News Coverage :: 2010 WhiteHat Security Coverage


Threats Permeate Wi-Fi Hotspots

Gabriel Perna
August 27, 2010 | Read Article

In the post 9-11 real world, thanks to heightened security measures, an airport terminal is one of the safest places for travel. But in the virtual world, it's still extremely vulnerable.

A recent research note by a leading Symantec engineer warned of potential "scareware," which is a fake anti-virus software system that appears on your computer, floating through a Wi-Fi network in an airport terminal. Web security experts say this type of malware is just one of the many examples of the threats that occur in Wi-Fi hotspots. Read More ››

The New Browser Wars: Chrome vs. IE vs. Firefox

Serdar Yegulalp
August 24, 2010 | Read Article

Just when you thought the browser wars were long-dead, they’ve roared back to life in a totally new incarnation. At stake this time is nothing less than the future of the way many of us work, now that the Web is an “application” and not just a place to read static pages.

The new wave of browsers -- Firefox 4, Internet Explorer 9, Google Chrome (in just about all its incarnations) -- all compete with each other fiercely to be the best possible delivery mechanism for the web as an app platform, in four basic areas: Read More ››

United Nations Website Contains SQL Injection Flaws Three Years After Hack, Researcher Says

Bug Used in Infamous 2007 Defacement Fixed, but Additional SQL Injection Bugs Remain

Kelly Jackson Higgins
August 23, 2010 | Read Article

Three years after the United Nations' website was defaced by activist hackers using a SQL injection attack, the site still contains multiple instances of these vulnerabilities.

Security researcher Robert Graham, CEO of Errata Security, did his now-annual checkup on the UN site and found that while the UN had removed the bug that was exploited in the August 2007 attack, the site is still rife with multiple SQL injection vulnerabilities. Read More ››

Mobile Flaw Could Cloak Clicks

Researchers Demonstrate That Mobile Phones are Exceptionally Vulnerable to a Browser Bait and Switch

Robert Lemos
August 19, 2010 | Read Article

It's possible to craft a malicious website so that a user's clicks are secretly redirected to a legitimate site in a way that steals a user's passwords and other data. Many Web developers have added protections to block the tactic on standard websites, but Stanford University researchers warn that there are not nearly enough defenses against the technique on mobile websites, which are accessed from devices such as the iPhone. Read More ››

Google Debuts Chrome 6 Beta, Trims UI

Boosts JavaScript Speed By 15%, Adds Credit Card Number Autofill

Gregg Keizer
August 12, 2010 | Read Article

Google yesterday shifted Chrome 6 into beta, a move that puts the browser one step closer to a stable release.

Chrome 6 -- specifically version 6.0.472.33 -- includes speed and stability improvements, Google said, as well as a tweaked user interface and enhanced synchronization of bookmarks, passwords and other data among machines running the browser. Read More ››

Tight-lipped Apple Fixes Safari Autosnoop Bug

BlackHat Talk Preempted

Dan Goodin in San Francisco
July 28, 2010 | Read Article

Apple has fixed a flaw in Safari that exposed user names, email addresses, and other sensitive information when the browser visited booby-trapped websites.

The update, which included an unrelated fix for a separate information disclosure vulnerability in Safari, comes a day before security researcher Jeremiah Grossman is scheduled to show attendees of the Black Hat Security conference in Las Vegas how to trick the AutoFill feature in the Apple browser into turning over detailed user information with no user input except visiting a particular website. Grossman said previously he had brought it to Apple's attention privately but received no response from the company. Read More ››

Black Hat: Most Browsers Can Be Made To Give Up Personal Data

IE, Firefox, Chrome and Safari All Have A Feature That Can Be Exploited, Expert Says

Tim Greene
July 27, 2010 | Read Article

All the most commonly used Internet browsers are vulnerable to exploits that can force them to cough up users' personal information that can be used to hack into bank accounts or set them up for other attacks, the Black Hat 2010 conference will be told this week.

"None of the tools I will demonstrate are really difficult," says Jeremiah Grossman, CTO of WhiteHat Security who will present the briefing "Breaking browsers: Hacking Auto-Complete" at the conference. Read More ››

Why Banks Are Losing The Desktop Security War


July 26, 2010 | Read Article
Click here to listen to the podcast.

Jeremiah Grossman, CTO of WhiteHat Security, on what banking institutions can do to regain the advantage over the fraudsters.

The war isn't over, but banking institutions are losing too many battles.

This is the perspective of web security expert Jeremiah Grossman, who sees banks and credit unions at a distinct disadvantage in the fight to secure banking transactions via the desktop. Read More ››

Apple Working On Fix For Browser Privacy Flaw

Ben Worthen
July 22, 2010 | Read Article

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice. Read More ››

Apple's Web Browser Allows Sites To Collect Personal Information

Miguel Helft
July 22, 2010 | Read Article

A security researcher uncovered a flaw in Apple's Safari Web browser that allows Internet sites to harvest personal information from visitors. The flaw, which exploits the Web browser's "auto-fill" capabilities, allows Web sites to scrape information like the name, e-mail, address, phone number and place of work of the person who uses the computer, which many Macintosh users store in their digital address books.

