[malicious] websites can use to coax a browser into revealing information that it probably should not.
- I Know A LOT About Your Web Browser and Computer – blog.whitehatsec.com
Web browser hacking techniques are frequently platform dependent. Creating stable and cross-platform proof-of-concept code is often challenging. So it is helpful for a [malicious] website, such as http://maliciouswebsite/, to learn everything it can about a visiting browser before executing a real-world attack. We can loosely describe this process as “browser interrogation.”
- I Know The Country, Town, and City You Are Connecting From (IP Geolocation) – blog.whitehatsec.com
Every browser leaves a log of its public IP address when it connects to any website – if it didn’t, the website would have no idea where to send the requested Web page. What many people do not realize is the tremendous amount that websites can learn about a visitor — instantly — just from their IP address.
- I Know What Websites You Are Logged-In To (Login-Detection via CSRF) – blog.whitehatsec.com
Now that we know a lot about a visitor’s browser, we can mix and match several techniques – six, by my count — that http://maliciouswebsite/ can use to learn what other websites a visiting browser is logged in to – an online bank, social network, email provider, a local home router’s Web interface, and basically anything else.
- I Know Your Name, and Probably a Whole Lot More (Deanonymization via Likejacking, Followjacking, etc.) – blog.whitehatsec.com
Building on the previous section, where we learned a variety of ways that http://maliciouswebsite/ can detect what other websites a browser is logged in to, we’ll move onto the next step — deanonymizing visitors. Deanonymization refers to a website like http://maliciouswebsite/ surreptitiously uncovering a visitor’s full real name.
- I Know Who You Work For – blog.whitehatsec.com
Other than asking a visitor directly, there are five ways I know of for http://maliciouswebsite/ to find out where a visitor is employed. Depending on the visitor’s browser set-up, most of the time one of them should be able to get the job done.
- I Know Your [Corporate] Email Address, and more… – blog.whitehatsec.com
Let’s assume that with the techniques in the previous section, http://maliciouswebsite/ is able to ascertain a visitor’s full name and where they work. It may then use this information to infer the corporate email address of a visitor.
- Summary and Guidance for the “I Know…” series – blog.whitehatsec.com
When it’s all said and done, who do these Web and browser security and privacy problems belong to? We could point the finger at the browser vendors for allowing such Web technology abuses without providing adequate controls. Maybe the fault lies with website owners and Web developers who demand and implement features without fully understanding or appreciating the risks.
- Exploiting a MIPS Stack Overflow – devttys0.com
Although D-Link’s CAPTCHA login feature has a history of implementation flaws and has been proven to not protect against the threat it was intended to thwart, they continue to keep this feature in their products. Today we’ll be looking at the CAPTCHA implementation in the D-Link DIR-605L, which is a big-endian MIPS system running Linux 2.4.
- UPEK Windows Password Decryption – adamcaudill.com
On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK’s fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn’t announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research – and we have.
- UPEK + Lenovo = Insecure Password Storage – netspi.com
Recently Adam Caudill and ElcomSoft identified vulnerabilities in the way that UPEK fingerprint readers store Windows passwords in the registry. Adam has released a great proof-of-concept tool to decrypt these poorly encrypted passwords.
- Compiling and Release of Netview – room362.com
If you haven’t caught Chris Gates’s (@carnal0wnage) and my talk at DerbyCon 2012 – we released two tools, Netview and Ditto. Here I’ll walk you through compiling Netview yourself; in the next blog post we’ll go over compiling Ditto and how you can remove its icon to reduce the size if you want. But for Netview it’s pretty straightforward.
- Compiling and Release of Ditto – room362.com
If you follow the exact same steps you did for Netview (http://www.room362.com/blog/2012/10/8/compiling-and-release-of-netview.html), then you already have the steps needed to create a compiled version of Ditto from the repo here.
- THC-IPV6 v2.0 Update – thc.org
The THC IPV6 ATTACK TOOLKIT (THC-IPV6) is a complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library.
- wick2o – github.com
Offline Security Focus Database
- Inception – breaknenter.org
Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any machine you have physical access to.
- Everything you need to know about hash length extension attacks – skullsecurity.org
A while back, my friend @mogigoma and I were doing a capture-the-flag contest at https://stripe-ctf.com. One of the levels of the contest required us to perform a hash length extension attack. I had never even heard of the attack at the time, and after some reading I realized that not only is it a super cool (and conceptually easy!) attack to perform, there is also a total lack of good tools for performing said attack!
- DNSSEC Walker – josefsson.org
This is a proof-of-concept of a utility to download DNS zone contents even when AXFR is disabled on the server, assuming DNSSEC is used. Optionally it can also verify all digital signature RRs within a zone against the zone key.
- Microsoft Updates
- Microsoft Patches Critical Word Flaw; Certificate Key Length Changes are Official – threatpost.com
Microsoft rolled out seven security updates today, including a fix for a critical remotely exploitable Word vulnerability. In all, 20 vulnerabilities were repaired by Microsoft, which also issued an advisory regarding poorly generated digital certificates that have to be replaced and the distribution of an automated mechanism that will check for certificate key lengths and revoke any shorter than 1024 bits.
