Category Index
- Hacking Incidents / Cybercrime
- Unpatched Vulnerabilities
- Software Updates
- Business Case for Security
- Web Technologies
- Network Security
- Mobile Security
- Privacy
- General
- Funny
Hacking Incidents / Cybercrime
Open Letter to RSA Customers [www.rsa.com]
Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products
Japan earthquake search results already poisoned [www.net-security.org]
It didn’t take long for malware pushers to take advantage of Internet users’ hunger for news and videos from Japan after it was hit today by the most powerful earthquake in the last 100 years:
Rustock Botnet Flatlined, Spam Volumes Plummet [krebsonsecurity.com]
The global volume of junk e-mail sent worldwide took a massive nosedive today following what appears to be a coordinated takedown of the Rustock botnet, one of the world’s most active spam-generating machines.
For years, Rustock has been the most prolific purveyor of spam – mainly junk messages touting online pharmacies and male enhancement pills. But late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.
Thousands in Europe Faced Theft by Phuket ATM ‘Skim Scam’ Gang [phuketwan.com]
FOUR tourists from Romania have been accused of perpetrating an ATM credit card scam that stretched from London to Latvia and on to Thailand, delivering them 100 million baht and involving the theft of about 7000 credit card details.
The four appeared today at Phuket’s Tourist Police HQ. One, Bogdan Constantin Ene, 23, demonstrated how the group had used a card reader and a hard-drive to buy expensive goods, gold and watches, and to send a treasure trove of items back to Romania.
US embassy warns of visa scams [www.newstalk.ie]
The US embassy in Dublin is warning about a scam involving visas.
It is investigating reports of fraudulent e-mails, websites and adverts offering Diversity Visas.
It says under no circumstances should anyone send any money to any address in order to participate in a visa lottery.
Telecinco (Spanish TV Channel) mainsite compromised [www.zone-h.org]
see also http://www.zone-h.org/mirror/id/13233611
Free, open source exploit kit offered online [www.net-security.org]
Among the various exploit kits for sale out there it seems there is one that aspiring cyber crooks can use for free.
Hackers caught cheating in virtual stock market game [www.cnet.com]
The profile page for Bouncr, one of the startups in the stock market game, and on the Startup Bus. Hackers were said to have used an illegitimate script to help three teams playing the game earn ill-gotten gains. Bouncr was not one of the teams.
AUSTIN, Texas–When I wrote a story a couple days ago about trying to game the virtual Startup Bus stock market game, I didn’t realize that I was playing in the minor leagues.
The major leagues, it turns out, was an organized hack that illegitimately benefited three of the teams that were leading the stock competition among each of the several dozen teams of ‘buspreneurs’ aboard the six coaches that made their way from cities around the U.S. to Austin for the South by Southwest conference.
As part of the Startup Bus project, each of the teams on board one of the six buses created a new product or application from scratch, with the intention of having it presentable by the time they reached the Texas capital. Each team’s business has shares that have been trading in the virtual stock market, and though the share prices didn’t have a lot to do with what players–largely folks unconnected with the Startup Bus–thought of the products, there was at least a sense that shares would go up based on legitimate demand for them.
Users of Internet Explorer (IE), Firefox, Safari and Opera won’t receive a Flash update from Adobe until next week. [www.networkworld.com]
MHTML vulnerability under active exploitation (Users browsing with the Internet Explorer browser are affected) [googleonlinesecurity.blogspot.com]
We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.
For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.
PHP ‘shmop_read()’ Remote Integer Overflow Vulnerability [www.securityfocus.com]
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values are not overrun.
Successful exploits of this vulnerability allow remote attackers to execute arbitrary code in the context of a webserver affected by the issue. Failed attempts will likely result in denial-of-service conditions.
Versions prior to PHP 5.3.6 are vulnerable.
PHP 5.3.6 Released! [www.php.net]
The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related.
Google first to patch Flash bug with Chrome update [www.networkworld.com]
Takes advantage of deal with Adobe to push zero-day fix a week before others get protection
Google on Tuesday updated Chrome, patching a flaw in the browser’s copy of Flash Player.
