Information Filed Under ‘Web Service Security’ Category

What Star Trek Predicts About The Future of Information Security

I had a funny thought while talking with some folks from Intel about what the future state of information security would look like and how that relates to what our favorite nerdy show, Star Trek, has to say on the topic. This is meant to be a funny post, but there may be some truth buried in here somewhere too. Without further ado:

Physical security will always be a problem: How many times have we seen people open up random access panels on the Enterprise and start pulling out chips when something goes awry, or just start swapping them out right and left?

See the original post:
What Star Trek Predicts About The Future of Information Security

Ukrainian "Fan Club" Features Malvertisement at NYTimes.com

If my Ukrainian “fan club” can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could. Yesterday, the NYTimes.com posted a note to readers, confirming that a malvertisement campaign somehow made on their web site, resulting in the automatic exposure of users to scareware: “Some nytimes.com readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software

See the original post here:
Ukrainian "Fan Club" Features Malvertisement at NYTimes.com

How to secure web servers and database servers

Web servers are one of the most targeted public faces of an organization.  Securing a web server is as important as securing the website or web application itself and the network around it. Although securing a web server can be a daunting operation and requires specialist expertise, it is not an impossible task to achieve

Here is the original post:
How to secure web servers and database servers

Google Safe-Browsing and Chrome Privacy Leak

One of the other things Jabra and I talked about that worried a lot of people was the fact that Google’s Safe Browsing software (built into Firefox and Chrome) could be used to track them. Safe Browsing is designed to protect you from phishing and malware sites by using a blacklist approach that gets downloaded to your browser on a regular basis. In an experiment that I let run for 24 hours, I watched the number of connections Firefox made out to Google.

See the original post here:
Google Safe-Browsing and Chrome Privacy Leak

SQL injection used in the largest data security breach in U.S. history to date

Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit and debit card numbers from five leading companies.  They took advantage of a coding error, and allegedly used a SQL injection attack to compromise a web application, which was used as the starting point to help them bypass company network firewalls and gain access over companies’ networks. One of the main problems large enterprises are facing is that although SQL injection errors are relatively easy to find, they are difficult and costly to fix.  Developers need to have proper security skills, and keep security in mind when developing custom web applications.  Although automated web vulnerability scanners such as Acunetix WVS must always be accompanied by manual penetration testing, they help developers in saving time in securing their web applications and sharpen their security skills, to develop secure web applications before they are pushed into a production environment.

Read the original here:
SQL injection used in the largest data security breach in U.S. history to date

Security risks associated with utf8_decode and XSS filters

At BlackHat USA 2009, Eduardo Vela Nava (sirdarckcat) and David Lindsay presented a paper entitled “Our Favorite XSS Filters and How to Attack Them”. Very interesting paper, you should definitely take a look at it. In this paper, besides other things, they presented a very interesting way to bypass XSS filters using Unicode characters.

View post:
Security risks associated with utf8_decode and XSS filters

Summarizing Zero Day’s Posts for July

The following is a brief summary of all of my posts at ZDNet’s Zero Day for July. You can also go through previous summaries for June, May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day’s main feed. Notable articles include – Manchester City Council pays $2.4m in Conficker clean up costs; Transmitter.C mobile malware spreading in the wild; and Does free antivirus offer a false feeling of security?

See the original post here:
Summarizing Zero Day’s Posts for July

Security Bulletin Posted for Adobe Flash Player

A Security Bulletin has been posted in regards to the Adobe Flash Player issues last mentioned in the Adobe PSIRT blogs on July 28 (“Impact of Microsoft ATL vulnerability on Adobe Products”, CVE-2009-0901, CVE-2009-2495, CVE-2009-2493) and July 22 (“Update on Adobe Reader, Acrobat and Flash Player Issue”, CVE-2009-1862). Adobe categorizes these as critical issues and recommends affected users patch their installations. This posting is provided “AS IS” with no warranties and confers no rights.

Read the rest here:
Security Bulletin Posted for Adobe Flash Player

New Acunetix WVS V6.5 build; better support for CAPTCHA and modern authentication mechanisms

With the release of the latest Acunetix WVS Version 6.5 build, 20090728 (http://www.acunetix.com/support/build-history.htm), we announce that Acunetix WVS has better support for web applications with CAPTCHA, single sign-on and two-factor authentication mechanisms.

Continued here:
New Acunetix WVS V6.5 build; better support for CAPTCHA and modern authentication mechanisms

Locking up the valuables: Opt-in security with ForceTLS

Computers are increasingly mobile and, to serve them, more and more public spaces (cafes, airports, libraries, etc.) offer their customers WiFi access. When a web browser on such a network requests a resource, it is implicitly trusting the hotspot not to interfere with the communication. A malicious computer hooked up to the network could alter the traffic, however, and this can have some unpleasant consequences.

