Tuesday, August 19, 2008

Spliced feed for Security Bloggers Network

Some guy asked me to draw a gorilla fighting a robot [Vitalsecurity.org - A Revolution is the Solution]

Posted: 19 Aug 2008 07:26 AM CDT

...considering it took about five minutes in MS Paint (and managed to hat-tip everything from Olive Oyl to The Matrix amongst other things), I think it's a pretty damn good gorilla / robot slapfest. Once you've worked out what order the panels read, of course.


Anyway, I can't think of anyone else that announces a week long holiday with gorilla-on-robot action. You too should draw your own battle of the titans and post a link here. When I return, I'll post a bunch of them up because, hey, robots are awesome.

Gorillas less so, but they have their place (being smacked up by robots, mostly).

Malware Disguised as IE7 Update [Commtouch Café]

Posted: 19 Aug 2008 03:23 AM CDT

How ironic - malware distributors are using the vulnerabilities inherent in IE (and other browsers) to distribute malware purporting to be an Internet Explorer update! The spammers did a few things to make the message appear to be legitimately from Microsoft, spoofing a Microsoft from address, and copy-pasting the MSN text into the bottom. Of course, [...]

Why Google is now my homepage instead of Yahoo [StillSecure, After All These Years]

Posted: 18 Aug 2008 11:27 PM CDT

I promised in an earlier article on my frustrations in dealing with web companies that I would talk about my most frustrating experience of all. Without a doubt, hands down the absolute worst company to deal with is Yahoo!

I have been a Yahoo customer since at least 1996 or 1997.  I remember when Yahoo was a plain gray page and all they had was search.  I have used MyYahoo as my home page since it first came out. I had a Yahoo email account (most people know that now), used Yahoo for fantasy football and for most of my personal email.  Though the world went to Google, I stayed with Yahoo.

Though by 72 hours after the attack I had everything else back under control, here we are over a week later and I still don't have my Yahoo account back. It is shut down because the attackers sent out disgusting porn to people in my Yahoo address book.  Of course this was mostly parents of the little league baseball, football and soccer teams I coach.  But that is indicative of the quality type of people who were involved in this attack.

I have written and called to every address you can think of.  They have asked for copies of my driver's license.  They wanted all of my information from when I first applied for an account (yes, from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe.  Don't ask me where, but somewhere safe).  Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won't give me the question they want answered. I sent them the hacker's post bragging about getting my email account.

Finally on Sunday I received an email that if I would call with the 8 digits of the credit card on file with my Yahoo wallet (I didn't even know I had a Yahoo wallet.  Again, if you fill something out, keep a copy and record of it somewhere) I could have my account back. I called and left a message.  I called again and left a message. I called again, and again and again. I have called about 12 times in 2 days and have not gotten one call back or even an email response.  What does it take?

At this point I don't know if and when I may ever get my Yahoo account back. What a shame, all of that data and history lost.  In the meantime I have made Google my homepage and am using iGoogle. I have to say, it is better than Yahoo.  I have my gmail account. I am registering for new fantasy football on other sites.  I am done with Yahoo.  They are not a company I want to do business with anymore.

For a web giant, they should have better process and procedures in place to deal with an account being hijacked like this. Shame on me for having this happen, but shame on Yahoo for just not being a company that values its customers.

Hack the Vote [Security Karma]

Posted: 18 Aug 2008 09:05 PM CDT

Image by Amarand Agasi via Flickr
Christopher Beam wrote a short article for Slate last week with an attention-getting title: Hack the Vote - Five ways hackers could tamper with the 2008 elections. After wasting five minutes of my time reading the article I thought I would waste another five minutes of my time writing a short summary of how "hackers" can "tamper" with the elections this fall. Please note that Mr. Beam has the word "hackers" in his title but consistently refers to them as "tricksters." Mr. Beam's short list of ways hacker-tricksters (hicksters?) can sabotage the vote is:
  1. Fake e-mails. Seems that some hicksters (I'm starting to like it... I'm slapping a trademark on it) are actually politically-savvy phishers. He offers defending against phishers with "rapid response" getting the word out about the scam to the people most likely to get duped. I do love this little bit of genius from the article: "...Obama's donation page has a security seal at the bottom designating it an "authentic site." Notice, also, that you can easily copy the seal and post it on your own site." I actually did LOL when I read the last sentence.
  2. Dummy Web sites. I'm not sure how this one made it in but Mr. Beam spends a good amount of screen real estate rambling about: fake content, misspelled domain names, the Obama-Clinton XSS incident, the recent DNS flaw, and finally SQLi. His solution? Well, not much since every security professional I know is struggling with the exact same issues day-in day-out... but I'll give Mr. Beam credit for bringing some of these vulnerabilities to the general public's attention.
  3. Social networking. I see this potentially being an issue for Obamanics but for McCainites? Not so much. Unless you count the golf course or barbershop.
  4. Robo-calling. Um. Yeah, weren't they cold calling my parents to sling some serious mud back when it was Nixon vs. McGovern?
  5. Search-engine deoptimization. Potentially could be a problem if the hicksters are very very motivated and very very organized but his scenarios are too localized to be effective (buying ads to mislead people where to vote?). Google (and the other search engines) have gotten much better about rooting out "google bombing" and other SEO tricks and hacks (hicks?).
Ultimately the article closes out with the statements that it should have started with:
That's not to say these Internet tricks will upset the election—or even dent it. There are plenty of bright mischief-makers out there, but how many of them want to screw up elections? (Elect John McCain for the lulz!) And it may turn out that traditional methods of voter manipulation—such as, say, paying busloads of homeless people to pass out inaccurate sample ballots—will prove more effective. Plus, one smear campaign probably equals a thousand polling-place misinformation campaigns.

Adobe Flash Exploit In The Wild [Infosecurity.US]

Posted: 18 Aug 2008 07:38 PM CDT

ZDNet’s Ryan Naraine and Dancho Danchev report an Adobe Flash exploit, targeting the clipboard feature on Windows, Mac and Linux, has cropped up in the wild. Notwithstanding my missive to be careful, evidently the hack is also evident on mainstream sites, and based on the blog post, those sites are Newsweek, Digg and MSNBC.com.

Napera on eWeek Channel Insider podcast [Napera Networks]

Posted: 18 Aug 2008 05:32 PM CDT

It’s been a busy summer here at Napera and I plan to get back into the blogging habit later this month. In the meantime, a couple of weeks ago I had the chance to chat with Mike Vizard of eWeek about managed security services, and the podcast is now up on the eWeek website.

Mike and I spoke during Seattle’s annual Seafair celebration, and if you listen real close to the audio you can hear the Blue Angels roaring over the Napera offices on Mercer Island on their practice flights!

Blue Angels over Mercer Island

Brilliant Metasploit Developer Joins Microsoft Security [Infosecurity.US]

Posted: 18 Aug 2008 04:58 PM CDT

Via Michael Howard’s MSDN blog, a longtime burr in the Microsoft (NasdaqGS: MSFT) saddle (Skape of Metasploit fame - aka Matt Miller) has joined the software behemoth’s Security Science Team.

OpenVAS Released - OpenSource Nessus Competitor [Infosecurity.US]

Posted: 18 Aug 2008 04:24 PM CDT

Darknet reports OpenVAS, a Nessus (formerly an open source development project, now a Tenable Security venue) competitor in the Open Source arena has been released. The OpenVAS client, and the OpenVAS server are both available for download now.

The Evils of Password Reset [Security Incite Rants]

Posted: 18 Aug 2008 02:40 PM CDT


So my buddy Shimmy did his best imitation of My Little Pwnie last week. Basically his blog account was compromised, which seemed to yield information on one of his webmail accounts and from there, it was game over. His domain was hijacked, credit card information published, amongst other things.

Basically it was a nightmare, and agonizing for both Alan and his family to be victimized by what can only be termed as a hate crime.

Alan has talked a bit about it, and hopefully we'll learn more soon since I believe this is a great opportunity to educate a lot of folks about what to do when they've been compromised. The sad thing is that Alan had to call in a bunch of chits to get activity from some of his service providers. This is while his blog is being redirected to a pretty nasty site.

Clearly anyone with a website and/or an email address needs to have a scripted plan when you get pwned. I'm not sure if Alan did or not, but he seemed to handle the situation as well as can be expected. So if you don't have your own containment plan documented, get to work. It's important.

But that's not really what I want to discuss, relative to Alan's issue. It's the dependability of many of these web services. Things like web mail, or your domain registrar, or a DNS service, or your banking/credit card accounts. All of these are online and pretty much all have a "password reset" capability, which probably filter into one (or many) email accounts.

Clearly for anyone that has forgotten a password (happens to me at least once a week), these password resets are a life saver. Anyone who has suffered having to wait a week for their airline to resend a 4 digit passcode to get into their frequent flyer account knows what I'm talking about.

And password reset is also a huge benefit to the web site. Not having to deal with forgetful idiots like me save them a lot of money as well.

Lest we forget, password reset is also one of the bad guy's best friends. The fact is that if someone can own your email account where the password reset requests are routed, then it's game over. They can reset all of your passwords and lock you out of your own life. Now that's a bad day.

Most folks use webmail because it's convenient. I know I do. But with that convenience comes this clear and present danger. If, via some type of sidejacking, or man in the middle, or XSS, or even CSRF, the bad guys get into your webmail and then start resetting your passwords, you are done.

So what do you do? I guess one option is to pray. Though I'm a bit skeptical that will work over the long term. You can also use strong passwords. That's what I do. Really strong passwords. But that's not a panacea.

You can also hope that most of these websites require some security questions to be answered before they actually reset the password. In my experience, some do and some don't. And I don't want easy questions like my Mother's maiden name. It should be stuff that would be hard to know without being me. Like my 7th grade science teacher. If you can figure that one out, then you deserve to be in my account. You are really good.

What I'm thinking is that we need to protect the email account that does password reset. Optimally I'd like to use an account that is not obvious (like not my typical work or personal address) and not a web based account - so it won't be subject to typical XSS or other web attacks. This is a bit of security by obscurity. If it's a domain you don't know I own, it would be hard to specifically target it.

Then you lock down the account to the best of your ability. Clearly you use a strong password on this "reset" account. And maybe you only use secure IMAP to access the account, only from one of my trusted machines.

You use the "reset" account as the email of record for the sensitive accounts. Things like banking, credit cards, ecommerce (if I have my credit card stored there), DNS, domain registration, web site hosting, etc. Basically any place that if that account is owned, it would be bad. Maybe you have a few "reset" accounts, just to diversify the risk a bit.

And to be clear, this is really a pain in the ass and it is not truly an answer. You can still be compromised. But you would be making it a bit harder. Building walls, so if one account is pwned, you don't fall like a house of cards.

Alan suffered significant pain through this situation. Shame on us if we don't learn some lessons and work a bit harder to make sure it's not us next time.

Photo credit: "berlin_my little pony" originally uploaded by madchenkrawall

Take the DoS Survey [Jon's Network]

Posted: 18 Aug 2008 02:09 PM CDT

Computer Defense has a Denial of Service Survey to research people’s perception of it.

Is Free Better? [The Security Shoggoth]

Posted: 18 Aug 2008 01:02 PM CDT

I'm a geek at heart so I take part in a lot of geek-related activities. One of the ones I've gotten into within the last few years is boardgaming. Not your typical games like Monopoly, Scene-It or Risk (although I love Risk), but euro-games which, IMO, have a lot more strategy in them. It is because of this hobby I was at a LFGS the other night playing games with the local boardgaming group.

We were playing a game of Arkham Horror and in between turns one of my fellow gamers and I were talking about the laptop he had just brought and was playing with. He said it was mostly set up, but he had to go out and buy the latest AV suite to make sure it was protected. I mentioned that there were free AV software available which, IMO, were just as good as the commercial software. His response was that he had used them before, had liked them, but wanted the assurance he felt when he purchased the AV software. I was a little dumbfounded by his comment.

From his perspective, he felt safer paying $50+ for an AV suite of software than using free AV software which, by his own admission, would protect him just as well. I've seen this mentality in the corporate world as well. Corporations would rather shell out large amounts o' cash for security suites or devices than use just as good or better free software, because they feel safer paying for it. After all, if they are paying for it and it fails, they have someone to sue.

This post isn't meant to start a fight on commercial vs free software. I'm just confused by the perception out there in the corporate, or in the first case, the user world that paying for something will get you more protection than using free software. I guess I'm just surprised that this point of view is taken by end-users as well.

Has anyone else seen examples of this? Any good stories to share?

Welcome OpenVAS - The New GPLed Version of Nessus [NovaInfosecPortal.com]

Posted: 18 Aug 2008 12:40 PM CDT

The folks over at Darknet just threw up a blog post entitled “OpenVAS - Open Vulnerability Assessment System (Nessus is Back!).” Finally! I won’t go into too much detail but was just excited to see this posted. Too bad BackTrack 3 just recently came out. It would have been nice to have this version of Nessus, I mean OpenVAS, on the CD. There’s always the next version…

Can you help a brother out (HABO) with some security research? [StillSecure, After All These Years]

Posted: 18 Aug 2008 12:08 PM CDT

My friend Tyler Reguly of nCircle and computerdefense.org is conducting some research on denial of service attacks, people's perceptions of them, etc. He posted a request for help on the nCircle360 blog here. The actual very short (did I say very short) survey is on computerdefense.org here.  If you have 30 seconds to spare (it should not take you more than that) could you take the survey for Tyler?  You don't have to be a security whiz and the survey is open to everyone.

I thank you, Tyler thanks you, yada, yada.

Report writing [Liquid Information]

Posted: 18 Aug 2008 11:22 AM CDT

I've seen a lot of different mailing list posts where people ask what kind of report they should write for a penetration test/web application assessment/vulnerability scan/other audit related activity. We all probably agree that the report is an important factor for showing the results of whatever task you've been assigned.

The answer I have is: It depends. By that I mean that it is largely up to the customer to decide the level of reporting you have to do. This should be decided upon in the planning phase of the assessment. If the customer does not have a clue then you can always suggest your own "template". If you have no clue, like the people who ask what kind of report they should write, this could be a small guideline for you:
  • Do not provide only the scan results to the customer unless they want it that way. Correlate information with available data/patch levels and whatever information you have about the targets to validate the findings and only give relevant information.
  • Be clear and avoid using buzzwords. Sure, you can use something like Cross-Site scripting, but explain what it is and why it is a problem. You might think that you look like an idiot if you write things in a simple manner, but at least you are understood.
  • Provide clear examples whenever possible. In case of web application audits, it is best described by giving the customer all the information on how to reproduce the problem. This is added value to the customer because they can see the issue and also incorporate it into their future QA testing.
  • Provide a solution to the customer. If you only tell something is wrong but can't offer a way to mitigate the vulnerability, it has no clear value to the customer. Use your security experience in the area to provide the solution, either low- or high-detailed description.
  • Take into account the existing infrastructure and other things like availability of vulnerability to give the found vulnerability the proper risk level. This has to be based on the exposure of the application and functionality itself.
In addition to these, you need to adapt the report to the target audience. There might be executives reading the report who make decisions based on the findings, there can be project managers who understand things on a technical level but who need a summary of vulnerable issues, and then the developers who the earlier bullets relate to and who usually have to fix things. You might even have to write a report for each party separately; it depends a lot on the customer. But at least provide information on what the problem is, why it is a problem and what the solution to the problem is.

It is not rocket science, as long as you modify everything to suit the target audience. If you try to make yourself important and knowledgeable with lots of buzzwords and other stuff, you might be successful in that. But is that beneficial to your customer if they don't understand your report?

If you are required to log all your actions and give those for the customer, then you need to have a solid way of logging your actions and might also be required to do a full verbal writeup of what has been done, when and so on. In such cases tool logs and/or tcpdump and other things might prove valuable.

No Soup For You: MIT Infosec Researchers Bounced [Infosecurity.US]

Posted: 18 Aug 2008 11:19 AM CDT

CNET (recently purchased by the CBS Corporation (NYSE: CBS)) reports Massachusetts authorities have filed briefs with the court stating, unequivocally, student information security researchers do not possess the right of free speech. Flagrant disregard for Constitutionally Guaranteed Rights, or fear of the truth of incompetent State Transportation officials? Don’t forget this is the agency that actually released the exploit to the web during brief filings with the Court. Not exactly evidentiary proof of information security competency…

OpenVAS - Open Vulnerability Assessment System (Nessus is Back!) [Darknet - The Darkside]

Posted: 18 Aug 2008 10:57 AM CDT

As you all probably know, since version 3 Nessus turned to a proprietary model and started charging for the latest plugins, locking most of us out. Now we finally have a new, properly organised forked development with the name of OpenVAS - at last a decent and free Vulnerability Scanner! OpenVAS stands for Open Vulnerability Assessment...

Read the full post at darknet.org.uk

Race To Zero - Results [Donkey On A Waffle]

Posted: 18 Aug 2008 10:07 AM CDT

The Race to Zero results are in. And the winner was a group of three consultants from Mandiant Security. While I've only read a single report of the results, it sounds like the Mandiant guys really had their stuff together and used a combination of custom packing code and manual modification of binaries. They may not have been the quickest team to complete the race, but they were the most detail oriented and were able to pass all ten challenges presented to them. Kudos go to these guys and their hard work.

If you recall from a previous blog post, I suggested a "simple" idea of creating a "new" packing routine and simply using that to modify and thus pass the AV checks in the race. Well it turns out the fastest team to compete did exactly that. Team "retem" from the security firm Damballa, finished the contest in 2 hours and 25 minutes making them the fastest team in the competition. They were able to pass 7 of the 10 challenges using their custom packing solution.

"You can take any malware sample and pack it with an original packer, go to VirusTotal and get zero of 32 detections," [Paul Royal of Damballa] said.

I'm still not sure of the why of this competition, however it appears as if some good may be coming from it. If the end result is that companies and the general public don't rely on AV as a silver bullet, then maybe there was indeed a silver lining to the event. I doubt it's going to get the AV industry to attempt to work any harder at creating new methods of detection (they presumably are already researching new techniques as hard as they financially can), but if a single organization stops relying on AV as a sole layer of security, then the effort has been worthwhile.

VLC Vulnerability Reported [Infosecurity.US]

Posted: 18 Aug 2008 09:32 AM CDT

Heise Security UK reports a new VLC Media Player exploit, related to TrueAudio, is in the wild. Evidently, manipulated TrueAudio files may initiate an overflow condition, permitting data to be overwritten in the memory heap of the application.

AT&T: Google Is Bad. Very Bad [Infosecurity.US]

Posted: 18 Aug 2008 08:21 AM CDT

Wired’s Threat Level blogger Ryan Singel posts a fascinating story of AT&T’s (NYSE: T) efforts to redirect privacy scrutiny by congressional investigators. In a written statement filed recently, they apparently tattle on Google’s (NasdaqGS: GOOG) privacy policies and procedures. Problem is, the telecom conglomerate may be right.

Warning: Petty Post [Digital Bond]

Posted: 18 Aug 2008 07:48 AM CDT

Ok. I’m going to break the rules. I always tell the team be clear on the facts, explain your opinions, you own what you write, and above all avoid personal attacks on the blog.

I actually held back when I saw Joe Weiss’s blog post, which followed a Walt Boyes blog, castigating DHS, DoE, and a slew of other organizations for not attending Weisscon a few weeks back. There are a lot of events now. PCSF, SANS, ISA Expo, sector events, vendor user groups, … People have to make choices, and it is competitive. Obviously they didn’t feel the event made the cut. Maybe it was the agenda? the anticipated attendees? Repetition from previous years? Maybe it was the time or place? The price? Who knows in each case, but obviously they did not feel compelled to attend. The deal was not closed.

We put on an event, the SCADA Security Scientific Symposium S4 - note the call for papers is open through Sept 15th. We believe it is the premier research event in the control system security space, but it is our job to convince others via a killer agenda, attendees who are leaders in this area, great environment, fun, right price, right place and so on. Like most event organizers we would like it to be the hot ticket that all the leaders in this area feel they can’t miss. That said, I can’t imagine calling out organizations who did not attend. They made a choice. Try to improve either the content or event marketing for next year.

Now the real petty part of this post. Joe’s latest blog post states we lack “a fundamental understanding of control systems and impacts of computers on system performance”. I know there are multiple repeat consulting clients which run many of the largest control systems in their sectors who would disagree, and equally important our research results, SCADApedia, blog, presentations, podcasts, etc. are easily available. Bandolier, the project he references, is in fact well on its way to being wildly successful. Control system vendors and asset owners are thrilled that they will have an easy and much safer way to audit the multitude of security settings on control system workstations and servers. Quickdraw, the PLC passive security log generator, is well on its way as well and in the next month you will see the first 25 security events. I’ll leave it at that, and let others evaluate based on our very open trove of information on the site.

The main point is the community needs to get away from this trend of pointing fingers and “saying you’re not qualified to participate” in this space. Stick to the facts, and let’s focus on the results. The control system security space still has so much work that needs to be done that it is easy to find a place to contribute. If something can be done better. Great. Do it. We feel frustrated sometimes that there are not more success stories to highlight in the blog, although there are some like Secure DNP3, Procurement Project, etc. Let’s stop the carping on generalities and get to developing and analyzing specific solutions, tools, guidelines, standards and other resources. Contribute to the effort and put your results out there for sale or pro bono.

Ok. That’s it. You won’t be hearing further back and forth from me or Digital Bond on this petty issue.

PI ACE Portaledge Meta-Event Proof-Of-Concept [Digital Bond]

Posted: 18 Aug 2008 03:35 AM CDT

I recently started working with OSIsoft’s PI ACE for use in the Portaledge project.  Kevin and I put together a sample Meta-Event involving snort events, a key logger and uploading new firmware to a PLC.  The code below is an example of an ACE library that will run every 5 minutes and iterate through the past 15 minutes of data.  Due to the nested for loops, this may not be the most efficient method but it works as a proof-of-concept.

    ' Syslog22 and WEL_22 are the PI point aliases for the syslog and Windows
    ' Event Log feeds; StrMatch and GetIP are helper functions not shown here.
    Public Overrides Sub ACECalculations()
        Dim Syslog_PtOneValue, Syslog_PtTwoValue, WEL_PtOneValue, WEL_PtTwoValue As PIValue
        Dim Syslog_PtOneValArray, Syslog_PtTwoValArray, WEL_PtOneValArray, WEL_PtTwoValArray As PIValues
        Dim AttackIP As String

        ' Stage 1: any NMAP scan seen by snort in the last 15 minutes
        Syslog_PtOneValArray = Syslog22.Values("*-15m", "*", 0)
        For Each Syslog_PtOneValue In Syslog_PtOneValArray
            If StrMatch(Syslog_PtOneValue.Value, "NMAP Scan") Then
                AttackIP = GetIP(Syslog_PtOneValue.Value)
                ' Stage 2: a login from the scanning host, after the scan
                WEL_PtOneValArray = WEL_22.Values(Syslog_PtOneValue.TimeStamp, "*", 0)
                For Each WEL_PtOneValue In WEL_PtOneValArray
                    If StrMatch(WEL_PtOneValue.Value, AttackIP, "Xwin Login", "|") Then
                        ' Stage 3: that host crossing from the corporate network to the FEP
                        Syslog_PtTwoValArray = Syslog22.Values(WEL_PtOneValue.TimeStamp, "*", 0)
                        For Each Syslog_PtTwoValue In Syslog_PtTwoValArray
                            If StrMatch(Syslog_PtTwoValue.Value, AttackIP, "CorpNet to FEP") Then
                                ' Stage 4: a firmware upload after that, from any source
                                WEL_PtTwoValArray = WEL_22.Values(Syslog_PtTwoValue.TimeStamp, "*", 0)
                                For Each WEL_PtTwoValue In WEL_PtTwoValArray
                                    If StrMatch(WEL_PtTwoValue.Value, "", "Firmware Upload", "|") Then
                                        PortaledgeTemplate_Alert.Value = "Portaledge MetaEvent Detected"
                                    End If
                                Next
                            End If
                        Next
                    End If
                Next
            End If
        Next
    End Sub

I am going to look into triggering ACE libraries from events, allowing one ACE library to trigger another ACE library. On the plus side, stacked libraries can use more generic code and will permit increased levels of severity. Negative aspects to stacked libraries include increased initialization time, additional complexity and libraries not being initialized.  I will be talking with a few people from OSIsoft to determine the most efficient path.  Stay tuned.
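The same four-stage chain, written for this page as an added Python example rather than Digital Bond's PI ACE code. It replaces the nested loops with a single chronological pass and a per-attacker-IP state machine, which is the kind of restructuring the efficiency remark above points at. The log line format, the pipe-delimited event-log fields, the 15-minute window and the sample events are all constructed for the example; the IP extraction assumes the scanning host is the first address in the snort message.

```python
"""Single-pass correlation of a multi-stage meta-event (added example).

Same chain as the ACE library: NMAP scan -> Xwin login from the scanning
host -> that host crossing CorpNet to FEP -> a firmware upload. Each open
chain is keyed on the scanning IP and advanced as records arrive in time
order, so every record is examined once. Log lines are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# (source, substrings that must all appear, must the bound attacker IP appear?)
# Stage 0 binds the IP; the last stage, like the ACE code, carries no IP.
STAGES = [
    ("syslog", ("NMAP Scan",), False),
    ("wel", ("Xwin Login",), True),
    ("syslog", ("CorpNet to FEP",), True),
    ("wel", ("Firmware Upload",), False),
]
WINDOW = timedelta(minutes=15)   # constructed: matches the post's 15-minute look-back


@dataclass
class Record:
    ts: datetime
    source: str
    msg: str


@dataclass
class Track:
    """Progress of one candidate chain, keyed on the scanning IP."""
    ip: str
    started: datetime
    stage: int = 1                      # index of the next stage to satisfy
    evidence: list = field(default_factory=list)


def parse_line(line):
    """Constructed line format: '<ISO timestamp> <source> <message>'."""
    ts, source, msg = line.split(" ", 2)
    return Record(datetime.fromisoformat(ts), source.lower(), msg)


def extract_ip(msg):
    """First IPv4 address in the message (assumed to be the scanning host)."""
    m = IP_RE.search(msg)
    return m.group(1) if m else None


def matches(rec, stage, ip):
    source, subs, need_ip = stage
    if rec.source != source or not all(s in rec.msg for s in subs):
        return False
    return (not need_ip) or ip in rec.msg


def correlate(records, stages=STAGES, window=WINDOW):
    """Return one alert dict per completed chain, in completion order."""
    tracks = {}                         # attacker IP -> Track
    alerts = []
    for rec in sorted(records, key=lambda r: r.ts):
        # Drop chains whose first stage is older than the window.
        for ip in [ip for ip, t in tracks.items() if rec.ts - t.started > window]:
            del tracks[ip]
        # Advance every open chain this record satisfies.
        for ip, t in list(tracks.items()):
            if not matches(rec, stages[t.stage], ip):
                continue
            t.evidence.append(rec)
            t.stage += 1
            if t.stage == len(stages):
                alerts.append({"ip": ip, "started": t.started,
                               "completed": rec.ts, "evidence": t.evidence})
                del tracks[ip]
        # Open a new chain on a stage-0 hit for an IP not already tracked.
        if matches(rec, stages[0], None):
            ip = extract_ip(rec.msg)
            if ip and ip not in tracks:
                tracks[ip] = Track(ip=ip, started=rec.ts, evidence=[rec])
    return alerts


# Constructed sample: one complete chain from 10.1.5.23, plus a scan from
# 10.1.5.77 whose follow-up login arrives 20 minutes later, outside the window.
SAMPLE_LOGS = [
    "2008-08-18T03:00:10 syslog snort: NMAP Scan detected from 10.1.5.23 to 10.1.5.100",
    "2008-08-18T03:02:40 wel Security|528|Xwin Login|10.1.5.23|operator",
    "2008-08-18T03:04:05 syslog fw: accept 10.1.5.23 CorpNet to FEP tcp/502",
    "2008-08-18T03:06:30 wel Application|1001|Firmware Upload|PLC-7",
    "2008-08-18T03:20:00 syslog snort: NMAP Scan detected from 10.1.5.77 to 10.1.5.100",
    "2008-08-18T03:40:00 wel Security|528|Xwin Login|10.1.5.77|operator",
]


def run_sample():
    return correlate(parse_line(l) for l in SAMPLE_LOGS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ip"], a["started"], "->", a["completed"], len(a["evidence"]), "events")
```

Because the chain is keyed on the scanning IP and expired by the timestamp of its first stage, the second scan in the sample never alerts: its login lands past the window and the partial chain is discarded rather than left open indefinitely. The alert carries the four matched records, which is what a responder needs to confirm the sequence rather than just the fact that a rule fired.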

Why We Pay Attention To Anton Chuvakin [Infosecurity.US]

Posted: 17 Aug 2008 09:03 PM CDT

Dr. Anton Chuvakin posts an on-target story on his latest log management outrage. This time, dealing with Microsoft (NasdaqGS: MSFT) Access and Enterprise Log Management. Amazing what people will purchase to manage their company/agency/organizational log structure, isn’t it?

Censorship is in Italy - PirateBay blacklisted [Hackers Center Blogs]

Posted: 17 Aug 2008 06:00 PM CDT

Censorship in China? No, in Italy.

You know I'm Italian and I'm not used to talking about security in my home country since basically there's no such field in Italy and the only news you can get is about someone being fined for downloading music.
While online banking services have session id's in the url.

This time I will make an exception since we are in front of the first censorship case in a western liberal, democratic or however you want to call our money-masonic-ruled count [...]

New MySpace and Facebook Worm Target Social Networks [Darknet - The Darkside]

Posted: 17 Aug 2008 04:27 PM CDT

Well another reason for you guys (and gals) to avoid social networks, a new worm is spreading. Again they are using the same ploys that have been leveraged for years on e-mail and instant messaging. Trust is gained as the message or link/video/etc comes from a known source so people are more likely to click/open/play it [...]

Read the full post at darknet.org.uk

Shimel’s View: Hijacked [Infosecurity.US]

Posted: 17 Aug 2008 10:15 AM CDT

Alan Shimel (CSO of StillSecure, respected security blogger and recent victim of a web hijack by miscreants unknown) tells his side of the story. Key to this debacle is the apparent (and I can personally attest to this) ineptitude and convoluted support structure at GoDaddy (to say nothing of the issues he had with TypePad). Bob Parsons (sole investor of GoDaddy Group, Inc), are you listening?

Linus: Security Circus - Admission Is Free [Infosecurity.US]

Posted: 16 Aug 2008 04:27 PM CDT

In today’s MustRead, a rather curmudgeonly and controversial view of information security professionals espoused by Linus Torvalds, the creator of the Linux kernel. He really doesn’t find much use for BSD (a statement to which we most certainly take exception)…
