Thursday, August 21, 2008

BSQL (Blind SQL) Hacker

This is definitely a tool to check out....

BSQL (Blind SQL) Hacker is an automated SQL injection framework / tool designed to exploit SQL injection vulnerabilities in virtually any database.

BSQL Hacker is aimed at experienced users as well as beginners who want to automate SQL injection (especially blind SQL injection). It provides a Metasploit-like exploit repository for sharing and updating exploits.

http://labs.portcullis.co.uk/application/bsql-hacker/

Tuesday, August 12, 2008

Patience Pays Off for Hackers in Web Security War

The hacker group behind the Coreflood Trojan has learned that patience pays, as it has stolen at least 463,582 user names and passwords while flying under the radar. At Black Hat, SecureWorks Director of Malware Research Joe Stewart discussed his research on the gang and how it has gone undetected.

LAS VEGAS—The creators of the Coreflood Trojan have managed to stick their digital hands into the pockets of victims for years. And they have done it largely under the radar, according to research revealed at the Black Hat conference here Aug. 6.

[ Read Article ]

Friday, August 8, 2008

Clear Program >= "Pathetic"

I must say, I'm completely blown away by what has happened with the Clear Program.  For those of you who do not know what/who Clear is....

Clear® is the fast pass for airport security. Clear members are pre-screened and provided with a high-tech card which allows them to access designated airport security fast lanes nationwide. Clear members pass through airport security faster, with more predictability and less hassle.

Basically, they pre-screen you through TSA and give you a card to carry around so you don't have to wait in line with all of the other yahoos.  So let's take a look at the recent email that just came out. First line of the email ...

We take the protection of your privacy extremely seriously at Clear. 

This isn't giving me a warm feeling.  Next?

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Okay....this isn't getting any better.  Next?

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

So .... as a security person, my first question would be -- HOW DID THIS COMPANY GET APPROVED TO OPERATE WITH TSA SENSITIVE DATA WITHOUT THE USE OF ENCRYPTION?  Yet another quote from the privacy policy....

TSA also conducts periodic audits to assure that we comply with their extremely high standards of data security.

Okay...I won't be hiring these idiots to perform my next vulnerability assessment...

We use encryption (a strong data coding process) for all program sensitive data communications. We apply firewalls to guard against outside intruders.

Wow!  Now this is really surprising to me -- yet another group of yahoos who think that a firewall is going to guard your applications from compromise.  Brilliant.

I'm sorry folks, but there are few moments in life when you really do find yourself speechless -- and well..... I guess this is one of them.  I must say - if this is the way these folks plan to do business, you might want to:  (a)  Not enroll or (b) enroll and quickly find yourself a good lawyer.

Ug.
Thursday, August 7, 2008

Cross Site Request Forgery and Same Origin Policy

There has definitely been an increase in the number of conversations around XSS and CSRF.  If you are looking to understand the basics of this attack, this is an excellent article....

Monday, August 4, 2008

OWASP 2008 NYC

The agenda for OWASP 2008 in New York has been posted.

OWASP Agenda

Should be a great show!

PHPCharset Encoder

This tool helps you encode arbitrary text to and from 65 different charsets. Some of the encoding functions provided by JavaScript are also included.

http://h4k.in/encoding/index.php