast 1,500 votes per second, according to The Daily...
I came across an interesting post at freedom-to-tinker discussing the impacts of google's flu monitoring program. "My concern today is whether Flu Trends can be manipulated. The system makes inferences from how people search, but people can change their search behavior. What if a person or a small group set out to...
