During the month of October, I spoke at HouSecCon, ToorCon and OWASP AppSec USA with an emphasis on why newer technologies, like REST, AJAX, JSON and GWT create challenges for modern web scanners and how security professional can determine if scanners are effectively scanning and attacking them.
18 of 24 Major Federal Agencies Have Reported Inadequate Information Security Controls – GAO Report
The U.S. Government Accountability Office (GAO) found in its August 2012 report that “18 of 24 major federal agencies have reported inadequate information security controls,” and “inspectors general at 22 of these agencies identified information security as a major management challenge for their agency.” And in its September 2012 report on mobile security, GAO found that malware aimed at mobile devices alone has risen 185% in less than a year. Talk about scary.
The newest version of our web application security scanner, NTOSpider 6, includes Universal Translator Technology which has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications.
Ford Website Hacked by NullCrew, User Credentials Leaked Online
The hackers claim to have leveraged a SQL Injection vulnerability in order to gain access to the databases behind the social.ford.com subdomain. As a result of the breach, database and table names, customer usernames – represented by email addresses – and encrypted passwords have been leaked. Test your application with NTOSpider to find security vulnerabilities including SQL Injection.
To test SQL Injection further, You can use our free tool, SQL Invader. Details of NTO SQL Invader can be found at
South Carolina Hit in Massive Cyberattack – 3.6 Million Tax Payers Exposed
On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers. Six days later, investigators uncovered two attempts to probe the system in early September, as well as a previous attempt that was made in late August. In mid-September, two other intrusions occurred that authorities believe were the first times the intruder or intruders obtained data. No other intrusions have been uncovered at this time, and on Oct. 20, the vulnerability in the system was closed, according to the DOR.
US and Canada Launch Joint Cybersecurity Plan
Canada and the United States announced Friday they were launching a joint cybsersecurity plan to protect their digital infrastructure from online threats. The action plan, under the auspices of the US Department of Homeland Security and Public Safety Canada, aims to better protect critical digital infrastructure and improve the response to cyber incidents.
On Cybersecurity, Small Businesses Flirting with Disaster
U.S. small businesses are hiding behind the belief they have done enough to secure themselves against hackers and malware when in reality many are vulnerable to attacks that could doom their businesses, according to a recent survey. The survey, sponsored by the National Cyber Security Alliance (NCSA) and Symantec, found that 77% of 1,015 small businesses think they are safe from cyber attacks. The survey defines small business as a company with less than 250 employees. Use NTOSpider on-demand to test your application. NTOSpider on-demand allows small and medium business to scan their applications effectively without requiring any security staff. Our consulting team can help you verify the scan results
Number of XSS, SQL Injection, File include and other high risk vulnerabilities in some of the very commonly used platform/applications
Drupal Time Spent 6.x / 7.x XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117660
Drupal MailChimp 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117666 WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite – http://packetstormsecurity.org/files/117665
WordPress Easy Webinar Blind SQL Injection – http://packetstormsecurity.org/files/117706
WordPress FoxyPress 0.4.2.5 XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117768
NASA Tri-Agency Climate Education (TrACE) 1.0 XSS – http://packetstormsecurity.org/files/117692
NASA Tri-Agency Climate Education (TrACE) 1.0 SQL Injection – http://packetstormsecurity.org/files/117693
Joomla Quiz Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117770
Oracle Java Font Processing “maxPointCount” Heap Overflow – http://packetstormsecurity.org/files/117659
VaM Shop 1.69 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117649
ClanSphere 2011.3 Local File Inclusion / Remote Code Execution – http://packetstormsecurity.org/files/117655
Inout Article Base Ultimate SQL Injection / CSRF – http://packetstormsecurity.org/files/117656
Bitweaver 2.8.1 Cross Site Scripting / Local File Inclusion – http://packetstormsecurity.org/files/117668
Inventory 1.0 SQL Injection – http://packetstormsecurity.org/files/117682
Layton Helpbox 4.4.0 SQL Injection – http://packetstormsecurity.org/files/117684
Layton Helpbox 4.4.0 Stored Cross Site Scripting – http://packetstormsecurity.org/files/117688
Layton Helpbox 4.4.0 Cross Site Scripting – http://packetstormsecurity.org/files/117690
VicBlog Path Disclosure / SQL Injection – http://packetstormsecurity.org/files/117709
Gramophone 0.01b1 Cross Site Scripting – http://packetstormsecurity.org/files/117710
TP-LINK TL-WR841N Local File Inclusion – http://packetstormsecurity.org/files/117749
NetCat CMS 5.0.1 Cross Site Scripting / HTTP Parameter Pollution – http://packetstormsecurity.org/files/117772
Citrix XenServer 6.0.2 Privilege Escalation – http://packetstormsecurity.org/files/117767
PG Dating Pro CMS 1.0 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117771
Endpoint Protector 22.214.171.124 Cross Site Scripting – http://packetstormsecurity.org/files/117765