-
Under attack: 4,300 Indian websites defaced in H1 2010 -
More and more Indian websites are coming under threat from attackers and face the fear of getting defaced. In the first half of 2010, around 4,300 websites were reported to have been defaced in India. This threat has assumed significance in light of the fact that Indian companies are now increasing their online presence and tapping consumers through social networking sites
-
Pentagon computers attacked with flash drive -
A foreign spy agency pulled off the most serious breach of Pentagon computer networks ever by inserting a flash drive into a U.S. military laptop, a top defense official said Wednesday.
The previously classified incident, which took place in 2008 in the Middle East, was disclosed in a magazine article by Deputy Defense Secretary William J. Lynn and released by the Pentagon Wednesday. -
Errata Security: Adobe misses low hanging fruit in Reader
One of the most common features of "secure development" is the ability to avoid functions that are known to be dangerous, functions which have caused major vulnerabilities (such as Internet worms) in the past. These are functions developed in the 1970s, before their risks were understood. Now that we have suffered from these functions and understand the risks, we have come up with safer alternatives. Using these alternatives are cheap and easy, and they can save a development house endless embarrassment and remediation time. More importantly, while verifying that your code is "secure" is an essentially impossible task, verifying that your code contains no banned functions is easy. We call this the "low hanging fruit" of secure development.
One such bad function is "strcat." It copies data from one area of memory into another. However, it does not check that the target memory is big enough. Strcat continues copying beyond the bounds of the target memory, overwriting other parts of memory. Hackers can manipulate the overwritten areas in just the right way to break into the machine. With 48,000 hits on Google for strcat vulnerabilities, some dating back more than a decade, this is a well known potential security issue.
The most recent exploit in Adobe Reader, the "SING Table Parsing Vulnerability" (CVE-2010-2883) contains exactly this function. First found exploited in the wild by Mila Parkour, this vulnerability has seen weeks of front page coverage. Metasploit's Joshua Drake did a great writeup of the exploit, here. Chester Wisniewski of Sophos posted a video that clearly demonstrates what the attack looks like, here. While this particular version of the exploit does use javascript, disabling javascript will not fix the problem (unlike the fix for the recent Adobe Reader Flash attack.)
So why doesn't Adobe fix its low hanging fruit? Why does it continue to use these toxic functions? It's strange, hardware vendors are removing hazardous substances (RoHS) from devices, but software vendors aren't being similarly -
Update: E-voting machine woes stop some voters N.Y. - Computerworld
-
DRG SSH Username and Password Authentication Tag Clouds
DRG SSH Username and Password Authentication Tag Clouds
-
Compromising Twitter's OAuth security system
Twitter's extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong
-
In 2005, a company called CyberTrust—which has since been purchased by Verizon— gave Etisalat, the government-connected mobile company in the UAE, the right to verify that a site is valid. Here's why this is trouble: Since browsers now automatically trust Etisalat to confirm a site's identity, the company has the potential ability to fake a secure connection to any site Etisalat subscribers might visit using a man-in-the-middle scheme.
-
Chiuso il quotidiano online del Pdl «Attacco hacker ma torneremo» - Corriere della Sera
-
"The most significant new discovery is a universal Padding Oracle affecting every ASP.NET web application," Rizzo explains. "In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API.
"The vulnerabilities exploited affect the framework used by 25 per cent of the internet websites. -
Newest Adobe zero-day PDF exploit bypasses two Microsoft defenses | Security Central - InfoWorld
The exploit for a critical unpatched bug in Adobe Reader that's now circulating is "clever" and "impressive," security researchers said this week.
-
Microsoft closes hole used to attack industrial plants
Microsoft has credited security partners at Kaspersky Lab and Symantec for helping to close a critical Windows vulnerability that was being exploited by a sophisticated worm that has attacked industrial plants around the world.
-
Criminals 'go cloud' with attacks-as-a-service | Malware
Chinese group has opened up a site, called IM DDODS, that allows customers to sign in and order denial-of-service attacks
-
US-CERT Technical Cyber Security Alert TA10-257A -- Microsoft Updates for Multiple Vulnerabilities
Posted from Diigo. The rest of my favorite links are here.
Commenti
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx