Hacker Defaces Microsoft U.K. Web Page

"A hacker managed a rare feat Wednesday, successfully attacking a Web page within Microsoft's U.K. domain and replacing the page with several graphics related to Saudi Arabia. The hacked page was a U.K. events page here. It has since been fixed. According to the security site Zone-h, a SQL injection attack is...

Is Web 2.0 Safe?

I went to www.msn.com today and saw an article called 'is Web 2.0 Safe?'. To my surprise it linked to an article where Jeremiah Grossman and Robert Hansen were quoted. The fact that MSN is linking to web security related articles really speaks to the change of the industry. "As users store...

Microsoft Security Grunt voted #6 on Worst Jobs in Science 2007 by Popular Science

Popular Science has voted 'Microsoft Security Grunt' as the 6th worst job in science to have. "Do you flinch when your inbox dings? The people manning secure@microsoft.com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft...

Rolling Reviews: Cenzic Hailstorm Enterprise Application Risk Controller

First the review of SPI Dynamics Webinspect was posted and now Networkcomputing has posted the review for Cenzic's Hailstorm ARC product. "We continue our ongoing review of Web application scanners with a look at Cenzic Hailstorm. While it performed relatively well, Cenzic's ARC Web Interface could use some gussying up. Cenzic's Hailstorm...

Quicken Backdoor Discovered

"A Russian firm that provides password-recovery services says it has found a backdoor in the encryption mechanism that Quicken uses to secure password-protected files, a feature that makes millions of users of the personal finance program more vulnerable to government spooks or other highly determined snoops. Elcomsoft, which made waves in 2001...

Pixy - An Open-Source Vulnerability Scanner for PHP Applications

"The Secure Systems Lab at the Technical University of Vienna has released the newest version of Pixy, an open-source vulnerability scanner. Here are some of the highlights: - detection of SQL injection and XSS vulnerabilities in PHP source code - automatic resolution of file inclusions - computation of dependence graphs that help...

Department of Homeland Security gets Pwned, and pwned, and pwned

"The Homeland Security Department, the lead U.S. agency for fighting cyber threats, suffered more than 800 hacker break-ins, virus outbreaks and other computer security problems over two years, senior officials acknowledged to Congress. In one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer...

Tools: sqlninja 0.1.2 released

icesurfer writes "Hello fellow security enthusiasts, a new version of sqlninja is out at sourceforge! Introduction: sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB...

Designing a crypto attack on the Ccrp...

Piotr Musial writes "Ccrp was designed to be a highly secure private key encryptor for small files and messages, and uses bit-move logic as the primary means of "scrambling" the plaintext. Ccrp also uses a lookup table instead of a pseudorandom bit generator, and so to obtain good security with that...

Gangs infect 10,000 websites to steal users' bank details

"Hackers have launched an assault on websites in Italy and around the world dubbed the Italian Job in a move seen by internet security experts as the next step in the escalating problem of cyber crime. Gangs presumed to be based in eastern Europe have probably infected more than 10,000 web pages...

New security breach revealed: Los Alamos National Labs

"Reports of a major breach of security involving the board of directors of the corporation managing Los Alamos National Laboratory came to light Thursday. The chairman of the House Energy and Commerce Committee that oversees the nuclear complex wrote to Energy Secretary Samuel Bodman citing information obtained by committee staff from sources...

Article: Secure file upload in PHP web applications

A good article by Alla Bezroutchko has been published describing how to handle file uploads in PHP, specifically for sites dealing with image uploads. Check it out below. Article Link: http://www.net-security.org/dl/articles/php-file-upload.pdf

Cenzic Patents the obvious: Fault Injection!

I monitor google news for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic Cenzic is not the...

Ensuring Web application security during a company merger

"When two organizations merge, it's certain that they will have different security philosophies, policies, technologies and requirements regarding Web application security. For example, an ecommerce site that allows customers to track order progress has to permit deeper access into the back-end system than one that merely generates an email once the order...

Image attack on MySpace boosts phishing exposure

"The number of page views garnered by fraudulent sites climbed by a factor of five in March and April, fueled by a phishing scheme targeting MySpace users, stated a Google analysis published on Monday. The attack used a modification to the style sheet of a user's profile to place a transparent image...

Yahoo Hacker Uses Story to Find, Exploit Bug

"Exploit code has hit the Internet for the critical flaws in Yahoo Messenger that could enable a remote hacker to take control of a user's system. Yahoo Inc. was quick out of the gate and released a fix for the vulnerabilities last Friday, just two days after the flaws were publicly disclosed....

Two Universities Hit By Security Breaches

"Two universities suffered security breaches that compromised the security of sensitive personal information on students and faculty. Both the University of Iowa and the University of Virginia announced last Friday that they have been sending out notifications about the breaches. The University of Virginia said its investigation has shown that on 54...

Sun JRE Vulnerabilities

"A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted...

Rolling Reviews: SPI Dynamics WebInspect

For a long, long time I have intentionally not posted news about commercial products or services; however, I know that many of you who frequent this site are interested in those sorts of things. Part of the reason why I haven't posted news on commercial products is that I used to work for...

Using industry best practices for effective security training

"Improved employee understanding of appropriate behaviors and best practices for enhanced information security reduces security risks and helps ensure compliance with regulations such as Sarbanes-Oxley, HIPAA, the Payment Card Industry Data Security Standards (PCI DSS) and others. But merely providing security training is not enough. Organizations need to know if training programs...

Laws Threaten Security Researchers

"What if a Web researcher found a bug on your Website today -- but was too afraid of the law to tell you? The Computer Security Institute (CSI) recently formed a working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents to explore the effects of laws...

IIS 5.x Vuln Exploit released

I just found out about this myself and hadn't seen any news on it, so I'm posting it here (better late than never!). A vulnerability has been discovered in IIS5 that Microsoft apparently isn't going to fix, allowing an attacker to gain access to resources behind NTLM and Basic Auth. Microsoft is suggesting...

Announcement: WASC and OWASP Joint Blackhat Vegas Party

This year OWASP and WASC have decided to have a joint party at Blackhat vegas. I'll be there with many of the other appsec industry people. RSVP if you want to attend!

Incorrect configuration can open Web sites to application security attacks

Bryan Sullivan has just published "Incorrect configuration can open Web sites to application security attacks", the second half of "Debugging Application Security Vulnerabilities in Web.config Files". I've worked with Bryan at SPI Dynamics and he's a really sharp guy. As a matter of fact, I'm helping to peer review an ajax security...

Tool: untidy XML Fuzzer beta 2 is out

"untidy is a general purpose XML Fuzzer. It takes a string representation of an XML as input and generates a set of modified, potentially invalid, XMLs based on the input." Tool Link: http://untidy.sourceforge.net/

Cross-Site Scripting: Attackers' New Favorite Flaw

"For years buffer overflow has been the favorite target of online attackers, but no more: Cross-site scripting is now the biggest culprit. That's the scoop from Mitre Corp., which later this week will release its latest findings about the flaws behind publicly-disclosed vulnerabilities. The number two favorite flaw is SQL injection, says...

Unpatched input validation flaw in Firefox 2.0.0.4

Thor Larholm writes "Firefox 2.0.0.4 fixed a directory traversal vulnerability that allowed you to read local files. However, the patch only works for the Windows version of Firefox and actually re-introduces a previously fixed input validation flaw." More information at http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/