A new bug in Firefox could be used by attackers to scout out a system prior to mounting a more thorough assault, according to Mozilla's head of security.
The flaw, said Window Snyder, Mozilla's chief security officer, is in the browser's chrome protocol - 'chrome' is the Firefox term for its user interface - as she responded to reports of the vulnerability and the public posting of a proof-of-concept exploit.
What do you think about this latest Firefox bug?
Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.
The study, set to be published in February, takes a close look at "open recursive" DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.
What is so new about the possible attacks on DNS servers? We all know they are very vulnerable to attack because they are so visible and important to the Internet.
In an exclusive interview with Wired News, gun-for-hire hacker Robert Anderson tells for the first time how the Motion Picture Association of America promised him money and power if he provided confidential information on TorrentSpy, a popular BitTorrent search site.
Read on for an account of Hollywood-style hacker plots - big bad company hires young hacker to obtain vital information, hacker uses savvy to accomplish goal, +1 to the lore of hack0rz. In actuality, the "hack" was nothing more than a weak password, and the retrieval of the "vital information" was nothing more than some reconfigurations of email forwarding. I think the most interesting (and important) aspect of this act was the fact that the hacker-for-hire "knew the network very well", showing once again that these types of attacks are almost always 90% or more planned out rather than improvised. -1 to Hollywood "I can hack anything anytime" lore. How do you feel about the MPAA's tactics?
Source: Dark Reading - Posted by Eckie Silapaswang
Turn Firefox into a web application Swiss Army knife by applying the methods shown in this article. From manipulating what cookies are being sent to telling the site you're hacking "hey, I'm IE!", it's interesting to know how the wonderful Firefox extensions (yay Firebug!) can be used for more than just surfing.
Source: Network World - Posted by Eckie Silapaswang
Corporate storage systems and networks are an attractive target for hackers looking to steal sensitive data or launch computer attacks, Alan Lustiger, security architect at TD Ameritrade, told an audience at Computerworld's Storage Networking World user conference in Dallas Monday.
Looks like NAS systems are becoming the low-hanging fruit as far as hackable network storage. The article states that the systems are most attractive due to their reliance on well-known protocols, and that these protocols could easily be studied and picked apart. This just sounds to me like a poor use of security - certain protocols have been around longer than the cast of Cocoon (ok maybe not THAT long) and yet many open-source companies maintain and secure them daily. Read on and let us know how you would defend "well known clear protocols"!
Fortify Software announced that Fortify’s Security Research Group has identified a new class of security vulnerabilities, known as cross-build injection. These vulnerabilities, which Fortify discovered through its work with the Java Open Review (JOR) project (http://opensource.fortify.com), allow a hacker to insert code into the target program while it is being constructed.
What do you think about Fortify releasing whitepapers detailing this new class of vulnerabilities? Are they opening the door for attackers to exploit? I don't think so; they are hoping that software developers will listen and prevent these attacks from happening.
I wrote about three of my favorite Firefox extensions that help me stay safe when I'm browsing the darker areas of the Web and incoming email. Today, let's look at three other extensions: Those that can turn Firefox into a feature-filled, Web-hacking weapon. These extensions aren't required to use Firefox for hacking Web applications, but they certainly make it a lot easier.
Should web servers be alarmed about this attack? Maybe web administrators should start using these Firefox extensions to test out how secure their web pages really are.
Source: Network World - Posted by Eckie Silapaswang
Flaws in your DHCP server that allow intruders access to your whole system are not exactly what people have in mind in secure systems. Such flaws have been discovered in VMware and are definitely worth taking a look at. Read on to see the ups and downs of VMware in open source security - what do you think has to be done before virtual servers will be taken into the mainstream for enterprise companies?
Source: Network World - Posted by Eckie Silapaswang
Musicians are constantly reinventing themselves in an attempt to "keep up with the times" - no one wants to be that oldies band / artist. Malware and worms do the same, this time through emailing sensationalist headlines that are too juicy to not click on. Read on for a quick overview of how worms have no vacations as well as an interesting point about these new attack trends - they keep up with our time to stay relevant. Even the message bodies are conformed to 2007!
Robert Hansen provides us with a very intriguing paper on web application security by focusing on the attacks on intranets through web browsers. This is not to say that all servers will be vulnerable to the attacks described in the paper, but rather that the web servers act as a proxy to enable certain forms of probing and attacks. Read on for a more detailed account of an increasing trend of internet hacks.