<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-25726447</id><updated>2011-04-21T13:43:54.848-07:00</updated><title type='text'>Security By Default</title><subtitle type='html'>” out of the box configuration syndrome “</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securitybydefault.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>10</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-25726447.post-115378337030589937</id><published>2006-07-24T16:20:00.000-07:00</published><updated>2006-07-24T16:22:50.313-07:00</updated><title type='text'>PayPal XSS Exploit available for two years?</title><content type='html'>The &lt;a href="http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html"&gt;cross-site scripting (XSS) vulnerability&lt;/a&gt;, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal 
users, may have been exploitable for two years previously.&lt;br /&gt;&lt;p&gt;  Despite the prompt action taken by PayPal to address the security flaw after it was &lt;a href="http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html"&gt;reported by Netcraft&lt;/a&gt; last month, it became apparent that the very same flaw had been discovered and documented  &lt;a href="http://web.archive.org/web/20040603154914/http://www.penguin-skills.com/index.php?action=view&amp;id=1"&gt;two years earlier&lt;/a&gt;.  The page - cached by the &lt;a href="http://archive.org/"&gt;Wayback Machine&lt;/a&gt; - describes a cross site scripting attack that affected donation pages for suspended users, and is the exact method exploited by the phishing attack in June 2006. &lt;/p&gt;  &lt;p&gt; Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal. &lt;/p&gt;  &lt;p&gt;  PayPal &lt;a href="http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html"&gt;fixed the flaw&lt;/a&gt; after &lt;a href="http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html"&gt;reports of the phishing attack&lt;/a&gt; were published by Netcraft. A PayPal company spokesman initially said that they did not know how many people had fallen victim to the scam, although as the fraud was committed using PayPal's own web site, analysis of log files, if available, would have allowed PayPal to identify users at risk and take appropriate action. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-115378337030589937?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115378337030589937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115378337030589937'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/07/paypal-xss-exploit-available-for-two.html' title='PayPal XSS Exploit available for two years?'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-115318593954223438</id><published>2006-07-17T18:22:00.000-07:00</published><updated>2006-07-17T18:25:39.543-07:00</updated><title type='text'>Citibank Fraudsters Defeat Two-Factor Authentication</title><content type='html'>&lt;p&gt; An ongoing phishing attack against &lt;a href="http://www.citibank.com/"&gt;Citibank&lt;/a&gt; is using man-in-the-middle tactics to defeat two-factor authentication and gain access to online banking accounts. &lt;/p&gt;  &lt;p&gt;The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they will not work immediately after the victim has used them, nor will the attacker be able to gain access to the victim's account at a later date. 
&lt;/p&gt;  &lt;p&gt;However, by tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.&lt;br /&gt;&lt;/p&gt;&lt;p&gt; Guidance issued by the Federal Financial Institutions Examination Council (&lt;a href="http://www.ffiec.gov/"&gt;FFIEC&lt;/a&gt;) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.&lt;/p&gt;&lt;p&gt; The &lt;a href="http://toolbar.netcraft.com/"&gt;Netcraft Toolbar&lt;/a&gt; community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-115318593954223438?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115318593954223438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115318593954223438'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/07/citibank-fraudsters-defeat-two-factor.html' title='Citibank Fraudsters Defeat Two-Factor Authentication'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-115255414639449504</id><published>2006-07-10T10:52:00.000-07:00</published><updated>2006-07-10T10:55:46.403-07:00</updated><title type='text'>Security Threat in CMS Application (Mambo, Joomla)</title><content type='html'>&lt;p&gt;Potentially serious security flaws have been found in existing versions of the &lt;a href="http://www.mamboserver.com/"&gt;Mambo&lt;/a&gt; and &lt;a href="http://www.joomla.org/"&gt;Joomla&lt;/a&gt; content management systems, and developers of the two projects are advising users to install upgrades or security patches as soon as possible. Both programs are vulnerable to SQL injection attacks, which allow remote attackers to execute commands on the web server by typing SQL code into form fields. Joomla is a &lt;a href="http://www.mamboserver.com/index.php?option=com_content&amp;task=view&amp;amp;id=186&amp;amp;Itemid=137"&gt;fork of Mambo&lt;/a&gt;, with both programs derived from the same code base.&lt;/p&gt; &lt;p&gt;Mambo and Joomla are open source projects which use the PHP scripting language and MySQL database. These applications are popular with web site owners because they are powerful, user-friendly, and can be installed by users with little or no PHP coding experience. They are also frequently &lt;a href="http://news.netcraft.com/archives/2006/01/31/php_apps_a_growing_target_for_hackers.html"&gt;targeted by Internet criminals&lt;/a&gt; seeking to crack web servers for use in botnets, phishing scams and distributed denial of service (DDoS) attacks. 
