We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.
First reports of a vulnerability apparently discovered by Microsoft at the start of this year, appeared in mid June. The vulnerability could reportedly be used to carry out man-in-the-middle attacks on HTTPS connections. Mozilla classed the risk as high and released corresponding patches for its browser. It has now become clear that the vulnerability affects many other browsers.
A New Jersey hacker has been arrested after he broke into a site owner's account, transferred the domain name ownership to himself, and then sold it to an NBA player.
At the Black Hat security conference in Las Vegas, Mandiant security researchers Peter Silberman and Steve Davis are releasing a new forensic framework on Wednesday that will make it possible to detect whether or not a host was hit by Metapsloit's meterpreter. The new tool could change the game when it comes to Metasploit-based attacks that previously could not be identified on the target machine.
When was the last time you heard about a Linux security vulnerability that was not fixed for more than a year? This article talks about how Microsoft has ineffectively handled a significant vulnerability present in all versions of Windows, and only with Black Hat coming are they finally addressing it.On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform.
The Twitter document leak fiasco started with a simple story that personal accounts of Twitter employees were hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts were compromised, and
A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews.
Attackers have used a configuration error in the Xoops content management system to access the main web server of the CentOS project. According to Ralph Angenendt, system administrator at CentOS, no data has been injected into the system or stolen from it. He also stated that the server had not been used to send spam. As a precaution though, all users of the CMS will need to get a new password for the CMS through the Xoops lost password system.
In the US a 19-year-old phreaker (or phone phreak) has been sentenced to more than eleven years in prison because he placed numerous emergency calls resulting in the dispatch of special police units or SWAT teams (Special Weapons and Tactics). The SWAT teams arrived at the locations from which the calls were placed only to find sleeping families. Such incidents are increasingly common in the US, giving rise to the term swatting.
A Pennsylvania man has been charged with allegedly launching distributed denial-of-service (DDoS) attacks against at least nine Web sites, including Rolling Stone magazine's site, which was attacked multiple times for nearly a year.
In a move to close the door on the largest reported retail data breach in history, TJX announced Tuesday that it has settled with 41 states who were probing the discount merchant's data security practices. TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.
It has just become apparent that, on June 16, attackers hacked into the web server of the SquirrelMail open source project. The operators have suspended all accounts and reset all crucial passwords. Access to the original server and to all the available plug-ins has also been disabled. The operators believe that none of the plug-ins has been compromised, but investigations are still in progress. Third party plug-ins can be used to add features to SquirrelMail.
In the third of a three-part Q&A series with hackers, Lamo, now 28, talks about his "hack value," his remorse for the trouble he caused network administrators, and how he hopes to make people smile. Q: How did you get started hacking? I was around computers as a very young child. I had a Commodore 64 when I was like 6 or so. And my first interest in seeing how things worked behind the scenes wasn't all about technology necessarily, and my interest in what you might call hacking isn't really primarily about technology...It's not sexy when I'm exploring less obvious aspects of the world that don't involve multibillion-dollar corporations. There's a certain amount of tunnel vision there.
Writing buggy applications is a cinch--for decades, the world's software developers have been proving that with just about every program they release. Truly interesting bugs, however, are a relatively rare breed. I'm talking about the kind that cause technology products and services to stop working for extended periods, or that prompt them to behave as if they were possessed or harbored grudges against the humans who use them. And even though the bugs themselves usually stem from mundane errors such as typos or faulty math, their symptoms are anything but boring.
There is no question who the most famous hacker is. One of the first computer hackers prosecuted, Kevin Mitnick was labeled a "computer terrorist" after leading the FBI on a three-year manhunt for breaking into computer networks and stealing software at Sun, Novell, and Motorola. In the first in a three-part Q&A series with hackers, CNET News talked to Mitnick, now 45, about what got him interested in computers in the first place, the differences between hacking today and three decades ago, and whether it's wise to hire a former black hat hacker to do security work.
Hacking contests never seem to go well. Back in 2002, ZDNet wrote about a $100K hacking contest ends in free-for-all. Don't people remember history?Hackers love a challenge. And more than that, they love cash. That's what Telesign found out this week. A provider of voice-based authentication software, the company challenged hackers to break into its StrongWebmail.com Web site late last week. The prize? US$10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry.
Looks like a combination of easily avoidable attack vectors and uninformed users clicking on things they shouldn't.As many as 40,000 Web sites have been hacked to redirect unwitting victims to another Web site that tries to infect PCs with malicious software, according to security vendor Websense. The affected sites have been hacked to host JavaScript code that directs people to a fake Google Analytics Web site, which provides data for Web site owners on a site's usage, then to another bad site, said Carl Leonard, threat research manager for Websense.
Another article discussing the legendary l0phtcrack password cracking and auditing tool. Works on crypt, NTLM Windows passwords, and many other types. Great stuff. It's official: The famous password-cracking tool L0phtCrack is back, and its creators plan to keep it that way. L0phtCrack 6 tool, released Wednesday, was developed in 1997 by Christien Rioux, Chris Wysopal, and Peiter "Mudge" Zatko from the former L0pht Heavy Industries -- the hacker think tank best known for testifying before Congress that it could shut down the Internet in 30 minutes. In January of this year, Rioux, Wysopal, and Zatko bought back L0phtCrack from Symantec, and later announced they would build a new version of the tool with support for 64-bit Windows platforms and other new features.
Although Google's Chrome was the only browser left standing after March's Pwn2Own hacking contest, it was vulnerable to the same bug that a German college student used to bring down Apple's Safari, Google acknowledged this week. Although Google patched the Chrome vulnerability May 7, it waited until last Wednesday to reveal that the bug was the same WebKit flaw that Apple patched the day before.
Interesting copyright case is really heating up. What do you think about this case? Do you use bittorrent? Do you think that even without Pirate Bay copyrighted material will still be easy through bittorrent?Pirate Bay judge Tomas Norstr
Updated linkSecurity researchers are warning administrators to secure their servers in the wake of new Secure Shell (SSH) attacks. Researchers at security firm SANS warned that so-called 'brute force' attacks were occurring on a "daily" basis. The article isn't clear whether this includes OpenSSH. Does anyone have any further knowledge? I haven't seen any advisories for it.
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
