Web Security


Proof of Concept Pen Testing Tools Coming

A researcher is working on tools for penetration testers that are a first step toward ultimately integrating and correlating data among different types of penetration-testing products. Josh Abraham, a.k.a. “Jabra,” will release some proof-of-concept tools at the OWASP AppSec Conference in Washington, D.C., that let pen testers integrate data they gather in their white-hat hacking projects. Read the full article. [Dark Reading]

Gumblar: New Generation of Self-Building Botnets

By Vitaly Kamluk

We’ve been looking at the infrastructure of the Gumblar malware and found some curious facts on how Gumblar operates which we would like to share to make hosting owners aware of the Gumblar threat. Analysis of some infected websites showed that the only way to inject the infection of Gumblar was by using FTP access, because those websites have no server-side scripting. Later this was proved by an analysis of FTP log files.

Microsoft Threatens Discoverer of ‘Cash Back’ Loophole in Bing

The security glitch, which is linked to a “cash back” system
operated by Bing, potentially leaves users and retailers exposed to
fake transactions. But despite an outcry online over the existence of
the loophole, the world’s largest company has responded to the issue by
threatening legal action against the man who discovered the problem. First launched last year, before Microsoft rebranded
its search website, the affiliate scheme offers users the chance to
earn money back for every product they buy through the service. Read the full article. [guardian.co.uk]


Almost 80% of more than 3,000 software security flaws publicly reported
so far this year have been in Web technologies such as Web servers,
applications, plugins and Web browsers.
That number is about 10% higher than the number of flaws reported in
the same period last year — and nine out of 10 of the flaws were found
in commercial code. Read the full article. [Computerworld]

Human error is to blame for the accidental exposure last week of more than 4,500 Chaminade University students’ Social Security numbers on the private Catholic college’s official Web site. University officials discovered the snafu Wednesday and quickly removed the obscure but accessible links from the Web site. The students’ Social Security numbers were exposed for about eight months, according to a statement released by the Honolulu-based university. Read the full article. [internetnews.com]

As of this morning, an anonymous group hijacked more than 200 Facebook groups and renamed them “Control Your Info”. Pasted on each group’s Wall was a message announcing that it had been “hijacked” and reminding members to be careful about controlling personal information on social networking sites. “This means we control a certain part of the information about you on
Facebook. If we wanted we could make you appear in a bad way which
could damage your image,” the message said. Read the full article. [Computerworld] 

Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) has made it into the hands of pirates, and their virtual ships are distributing it. The COFEE application lets officers grab data from password-protected or encrypted sources. That means you can now break the law twice over: download the software and then use it to steal information from other people’s computers.

Microsoft will release on Tuesday guidelines for developers building online applications and for those using the Agile code-development process. The Agile guidelines apply principles from Microsoft’s Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called “sprints.” Read the full article. [Computerworld]

Mozilla has pushed out a new
version of its browser to fix a crash bug inadvertently introduced in its latest Firefox update. Firefox 3.5.5, which Mozilla posted
for download late Thursday, fixes a small number of what the company
called “stability issues” in the release notes that accompanied the
update.

A flaw in the SSL protocol that could affect company networks, hosting environments and key machines has security researchers scrambling. The flaw, which requires an attacker to already have broken into a network to launch, has devastating consequences and implications for database and mail servers. Discovered in August by PhoneFactor, the researchers have been working with ICASI on an industry-wide fix, which is called “Project Mogul.” Researchers Chris Paget and HD Moore are helping to expose the flaw. Read the full article. [Computerworld]
