Surviving the Week 11/2/12, Ford website hacked by NullCrew

We’re a bit late this week on our Surviving the Week post, because we’ve been busy with our recent product launch of NTOSpider 6.

During the month of October, I spoke at HouSecCon, ToorCon and OWASP AppSec USA with an emphasis on why newer technologies,  like REST, AJAX, JSON and GWT create challenges for modern web scanners and how security professional can determine if scanners are effectively scanning and attacking them.

18 of 24 Major Federal Agencies Have Reported Inadequate Information Security Controls – GAO Report

The U.S. Government Accountability Office (GAO) found in its August 2012 report that “18 of 24 major federal agencies have reported inadequate information security controls,” and “inspectors general at 22 of these agencies identified information security as a major management challenge for their agency.” And in its September 2012 report on mobile security, GAO found that malware aimed at mobile devices alone has risen 185% in less than a year. Talk about scary.

The newest version of our web application security scanner, NTOSpider 6, includes Universal Translator Technology which has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications.

Ford Website Hacked by NullCrew, User Credentials Leaked Online


The hackers claim to have leveraged a SQL Injection vulnerability in order to gain access to the databases behind the subdomain. As a result of the breach, database and table names, customer usernames – represented by email addresses – and encrypted passwords have been leaked. Test your application with NTOSpider to find security vulnerabilities including SQL Injection.

To test SQL Injection further, You can use our free tool, SQL Invader. Details of NTO SQL Invader can be found at

South Carolina Hit in Massive Cyberattack – 3.6 Million Tax Payers Exposed

On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers. Six days later, investigators uncovered two attempts to probe the system in early September, as well as a previous attempt that was made in late August. In mid-September, two other intrusions occurred that authorities believe were the first times the intruder or intruders obtained data. No other intrusions have been uncovered at this time, and on Oct. 20, the vulnerability in the system was closed, according to the DOR.

US and Canada Launch Joint Cybersecurity Plan

Canada and the United States announced Friday they were launching a joint cybsersecurity plan to protect their digital infrastructure from online threats. The action plan, under the auspices of the US Department of Homeland Security and Public Safety Canada, aims to better protect critical digital infrastructure and improve the response to cyber incidents.

On Cybersecurity, Small Businesses Flirting with Disaster

U.S. small businesses are hiding behind the belief they have done enough to secure themselves against hackers and malware when in reality many are vulnerable to attacks that could doom their businesses, according to a recent survey. The survey, sponsored by the National Cyber Security Alliance (NCSA) and Symantec, found that 77% of 1,015 small businesses think they are safe from cyber attacks. The survey defines small business as a company with less than 250 employees. Use NTOSpider on-demand to test your application. NTOSpider on-demand allows small and medium business to scan their applications effectively without requiring any security staff. Our consulting team can help you verify the scan results

Number of XSS, SQL Injection, File include and other high risk vulnerabilities in some of the very commonly used platform/applications

Drupal Time Spent 6.x / 7.x XSS / CSRF / SQL Injection –

Drupal MailChimp 7.x Cross Site Scripting – WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite –

WordPress Easy Webinar Blind SQL Injection –

WordPress FoxyPress XSS / CSRF / SQL Injection –

NASA Tri-Agency Climate Education (TrACE) 1.0 XSS –

NASA Tri-Agency Climate Education (TrACE) 1.0 SQL Injection –

Joomla Quiz Cross Site Scripting / SQL Injection –

Oracle Java Font Processing “maxPointCount” Heap Overflow –

VaM Shop 1.69 Cross Site Scripting / SQL Injection –

ClanSphere 2011.3 Local File Inclusion / Remote Code Execution –

Inout Article Base Ultimate SQL Injection / CSRF –

Bitweaver 2.8.1 Cross Site Scripting / Local File Inclusion –

Inventory 1.0 SQL Injection –

Layton Helpbox 4.4.0 SQL Injection –

Layton Helpbox 4.4.0 Stored Cross Site Scripting –

Layton Helpbox 4.4.0 Cross Site Scripting –

VicBlog Path Disclosure / SQL Injection –

Gramophone 0.01b1 Cross Site Scripting –

TP-LINK TL-WR841N Local File Inclusion –

NetCat CMS 5.0.1 Cross Site Scripting / HTTP Parameter Pollution –

Citrix XenServer 6.0.2 Privilege Escalation –

PG Dating Pro CMS 1.0 Cross Site Scripting / SQL Injection –

Endpoint Protector Cross Site Scripting –


About Dan Kuykendall 159 Articles
Connect with Dan on Google+

Be the first to comment

Leave a Reply

Your email address will not be published.