The Internet Storm Center said it is receiving reports that older versions of Mambo are being &lt;a href="http://isc.sans.org/diary.php?storyid=1446"&gt;actively targeted and exploited&lt;/a&gt; using unpatched vulnerabilities.&lt;/p&gt;&lt;p&gt;Ideally, user input in web forms is sanitized - checked to ensure that users are not attempting to introduce code to give instructions to the web server. Content management systems typically bring together blogs, forums, news feeds and link directories in a single application, making it easy for webmasters to manage large communities of users. As a result, CMS apps include a large number of forms accepting user input, increasing the likelihood that some form fields may not be properly secured, providing an opportunity for SQL injection attacks.&lt;/p&gt;     Open source CMS programs often find and fix security holes promptly. But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. 
This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-115255414639449504?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115255414639449504'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115255414639449504'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/07/security-threat-in-cms-application.html' title='Security Threat in CMS Application (Mambo, Joomla)'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-115019239214011063</id><published>2006-06-13T02:52:00.000-07:00</published><updated>2006-06-13T02:53:12.150-07:00</updated><title type='text'>Your Internet Privacy Is At Risk</title><content type='html'>&lt;span style="font-size:-1;"&gt; Minimizing the risks related to Internet security is a primary concern for any online business site. Internet security is very important and must be guarded strictly at all costs. Minimizing the risks related to online security will ensure that you will be able to attract many customers to your online sites. 
Many security measures can be installed on an online site to lessen Internet security risks.&lt;br /&gt;&lt;br /&gt;If customers are not sure about the security of their personal details and financial statements, they will never conduct business online. Internet privacy security is very important for any online business site.&lt;br /&gt;&lt;br /&gt;Internet privacy is at risk due to the presence of different elements. The presence of spyware is one risk factor for Internet privacy security. Spyware that is present on your computer can track your online behavior. Spyware has advanced features that allow its makers to surreptitiously track the actions of a computer user. The information gathered through this process can be used to commit fraud and other illegal activities.&lt;br /&gt;&lt;br /&gt;The cookies that are deposited on your computer when you visit different sites can also pose a risk to your Internet privacy security. Cookies are data sent from a website to be stored on your computer. The cookies of different websites can be used to track the user’s activities for a particular span of time. If the information falls into the wrong hands, many illegal activities can take place as a result. With the advancement of technology, it is very natural to be worried about online privacy and security.&lt;br /&gt;&lt;br /&gt;A person with criminal intent is always on the lookout for ways and means to invade the Internet privacy security of people. If he can get information about a person’s bank details and other personal details, he can misuse them. The person can assume your identity online and deal with your bank or other agencies in your capacity. The victim may be completely unaware of the fraud that is taking place in his name. 
This can lead to huge losses for the person whose privacy has been invaded.&lt;br /&gt;&lt;br /&gt;You will have to adopt various means to safeguard your Internet privacy security. Installing an anti-spyware program on your computer can be one option for you to safeguard your privacy. The software will efficiently remove all traces of the presence of any kind of spyware from your computer. If it is difficult to remove all spyware installed on your computer, seek online advice on the manual removal of such spyware.&lt;br /&gt;&lt;br /&gt;Imagine yourself in a situation where someone else is able to monitor every move that you make. This is a terrifying situation to face. The best way for you to escape such a situation is to install the best security features on your computer. You will then be able to surf online peacefully without constantly worrying about your Internet privacy security.&lt;br /&gt;&lt;br /&gt; About the author:&lt;br /&gt;    Matt Garrett, &lt;a href="http://www.internet-privacy-systems.com/" target="_blank" class="navigation"&gt;http://www.internet-privacy-systems.com&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-115019239214011063?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115019239214011063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/115019239214011063'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/06/your-internet-privacy-is-at-risk.html' title='Your Internet Privacy Is At Risk'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-114632099903336521</id><published>2006-04-29T07:16:00.000-07:00</published><updated>2006-04-29T09:00:04.593-07:00</updated><title type='text'>Microsoft Blackmail All Windows User</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="font-family:verdana;"&gt;Due to the recent move by Microsoft to apply a nag watermark to all unlicensed Windows usage, we can see that Microsoft has started to blackmail all Windows users to either buy the licensed version or suffer the humiliation of a nag embossed on the Operating System.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;After all these years, I told others a long time ago that Microsoft would do this sooner or later. With all the monopolies that Microsoft has won all these years, the court orders that they have won, we will see that the Giant (Bill Gates) is the same as any Mafia Godfather. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: verdana;font-size:85%;" &gt;Well, for me, as I don't condone any pirated (unlicensed) software usage, I don't even like the way Microsoft does this. After all this while, we all know that Microsoft has put tools or spyware in the Operating System. That's why they don't want the US Government or anybody else to review their Operating System source code. They said that it's under reserved copyright.&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:verdana;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;So, this so-called "smart move" by Microsoft should trigger the Anti-Microsoft movement using Linux or Open Source as a guideline. If we (users) don't take action regarding this "smart move", sooner or later we will all be blackmailed by Microsoft using other methods. 
