Web Security


An Inside Look at Botnet Chasers

They’re the Internet equivalent of storm chasers, spending endless hours scanning and sleuthing, looking for the telltale signs of botnets. Here’s an inside look at the battle against cybercrime’s weapons of mass infection. Read the full article. [CSOonline.com]

Wikipedia Toolbar on Firefox Open to Attack

A critical vulnerability in the Wikipedia Toolbar extension for Firefox has been discovered that can be exploited by an attacker to compromise a victim’s system. According to the Secunia report, the extension passes unvalidated input to a call to eval(), which can be exploited to execute arbitrary JavaScript code in the context of the extension.
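The pattern behind this class of bug, shown as an added example (this is not code from the Wikipedia Toolbar extension or from the Secunia report; the function and variable names are hypothetical): a response that merely looks like JSON is handed to eval(), so any JavaScript embedded in it runs with the caller's privileges, whereas JSON.parse() can only ever produce data.

```javascript
// Added example, not code from the Wikipedia Toolbar extension: the eval()
// anti-pattern described in the advisory, beside a hardened replacement.
// Function and variable names here are hypothetical.

// Side-channel used only to prove that eval() executed attacker-supplied code.
const sideEffects = [];

// VULNERABLE: a server response that "looks like JSON" is passed to eval().
// Anything that is valid JavaScript inside the text is executed with the
// privileges of the calling code (for a Firefox extension, chrome privileges).
function parseResponseUnsafe(text) {
  return eval("(" + text + ")");
}

// HARDENED: JSON.parse() only yields data and never runs code, and the result
// is then checked against the shape the caller actually expects.
function parseResponseSafe(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return null; // malformed or non-JSON input is rejected, not executed
  }
  if (typeof data !== "object" || data === null || typeof data.title !== "string") {
    return null;
  }
  return { title: data.title };
}

// Constructed inputs: a benign response, and one carrying a payload that is
// valid JavaScript but not valid JSON.
const benignResponse = '{"title": "Firefox"}';
const maliciousResponse = '{"title": sideEffects.push("code ran") && "Firefox"}';
```

Feeding maliciousResponse to parseResponseUnsafe() runs the embedded expression (sideEffects gains an entry) and still returns a plausible-looking object, so the caller sees nothing wrong; parseResponseSafe() rejects the same input with null and leaves sideEffects empty.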

Q&A: Cloud Security with Former Sun CSO

The recent ACM Cloud Computing Security Workshop in Chicago was devoted specifically to cloud security. Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the “keys” that unlock encrypted material for intended recipients. Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. He sat down with Technology Review’s chief correspondent. Read the full article. [Technology Review]


U.K. police are hailing the sentencing of four people who used a sophisticated Trojan horse program to siphon money out of online bank accounts. The men used a Trojan horse program called PSP2-BBB that executed a so-called man-in-the-browser attack when potential victims logged into online bank accounts. The Trojan would insert a special page within the customer’s browsing session asking for more personal information, according to police. Read the full article. [IDG News]

Injection attacks top the 2010 OWASP Top 10 list of Web application security threats, including SQL, OS, and LDAP injection, followed by cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, unvalidated redirects and forwards, insecure cryptographic storage, and insufficient transport layer protection. The list is considered a “release candidate” that will be published in its final form in 2010. Read the full article. [Dark Reading]

The vulnerability in the design of the SSL/TLS protocol revealed earlier this month can apparently be used to carry out attacks in practice. On his blog, student Anil Kurmus reports that he was able to steal a Twitter password by using a man-in-the-middle attack. Until now it had been assumed that the problem was largely theoretical and would be made manifest only in very limited scenarios.

DNSSEC Usage Expands

According to research released by Infoblox and The Measurement Factory, there has been a dramatic increase in the percentage of external name servers that are open to recursion. The study put the latest figure at 79.6 percent, a 27 percent increase from 2007. The number of DNSSEC-signed zones increased by roughly 300 percent, indicating that DNSSEC is gaining momentum. However, in raw numbers the amount of DNSSEC-signed zones is minuscule next to the total number of zones out there. Read the full article. [eWEEK]

Scientists at Microsoft Research have unveiled a new way to secure complex Web applications by effectively cloning the user’s browser and running it remotely. Many of the latest Web applications split their executable code between the server and the client. The problem is detecting whether the code running on the user’s home PC has been compromised in some way. The new Microsoft solution, known as Ripley, was announced on Tuesday at the Association for Computing Machinery’s Computer and Communications Security Conference in Chicago. Read the full article. [MIT Technology Review]

Hackers can exploit a flaw in Adobe’s Flash to compromise nearly every Web site that allows users to upload content, including Google’s Gmail, then launch silent attacks on visitors to those sites, security researchers said today. Adobe did not dispute the researchers’ claims, but said that Web designers and administrators have a responsibility to craft their applications and sites to prevent such attacks. Read the full article. [Computerworld] Read the research. [Foreground Security]
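What "crafting the site to prevent such attacks" can look like on the upload side, as an added example (this is not the Foreground Security research, nor Adobe's guidance; the endpoint policy, function names and sample bytes are hypothetical and constructed): the upload handler identifies a SWF by its magic bytes rather than by the file name or the Content-Type the client declared, accepts only bytes that match a known image signature, and serves stored user content with headers that stop the browser from rendering it in the site's own context.

```javascript
// Added example, not the Foreground Security research or Adobe's guidance:
// vetting an upload so a SWF cannot be smuggled in under an image name, and
// choosing response headers for serving user-supplied files. Endpoint policy,
// function names and sample bytes are hypothetical/constructed.

// A SWF starts with "FWS" (uncompressed), "CWS" (zlib-compressed) or
// "ZWS" (LZMA-compressed), followed by a version byte and a file length.
const SWF_MAGIC = ["FWS", "CWS", "ZWS"];

function looksLikeSwf(buf) {
  return buf.length >= 3 && SWF_MAGIC.includes(buf.toString("latin1", 0, 3));
}

// Known-good image signatures. Sniff the bytes instead of trusting the
// extension or the declared Content-Type: the uploader controls both.
function sniffImageType(buf) {
  const png = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length >= 8 && buf.subarray(0, 8).equals(png)) return "image/png";
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return "image/jpeg";
  if (buf.length >= 6 && ["GIF87a", "GIF89a"].includes(buf.toString("latin1", 0, 6))) return "image/gif";
  return null;
}

// Decision for a hypothetical image-only upload endpoint.
function vetUpload(filename, declaredType, buf) {
  if (looksLikeSwf(buf)) {
    return { accept: false, reason: "SWF content uploaded as " + declaredType };
  }
  const sniffed = sniffImageType(buf);
  if (sniffed === null) {
    return { accept: false, reason: "not a recognised image format" };
  }
  return { accept: true, contentType: sniffed, headers: headersForUserContent(filename, sniffed) };
}

// Headers for serving stored user content: the sniffed type (not the declared
// one) goes in Content-Type, nosniff stops the browser re-sniffing, and an
// attachment disposition makes the browser download the file instead of
// rendering it. Serving user content from a separate origin (not shown here)
// is the stronger control: a file that is interpreted as a SWF anyway then
// runs outside the main site's origin and cannot reach its cookies or DOM.
function headersForUserContent(filename, contentType) {
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, "_");
  return {
    "Content-Type": contentType,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="' + safeName + '"',
  };
}

// Constructed samples: a PNG header with padding, and a SWF header renamed .png.
const pngUpload = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(16),
]);
const swfDisguised = Buffer.concat([
  Buffer.from("CWS", "latin1"),
  Buffer.from([0x0a, 0x40, 0x00, 0x00, 0x00]),
]);
```

The magic-byte check is necessary but not sufficient on its own; treat it as one layer alongside serving user content from a domain that carries none of the main site's cookies, which is the control that removes the origin-level consequence the researchers describe.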

WASHINGTON–There has been a big push in recent years in the security community toward metrics, and measurements of all types have become a hot topic in certain corners of the industry. But measurement for measurement’s sake is useless, and perhaps even counterproductive, if the security team in an organization doesn’t define its goals and parameters ahead of time, experts say.