The move let Chrome beat rival browsers to the punch: Users of Internet Explorer (IE), Firefox, Safari and Opera won’t receive a Flash update from Adobe until next week.
On Monday, Adobe announced that attackers are exploiting an unpatched, or ‘zero-day,’ vulnerability in Flash Player using malicious Microsoft Excel documents attached to e-mail messages. Adobe said it would patch Flash Player for Windows, Mac OS X and Linux sometime next week, but did not put a date on the calendar.
A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.
What’s new in iTunes 10.2.1 [support.apple.com]
Sync with your iPhone, iPad, or iPod touch with iOS 4.3.
Improved Home Sharing. Browse and play from your iTunes libraries with Home Sharing on any iPhone, iPad, or iPod touch with iOS 4.3.
Resolves an issue whereby syncing photos to an iPhone, iPad, or iPod may take longer than expected.
PR10-08 Various XSS and information disclosure flaws within Adobe ColdFusion administration console [www.procheckup.com]
Pidgin 2.7.11 closes DoS bug [www.h-online.com]
The Pidgin development team has issued version 2.7.11 of its open source instant messenger application. According to security specialist Secunia, the maintenance and security update corrects a NULL pointer dereference error when processing certain YMSG (Yahoo!/Yahoo! JAPAN messenger) packets that could be used by an attacker to cause a denial-of-service (DoS) condition. Other changes include fixes for file transfers, adding MSN buddies and an issue affecting AIM and ICQ users that would prevent the application from displaying some buddies from a user’s buddy list. All users are advised to upgrade.
[SECURITY] [DSA 2190-1] wordpress security update [seclists.org]
Two XSS bugs and one potential information disclosure issue were discovered
in wordpress, a weblog manager.
The Common Vulnerabilities and Exposures project identifies the
following problems:
11th WhiteHat Website Security Statistic Report: Windows of Exposure [jeremiahgrossman.blogspot.com]
WhiteHat Security’s 11th Website Security Statistics Report, presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management. This represents the largest, most complete, and unique dataset of its kind. WhiteHat Security makes this report available specifically for organizations that aim to start or significantly improve their website security programs, prevent breaches, and data loss.
Top 3 Key Findings (Full list available in the report)
– Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9-12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
– During 2010, the average website had 230 serious* vulnerabilities.
– In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.
Cost Of Data Breaches Up Again, Ponemon Study Says [www.darkreading.com]
Cost per breached record hits $214; average breach costs $7.2 million
Everything’s more expensive these days — and experiencing a major corporate data breach is no exception.
The Ponemon Institute and Symantec earlier this week released the findings of the ‘2010 Annual Study: U.S. Cost of a Data Breach,’ which reveals data breaches grew more costly for the fifth year in a row.
The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009, according to the researchers.
‘Every year I predict that the costs will go down, and every year, I’m wrong,’ quipped Larry Ponemon, founder of the Ponemon Institute. ‘We did see some leveling off last year, but the overall costs are still on the rise.’
How not to handle a data breach [www.infoworld.com]
Press the panic button as soon as you find evidence customer data has been compromised, and you’ll pay the price
A brand-new Ponemon Institute study [PDF] sponsored by Symantec finds that data breach victims often move too quickly, wasting lots of money and losing customers unnecessarily.
According to Ponemon’s ‘Annual Study: U.S. Costs of a Data Breach,’ companies that respond to data breaches by immediately notifying their users end up spending 54 percent more per record than companies that move more slowly. Forty-three percent of surveyed companies notified customers within one month of discovering the breach, but these companies ended up with per record costs of $268, up 22 percent from 2009. Companies that took longer than a month spent only $174 per record, down 11 percent from 2009.
