Browsing Category: Data Breaches

Injection attacks top the 2010 OWASP Top 10 list of Web application security threats, including SQL, OS, and LDAP injection, followed by cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, unvalidated redirects and forwards, insecure cryptographic storage, and insufficient transport layer protection. The list is considered a “release candidate” that will be published in its final form in 2010. Read the full article. [Dark Reading]

Security researchers have released a paper detailing successful man-in-the-middle attacks against several smartphones. The SSL-enabled login sessions on the tested devices (Nokia N95, HTC Tilt, Android G1 and iPhone 3GS) were sniffed using the publicly available SSLstrip tool, with the attack taking place over insecure Wi-Fi networks, now prevalent literally everywhere. Read the full article. [ZDNet]

Researchers at the University of Pennsylvania say they’ve discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the U.S. The flaws they’ve found “represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial,” the researchers say in their paper, set to be presented today at a computer security conference in Chicago. Read the full article. [PC World]

Let’s try to separate the wheat from the chaff. Let’s start by looking at the vulnerability itself. It is a “man-in-the-middle” (MitM) attack in which an attacker can use an SSL feature called “negotiation” to inject bad stuff into an SSL session. Right, so that’s not good news. But the sky isn’t exactly falling yet, so we can all remain calm for now. Let’s put things into perspective here… Using an MitM attack to actually effect damage isn’t entirely trivial. The attacker either needs to be on the same local network as the client, or in the network path between the client and the server. By far, the most likely of these scenarios, at least in the near term, is to attack systems on a local network. We have a little bit of leverage there. Read the full article. [Computerworld]

A researcher is working on tools for penetration testers that are a first step toward ultimately integrating and correlating data among different types of penetration-testing products. Josh Abraham, a.k.a. “Jabra,” will release some proof-of-concept tools at the OWASP AppSec Conference in Washington, D.C., that let pen testers integrate data they gather in their white-hat hacking projects. Read the full article. [Dark Reading]

The security glitch, which is linked to a “cash back” system operated by Bing, potentially leaves users and retailers exposed to fake transactions. But despite an outcry online over the existence of the loophole, the world’s largest company has responded to the issue by threatening legal action against the man who discovered the problem. First launched last year, before Microsoft rebranded its search website, the affiliate scheme offers users the chance to earn money back for every product they buy through the service. Read the full article. [guardian.co.uk]

A well-known commercial provider of spyware applications for numerous mobile platforms has recently ported its Mobile Spy app to the Android mobile OS. Just like previous releases of the application, the Android version keeps a detailed log of GPS locations, calls, visited URLs, and incoming/outgoing SMS messages, available at the disposal of the attacker who installed it manually by obtaining physical access to the targeted device. Read the full article. [ZDNet]

The four men whom a federal grand jury indicted this week for their alleged roles in a scam that stole millions of dollars from RBS WorldPay were no fools. The small crew of hackers had a distinct division of labor, operated with skill and efficiency and left one of the world’s larger banks holding the bag.

U.S. and international prosecutors have taken down a criminal ring that they allege was responsible for an ATM scam last year that stole about $9 million from RBS WorldPay. The criminals were able to evade the company’s encryption system used on payroll debit cards and withdraw money from ATMs in 280 cities around the world.

Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) has made it into the hands of pirates, and their virtual ships are distributing it. The COFEE application lets officers grab data from password-protected or encrypted sources. That means you can now break the law twice over: download the software and then use it to steal information from other people’s computers.