"A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby Jack at...
Masked passwords must go?
"Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They...
Blind Hacker Sentenced to 11 Years in Prison
"A legally blind Massachusetts phone hacker was sentenced Friday to over 11 years in federal prison, following his guilty plea on computer intrusion and witness intimidation charges earlier this year. Matthew Weigman, 19, was sentenced in Dallas by U.S. District Judge Barbara M.G. Lynn, according to the U.S. Attorney’s Office there. There...
Max Vision Pleads Guilty To Wire Fraud/Carding
"A San Francisco man pleaded guilty today in Pittsburgh this afternoon to federal charges of hacking into computer systems of financial institutions and other hackers to steal nearly 2 million credit card numbers, which were used to rack up more than $86 million in fraudulent charges. Max Ray Vision, formerly Max Ray...
Generic Remote File Inclusion Attack Detection
"A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially php applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to...
Session Attacks and ASP.NET - Part 2
"In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET’s session architecture and authentication architecture. In this post, I’ll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures." Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/
FTP login credentials at major corporations breached
"A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee. According to a report in the Friday edition of The Register, Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K., discovered...
Article: The Problem of "Too Many Problems"
Rafal has a good post on the challenges security folks/sdl folks have when presenting their findings to business folks. "The presentation the next day kicked off as expected... we presented our executive summary, the methodology of our product validation and moved on to the specific findings. In this case, since there was...
Google Chrome Fixes Buffer Overflow Vulnerability
"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs. CVE-2009-2121: Buffer overflow processing HTTP responsesGoogle Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could...
Iran accuses CNN of training hackers to launch DDOS attacks
"Iran's foreign ministry spokesman accused the cable network CNN of "officially" training people to "hack government and foreign ministry" websites on Monday, citing a CNN.com article that explained how hackers were launching distributed denial-of-service (DDOS) attacks on Iranian government sites. "They officially trained the people to come and hack Iran's government websites,"...
Browser Security: Lessons from Google Chrome
An article on security in Google's Chrome browser has been published. "The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security...
Stephen Watt/JimJones/Unix Terrorist to be Sentenced Monday
Original Photo (c) from sensepost, butchered by cgisecurity Watt (also known as Unix Terrorist and JimJones) pictured far right during a Defcon talk (video available). "Watt, a 7-foot-tall software engineer who was working for Morgan Stanley at the time the hacks occurred, pleaded guilty in December to creating a sniffing program dubbed...
Session Attacks and ASP.NET - Part 1
Sans has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t looked...
Hacker cracks TinyURL rival, redirects millions of Twitter users
"A URL-shortening service that condenses long Web addresses for use on micro-blogging sites like Twitter was hacked over the weekend, sending millions of users to an unintended destination, a security researcher said today. After Cligs, a rival to the better known TinyURL and bit.ly shortening services, was attacked Sunday, more than 2.2...
Article: 'Setting the appropriate security defect handling expectations in development and QA
I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather...
Phrack 66 is out!
IntroductionTCLH Phrack Prophile on The PaX TeamTCLH Phrack World NewsTCLH Abusing the Objective C runtimenemo Backdooring Juniper FirewallsGraeme Exploiting DLmalloc frees in 2009huku Persistent BIOS infectionaLS and Alfredo Exploiting UMA : FreeBSD kernel heap exploitsargp and karl Exploiting TCP Persist Timer Infinitenessithilgore Malloc Des-Maleficarumblackngel A Real SMM RootkitCore Collapse Alphanumeric RISC ARM...
SHA-1 collisions achievable
"The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 263, the researchers have been able to whittle that down to 252, a number that puts practical attacks...
Microsoft Security Bulletin Summary for June 2009
Patch Tuesday is here again. Here's the rundown of what was fixed. MS09-018 Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055) This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when...
New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks
Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross...
100,000 sites deleted in hack, software company boss commits suicide
"The boss of Indian software firm LxLabs was found dead in a suspected suicide on Monday. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM, a virtualization application made by LXLabs, to wipe out data on 100,000 sites hosted...
T-Mobile confirms hackers' info is legit
"The information posted over the weekend by hackers who claimed to have hacked T-Mobile is legit, T-Mobile now says. But, it's not clear that the hackers have the full access to T-Mobile systems they claim. On Saturday, hackers posted what appear to be logfiles taken from T-Mobile's networks to the Full Disclosure...
When XSS can cost you $10,000
"Did you hear the one about the hacker-free e-mail service that was so confident about its enhanced security measure that it offered up $10,000 to anyone who could hack into it? It got hacked. Here’s the part that’s really crazy, though. There was initially some question as to whether or not the...
Astalavista.com hacked
"For those who don't know of Astalavista, it was a popular website for "hackers" with relatively low-quality content. It started in 1994, and was one of the first search engines for computer security information. It hosted software exploits, and quickly degenerated into a forum for sharing software cracks, spyware, and virii. Yes...
PayPal Software Security Podcast
Gary McGraw posted the following to the secure coding mailing list today. "Episode 6 of the Reality Check security podcast features our own Andy Steingruebl chatting with me about Paypal's software security initiative. This was a fun episode for me, because though I have known Andy for a while I had little...
Report: Mass Injection Attack Affects 40,000 Websites
"Researchers at Websense have discovered a mass injection attack that is redirecting Web browsers to a malware-bearing site. According to a weekend report by researchers at Websense, thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. "The active...
Insecure Magazine 21 (June) Released
Insecure magazine 21 has been released and covers the following. Malicious PDF: Get owned without opening Review: IronKey Personal Windows 7 security features: Building on Vista Using Wireshark to capture and analyze wireless traffic "Unclonable" RFID - a technical overview Secure development principles Q&A: Ron Gula on Nessus and Tenable Network Security...