WASC WHID Semi-Annual Report for 2010: July – December [blog.spiderlabs.com]
SpiderLabs just released our WASC Web Hacking Incident Database (WHID) Semiannual Report for 2010 (July – December). You can download the full report here (registration required). In this report, we analyze the WHID events from the 2nd half of the year and provide information such as top:
…
Report Summary Findings
An analysis of 75 Web hacking incidents from the second half of 2010 conducted by Trustwave’s SpiderLabs team shows the following trends and findings:
* A steep rise in attacks aimed at causing downtime – currently the new no. 1 outcome (up 21% from previous reporting period). This is mainly a result of ideological hacking efforts utilizing distributed denial of service (DDoS) attacks as part of the Anonymous Group versus Anti-Piracy and WikiLeaks events.
* Corresponding to downtime outcomes, denial of service attacks made the largest jump for Attack Methods to no. 1 (up 22% from the previous reporting period).
* Organizations have not properly implemented nor tested anti-automation defenses for their Web application architecture to ensure application availability during denial of service (DoS) attacks.
The Lowry seeks token system to boost security [www.computing.co.uk]
Manchester-based arts centre The Lowry is looking to procure a tokenisation system to ensure it becomes fully PCI-DSS compliant.
The process of becoming compliant with the security standard will have taken four years in total and should be completed by the end of this year.
The tokenisation system will provide The Lowry with a number that relates to a customer’s credit card details but the details themselves will not be stored on the centre’s premises. Instead, they will be stored by an external token-providing company such as Yes Pay.
The centre has to make this final move because it is reliant on a web developer, Scottish company Web Advertising, for its web ticketing system and Web Advertising’s platform is not PCI-compliant.
Apple’s Role in Japan during the Tohoku Earthquake (a few steps beyond disaster recovery planning) [kevinrose.com]
Wow, this email is from a friend of mine that works for Apple in Japan… makes me happy Apple went the extra mile here, check out his story below:
Sentinel SecurityCheck offers organizations 30 days of continuous assessment to identify all website vulnerabilities and mitigate leading risk for data breaches; Participating companies gain access to WhiteHat Security’s verified vulnerability results and personalized guidance on website risk management
SANTA CLARA, Calif. – March 15, 2011 – WhiteHat Security, the leading provider of website risk management solutions, today announced Sentinel SecurityCheck, a new, complimentary and risk-free program designed to help companies discover the benefits of continuous verified vulnerability assessments, identify their website vulnerabilities and understand their website security posture. The 30 day website security evaluation leverages the WhiteHat Sentinel Software-as-a-Service website vulnerability management platform to offer the world’s most advanced technology and security expertise available. Organizations will benefit from the accurate and verified vulnerability information that highlights real-world and real-time risks to their websites.
Spot the Vuln – Curiosity [software-security.sans.org]
From About.com (a New York Time Company website):
Privacy and security while browsing the Web is important to all of us, as evidenced by the fervent voting in this category. The five finalists featured an impressive selection of tools intended to make everday life on the Web safer.
After more than three weeks of non-stop action, the readers have made their decision. The reigning champion in the 2011 Best Privacy/Security Add-On category, for the second year in a row, is NoScript!
Summary: These 11 proven practices for efficient, lightweight peer code review are based on a study at Cisco Systems using SmartBear CodeCollaborator. They can help you ensure that your reviews both improve your code and make the most of your developers’ time.
Our team at SmartBear Software® has spent years researching existing code review studies and collecting ‘lessons learned’ from more than 6000 programmers at more than 100 companies. Clearly, people find bugs when they review code, but the reviews often take too long to be practical. We used the information gleaned through years of experience to create the concept of lightweight code review. By using lightweight code review techniques, developers can review code in one-fifth the time needed for full, formal code reviews. We also developed a theory for best practices to employ for optimal review efficiency and value. This article outlines those practices.
