Surviving the Week 11/2/12, Ford website hacked by NullCrew

We’re a bit late this week on our Surviving the Week post, because we’ve been busy with our recent product launch of NTOSpider 6.

During the month of October, I spoke at HouSecCon, ToorCon and OWASP AppSec USA with an emphasis on why newer technologies, like REST, AJAX, JSON and GWT, create challenges for modern web scanners and how security professionals can determine whether scanners are effectively scanning and attacking them.

18 of 24 Major Federal Agencies Have Reported Inadequate Information Security Controls – GAO Report

The U.S. Government Accountability Office (GAO) found in its August 2012 report that “18 of 24 major federal agencies have reported inadequate information security controls,” and “inspectors general at 22 of these agencies identified information security as a major management challenge for their agency.” And in its September 2012 report on mobile security, GAO found that malware aimed at mobile devices alone has risen 185% in less than a year. Talk about scary.

The newest version of our web application security scanner, NTOSpider 6, includes Universal Translator Technology which has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications.
http://gov.aol.com/2012/10/22/gao-report-cybersecurity/

Ford Website Hacked by NullCrew, User Credentials Leaked Online


The hackers claim to have leveraged a SQL Injection vulnerability in order to gain access to the databases behind the social.ford.com subdomain. As a result of the breach, database and table names, customer usernames – represented by email addresses – and encrypted passwords have been leaked. Test your application with NTOSpider to find security vulnerabilities including SQL Injection.
http://news.softpedia.com/news/Ford-Website-Hacked-by-NullCrew-User-Credentials-Leaked-Online-302688.shtml

To test for SQL Injection further, you can use our free tool, NTO SQL Invader. Details of NTO SQL Invader can be found at
http://www.ntobjectives.com/go/nto-sql-invader-free-download/
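As an added illustration of the vulnerability class behind the Ford breach (example code written for this post; it is not NullCrew's technique and not code from Ford's site), the block below shows a lookup built by string concatenation next to the same lookup with a bound parameter. A UNION-based payload against the first one dumps table names and then the user rows, while the parameterized version treats the payload as a plain string and returns nothing. It uses Python's sqlite3 with a constructed in-memory users table; the table and column names, the sample e-mail addresses and the placeholder hash strings are all assumptions, and SQLite's sqlite_master stands in for MySQL's information_schema.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
# E-mail addresses and hash strings are placeholders, not real credentials.
SAMPLE_USERS = [
    ("alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob@example.com", "e10adc3949ba59abbe56e057f20f883e"),
]


def make_db():
    """Build an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, pwhash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by concatenation: the input becomes part of the SQL."""
    sql = "SELECT email, pwhash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same query with a bound parameter: the input can only be a value."""
    sql = "SELECT email, pwhash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Payload 1: close the string, UNION in the schema catalogue, comment out
# the trailing quote. On MySQL the catalogue would be information_schema.tables;
# SQLite keeps it in sqlite_master. Column count (2) must match the query.
DUMP_TABLES = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' -- "

# Payload 2: once the table is known, a tautology returns every row.
DUMP_USERS = "' OR '1'='1"


def run_demo():
    """Run both payloads against both lookups and return the rows each gives."""
    conn = make_db()
    return {
        "tables_via_vuln": lookup_vulnerable(conn, DUMP_TABLES),
        "creds_via_vuln": lookup_vulnerable(conn, DUMP_USERS),
        "tables_via_safe": lookup_safe(conn, DUMP_TABLES),
        "creds_via_safe": lookup_safe(conn, DUMP_USERS),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

The first payload only works when the injected SELECT returns the same number of columns as the original query, which is why scanners and tools like SQL Invader probe the column count first; the second payload needs no schema knowledge at all, which is why a login or search field that concatenates input is enough to leak a whole table.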

South Carolina Hit in Massive Cyberattack – 3.6 Million Tax Payers Exposed

On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers. Six days later, investigators uncovered two attempts to probe the system in early September, as well as a previous attempt that was made in late August. In mid-September, two other intrusions occurred that authorities believe were the first times the intruder or intruders obtained data. No other intrusions have been uncovered at this time, and on Oct. 20, the vulnerability in the system was closed, according to the DOR.
http://www.securityweek.com/south-carolina-hit-massive-cyberattack

US and Canada Launch Joint Cybersecurity Plan

Canada and the United States announced Friday they were launching a joint cybersecurity plan to protect their digital infrastructure from online threats. The action plan, under the auspices of the US Department of Homeland Security and Public Safety Canada, aims to better protect critical digital infrastructure and improve the response to cyber incidents.
http://www.securityweek.com/us-canada-launch-joint-cybersecurity-plan

On Cybersecurity, Small Businesses Flirting with Disaster

U.S. small businesses are hiding behind the belief that they have done enough to secure themselves against hackers and malware when in reality many are vulnerable to attacks that could doom their businesses, according to a recent survey. The survey, sponsored by the National Cyber Security Alliance (NCSA) and Symantec, found that 77% of 1,015 small businesses think they are safe from cyber attacks. The survey defines a small business as a company with fewer than 250 employees. Use NTOSpider on-demand to test your application. NTOSpider on-demand allows small and medium businesses to scan their applications effectively without requiring any security staff. Our consulting team can help you verify the scan results.
http://www.zdnet.com/on-cybersecurity-small-businesses-flirting-with-disaster-survey-finds-7000005891/

XSS, SQL Injection, file inclusion and other high-risk vulnerabilities reported this week in commonly used platforms and applications

Drupal Time Spent 6.x / 7.x XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117660

Drupal MailChimp 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117666

WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite – http://packetstormsecurity.org/files/117665

WordPress Easy Webinar Blind SQL Injection – http://packetstormsecurity.org/files/117706

WordPress FoxyPress 0.4.2.5 XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117768

NASA Tri-Agency Climate Education (TrACE) 1.0 XSS – http://packetstormsecurity.org/files/117692

NASA Tri-Agency Climate Education (TrACE) 1.0 SQL Injection – http://packetstormsecurity.org/files/117693

Joomla Quiz Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117770

Oracle Java Font Processing “maxPointCount” Heap Overflow – http://packetstormsecurity.org/files/117659

VaM Shop 1.69 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117649

ClanSphere 2011.3 Local File Inclusion / Remote Code Execution – http://packetstormsecurity.org/files/117655

Inout Article Base Ultimate SQL Injection / CSRF – http://packetstormsecurity.org/files/117656

Bitweaver 2.8.1 Cross Site Scripting / Local File Inclusion – http://packetstormsecurity.org/files/117668

Inventory 1.0 SQL Injection – http://packetstormsecurity.org/files/117682

Layton Helpbox 4.4.0 SQL Injection – http://packetstormsecurity.org/files/117684

Layton Helpbox 4.4.0 Stored Cross Site Scripting – http://packetstormsecurity.org/files/117688

Layton Helpbox 4.4.0 Cross Site Scripting – http://packetstormsecurity.org/files/117690

VicBlog Path Disclosure / SQL Injection – http://packetstormsecurity.org/files/117709

Gramophone 0.01b1 Cross Site Scripting – http://packetstormsecurity.org/files/117710

TP-LINK TL-WR841N Local File Inclusion – http://packetstormsecurity.org/files/117749

NetCat CMS 5.0.1 Cross Site Scripting / HTTP Parameter Pollution – http://packetstormsecurity.org/files/117772

Citrix XenServer 6.0.2 Privilege Escalation – http://packetstormsecurity.org/files/117767

PG Dating Pro CMS 1.0 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117771

Endpoint Protector 4.0.4.2 Cross Site Scripting – http://packetstormsecurity.org/files/117765


About Dan Kuykendall