HTTP Man-In-The-Middle (MITM) attacks

Consider your typical online banking session: you type “www.mybank.com” into the address bar, hit enter, and wait for the site to load. When it shows up, you enter your password, do your banking, then log out. This process is more-or-less automatic for many people, and the subtleties of the process disappear in the background. More specifically, these are the steps for logging into the bank’s site:

1. You type “www.mybank.com” into the address bar and hit enter

Continued here:
Locking up the valuables: Opt-in security with ForceTLS

A Diverse Portfolio of Fake Security Software – Part Twenty Three

Part twenty three of the diverse portfolio of fake security software series will once again summarize the scareware domains currently in circulation, delivered through the usual channels – blackhat SEO, compromises of legitimate web sites, comment spam and bogus adult web sites, with an emphasis on yet another bogus company acting as a front-end to an affiliate network – AK Network Commerce Ltd. Scareware remains the dominant monetization tactic applied by cybercriminals automatically abusing Web 2.0 properties. The latest scareware domains are listed in the original post.

More here:
A Diverse Portfolio of Fake Security Software – Part Twenty Three

Update on Adobe Reader, Acrobat and Flash Player Issue

A Security Advisory has been posted in regards to the Adobe Reader, Acrobat and Flash Player issue discussed in the Adobe PSIRT blog on July 21 (“Potential Adobe Reader, Acrobat, and Flash Player issue”, CVE-2009-1862). A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system

More here:
Update on Adobe Reader, Acrobat and Flash Player Issue

2 of SANS’s top 25 most dangerous programming errors led to more than 1.5 million website security breaches in 2008

Earlier this year, a report from the SANS Institute showed that two of the twenty-five most dangerous programming errors led to more than 1.5 million website security breaches in 2008. The report is a joint effort from more than 30 US and international cyber security organizations, such as CERT, Red Hat and the Department of Homeland Security. The programming errors have been grouped into three categories:

- Insecure Interaction between Components (9 errors)
- Risky Resource Management (9 errors)
- Porous Defenses (7 errors)

As SANS Director Mason Brown said, every programming team must have the processes in place to find, fix, or avoid these problems and have the tools needed to verify their code is as free of these errors as automated tools can verify. From this report, one can clearly conclude that security awareness and secure coding training are indeed a must. Also, programmers need automated testing tools to help them measure the security of the software they are writing and automatically train them to write secure code, since unfortunately, most of the errors are not well understood by the programmers themselves. Read the full SANS report here

More:
2 of SANS’s top 25 most dangerous programming errors led to more than 1.5 million website security breaches in 2008

How to check web applications for SQL injection vulnerabilities

In a previous post, we linked to an article which gave an in-depth explanation of SQL injection vulnerabilities, and what impact such vulnerabilities can have on your web application. Now that you know what they are and what their impact could be, how can you find out if your website is vulnerable to SQL injection attacks?

See the original post here:
How to check web applications for SQL injection vulnerabilities

U.S. Dept. of Defence publishes attack details of two successful U.S. Army web servers breaches

The Department of Defence and other investigators are investigating two U.S. Army web server breaches which were never publicly disclosed. On 19th September 2007 and 26th January 2008, a Turkish hacker group known as “m0sted” successfully probed 2 U.S.

Go here to see the original:
U.S. Dept. of Defence publishes attack details of two successful U.S. Army web servers breaches

Why File Upload Forms are a major security threat

File upload forms can nowadays be found all over the internet: in social network web applications such as Facebook and Twitter, in blogs, forums, e-banking sites, YouTube and also in corporate support portals, to give the end user the opportunity to efficiently share files with corporate employees. Users are allowed to upload images, videos, avatars and many other types of files. However, the more functionality provided to the end user, the greater the risk of having a vulnerable web application, and the chance that such functionality will be abused by malicious users to gain access to a specific website or to compromise a server is very high. The following white paper talks about a number of common security issues and vulnerabilities encountered while auditing file upload forms in several well known web applications. It also explains how to build secure file upload forms.

Continue reading here:
Why File Upload Forms are a major security threat

Google your own ‘hack’

Cult of the Dead Cow, the hacker group that gave the world Back Orifice, has once again brought out a tool worthy of notice – and of your legitimate use: Goolag. Yes, a play on Google, using dorks (according to Johnny.ihackstuff's site, “We call them 'googledorks': Inept or foolish people as revealed by Google.”)

Read the original post:
Google your own ‘hack’