1. Review fewer than 200-400 lines of code at a time.
2. Aim for an inspection rate of fewer than 300-500 LOC per hour.
3. Take enough time for a proper, slow review, but not more than 60-90 minutes.
4. Be sure that authors annotate source code before the review begins.
5. Establish quantifiable goals for code review and capture metrics so you can improve your processes.
6. Use checklists, because they substantially improve results for both authors and reviewers.
7. Verify that the defects are actually fixed.
8. Foster a good code review culture in which finding defects is viewed positively.
9. Beware of the Big Brother effect.
10. Review at least part of the code, even if you can’t do all of it, to benefit from The Ego Effect.
11. Adopt lightweight, tool-assisted code reviews.
IronBee versus ModSecurity [blog.ivanristic.com]
After spending a couple of weeks talking about IronBee to anyone willing to listen, I have assembled a list of commonly asked questions. Not unexpectedly, the question that tops the list is about the difference between ModSecurity and IronBee.
With IronBee we had a luxury of starting a brand new project with a wealth of experience and a clear idea of what we want to achieve long-term. (This is completely the opposite from where I was when I started ModSecurity.) Thus, we were able to look at our goals and choose the best path to reach them. Because so much of our lives were spent with ModSecurity, the first thing we did was look at its successes and limitations, with the idea that we should keep what’s good and improve what’s not as good. Two not so good things of ModSecurity stuck out: the lack of a community of developers and the fact that ModSecurity runs only in the Apache web server.
nostromo nhttpd directory traversal leading to arbitrary command execution [www.redteam-pentesting.de]
During a penetration test, RedTeam Pentesting discovered a directory
traversal vulnerability leading to arbitrary command execution in the
nostromo HTTP server.
Exploiting the unexploitable XSS with clickjacking [blog.kotowicz.net]
Clickjacking needs some loving. Contrary to what is being thought, it’s not only used for Facebook viral scams. As shown by last year’s Paul Stone’s studies, now it’s not only just hide-the-button-and-follow-the-mouse trick. It even got the more accurate name of UI Redressing (which is right, as attackers are not after your clicks, they profit from playing with the UI of the victim application). In this post we’ll play a game to see how advanced UI-Redressing attacks look like and how an attacker may trigger an unexploitable XSS flaw in an application.
Gaining Administrative Privileges on any Blogger.com Account, 1337$ (Google Reward Program) [www.nirgoldshlager.com]
This is my first post in my blog and also my first post regarding my security vulnerabilities findings in Google Reward Program,
In the last 2 months, I participated in Google reward program and found some High, Serious vulnerabilities,
(First, I want to mention that Google has the best professional, brilliant security team, It amazing how much Google care about security and do a amazing job to secure their sites, Thanks Adam, Google Security Team for giving me the chance to show my skills :))
Oracle Java Unsigned Applet Applet2ClassLoader Remote Code Execution Vulnerability (ZDI-11-084 explained) [fhoguin.com]
This vulnerability allows an untrusted applet to gain all privileges. Untrusted applets launch without user interaction (other than visiting a web page containing the
Fuzzmarking: Towards Hard Security Metrics For Software Quality? [dankaminsky.com]
As they say: “If you can’t measure it, you can’t manage it.”
There’s a serious push in the industry right now for security metrics. People really want to know what works – because this ain’t it. But where can we find hard data?
What about fuzzers – the automated, randomized testers that have been so good at finding bugs through sheer brute force?
Burp Suite Tutorial – The Intruder Tool [www.securityninja.co.uk]
Hi everyone,
I have been spending some time this week reviewing some of the old Security Ninja blog posts now that we are getting close to our second birthday. I wanted to create a list of things I’ve promised to write about but never got around to doing.
The first item on my list is a tutorial for the Burp Suite. If you Google “Burp Suite Tutorial” my blog post from 2008 saying I was going to write a tutorial is the 7th result returned. The old Security Ninja blog has received over 2,000 visits to that blog post including an additional 30 visits so far in March.
Spot the Vuln – Flag – Cross Site Scripting [software-security.sans.org]
This week’s cross site scripting vulnerability is somewhat unusual in that it exists in javascript, rather than server side. The checkPlain function is used to output encode data fetched via Ajax/XHR (for instance, dynamically loading a new article). It seems to do the job, however the String.replace function in javascript only replaces the first instance by default; any additional instances of the character will remain intact.