So don't update your "unlicensed" Microsoft Windows Operating System at all. Better safe than sorry.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;Hail to the Open Source communities.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-114632099903336521?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114632099903336521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114632099903336521'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/04/microsoft-blackmail-all-windows-user.html' title='Microsoft Blackmail All Windows User'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-114473228132904375</id><published>2006-04-10T21:57:00.000-07:00</published><updated>2006-04-10T22:11:21.340-07:00</updated><title type='text'>Asian Government Server Prone To Hacking</title><content type='html'>&lt;span style="font-family: verdana;"&gt;Right now, many Asian countries are developing their e-government systems using Linux and Windows servers. Their systems mainly run on PHP, ASP and .NET. Many of these servers are located in governmental datacenters in the heart of their organizations.&lt;br /&gt;&lt;br /&gt;Singapore, Malaysia, Thailand and the Philippines have been doing this quite aggressively. But on top of that, many systems developed by them are either not secure enough or do not have any security at all. 
You can test some of them by using Retina, Nmap (Stealth function) and other security assessment tools.&lt;br /&gt;&lt;br /&gt;You can also find that many e-government servers have neither upgraded their Operating System patches nor upgraded their firewall firmware and tools. Some installations only use one type of firewall like Watchguard or Sonicwall, but without any IDS or any monitoring system.&lt;br /&gt;&lt;br /&gt;You can DDOS or spam these servers without much hassle. In the last few years, the Malaysian Parliament webserver has been defaced without much problem. Only 8 hours later did they find out what had happened to their server. Some servers have been set up with an out-of-the-box configuration (by default).&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-114473228132904375?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114473228132904375'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114473228132904375'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/04/asian-government-server-prone-to.html' title='Asian Government Server Prone To Hacking'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-114468405778562530</id><published>2006-04-10T08:28:00.000-07:00</published><updated>2006-04-11T18:40:41.896-07:00</updated><title type='text'>Phone Eavesdropping</title><content type='html'>&lt;span style="font-family:verdana;"&gt;After the 9/11 incident, many countries have been 
setting up a Terrorist Emergency Response Team. Developed countries like Indonesia, Singapore, Malaysia, the Philippines, India, Thailand and the Arab countries have been setting it up fast.&lt;br /&gt;&lt;br /&gt;Some even block any usage of prepaid cellular phone accounts, while others have been using a registration system to register all the cellular phones handled by that country. Many telcos have been investing more money on this matter.&lt;br /&gt;&lt;br /&gt;But some other countries have started to scan and eavesdrop on any communication beyond these cellular networks. Singapore has been eavesdropping on communications far earlier, with help from America and Israel.&lt;br /&gt;&lt;br /&gt;As consumers, our privacy is being compromised every day and night. It's a human right. No one should argue with this matter. Maybe in a couple of years you will see an (Encrypted Mobile Cellular) type of model in the market. With this we can secure our conversations without the BigBoys monitoring all our inbound/outbound calls.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-114468405778562530?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114468405778562530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114468405778562530'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/04/phone-eavesdropping.html' title='Phone Eavesdropping'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-114460922148317879</id><published>2006-04-09T11:49:00.000-07:00</published><updated>2006-04-09T17:29:27.290-07:00</updated><title type='text'>GPS Tracking</title><content type='html'>&lt;span style="font-family:verdana;"&gt;Nowadays many motorists use GPS to locate and track their destination. The usage of Mobile Civilian GPS equipment has taken a leap in this millennium. At as low as USD$100 per unit, GPS is becoming a household need.&lt;br /&gt;&lt;br /&gt;We can see the benefits of GPS usage, but do we see it on the security level? Anyone with a GPS signal tracking device can track any GPS equipment that sends a small signal upward to the satellite to triangulate its coordinates. This means that, with a little tweaking of GPS technology and some knowledge of electronics, anyone can track other people's GPS-enabled cars.&lt;br /&gt;&lt;br /&gt;It will make us feel unsafe because anyone can track where we are going. There is no privacy if this tracking is allowed. The Russians have developed a small piece of equipment to jam any GPS signal within two or three miles. But it's for military purposes. 
