Surviving the Week 10/26/12, XSS reported as most frequent attack type

Redirect flaw on .gov sites leaves open door for phishers

At least 20,000 users have fallen victim to a spam campaign that uses shortened links to legitimate government sites to carry out a hoax. In the scam, users receive emails containing “1.usa.gov” short links and are redirected twice upon clicking: first, immediately through a legitimate government site, then on to websites that look like CNBC news articles touting “$4,000 a month” home-based business opportunities. NTOSpider’s report on external resources shows how many external URLs your application points to. Scan your application with NTOSpider to find all possible vulnerabilities in the application –
http://www.scmagazine.com/redirect-flaw-on-gov-sites-leaves-open-door-for-phishers/article/264520/

FireHost Q3 Web Application Report — XSS Attacks Lead Pack As Most Frequent Attack Type

Cloud hosting company FireHost has announced the findings of its latest web application attack report, which provides a statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost’s customers between July and September and offers an impression of the current internet security climate as a whole. The top four attacks that come out of the report are Cross-site Scripting (XSS), Directory Traversal, SQL Injection, and Cross-site Request Forgery (CSRF). One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks: XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increase). XSS is now the most common attack type in the Superfecta, with CSRF in second. FireHost’s servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517. Test your application with NTOSpider to find possible vulnerabilities in your application –
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html

Adobe Pushes Security Updates For Shockwave Player

Adobe has released an update for Shockwave Player 11.6.7.637 and earlier versions on Windows and Mac OS X to close vulnerabilities that could allow an attacker to run malicious code on the affected system. The patch fixes five buffer overflow vulnerabilities and an array out-of-bounds vulnerability in the software. Adobe generally does not provide much information in its bulletins about the vulnerabilities beyond the CVE numbers (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-4176, CVE-2012-5273).
http://www.securityweek.com/adobe-pushes-security-updates-shockwave-player

snuck – Another tool to automate XSS Filter bypass

snuck is an automated tool that can help in finding XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer. The approach it adopts is based on inspecting the reflection context of the injection and relies on a set of specialized and obfuscated attack vectors for filter evasion. In addition, XSS testing is performed in-browser: a real web browser is driven to reproduce the attacker’s behavior and possibly the victim’s.
http://code.google.com/p/snuck/

Android Developers – How Much Can We Trust?

A team of German academics has published a very detailed paper about web security on the Android platform. The paper is titled “Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security” and can be found at http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf.

The paper is well worth reading for a much better description of their study. To summarize some of the findings: the authors downloaded 13,500 apps from the Google Play store, those with the top download counts, and then looked at the apps that use HTTPS. Of those, 790 apps implemented SSL but would accept any certificate. A further 284 of the apps would accept a certificate if it was signed by any approved CA, without checking which site it was issued for. Another noted problem with certificate acceptance is that the apps generally provided no visual indication that SSL was being used.

All in all, the cumulative install base of confirmed vulnerable apps within this 13,500-app sample lies between 39.5 and 185 million devices. Take the time to read the paper in its entirety.

Surviving the Week 10/19/12

Security Flaw Found in Steam

Hackers could have a new means of accessing your computer through a browser command that uses Valve’s software distribution system, Steam. When your browser accesses a URL that begins with “steam://”, it will prompt your copy of Steam to launch and perform some operation. Usually, such an operation would be to launch a game, or to install or uninstall software. http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf

Pacemaker Hacker Says Worm Could Possibly ‘Commit Mass Murder’

At the Ruxcon BreakPoint security conference in Melbourne, Barnaby Jack showed how an attacker with a laptop, located up to 50 feet from a victim, could remotely hack a pacemaker and deliver an 830-volt shock. In the talk named “mass murder, Windows exploits, hacking Apple and owning spy agencies,” he was just one presenter, and he showed a video that he does not want released to the public since the manufacturer would be named. http://blogs.computerworld.com/cybercrime-and-hacking/21163/pacemaker-hacker-says-worm-could-possibly-commit-mass-murder

“White Hat” Hackers Gathered in Houston to Talk Strategy

The 3rd annual HouSecCon took place a week ago. With attendance up 40% from 2011, it was exciting to be a part of this growing event. I was invited to speak again this year; my topic was “Get off your AMF and don’t REST on JSON”. My mobile web app sec related talk happened to go over really well at the conference. So well, in fact, that the local FOX 26 network highlighted the current state of mobile web application security in their 5 o’clock broadcast. http://www.myfoxhouston.com/story/19799259/2012/10/11/white-hat-hackers-gather-in-houston-to-talk-strategy

Can Science Stop Crime?

University of Washington computer scientist Tadayoshi Kohno (@yoshi_kohno) was featured in PBS’s NOVA scienceNOW on Wednesday (October 17) for his work, which shows how easy it is for a bad guy to hijack not just your laptop but your kids’ toys, medical devices, even your car. http://www.pbs.org/wgbh/nova/tech/can-science-stop-crime.html

The Cloud is a Scary Place

Security lapses such as XSS, CSRF, SQLi, or authentication bypass are not always easy to uncover for cloud companies such as PayPal, Facebook, Mozilla, Google, and Twitter. With bug bounties in place, the opportunity to discover security vulnerabilities can offer significant gain for white hats. http://www.zdnet.com/hacking-google-the-three-israeli-white-hats-rooting-out-the-webs-security-holes-7000005542/

Surviving the Week 10/12/12, The cloud is a scary place

The Cloud is a Scary Place

Security lapses such as XSS, CSRF, SQLi, or authentication bypass are not always easy to uncover for cloud companies such as PayPal, Facebook, Mozilla, Google, and Twitter. But with bug bounties in place, the opportunity to discover security vulnerabilities can offer significant gain for white hats all over the world.

SQL Invader is a free tool from NT OBJECTives that gives you the ability to quickly and easily exploit or demonstrate SQL Injection vulnerabilities in web applications.

http://www.zdnet.com/hacking-google-the-three-israeli-white-hats-rooting-out-the-webs-security-holes-7000005542/

“White Hat” Hackers Gather in Houston to Talk Strategy

The 3rd annual HouSecCon took place this week. With attendance up 40% from 2011, it was exciting to be a part of this growing event. I was invited to speak again this year. My topic was “Get off your AMF and don’t REST on JSON”.

My mobile web app sec related talk happened to go over really well at the conference. So well, in fact, that the local FOX 26 News highlighted the current state of mobile web application security in their 5 o’clock broadcast.
http://www.myfoxhouston.com/story/19799259/2012/10/11/white-hat-hackers-gather-in-houston-to-talk-strategy

Can Science Stop Crime?

University of Washington computer scientist Tadayoshi Kohno (@yoshi_kohno) will be featured in PBS’s NOVA scienceNOW on Wednesday (October 17) for his work, which shows how easy it is for someone to hijack not just your laptop but your kids’ toys, medical devices, even your car.
http://www.pbs.org/wgbh/nova/tech/can-science-stop-crime.html

Surviving the Week 10/5/12, Enterprises Struggle With Business Logic Attacks, Survey Finds

Enterprises Struggle With Business Logic Attacks, Survey Finds

A new survey emphasizes how business logic attacks can slip under the radar of development teams and cost enterprises time and money. More than 600 IT professionals took part in the survey; 88 percent of them said business logic abuse is equally or more important than any other security issue facing their company today.
http://www.securityweek.com/enterprises-struggle-business-logic-attacks-survey-finds

NT OBJECTives recently addressed the top 10 business logic flaws in this helpful white paper, “Attacking and Exploiting the Top 10 Business Logic Attack Vectors”.
http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper

TypeScript Is Microsoft’s Attempt At Making JavaScript Application Development Easier

JavaScript is one of the core technologies of HTML5, and Microsoft has been aggressively pushing HTML5 in Internet Explorer 10. So what happens when you combine Microsoft’s desire to create another proprietary programming language with its insistence on HTML5? You get TypeScript, the company’s own version of JavaScript.
http://www.webpronews.com/typescript-is-microsofts-answer-to-javascript-2012-10

What are the challenges with SAST that don’t need a better engine?

Many people, CIOs included, are under the impression that SAST can solve every problem in security. Here is a list of problems with SAST engines that have nothing to do with the core engine – http://diniscruz.blogspot.in/2012/10/what-are-challenges-with-sast-that-dont.html

Web security protocol HSTS wins proposed standard status

A web security protocol designed to protect Internet users from hijacking of unencrypted web sites has won approval as a proposed standard. A steering group of the Internet Engineering Task Force (IETF) gave its blessing to a draft of HTTP Strict Transport Security (HSTS), an opt-in security enhancement in which web sites instruct browsers to always interact with them over a secure connection.
http://news.cnet.com/8301-1009_3-57524915-83/web-security-protocol-hsts-wins-proposed-standard-status/
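As an added illustration of the opt-in mechanism described above (this is example code, not from the article, the IETF draft or any browser), here is a small client-side HSTS policy cache in Python: it parses the Strict-Transport-Security header, remembers which hosts asked to be contacted only over HTTPS, honours includeSubDomains and max-age expiry, and rewrites later http:// URLs for those hosts. The header is only trusted when it arrived over TLS, since a policy set over plain HTTP could itself have been injected by the hijacker HSTS is meant to defeat.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse an HSTS value into (max_age, include_subdomains); None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name and name in seen:
            return None  # a repeated directive voids the whole header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True  # unknown directives are ignored, per the RFC
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expiry timestamp, include_subdomains)

    def record(self, host, header, over_tls=True, now=None):
        parsed = parse_hsts(header) if over_tls else None  # ignore HSTS over plain HTTP
        if parsed is None:
            return False
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        # max-age=0 stores an already-expired entry, which withdraws the policy
        self.policies[host.lower()] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self.policies.get(".".join(labels[i:]))
            if pol and pol[0] > now and (i == 0 or pol[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL for a known host; port 80 becomes 443."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname or "", now):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```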

A Number of SQL Injection, Code Injection and XSS Vulnerabilities Posted This Week

It’s another week in which a number of SQL Injection, XSS and code execution vulnerabilities were made public in some widely used applications, including WordPress, Oracle Identity Management and Drupal. Here is a list of some of the critical vulnerabilities disclosed this week.

InduSoft Web Studio Arbitrary Upload Remote Code Execution – http://packetstormsecurity.org/files/117113
Oracle Identity Management 10g Cross Site Scripting – http://packetstormsecurity.org/files/117110
Drupal Hostip 6.x / 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117084
WordPress Spider 1.0.1 SQL Injection / XSS – http://packetstormsecurity.org/files/117078
Omnistar Mailer 7.2 SQL Injection / Cross Site Scripting – http://packetstormsecurity.org/files/117079
PHPTax 0.8 Remote Code Execution – http://packetstormsecurity.org/files/117082
Drupal Twitter Pull 6.x / 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117107
phpMyBitTorrent 2.04 SQL Injection / Local File Inclusion – http://packetstormsecurity.org/files/117102
Template CMS 2.1.1 Cross Site Request Forgery / Cross Site Scripting – http://packetstormsecurity.org/files/117104
WordPress Premium Theme XSS Vulnerability – http://www.f-secure.com/weblog/archives/00002438.html