Windows Vista, 7 and Server 2008 includes a feature called integrity levels, which is arguably the most under-appreciated security mechanism built into the operating system. Yet, it provides powerful ways for mitigating the risks of computer attacks and malware infections. For instance, integrity levels can shield processes from keyloggers; they can also protect files from being accessed by malware running on an infected system.
Another potent benefit of integrity levels is the ability to limit the capabilities of an exploit that manages to compromise an application. This is what I’d like to discuss in the note below.
IPv6 videos [www.youtube.com]
Internet Explorer Administration Kit 9 [www.microsoft.com]
Brief Description
The Internet Explorer Administration Kit (IEAK) 9 simplifies the creation, deployment and management of customized Internet Explorer 9 packages. IEAK 9 can be used to configure the out-of-box Internet Explorer 9 experience or to manage user settings after Internet Explorer 9 deployment.
BRAIN [campaigns.f-secure.com]
Searching for the first PC virus in Pakistan
[NSE] http-wp-plugins, retrieve installed WordPress plugins [seclists.org]
With 2.4M downloads and counting
(http://wordpress.org/download/counter/), WordPress definitively
deserves its script.
When it comes to security, a CMS is less vulnerable itself than its
(numerous) third-party plugins and WordPress has more than 13.000.
This script tries to list those probably installed on a given blog by
brute forcing the wp-content directory. The dictionnary it uses has the
13.405 existing plugins to date, sorted by popularity. Despite Nmap does
its best to parallelize the queries, it could take an hour to test them
all so by default the script will just test the 100 most popular ones.
Of course, an option is provided so that the user can tweak this from
any number to all.
DDOS protection strategies [rakkhi.blogspot.com]
Distributed Denial of Service (DDOS) has drawn attention lately with incidents ranging from Anonymous taking down the Visa and Mastercard sites as retribution for cutting donations to Wikileaks, to WordPress being attacked by the Chinese. A talk at the DC4420 meetup in London described DDOS as the modern political protest, comparable to a crowd protesting on Oxford street. The protest means that some people cannot go shopping, and there is media attention drawn to the cause; Paypal goes down for a few hours, the techblogs, Twitter and eventually old media play a similar role. In addition, the few million the site loses to downtime means that they may think twice about bowing to pressure so quickly from a US senator. Regardless of motives, if you operate a major website today, especially one where every minute of downtime has an impact to the bottom line, DDOS protection is something you have to think about.
Vulnerable by Design [g0tmi1k.blogspot.com]
Pentest lab. ‘Hacker’ training. Deliberately insecure applications challenge thingys.
Call it what you will, but what happens when you want to try out your new set of skills? Do you want to be compare results from a tool when it’s used in different environments? What if you want to explore a system (that is legal to do so!) that you have no knowledge about (because you didn’t set it up!)…
If any of that sounds helpful, below is a small collection of different environments, so if you want to go from ‘boot to root’, ‘capture the flag’ or just to dig around as much as you want to try out the odd thing here and there. These will allow you to do so and without getting in trouble for doing it!
BackTrack 5 – Release Date and Tool Suggestions [www.backtrack-linux.org]
As BackTrack 5 development rolls on full steam ahead, we’ve been getting numerous questions about the future release. We thought we’d publish a blog post with general information about BT5 for the impatient. The codename of this release will be “revolution”, for a bunch of reasons.
BackTrack 5 will be based on Ubuntu Lucid (10.04 LTS), and will (finally) support both 32 bit and 64 bit architectures. We will be officially supporting KDE 4, Gnome and Fluxbox while providing users streamlined ISO downloads of each Desktop Environment (DE). Tool integration from our repositories will be seamless with all our supported DE’s, including the specific DE menu structure.
VNC passwords and Metasploit and DES [carnal0wnage.attackresearch.com]
inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry….
