Newsfeeds

Praetorian Prefect
  • Turning an ATM into a Slot Machine
    In a talk originally slated for last year before it was muffled by Juniper based on the concerns of "an affected ATM vendor", Jack demonstrates what he calls jackpotting an ATM.

  • PCI Rock, WTH?
    Security Awareness Programs can be a daunting task. It is not atypical to try to mix security awareness programs with some element of fun, such as humor with a message.

  • Asian Men Prefer LIGATT
    A number of new Twitter accounts spawned today, all tweeting positively about the disgraced security firm LIGATT security (plagiarism, threats, stock manipulation), responding to actual security professionals, and all using avatars that are easily attributable to other web sites.

  • Persistent XSS on Twitter.com
    Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications.

  • Sextortion via Hacking
    At least 186 women and 44 girls were caught in a bizarre scheme by 31-year-old Santa Ana, CA resident Luis Mijangos, who attempted to extort pornographic videos from his victims. Mijangos, a paraplegic due to a gang shooting, was arrested yesterday following a two-year investigation by the FBI; he is charged with extortion and faces a maximum of two years in federal prison.

  • NationalCyberSecurity.com has all “Original Content”
    Readers of Yahoo Finance were treated to the following wackadoo press release on Friday: National Cyber Security Uncovers Racism Within the Computer Security Industry.

  • LIGATT’s Evans Strikes Back
    Gregory Evans, the CEO of LIGATT Security, is not taking the criticism heaped upon himself and his firm or his latest book lying down.

  • Did LIGATT Security’s CEO Threaten the Life of a Security Professional?
    How did one of these men come to threaten the lives of the other and his family?

  • F-Secure XSS on Anti-Theft Website
    In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki based anti-virus company F-Secure is vulnerable to cross site scripting (XSS).

  • iPhone 4 Ordering and Session Switching
    Upon logging into AT&T online to place an order for the new iPhone, some users are reporting that another user's information is coming up including billing information, call history, and so forth.

  • Newsweek Reports Zombie Invasion
    Newsweek.com becomes the latest in a long list of sites that will reveal an Easter egg if you enter the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) correctly.

  • Zuckerberg Apologizes for Facebook Privacy Changes
    A video recently went up where Facebook CEO Mark Zuckerberg took the time to apologize to Facebook's users for the multiple recent confusing and "open by default" changes to Facebook's privacy settings.

  • 114,000 iPad Owners: The Script that Harvested Their E-mail Addresses
    Here is the script referenced in the Gawker story from earlier that describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel, had their e-mail addresses revealed via a poorly designed web application hosted by AT&T.

  • Going After BP
    BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP's recent public relations activities in the online arena.

  • Formspring.me XSS Vulnerability
    Formspring.me, a newly popular social networking site, has a fundamental cross site scripting flaw that allows one logged in user to steal another user’s session, but also may allow users to find out who posted a nasty comment about them.

  • Thou Shalt Not Send Naked Pictures…To Anyone Ever
    It's becoming a familiar story: an angry parent of a student reports finding inappropriate images, self-taken naked pictures and videos, on that student's cell phone. But this story has an unusual wrinkle: the student is a 20-year-old at the University of Central Florida, the girlfriend of 32-year-old Mandarin High School football coach Jason Robinson.

  • For Access Call, or Walk Right In
    Presumably the door sign should read "For Access Call...or Just Walk In".

  • Happy 30th Birthday Pac-Man, Google Style
    Hats off to Google for unveiling perhaps the greatest tribute today to the 30th anniversary of the iconic video game Pac-Man.

  • Best Information Security Commercial Evah…

    Say what you will about LIGATT security, the publicly traded (around 0.0004) Georgia company headed by self-styled security expert and convicted felon (federal conspiracy and wire fraud) Gregory Evans: they are responsible for what might be the greatest information security commercial ever created.

    As you can see, the protagonist is down on his luck, but [...]

  • May’s Patch Tuesday

    After a busy April patch month, May’s Patch Tuesday proves to be much quieter, with two updates released by Microsoft. Although they are deemed critical, read the details below to see how your environment may or may not be affected.

    Microsoft Updates

    ID: MS10-030
    Title: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution
    Microsoft Severity: Critical

    Summary: [...]

  • Bo Dietl Lost His Guns
    Richard "Bo" Dietl lost his guns. The former NYPD Detective and media contributor on Fox News and the Don Imus show, founder of Beau Dietl & Associates, subject of a film where he was played by Stephen Baldwin, and Chairman of the New York State Security Guard Advisory Council was featured on Jon Stewart's show for having himself been burglarized. What's funny is that his description of what happened, particularly his focus on the security measures he had in place but that weren't used, follows the well-worn pattern of responses one typically hears after an information security breach (but we were PCI compliant, we had IDS in place, it was a sophisticated attacker, everyone gets hacked, and so forth).

  • Give this Man a Haircut and Support a Worthwhile Cause
    Gal Shpantzer, friend of the blog, fellow blogger, and a writer for CSO Online asked us to bring some attention to a worthy cause. As part of his talk at Security B-Sides Boston in Cambridge, MA, he will partake in certain unabashed activities for each monetary contribution threshold reached for Hackers for Charity.

  • WinPE 3.0 & Forensics
    It is a common task for an investigator to boot a machine using bootable media in the form of a DVD or USB drive, and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensic analysis.

  • XSS Flaw on PayPal.com
    Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent (reflected) cross site scripting (XSS) attack. While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts or debit or credit cards, and payments can be made to third parties without any additional authentication once user access is gained.

  • Bad Password Management Will Stop You in Your Tracks
    Refusing to maintain and follow a good termination checklist that walks through which access rights to decommission when someone leaves your company can put the brakes on your customers’ good will. Texas Auto Center in Austin, Texas demonstrated the headaches that ensue when in February they left more than 80 customers who financed cars unable to get to school or work and stuck with charges for towing and unnecessary repair work.

    Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty-year-old Omar Ramos-Lopez, had used still-active credentials to log in to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, have horns honk through the night.

  • The Proliferation Of Scareware Hits Home
    The agitation in the voice on the phone shook me from sleep early Saturday morning: my uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.

  • A Loss of SecurityFocus
    The announcement came out earlier today that SecurityFocus, a long-standing security news portal started in 1999 and home of a number of popular mailing lists, including the well-known Bugtraq, is being shuttered by Symantec. While aspects of the site will continue (the mailing lists will remain and some content will be moved to Symantec Connect), the loss of the news portal and site itself is a significant loss of historical perspective on the information security industry from what was a long-standing news and research source.

  • IEPeers – A New Internet Explorer Zero Day Vulnerability
    We posted an aside yesterday referencing Microsoft's recent blog post for new security advisory 981374 referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of "limited targeted attacks" to being widely accessible and available as a new module for the Metasploit framework.

  • Microsoft IE 6 & 7 Zero-day (Aside)
    A blog post on the MSRC web site warned of a new zero-day in Internet Explorer versions 6 and 7 running on Windows XP, Windows 2000, or Windows 2003. The post references Security Advisory (981374), and at this time there aren’t many details about the vulnerability other than what MS has stated in the advisory.

    Related [...]

  • March’s Patch Tuesday
    Today is Patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which is deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.

Date published: Thu, 29 Jul 2010 16:38:31 +0000