Video: Industrial Control and Building Automation at Risk
The rapidly changing world of technology continues to be leveraged to help improve our daily lives by making everything we do more efficient. Through building automation devices, our lights can be controlled to save on electricity, water plant systems can be monitored for efficiency, fire detection systems can be remotely monitored for alerts and ICS [...]
Latest Blog Posts
- SSL Beast – SSL Assessments and How to Fix
It has been a year since the SSL BEAST attack was announced, and reports continue to surface regarding websites still set up with weak SSL cipher suites. Posted are a few ideas on how you should secure your websites by implementing strong cipher suites and disabling weaker suites. The following video (http://www.youtube.com/watch?v=BTqAIDVUvrU) demonstrates how BEAST exploits a weakness in SSL to decrypt secret cookies.
- Comments: No Category: Uncategorized
- RunForestRun PLESK Panel Hack
By: QJax – Recently website owners have been hit by a new attack that injects obfuscated code hidden within their legitimate .js file. SC Magazine is reporting “Plesk zero-day may be behind thousands of hacked sites”. The malicious code is also found in ASP.NET pages and pure HTML pages.
The original hack happened a few months [...]
- Comments: No Category: Uncategorized
- XSS Attack – Busting Browsers to Root!
XSS Attack: Busting Browsers to Root!
By: QJax
This video will demonstrate how a simple XSS vulnerability can be leveraged to gain complete control of your web-browser and eventually lead to a complete system compromise.
1) We will use a cross-site scripting vulnerability as the initial attack vector
2) Exploit XSS by redirecting the user’s browser to the Evil_IP [...]
- Comments: No Category: Uncategorized
- Cyberwar: The Next Front Line
Hackers Can Turn Your Home Computer into a BOMB!
Sometime in the distant future, I can see myself telling some young kid about the good ole days when all we ever had to worry about was some computer worm overloading our corporate network, perhaps disrupting the airlines' schedule or an occasional ‘cracker’ defacing a client's website [...]
- Comments: No Category: Uncategorized
- Nothing but NET!
Pass Policy…
Over Regulations…
Through Vulnerabilities…
Nothing but NETwork!
As I sit here watching the 2011 NBA Slam Dunk contest, I can’t figure out which story on Monday will be better. Blake Griffin jumping over a car for a slam dunk OR HBGary getting hacked by the WikiLeaks Supporter group called ‘Anonymous’. Like others have said, “it is [...]
- Comments: No Category: Uncategorized
- Add XSSF to Metasploit Framework on Ubuntu
What is XSSF or the Cross-site Scripting Framework?
The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an existing connection with JavaScript loop refreshing in order to allow future browser-based attacks. After injection of the generic attack (resource “loop” generated by XSSF), each victim will ask the attack server [...]
- Comments: Off Category: Uncategorized
- Pen Testing Through the Tor Network
As a good penetration tester, you should consider hiding your IP address after it has been determined that the target utilizes dynamic shunning to block the attackers’ source IP address. Most IDS Systems or Web Application Firewalls have this capability and are often deployed as a protective control. In any case, shunning is certainly not a 100% effective attack deterrent. Also, the mere threat of an upcoming penetration test can travel around an IT staff like the plague. Eventually, you will run up against Network Administrators trying to cover their a$$ by setting up a firewall rule to block your authorized test IP. If so, here is a slick way around it!
- Comments: 1 Category: Uncategorized
- Collecting Android DNA through Leaky Wireless Packets
As a security researcher and avid user of the HTC Android Incredible, I too have an interest in the security of mobile devices. With so much concern around mobile devices on corporate networks, I sought out to know if any mobile security issues could be leveraged to steal personal data. In doing so, I found a small but meaningful flaw in the way mobile devices leak information that could be useful to a potential hacker.
- Comments: No Category: Uncategorized
- Obfuscated SQL Injection
Take a look at this paragraph. Can you read what it says? All the letters have been jumbled (mixed). Only the first and last letter of ecah word is in the right place:
Unisg the icndeblire pweor of the hmuan mnid, aocdcrnig to rseecrah at Cmabrigde Uinervtisy, it dseno’t mttaer in waht oderr the lterets in a wrod are, the olny irpoamtnt tihng is taht the frsit and lsat ltteer be in the rhgit pclae. An atactk can be a taotl mses but you can dceode it and sitll raed it whoutit a pboerlm. Take the extra step to raed the mnid of a hcaekr.
- Comments: Off Category: Uncategorized
- The China States of America
Website set up by Chinese Scammers with fake online electronics for sale. Another scenario would be an unethical marketing company hired to drive traffic to this Chinese electronics site and they are using illegal tactics by exploiting user email accounts.
- Comments: Off Category: Uncategorized
- Android Network Scanner for WiFi Hacking
After procrastinating for many weeks on whether or not to purchase the NexusOne, it was finally time to upgrade my Blackberry 8330. I am so glad I waited because the new HTC Android Incredible is absolutely no less than that – “INCREDIBLE”.
One of the first downloads I searched the Android Market for was those applications related to security. I think I may have found a really useful one to play around with and it is called The Network Mapper by Ian Hawkins.
- Comments: 1 Category: Uncategorized
- Cyber Banging – You can’t be serious…
Cyber Banging is a play on the hood slang word “Gang Banging”, which has recently become a topic worth discussing according to WGN Chicago reporter Gaynor Hall. And I must say up front how I totally disagree with her definition of Cyber Banging. More recently we are starting to hear of another phrase called “Cyber Bullying”. This is where a kid feels intimidated or teased so bad that it drives them to the point of depression that could even lead to suicide. Now I don’t want to sound like I have absolutely no compassion for the little people but haven’t we all gone through a few bully experiences ourselves? I do admit that Cyber Space can sometimes be intimidating but I also believe that it pales in comparison to what most inner city kids have to face on a daily basis. Those with the muscle, money, or elite skills are usually the ones that come out on top.
- Comments: No Category: Uncategorized
- SCAM ALERT: Canadian Health & Care Mall – Email Fraud
MOLDOVA HACKER: Case of the Hacked Hotmail
1. A Hotmail account hacked via a “weak password” or via usage of a public computer while on vacation
2. An e-mail phishing attack sent
3. A link to a system located in INDIA
4. A URL encoded link as the attack
5. A confirmation by Google that this site has served malicious content
6. And finally an HTTP REDIRECT ending at a site selling Canadian VIAGRA from Moldova
- Comments: 1 Category: Uncategorized
- Malicious E-mails with Urgent Request for Money
If you receive an email with the subject line “Sad news.. urgent”, please do not respond, take action or click any links within this message. The e-mail will appear to come from someone you know stating that they are traveling and all their money was stolen. The attacker will plead for you to send X amount of funds through Western Union money transfer. The message is a classic “social engineering attack.” Depending on your action, it could result in the compromise of your personal information, loss of nonrefundable money and/or leakage of company confidential data.
- Comments: 1 Category: Uncategorized

