Distributing Malware Through Trusted Websites

By Chris Eng, September 15, 2008

Why bother setting up dedicated websites to host malicious content when you can just infect trusted sites like BusinessWeek? This is becoming something of a trend, as evidenced by the mass SQL Injection attacks from a few months ago. The idea is simple -- find SQL Injection vulnerabilities in high-traffic, trusted websites where the site's content is dynamically fetched from a database (i.e. just...

VP Nominee Sarah Palin, Hacker?

By Chris Wysopal, August 30, 2008

John McCain's pick for VP, Sarah Palin, knows a thing or two about retrieving evidence from a computer. The mainstream reporting calls her a "hacker" because she is able to retrieve files from the Windows recycle bin. The Anchorage Daily News reported back in September 2004: Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich's...

MBTA Hack Shows Security Hasn't Improved in 10 Years

By Chris Wysopal, August 25, 2008

One of my old L0pht colleagues, Peiter "Mudge" Zatko, is featured in Mass High Tech today in an article titled Bay State hackers find security holes in defibrillators, RFID. Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks. At last...

MBTA Hacking Injunction Lifted

By Chris Eng, August 20, 2008

Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary: The lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A...

MBTA Hack: Is It Really This Easy?

By Chris Wysopal, August 15, 2008

A lot of the focus of the MBTA vs MIT case has been discussion of the CharlieCards. These are MIFARE Classic cards, which have been known to be broken since earlier this year. There is also a paper disposable card called the CharlieTicket that uses a magnetic stripe. The MIT students' presentation states that these are cloneable and forgeable using a $150 magnetic stripe reader/writer. From the...

MBTA vs MIT Students Case Continues

By Chris Wysopal, August 13, 2008

A hearing will be held in Boston tomorrow to decide whether or not the restraining order gagging the MIT students from talking about the vulnerabilities they have found should be lifted. Even though the Defcon presentation is widely available and the MBTA disclosed the "Confidential" memo from the MIT students in their court filings, they are seeking a permanent speech injunction. An august group...

BlackHat Recap

By Chris Eng, August 12, 2008

Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentation. My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for...

Journalist On Journalist Hacking at BlackHat

By Chris Wysopal, August 8, 2008

Three French journalists have been booted for life from Black Hat and Defcon for compromising the Black Hat press room wired network and grabbing the credentials for at least one reporter. Their goal was to publicize the risks to reporters, which is especially current given the massive reporter presence in Beijing for the Olympics. This risk is certainly real and it is a shame that these journalists had to...

WarDriving Is So 2000 -- Here Comes WarShipping

By Chris Wysopal, August 7, 2008

I'm not talking shipping as in boats, but shipping as in packages. David Maynor is giving a talk at Black Hat on his newest experiment: using a small and cheap WiFi platform that is remotely accessible over a WAN to perform WiFi surveillance from inside a package delivered right to your victim. Guess what the cheap platform is? An iPhone of course. George Ou has some pictures and more details in his...

BlackHat Picks, Day 2

By Chris Eng, August 4, 2008

Here's the rest of my list:
10:00-11:00 FX, Developments in Cisco IOS Forensics.
11:15-12:30 Oliver Friedrichs, Threats to the 2008 Presidential Election (and more).
13:45-15:00 Option 1: Scott Stender, Concurrency Attacks in Web Applications. Option 2: Travis Goodspeed, Side-channel Timing Attacks on MSP430 Microcontroller Firmware.
15:15-16:30 Option 1: Alexander Sotirov and Mark Dowd, How To...
