Companies go on the Offensive

Some businesses are starting to respond more aggressively to cyber attacks, even launching retaliatory attacks against their attackers. This article explores why this is bad policy.

OpenX CSRF Vulnerability Being Actively Exploited

OpenX 2.8.8 is vulnerable to CSRF attacks, and these are being actively exploited to compromise OpenX ad servers.

Home Depot Website Hack

Even very large organizations with deep IT budgets can be the victim of a web application attack. Case in point: Home Depot's website. This article discusses malicious JavaScript found on Home Depot's e-commerce site.

Webapp Scanner Review: Acunetix Versus Netsparker

The focus of this article is to provide a comparison of Acunetix WVS and Mavituna Netsparker webapp scanners in terms of accuracy, features, speed, and usability.

Following the Trail of Web-based Malware

This article illustrates a typical threat scenario from start to finish. The goal is to demonstrate how hackers use a combination of tactics to compromise systems.

Affiliate Marketing Scam

This article discusses a common method used by scammers to commit fraud against ecommerce sites by taking advantage of their affiliate marketing programs.

Mitigating the Apache Range Header DoS Vulnerability

A new zero-day Apache DoS vulnerability has been reported that affects most default installations of Apache 1.3/2.x. This article discusses several mitigation techniques.

Profiling the Use of Javascript in a Driveby Download Attack

In this article I will detail how the JavaScript works in its attempt to download and install malware on unsuspecting visitors’ machines.

Weak Authentication

This article examines the use of a weak authentication mechanism by a major daily newspaper in North Carolina -- The News and Observer.

Advance Fee Scams: A Case Study

Advance fee fraud, sometimes called the Nigerian bank scam, is one of the most common scams on the Internet. This article is a case study in a variation of this scam.

Dissection of an Active Malware Campaign

This article walks the reader through a typical malware campaign from the web server infection to the actual infection of the client system.

WPA Keeps Law Enforcement Away

Recently a Minnesota man was charged with aggravated identity theft and threatening the vice president after allegedly tapping into a neighbor’s wireless network and sending threatening email messages to US Vice President Joe Biden.   With a long history of having disputes...

Mac Users Beware

The conversation usually goes something like this: Me:  “Hey, have you heard about that new phishing attack targeting Bank of America customers?” Mac User:  “Oh, I’m not worried about that.  I use a Mac.” Me: “Well you know, just because you use a...

Fox Sports Compromised… Again

In October of 2009 the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content.  The affected URL was hxxp:// and an example of the injected code is...

WCPSS Student SSN Disclosure

Recently the Wake County Public School System, in Raleigh, North Carolina, sent out about 15,000 postcards to the parents of students.  These postcards contained information for parents on how to indicate their intentions for school attendance in the next school year.  And about one...

Putting the TLS Vulnerability Into Perspective

Late last week it was disclosed by security researchers Marsh Ray and Steve Dispensa that a design flaw in TLS (the IETF implementation of SSL) could allow an attacker to successfully inject data in an encrypted session using a man-in-the-middle (MITM) attack.   The primary...

DreamPoll 3.1 Vulnerabilities

During a recent security audit of the DreamPoll 3.1 software by Dreamlevels, I discovered a number of XSS and SQL Injection vulnerabilities in the application.  These vulnerabilities could be exploited to make unauthorized changes to a web site or compromise a client accessing a site...

State of Internet Security Report

Websense recently released their report on the State of Internet Security for the first half of 2009.  They have some very interesting findings which I have summarized below. In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been...

The Implications of Predictable SSNs

Two researchers from Carnegie Mellon University recently released a study showing that social security numbers (SSNs) can be predicted with a fairly high degree of accuracy by knowing just a few bits of personal information.  For example, with knowledge of a person’s birth date...

Even Security Pros Get Owned

On Thursday we awoke to a good old-fashioned web site defacement and the public release of emails and other personal information of some of the most prominent names in the information security field.  A group hacked into the servers of Dan Kaminsky, Julien Tinnes, and Kevin Mitnick to...