Watch YouTube and Identify Criminals

There have been rumors about YouTube and MySpace hosting videos of wanted criminals, but I didn’t believe them. So I did some searching on my own and found this video, which is basically a classic "Wanted" police video. I’m wondering, though… how can a YouTube / MySpace addicted user spot any of those criminals in real life? Seriously, what are the chances that you will meet one of the wanted crooks in your own living room, which is more or less where all your social life takes place? :) Anyway, here is the video:

If you enjoyed this post, make sure you subscribe to my RSS feed!

Month of PHP Bugs - Day 2

Stefan Esser's Month of PHP Bugs project is going strong, and here are five more vulnerabilities exposed on March 2nd 2007:

  1. PHP 4 unserialize() ZVAL Reference Counter Overflow: During unserialisation of user-supplied data that contains a lot of references to a variable, the internal 16-bit zval reference counter can overflow. This leads to an exploitable double dtor condition.
  2. PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability: Deserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU resources on 64-bit systems.
  3. Zend Platform Insecure File Permission Local Root Vulnerability: Several binaries and shell scripts installed by the Zend Platform are installed with unsafe permissions that might allow an attacker to gain root privileges.
  4. Zend Platform ini_modifier Local Root Vulnerability: The ini_modifier of the Zend Platform can be tricked by a local user into editing the system php.ini file, which can be used to obtain root privileges.
  5. PHP 4 phpinfo() XSS Vulnerability (Deja-vu): phpinfo() does not escape the content of user-supplied arrays in GET, POST or COOKIE variables when it displays them, which leads to an XSS vulnerability.

 


Exploit in WordPress 2.1.1 code - Update Now!

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Details about the incident: wordpress.org


Month of PHP Bugs - Day one

As promised, I will keep a close eye on Stefan Esser's Month of PHP Bugs project during March 2007. Here are the vulnerabilities exposed on March 1st 2007:

  1. PHP Variable Destructor Deep Recursion Stack Overflow: The destruction of deeply nested PHP arrays will exhaust all available stack, which leads to remotely triggerable crashes.
  2. PHP Executor Deep Recursion Stack Overflow: A deep recursion of PHP userland code will exhaust all available stack, which leads to a sometimes remotely triggerable crash.
  3. PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability: In PHP 4, userland code is able to overflow the internal 16-bit zval reference counter by creating many references to a variable. This leads to an exploitable double dtor condition.
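The reference counter overflow in item 3 (and in the unserialize() item from the Day 2 post) can be pictured with a small model. This is an added illustration, not PHP source code: the struct, the function names and the checked-increment mitigation are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a reference-counted value; NOT PHP's real zval. */
typedef struct {
    uint16_t refcount;    /* 16-bit counter, the width the advisory names */
    unsigned dtor_calls;  /* times the destructor ran (should never exceed 1) */
} value_t;

/* Unchecked increment: 65535 + 1 silently wraps to 0. */
static void add_ref_unchecked(value_t *v) { v->refcount++; }

/* Checked increment (assumed mitigation): refuse a reference the
 * counter cannot represent instead of wrapping. */
static bool add_ref_checked(value_t *v) {
    if (v->refcount == UINT16_MAX) return false;
    v->refcount++;
    return true;
}

/* Drop one reference; run the destructor when the counter reaches zero. */
static void release(value_t *v) {
    if (--v->refcount == 0) v->dtor_calls++;
}

/* One owner plus `extra` references, then every holder releases.
 * Returns how many times the destructor ran. */
unsigned run_unchecked(unsigned extra) {
    value_t v = { 1, 0 };
    for (unsigned i = 0; i < extra; i++) add_ref_unchecked(&v);
    for (unsigned i = 0; i < extra + 1; i++) release(&v);
    return v.dtor_calls;
}

unsigned run_checked(unsigned extra) {
    value_t v = { 1, 0 };
    unsigned holders = 1;
    for (unsigned i = 0; i < extra; i++)
        if (add_ref_checked(&v)) holders++;
    for (unsigned i = 0; i < holders; i++) release(&v);
    return v.dtor_calls;
}

int main(void) {
    printf("unchecked, 10 refs:    %u destructor run(s)\n", run_unchecked(10));
    printf("unchecked, 65536 refs: %u destructor run(s)\n", run_unchecked(65536));
    printf("checked,   65536 refs: %u destructor run(s)\n", run_checked(65536));
    return 0;
}
```

In the unchecked run with 65536 extra references the counter wraps back to 1, so the first release runs the destructor while 65536 holders still point at the value, and the final release runs it a second time.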

I guess we’ll wait to see what PHP bugs tomorrow brings.

VOIP calls through firewalls and NATs

Eyeball Interactive Connectivity Establishment (ICE) can now be integrated with version 2.0 of CableLabs’s PacketCable firewall and NAT traversal. A smart traversal-state-machine inside the AnyFirewall engine handles the complexities of STUN (simple traversal of UDP through network address translators) and TURN protocols, NAT or firewall types, transport methods, ICE candidates, and delivery checks, the company explains. It enables rapid integration with third-party components such as SIP stacks, RTP libraries, and voice/video engines for building feature-rich applications. Because an image is worth 1000 words, this is the Eyeball AnyFirewall Engine Architecture:

[Image: VOIP calls through firewalls and NAT]

Government Agencies debate over automatic penetration tools

It seems that the debate over automatic vs. manual penetration testing tools raises serious questions within government agencies. South Carolina and Delaware already use Core Impact; others might follow:

Let’s assume you’ve signed off on a decision to run penetration tests because you want to know how vulnerable your agency is to outside attacks. Now what? Should your agency hire a consultant? Buy automated software to perform the tests? Both?

Answering 10 questions can help you decide whether hiring a consultant or buying software is the right answer.

  1. What is your risk tolerance for information technology security threats?
  2. Does your agency perform critical functions or have stewardship of critical or sensitive data? How serious are the implications of disrupted service or lost or compromised data?
  3. Do you know how well your software patching system is working?
  4. Do you have the in-house expertise necessary to run and interpret automated tests?
  5. Have you determined a baseline of IT security?
  6. Are you required to have a third-party assessor review your IT security?
  7. Does your agency have a robust presence on the Web?
  8. Does your agency primarily use custom applications or does it mostly use commercial software?
  9. How frequently do you want to test your system and network vulnerability?
  10. What level of spending can your budget support?

Federal Computer Week magazine has the full story.

Think Twice When Choosing Pentesters

Nick Baskett wrote an interesting article in it-observer about best practices when hiring an external penetration testing consultant. I hope that more and more business decision makers will apply his advice:

Finally, remember that companies don’t perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account. Make sure you always have the best people for the job in place, and remember that the best person for one job, may not be the best for another. Understanding the strengths and weaknesses of your team is a fundamental part of good management.


Web App Security Hall Of Fame - Meet the Gurus part 2

Anurag Agarwal released the second article in the series of mini biographies called Reflection, which so far has presented Amit Klein; this week’s security superstar was RSnake. The next Reflection will feature Jeremiah Grossman. Anurag nicely presents a short bio of RSnake and also his great contribution to Web Application Security.

If there is any mention of XSS, there is a big chance RSnake’s name or its cheat sheet is mentioned along with it. His contribution in the web application security awareness is legendary. On two of his many web sites (http://ha.ckers.org and http://sla.ckers.org) you will find a wealth of information on various aspects of webappsec. His XSS cheat sheet is arguably the most referenced link in the webappsec space.

Full article: Reflection on RSnake

PHP vs. PHP. Live bugs every day during March

Techworld has a story about the ongoing conflict between Stefan Esser, founder of the PHP Security Response Team (which he recently left), and his former colleagues, who are accused of being careless, if not … security incompetent.

It seems that Esser’s initiative to disclose one PHP vulnerability each day during March 2007 is unpopular among core PHP developers, especially with Zeev Suraski, co-creator of PHP and chief technology officer of Zend, which manages PHP development.

I’m a strong believer in full disclosure and I really hope that Stefan’s security disclosures will benefit all of the Web Sec community.

I will keep a close eye on Stefan’s blog during March because you never know what bug the next day will unveil. Or maybe you know :) So, what do you think: should all these security vulnerabilities be disclosed or not? (btw, PHP 5.2.1 fixed some, if not all, of these vulnerabilities)

Drive-By Pharming - Let me fine tune your DNS entries

ABC News reports on a new attack vector targeted at broadband routers / access points: Drive-By Pharming. This attack has one of the most devastating potentials we’ve seen this year and I would rate it as very high impact. Maybe not as massive as the Universal PDF XSS Vulnerability, but it still raises a few big question marks about web applications’ security. C’mon, directly altering my router’s DNS settings? How scary is that… Here is an ABC News quote on the subject:

Professor Markus Jakobsson of Indiana University has done a lot of research on router vulnerabilities. Jeremiah Grossman of WhiteHat Security gave a talk at the Black Hat conference last year on Javascript malware. Zulfikar Ramzan of Symantec Security Response put the two pieces together… and realized that it’s possible for Javascript on a web site to modify your router’s DNS settings.

The full release by Zulfikar Ramzan of Symantec Security Response.