[*] FOUND in HKLMSoftwareRealVNCWinVNC4 -=> 3290e903b5bf3769 =>
Nmap? In my Metasploit? It’s more likely than you’d think! [blog.metasploit.com]
If you’ve been paying any attention to the open source security software space, you’ve probably noticed that one of our favorite tools, nmap, ships with a pretty serious scipting engine. NSE allows users to run scripted interactions on discovered services, and lately, the repository of those scripts has exploded. As of the 5.50 release of nmap, there are 177 scripts and 54 supporting libraries, covering all sorts of protocols you’re likely run into during a pen-test engagement.
Windows Credentials Editor (WCE) v1.1 is out! [seclists.org]
Windows Credentials Editor (WCE) allows to list logon sessions and add,
change, list and
delete associated credentials (ex.: LM/NT hashes).
This can be used, for example, to perform pass-the-hash on Windows and also
obtain NT/LM hashes from memory (credentials not stored locally
including domain credentials from interactive logons, services, remote
desktop connections, etc.) which can be used in further attacks.
Supports Windows XP, 2003, Vista, 7 and 2008.
Device and data protection for Android. [www.whispersys.com]
WhisperCore is a secure Android platform dedicated to providing the security and management features necessary for transforming a consumer phone into an enterprise-class device.
Full disk encryption for your phone.
WhisperCore provides device-level encryption for your phone, protecting all of your data when it counts most.
By default, WhisperCore encrypts your entire data partition at the device level, and can optionally be enabled for your phone’s SD card as well.
Cardkey system exploited using an Android app [www.youtube.com]
Sn0wbreeze 2.3 Jailbreaks iOS 4.3 Running Devices [www.techtree.com]
It is a tethered jailbreak so it requires a Windows PC every time you wish to reboot your device
Apple released the iOS 4.3 update for the recent iOS devices on March 10 and within a week, we have a jailbreak for the update. The new version of sn0wbreeze 2.3 beta 1 tool created by iH8sn0w, an iOS platform jailbreak developer, will let users jailbreak their iPhone 4, iPhone 3GS, iPod touch 4th gen and iPad. All these iOS devices can be jailbroken only on the Windows platform and that leaves out Mac users. What is interesting is that the jailbreak developer has promised to bring multi-touch gestures to these iOS devices.
This is not the Android Market Security Tool you are looking for [intrepidusgroup.com]
We have been actively following and analyzing the spate of Android malware in the Android Market place. The most recent outbreak to light up the blog-o-sphere has been the Droid Dream outbreak. Google’s response to this was to launch a search and destroy mission. They created and pushed a tool to all handsets that were infected with Droid Dream. The Android Market Security Tool (AMST) was pushed to devices that were known to have downloaded and installed infected applications. This tool disinfects the compromised handsets by eradicating all remnants of the Droid Dream trojan. However, what we found quite interesting, is that shortly after the release of AMST, a trojaned version of the AMST appeared and is making the rounds on the internet! (Yo dawg…)
Apple security update leaves iPhone 3G users unprotected [www.theregister.co.uk]
Security FAIL
Apple is leaving some of its older mobile devices unprotected with its latest patch batch.
An iOS 4.3 update, which includes a number of critical security fixes, is incompatible with the still widely used iPhone 3G and older versions of the iPod Touch. The latest version of Apple’s mobile software can only be applied on the iPhone 3GSs and later models; the iPod Touch 3rd generation and later models; as well as all versions of the iPad.
SMS application with spoofer-id capabilities (Spanish) [www.cheatsms.com]
BlackBerry hole: RIM recommends workaround [www.h-online.com]
In response to last week’s disclosure of an (integer overflow) hole in the BlackBerry browser, Research In Motion (RIM) has recommended that users disable JavaScript. While this doesn’t close the hole, it reportedly prevents potential exploits from injecting and executing arbitrary code. However, RIM said that the measure may also hamper the display and interactivity of certain web pages. Alternatively, the company suggests to completely disable the browser. The admins of corporate smartphones can reportedly do so remotely by appropriately configuring the ‘IT policy rules’.
