Internet SecuritT Group

Five Ways to Stop Mass SQL Injection Attacks

Fri, 03 Sep 2010 08:21:25 +0000

The best practices for mitigating this popular form of attack often are not being deployed

View full post on DarkReading – All Stories

Cybercrime Map 05: Prison Compound Music (???)

Fri, 03 Sep 2010 07:30:16 +0000

I like the music of this stage -w- I allways get fragged

MITM, SSL and Session Fixation

Fri, 03 Sep 2010 07:21:25 +0000

23 posts left…

It’s been known for a long time that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does. More importantly, HTTP cookies can overwrite HTTPS cookies, even if the cookies are marked as secure. I started thinking of a form of session fixation during our research that uses this to the attacker’s advantage. Let’s assume the attacker wants to get access to a user’s account that’s over SSL/TLS. Now let’s assume the website sets a session cookie prior to authentication and after authentication the site marks the cookie as valid for whatever username/password combo it receives.

First, the attacker goes to the website before the victim gets there so he can get a session cookie. Then, if the victim is still in HTTP for the same domain the attacker can set a cookie that will replay to the HTTPS website. So the attacker sets the same cookie that he just received into the victim’s browser. Once the victim authenticates, the cookie that the attacker gave the victim (and knows) is now valid for the victim’s account. Now if the victim was already authenticated or had already gotten a session token, no big deal. The attacker overwrites the cookie, which at worst logs the user out. Once the victim re-authenticates, voila – session fixation. Now all the attacker has to do is replay the same cookie in his own browser and he’s in the user’s account.

View full post on ha.ckers.org web application security lab

Fake browser warnings lure victims to rogue AV solution

Fri, 03 Sep 2010 06:45:41 +0000

Certain compromised websites are detecting which browser (Firefox, Chrome, IE) the visitor is using and present to them a fake malware/reported attack warnings that urge them to download an "upgrade"/…

View full post on Help Net Security – News

VMWARE releases 2 security advisories for ESX Service Console: http://lists.vmware.com/pipermail/security-announce/2010/000103.html and http://lists.vmware.com/pipermail/security-announce/2010/000104.html, (Wed, Sep 1st)

Fri, 03 Sep 2010 05:07:18 +0000

– John Bambenek bambenek at gmail /dot/ com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Cisco Small Business 48-Port ESW-520-48P-K9 10/100 Mbps PoE Switch

Fri, 03 Sep 2010 03:59:51 +0000

Product Description
The 48-Port ESW-520-48P-K9 10/100 Mbps Switch from Cisco provides easy integration with other Small Business Pro products and the Cisco Smart Business Communications System (SBCS). It features 48 Ethernet 10/100 PoE-enab… More >>

Cisco Small Business 48-Port ESW-520-48P-K9 10/100 Mbps PoE Switch

MCSE: Windows 95 Study Guide

Fri, 03 Sep 2010 03:43:32 +0000

Product Description
Implementing and Supporting Microsoft Windows 95 can be taken as one of the four core requirements for the MCSE certification. The test can also be taken for MCPS certification. This bestselling study guide includes a te… More >>

MCSE: Windows 95 Study Guide

Where’s Waldo? Adjusting Law and Policy for Location-Based Services

Fri, 03 Sep 2010 02:55:52 +0000

Last month, my colleague Christopher Burgess shared some thoughts on the “double-edged sword” of location-based services at the Huffington Post. In his post, Christopher highlighted how these services could alternately be a benefit, and where they might cross a line and become undesirable. Recently, some US Federal courts have heard cases about the legality of GPS tracking, including how and when such tracking should require a search warrant. While it will be up to people with far more legal experience than I have to debate exactly how these decisions will impact individual rights vs. police or government powers, I do think that there is something to be concerned about from a purely technical viewpoint. Whether used by government officials or attackers who have unauthorized access to this information, location-based data could result in a person being picked from a crowd when they least expect it.

View full post on Security

Microsoft freshens retro code lock-down tool

Fri, 03 Sep 2010 02:10:11 +0000

Teaching old apps new tricks

Microsoft has released a new version of a software tool that developers and administrators can use to harden older applications against common vulnerabilities.…

View full post on The Register – Security

Google Code hosting malware-spreading project

Fri, 03 Sep 2010 00:49:58 +0000

Google Code's project hosting feature has occasionally been used by malicious individuals for storing and spreading malware.

Zscaler pointed out yesterday that even though Google claims that any p…

View full post on Help Net Security – News