Surviving the Week 6/15/2012

United States Department of Defense data leaked by Anonymous hackers

A group named “Wikiboat” attacked the website of the Department of Defense and gained access to some sensitive information. The information disclosure was the result of a SQL injection. The leaked data includes some officials’ names, emails and phone numbers. If the website of the DoD can be penetrated, it’s time to ask yourself whether your application is secure against modern-day attacks. Test your application with NTOSpider to find out -
http://thehackernews.com/2012/06/united-states-department-of-defense.html

The Biggest Cybersecurity Threat Just May Be Your Own Staff

According to a survey, 71% of IT management consider insider threats to be the greatest security risk to their companies. These days, very few ports are allowed inbound to company networks from the Internet, typically only 80 and 443. Attacks over the web that take advantage of application vulnerabilities have increased over the years. We have seen cases where a vulnerability in an application resulted in a complete compromise of the internal network. Make your application more secure by testing it periodically with NTOSpider -
http://blogs.wsj.com/cio/2012/06/12/the-biggest-cybersecurity-threat-just-may-be-your-own-staff/?mod=wsjcio_hps_cioreport

Active Zero-Day Exploit Targets Internet Explorer Flaw

A new zero-day vulnerability has been discovered in Internet Explorer. Microsoft has released a patch (MS12-037) for CVE-2012-1875. Patch IE with the highest priority to protect yourself against this vulnerability -
http://blogs.mcafee.com/mcafee-labs/active-zero-day-exploit-targets-internet-explorer-flaw

A Tragically Comedic Security Flaw in MySQL

A flaw was discovered due to an assumption that the memcmp() function would always return a value within the range -128 to 127 (a signed char). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication. MySQL has released a patch for CVE-2012-2122. Patch your MySQL to protect against this comedic vulnerability -
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
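The following is an added example, not code from the original post or from MySQL, that mirrors the pattern the item describes: a comparison routine whose one-byte boolean return type silently truncates the int that memcmp() produces. The wide_memcmp() stand-in, the my_bool typedef, the function names and the two constructed 20-byte hashes are all assumptions made for the illustration; the stand-in always returns a multiple of 256 so the truncation is visible deterministically, whereas the real platforms did so only for some inputs (hence the 1 in 256 figure). The hardened version reduces the result to an explicit 0/1 before the narrowing conversion.

```c
#include <stddef.h>
#include <stdio.h>

/* my_bool mirrors the one-byte boolean return type the item describes:
 * the int produced by the comparison is narrowed into it on return. */
typedef char my_bool;

/* Constructed stand-in for an optimised memcmp() that reports the byte
 * difference scaled by 256, i.e. a value outside -128..127. Real libc
 * builds behaved like this only on some platforms/optimisation levels. */
static int wide_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *p = a, *q = b;
    for (size_t i = 0; i < n; i++) {
        if (p[i] != q[i])
            return ((int)p[i] - (int)q[i]) * 256;
    }
    return 0;
}

/* Vulnerable pattern: the caller treats a zero return as "hashes match".
 * The int result is narrowed to char on return; on the usual two's
 * complement targets that conversion keeps only the low 8 bits, so any
 * nonzero multiple of 256 collapses to 0 and a wrong hash is accepted. */
static my_bool hashes_differ_vulnerable(const unsigned char *a,
                                        const unsigned char *b, size_t n) {
    return wide_memcmp(a, b, n);   /* implicit int -> char truncation */
}

/* Hardened version: reduce the comparison to an explicit 0/1 before the
 * narrowing conversion. The OR-accumulator form also takes the same time
 * regardless of which byte mismatches, so it does not leak that either. */
static my_bool hashes_differ_fixed(const unsigned char *a,
                                   const unsigned char *b, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    return acc != 0;
}

#define HASH_LEN 20   /* SHA-1 digest length used by the protocol */

/* Constructed pair of hashes that differ only in the final byte. */
static const unsigned char expected[HASH_LEN] = {
    0x3a, 0x1f, 0x9c, 0x00, 0x55, 0x2b, 0x77, 0x81, 0x0d, 0xee,
    0x4c, 0x90, 0x12, 0xaa, 0x6e, 0x03, 0xf4, 0x58, 0xc1, 0x27 };
static const unsigned char supplied[HASH_LEN] = {
    0x3a, 0x1f, 0x9c, 0x00, 0x55, 0x2b, 0x77, 0x81, 0x0d, 0xee,
    0x4c, 0x90, 0x12, 0xaa, 0x6e, 0x03, 0xf4, 0x58, 0xc1, 0x26 };

/* Each returns 1 when the check correctly reports a mismatch and 0 when
 * it wrongly reports a match for the constructed pair above. */
int vulnerable_check_rejects_wrong_hash(void) {
    return hashes_differ_vulnerable(expected, supplied, HASH_LEN) != 0;
}

int fixed_check_rejects_wrong_hash(void) {
    return hashes_differ_fixed(expected, supplied, HASH_LEN) != 0;
}

int main(void) {
    printf("vulnerable check rejects wrong hash: %d\n",
           vulnerable_check_rejects_wrong_hash());
    printf("fixed check rejects wrong hash:      %d\n",
           fixed_check_rejects_wrong_hash());
    return 0;
}
```

The byte difference here is 1, so wide_memcmp() returns 256; narrowed to a char that is 0, and the vulnerable check reports a match for a hash that is wrong. The fixed check returns 1 for the same input. The general lesson for reviewers is to treat any function whose return type is narrower than the value it returns as suspect, and to never pass a raw memcmp() result through a boolean type without normalising it first.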


About Dan Kuykendall

Dan Kuykendall is the CTO and Co-CEO at NT OBJECTives. Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NT OBJECTives from Foundstone, where he was responsible for the portal interface to the company’s flagship product, FoundScan. Prior to Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. Dan is a regular blogger on web application security issues on ManVsWebApp.com and co-hosts An Information Security Place Podcast. He has presented on the topics of mobile and application security at many of the top security industry conferences such as ISSA (2011), B-Sides (2012-2013), OWASP AppSecUSA (2012), HouSecCon (2010-2012), ToorCon (2013) and THOTCON (2013). Dan has been involved with the Web Application Security Consortium and is a regular contributor to many open source development projects, including founding the RPM Builder, phpGroupWare and podPress projects. Connect with Dan on Google+