Dropbox Mobile: Less Secure Than Dropbox Desktop [grepular.com]
I know some of the people who read this blog use Dropbox. Those of you who don’t, should look it up; it’s a really simple cross platform app for syncing files between machines, sharing files and folders with other people, or simply providing near real-time automatic online backups with revision control.
Out of curiosity, I fired up tcpdump on my router to have a look at the traffic my Android phone’s Dropbox client was transferring during usage. To my surprise, I noticed that all file metadata was sent in the clear.
Apple bans iPhone 3G patch omission talk from forum [www.theregister.co.uk]
Policy talk is off limits, sunshine
Hacking Cars with MP3 Files [www.schneier.com]
Impressive research:
By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car.
So You Got an AV Alert. Now What? [isc.sans.edu]
What do you do when you receive an antivirus alert on your home system?
You’re checking your mail in the morning before heading to work, you click on a link sent to you by a friend and your AV throws up an alert. What do you do next?
Making Twitter more secure: HTTPS [blog.twitter.com]
Today, we’re taking an important step to make it easier to manage the security of your Twitter experience – we are adding a user setting that lets you always use HTTPS when accessing Twitter.com. Using HTTPS for your favorite Internet services is particularly important when using them over unsecured WiFi connections.
For some time, users have been able to use Twitter via HTTPS by going to https://twitter.com. We’ve made it simpler for users to do this by adding the option to always use HTTPS.
To turn on HTTPS, go to your settings and check the box next to “Always use HTTPS,” which is at the bottom of the page. This will improve the security of your account and better protect your information if you’re using Twitter over an unsecured Internet connection, like a public WiFi network, where someone may be able to eavesdrop on your site activity. In the future, we hope to make HTTPS the default setting.
Dutch judge says that surfing on open Wifi is legal [www.itsecurity.be]
I guess we have done it al at one stage. If you surf on an open Wifi network in an airport, a bar, or from your neighbor, then in most countries you are committing an illegal act.
A Dutch judge now has said in a ruling that if you only use access to a router (and you don’t pass by a computer) then you are not really doing something illegal.
China trains army of messenger pigeons [www.telegraph.co.uk]
China is training 10,000 messenger pigeons to deliver vital military communications in the event of the country’s communication systems breaking down.
According to the Chinese state media, the pigeons are being trained by a special unit of the People’s Liberation Army in the central city of Chengdu.
‘They will be primarily called upon to conduct special military missions between troops stationed at our borders,’ said Chen Hong, an air force expert, to China Central Television (CCTV), the state broadcaster.
Removal of unused courses in FAS import script [www.net-security.org]
When anonymous letters were written by hand, graphologists were called in to identify the likely author. In this day and age when most such mail is sent electronically, it may be difficult to prove that a particular person has written the e-mail(s) in question.
HOWTO Accurately Determine Bug Priorities [www.goer.org]
Sax’n The World… [www.youtube.com]
HBGary planned to BLOW THE BALLS OFF OF NMAP! [seclists.org]
Fellow Nmap Developers:
A serious competitive threat to Nmap’s has emerged :). You may recall
the leaked HB Gary emails which received a lot of press lately due to
alleged plots to attack and subvert unions, Wikileaks, journalists,
etc. Well, I’ve just been alerted to a leaked email showing that Nmap
was in their crosshairs too!
Intruder calls 911, afraid homeowner may have gun [edition.cnn.com]
Hacked road sign spells POOP [nakedsecurity.sophos.com]
Simon Pegg and Nick Frost’s Star Wars [www.collegehumor.com]
Hacker invites 200,000 people to girl’s 16th birthday party [www.breakingnews.ie]
Police are bracing themselves for a mass invasion of an ordinary home in Australia after 200,000 people replied to a party invite put on a girl’s hacked Facebook page.
A 17-year-old boy who posted an open invitation to the girl’s 16th birthday party has been arrested.
The girl’s shocked parents had the page removed from the social networking site.
circular logic [c0016417.cdn2.cloudfiles.rackspacecloud.com]