Do we civilians have access to this equipment with a lower radius and at low cost?&lt;br /&gt;&lt;br /&gt;Hope to get some before the FEDs track me down.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-114460922148317879?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114460922148317879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114460922148317879'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/04/gps-tracking.html' title='GPS Tracking'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-114460440438220767</id><published>2006-04-09T10:28:00.000-07:00</published><updated>2006-04-09T10:46:14.666-07:00</updated><title type='text'>Vista Unsecured</title><content type='html'>&lt;span style="font-family:verdana;"&gt;Do you think that Microsoft Windows Vista will inherit some or many Windows XP and 2000 flaws and bugs? Well, I have already surveyed people who use the Windows Operating System on this matter. Around 75% of surveyed people say that they think the same problems that happen in WinXP and 2000 will be seen in Vista.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If Microsoft still has a long way to go to produce clean code for Longhorn, you'll see the same problems arise in Vista. Well, more hype for the unpublished product. Many have seen Vista in beta version. 
Vista is good for Multimedia and Internet functionality, but may be lacking in security.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Viruses will always try to attack the flaws in Microsoft products. Spyware, Malware, Trojans and others will also take their turn to test Vista in real operational use. Will Microsoft strengthen their in-house antivirus and implement a full heuristic function in Vista?&lt;br /&gt;&lt;br /&gt;Nobody knows what Vista will be capable of. Will Vista be either totally secured from any viral infection or prone to many of the generic viruses? We will know in a matter of time. So let's look to the future.&lt;br /&gt;&lt;br /&gt;And hope that Vista will finally land on our personal computers at last.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-114460440438220767?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114460440438220767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114460440438220767'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/04/vista-unsecured.html' title='Vista Unsecured'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25726447.post-114460200285141185</id><published>2006-04-09T09:59:00.000-07:00</published><updated>2006-04-09T10:46:31.433-07:00</updated><title type='text'>WiFi Unsecured</title><content type='html'>&lt;div class="entry"&gt;      &lt;p style="font-family: verdana;"&gt;Nowadays, there are many WiFi installations you can see around 
you. No matter whether you are in a big or small town, you can see and find that these small hotspots are scattered near you.&lt;/p&gt; &lt;p style="font-family: verdana;"&gt;Yes, this WiFi technology is good because there is no need to lay cables around to implement a small network. WiFi technology can minimise your time to set up a small network. But there is a thing or two that should limit the access to WiFi.&lt;/p&gt; &lt;p style="font-family: verdana;"&gt;The first is how to secure your small network. Do you need to implement a firewall to separate your server and your peers? Do you need to implement WEP or WPA? Is WEP or WPA secure enough to handle all your network security?&lt;/p&gt; &lt;p style="font-family: verdana;"&gt;I’ve found many “Out Of Box” configurations that WiFi Hotspot implementors used to set them up. I’ve tested more than 300 WiFi spots and found out 95% of them are not secure at all. You can use many tools like “NetworkView” and “Retina” to search and find all the configuration within these small WiFi spots.&lt;/p&gt; &lt;p&gt;&lt;span style="font-family:verdana;"&gt;I hope that anyone who wants to set up a small network using WiFi equipment will consider securing all of their network first before setting up the network. 
Use hardened WEP and WPA equipment or consider connecting to the network based on MAC address only.&lt;/span&gt; &lt;/p&gt;     &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25726447-114460200285141185?l=securitybydefault.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114460200285141185'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25726447/posts/default/114460200285141185'/><link rel='alternate' type='text/html' href='http://securitybydefault.blogspot.com/2006/04/wifi-unsecured.html' title='WiFi Unsecured'/><author><name>thecreakers</name><uri>http://www.blogger.com/profile/05461529832269983153</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
