ISPs Leave Modems Open to DDoS Attacks

Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet’s DNS, making it easier for hackers to launch DDoS attacks against their victims. According to research, part of the problem is the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an “open recursive” or “open resolver” system. Read the full article. [InfoWorld]

OWASP Con Begets Top 10 Threats List

Injection attacks, including SQL, OS, and LDAP injection, top the 2010 OWASP Top 10 list of Web application security threats, followed by cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, unvalidated redirects and forwards, insecure cryptographic storage, and insufficient transport layer protection. The list is considered a “release candidate” that will be published in its final form in 2010. Read the full article. [Dark Reading]

MS Confirms Windows 7 DoS Flaw

On the heels of last week’s release of exploit code for a crippling denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2, Microsoft has issued a security advisory to confirm the issue and offer pre-patch mitigations. The flaw, in the Microsoft Server Message Block (SMB) Protocol, which affects SMBv1 and SMBv2, could cause a system to stop functioning or become unreliable, Microsoft said, describing the published exploit code as “detailed.”

The vulnerability in the design of the SSL/TLS protocol revealed earlier this month can apparently be used to carry out attacks in practice. On his blog, student Anil Kurmus reports that he was able to steal a Twitter password by using a man-in-the-middle attack. Until now it had been assumed that the problem was largely theoretical and would be made manifest only in very limited scenarios.

DNSSEC Usage Expands

According to research released by Infoblox and The Measurement Factory, there has been a dramatic increase in the percentage of external name servers that are open to recursion. The study put the latest figure at 79.6 percent, a 27 percent increase from 2007. The number of DNSSEC-signed zones increased by roughly 300 percent, indicating that DNSSEC is gaining momentum. However, in raw numbers the number of DNSSEC-signed zones is minuscule next to the total number of zones out there. Read the full article. [eWEEK]

Security researchers have released a paper detailing successful man-in-the-middle attacks against several smartphones. The SSL-enabled login sessions on the tested Nokia N95, HTC Tilt, Android G1 and iPhone 3GS devices were sniffed using the publicly available SSLstrip tool, with the attack taking place over insecure Wi-Fi networks, now prevalent literally everywhere. Read the full article. [ZDNet]

Cyber-criminals have started preying on Verizon Wireless customers, sending out spam e-mail messages that say their accounts are over the limit and offering them a “balance checker” program to review their payments. The e-mail messages, which look like they come from Verizon Wireless, are fakes; the balance checker is actually a malicious Trojan horse program. Read the full article. [Computerworld]

The WordPress developers have released security update 2.8.6 to fix two vulnerabilities. WordPress users are advised to install the update as soon as possible if untrusted authors can add content and upload images. At least one of the bugs allows attackers to inject and execute arbitrary PHP code on the server. There appear to be issues, however, with Apache web servers in the new update. Read the full article. [The H Security]

Scientists at Microsoft Research have unveiled a new way to secure complex Web applications by effectively cloning the user’s browser and running it remotely. Many of the latest Web applications split their executable code between the server and the client. The problem is detecting whether the code running on the user’s home PC has been compromised in some way. The new Microsoft solution, known as Ripley, was announced on Tuesday at the Association for Computing Machinery’s Computer and Communications Security Conference in Chicago. Read the full article. [MIT Technology Review]

Hackers can exploit a flaw in Adobe’s Flash to compromise nearly every Web site that allows users to upload content, including Google’s Gmail, then launch silent attacks on visitors to those sites, security researchers said today. Adobe did not dispute the researchers’ claims, but said that Web designers and administrators have a responsibility to craft their applications and sites to prevent such attacks. Read the full article. [Computerworld] Read the research. [Foreground Security]