- Welcome to the 1024-bit world and the October security updates – blogs.technet.com
As previously mentioned in the Advance Notification blog on Thursday, today we’re releasing seven bulletins, one Critical-class and six Important-class bulletins. Before we discuss those releases, let’s take a closer look at the Security Advisories we also released today.
- Assessing risk for the October 2012 security updates – blogs.technet.com
Today we released seven security bulletins addressing 20 CVEs (7 Microsoft and 13 Oracle CVEs). Only one of the bulletins is rated Critical. The other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
- Critical Adobe Flash Player Update Nixes 25 Flaws – krebsonsecurity.com
Adobe has issued an update for its Flash Player software that fixes at least 25 separate security vulnerabilities in the widely-installed program. The company also pushed out a security patch for its Adobe AIR software.
- HTML 5
- Proof-of-Concept Exploits HTML5 Fullscreen API for Social Engineering – threatpost.com
Independent security researcher, web designer, and Stanford Computer Science student Feross Aboukhadijeh has developed an attack concept that exploits the fullscreen application programming interface in HTML5 in order to carry out phishing attacks.
- Using the HTML5 Fullscreen API for Phishing Attacks – feross.org
The Fullscreen API (see W3C docs and MDN docs) allows web developers to show web content that fills up the user’s screen completely. You’ve seen this functionality in action whenever you watch a fullscreen video on YouTube (if you use their new HTML5 player, which you should do!) or look at a fullscreen photo on Facebook.
- Flaws allow 3G devices to be tracked – scmagazine.com.au
The vulnerabilities could be exploited with cheap commercial off-the-shelf technology to reveal the location of phones and other 3G-capable devices.
- Content Smuggling – xs-sniper.com
A few years ago, I discovered a peculiar design decision described in the PDF specification. This design flaw allows for an attacker to conduct XSS attacks against some websites that would not normally have XSS vulnerabilities.
- Banks Take Action After Alert, Attacks – bankinfosecurity.com
It’s been nearly three weeks since the Financial Services Information Sharing and Analysis Center issued its warning about new online threats facing U.S. banking institutions (see High Risk: What Alert Means to Banks).
- Security Manager’s Journal: I hired a hacker – computerworld.com
A very important piece of my budget is the quarterly allotment for security assessments. I usually focus on physical penetration testing of our major facilities or assessments of critical applications or our own products. This quarter, though, I decided to hire a hacker.
- Human Rights Groups Report A Surge In Highly Targeted Malware For Macs – forbes.com
The security world has long cautioned Mac users that the lack of malware targeting their machines has been a function of cybercriminals’ focus on Windows’ larger market share, not of Apple’s brilliant security.
- Exclusive: Anatomy Of A Brokerage IT Meltdown – informationweek.com
Regulators last year issued the SEC’s first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.
- Call for Volunteers – Help Create an Easy to Use Open Source Risk Equation – blog.securestate.com
For many years now, the information security industry has attempted to adapt existing Risk Management practices for the task of managing information security. Numerous frameworks have been devised over the years, including FAIR, OCTAVE, ISO 27001/27005 and NIST 800-53/NIST 800-39, just to name a few.
- – stripe.com/blog
The last flag has been captured, and the final tallies are in. Over 16,000 people from around the world participated in Capture the Flag 2.0 during its week-long run, and it’s been a blast exploring web application security with all of you.
- Facebook confirms researcher exploited privacy settings to quickly collect user phone numbers – thenextweb.com
On Friday, a researcher by the name of Suriya Prakash claimed that the majority of phone numbers on Facebook are not safe. It’s not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook’s 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort.
- Real Bad Guys Create Fake Bad Piggies Game: Infect 80,000 Angry Birds Fans – readwriteweb.com
People love to play the bad guy, so it’s no surprise that Bad Piggies, the spin-off of Rovio’s popular Angry Birds game franchise, has done very well worldwide, earning the top spot in the iPhone App Store hours after its release in late September.
- Lone packet cripples telco networks – scmagazine.com.au
Telecommunications infrastructure is riddled with security holes so severe that a handful of malformed packets could take down GSM communications systems, according to veteran pen tester and founder of Qualys, Philippe Langlois.
- Corporate Attacks Hint Of A Coming ‘Cyber Pearl Harbor’ – forbes.com
Hackers have already unleashed World War III in World of Warcraft, killing the avatars of thousands of innocent gamers. Is the real world next?
- Task Force Tells DHS to Offer ‘Cool’ Cybersecurity Jobs to Gov. Workers and Test Them Like Pilots – wired.com
In order to attract the highly skilled and qualified cybersecurity workers the Department of Homeland Security needs to fulfill its mission of protecting government computer systems and overseeing the security of critical infrastructure systems, DHS has to reserve its coolest cybersecurity jobs for federal workers, not contractors, according to a task-force report submitted to DHS this month.
- ReVuln Emerges as New Player in Vulnerability Sales Market – threatpost.com
It’s getting difficult these days to keep track of all of the companies, public and otherwise, that are buying and selling vulnerabilities or information on bugs, and now there’s another group on the scene: ReVuln. But, unlike other companies in the industry, ReVuln is mostly focusing its efforts on vulnerabilities in SCADA and ICS software, the applications that run utilities, industrial systems and other sophisticated systems.