The GDPR is a regulation passed by the EU to protect the privacy of its citizens. It requires organizations that process the personal data of EU citizens to be very transparent with the methods of data collection, and to take measures to secure the data. It applies to organizations inside and outside the EU.
Some businesses are starting to respond more aggressively to cyber attacks, even launching retaliatory attacks against their attackers. This article explores why this is bad policy.
Even very large organizations with deep IT budgets can fall victim to a web application attack. Case in point: Home Depot's website. This article discusses malicious JavaScript found on Home Depot's e-commerce site.
The focus of this article is to provide a comparison of Acunetix WVS and Mavituna Netsparker webapp scanners in terms of accuracy, features, speed, and usability.
This article illustrates a typical threat scenario from start to finish. The goal is to demonstrate how hackers use a combination of tactics to compromise systems.
This article discusses a common method used by scammers to commit fraud against e-commerce sites by taking advantage of their affiliate marketing programs.
A new zero-day Apache DoS vulnerability has been reported that affects most default installations of Apache 1.3/2.x. This article discusses several mitigation techniques.
Advance fee fraud, sometimes called the Nigerian bank scam, is one of the most common scams on the Internet. This article is a case study in a variation of this scam.
Recently a Minnesota man was charged with aggravated identity theft and threatening the vice president after allegedly tapping into a neighbor’s wireless network and sending threatening email messages to US Vice President Joe Biden. With a long history of having disputes...
The conversation usually goes something like this:
Me: “Hey, have you heard about that new phishing attack targeting Bank of America customers?”
Mac User: “Oh, I’m not worried about that. I use a Mac.”
Me: “Well you know, just because you use a...
In October of 2009 the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content. The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is...
Recently the Wake County Public School System, in Raleigh, North Carolina, sent out about 15,000 postcards to the parents of students. These postcards contained information for parents on how to indicate their intentions for school attendance in the next school year. And about one...
Late last week it was disclosed by security researchers Marsh Ray and Steve Dispensa that a design flaw in TLS (the IETF implementation of SSL) could allow an attacker to successfully inject data in an encrypted session using a man-in-the-middle (MITM) attack. The primary...
During a recent security audit of the DreamPoll 3.1 software by Dreamlevels, I discovered a number of XSS and SQL Injection vulnerabilities in the application. These vulnerabilities could be exploited to make unauthorized changes to a web site or compromise a client accessing a site...
Websense recently released their report on the State of Internet Security for the first half of 2009. They have some very interesting findings which I have summarized below.
In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been...
Two researchers from Carnegie Mellon University recently released a study showing that social security numbers (SSNs) can be predicted with a fairly high degree of accuracy by knowing just a few bits of personal information. For example, with knowledge of a person’s birth date...
On Thursday we awoke to a good old-fashioned web site defacement and the public release of emails and other personal information of some of the most prominent names in the information security field. A group hacked into the servers of Dan Kaminsky, Julien Tinnes, and Kevin Mitnick to...