The Safari bug, which Apple acknowledged, is the latest to underscore the difficulty that Apple, and other technology companies, face in keeping personal information from falling into the wrong hands. Last month, a bug in an AT&T Web site exposed the e-addresses of 114,000 iPad owners. This month, a developer of iPhone applications breached the accounts of several iTunes users to conduct unauthorized purchases. Read More ››

IE And Safari Lets Attackers Steal User Names And Addresses

Ripe For The Picking, Researcher Says

Dan Goodin in San Francisco
July 20, 2010 | Read Article

Adobe To Introduce Sandboxing To Limit Reader Exploits

Angela Moscaritolo
July 20, 2010 | Read Article

The next major version release of Adobe Reader is expected to include new technology designed to mitigate attacks against the popular PDF software, Adobe announced on Tuesday.

The new security feature, called "Protected Mode," will force all operations that display PDF files to the user to be run inside a highly confined environment, known as a sandbox, in which certain functions are prohibited, Brad Arkin, Adobe's senior director of product security and privacy, told SCMagazineUS.com on Tuesday. Prohibited functions inside the sandbox include installing or deleting files, or modifying system information.

As a result, if an exploitable security vulnerability is discovered, the new functionality will help prevent an attacker from being able to write files, change registry keys or install malware on an individual's computer, Arkin said. Malicious code inside PDF files will be contained inside the Reader sandbox, instead of being installed on a user's system. Read More ››

Firefox Lets Hackers Grab Your Passwords

Black Hat Researcher Will Demonstrate How To Scrape Firefox Passwords With Cross Site Scripting Malware

Source Seeker
July 19, 2010 | Read Article

Better delete your passwords from Firefox's Password Manager before next week's Black Hat security conference in Las Vegas. That's when Jeremiah Grossman will present a demo showcasing how JavaScript can be used to collect passwords from Firefox. He'll also show how to grab other personal data from IE 6 and IE 7.

His demo will involve getting passwords out of Firefox's Password Manager using "nothing but garden variety Cross-Site Scripting (XSS)," says Grossman, who is founder and CTO of WhiteHat Security and is a co-founder of the Web Application Security Consortium. Execution requires tricking Firefox users into visiting a site hosting the XSS malware, but how hard is that? Read More ››

Talk On China Cyber Army Pulled After Pressure

Robert McMillan
July 15, 2010 | Read Article

A talk on China's military cyber-attack capabilities has been pulled from the Black Hat security conference schedule following pressure from Taiwanese and Chinese agencies.

The talk, entitled "The Chinese Cyber Army: An Archaeological Study from 2001 to 2010," was billed as an analysis of China's government-backed hacking initiatives, based on intelligence gathered from a variety of Asian intelligence groups. The talk was to be given by Wayne Huang, chief technology officer with Taiwanese security vendor Armorize, and Jack Yu, a researcher with the company.

On Wednesday Armorize CEO Caleb Sima announced via Twitter that the talk had been pulled, saying that the "Taiwanese [government] is prohibiting it due to sensitive materials." Read More ››

SIFMA TECH 2010: Black Hats Outspending White Hats?

Tom Steinert-Threlkeld
June 24, 2010 | Read Article

Professional hackers are now motivated by the same compulsion as Wall Street: Making money.

And they are not just in the habit of out-thinking defenders of financial systems. They may be outspending them as well, an expert said Thursday at the Securities Industry and Financial Markets Association 2010 Financial Services Technology Expo in New York.

The popular image of a lone hacker attacking sites from a personal computer in a bedroom is out of date, said Stephanie Fohn, the chief executive of WhiteHat Security, in discussing "Proven Methods to Combat the Web Attacks That Plague the Financial Services Industry." Now, hackers work in worldwide collaboration, organized criminals in a digitally-driven age, she said. "The enemy is very well organized, very well funded and very focused on making money," Fohn said. In fact, since 2004, organized crime has made more from the sale of data than it has from the sale of drugs, she said. In 2009, the take was an estimated $1 trillion, she said, citing a report to the U.S. Senate Commerce Committee. Read More ››

AT&T iPad Breaches Are About App Security, Not Mobile Devices, Experts Say

Gaffes Offer Lessons For IT Security Organizations, According To Analysts

By Ericka Chickowski, Contributing Editor
June 24, 2010 | Read Article

AT&T and Apple claimed they couldn't replicate the problem, but security experts, such as Jeremiah Grossman of WhiteHat Security, claimed the issues sounded suspiciously like session exhaustion, a behavioral anomaly that occurs when an application is overloaded and begins to run out of session IDs. Observers say both incidents likely involved poorly deployed Web applications that put sensitive back-end data at risk, giving nonauthorized users access to database information to which they shouldn't have been privy. Read More ››

AT&T’s iPhone Preorder Security Mayhem Likely Caused By ‘Session Exhaustion’

Andy Greenberg
June 17, 2010 | Read Article

Another week, another embarrassing Apple-related security breach at AT&T. On Tuesday, customers trying to preorder the new iPhone found themselves logged into other users' accounts, implying that there may have been an accidental large-scale breach of customers' sensitive information.

So what happened? The details still aren't clear. But a few Web security cognoscenti that we reached out to believe the problem may have been this: As the hundreds of thousands of users flooded into AT&T's site, the interface started running out of "session IDs," the unique numbers meant to allow secure sites to keep track of individual browsers--typically with cookies--and keep users logged into their accounts.

Jeremiah Grossman, a Web security researcher and chief technology officer of WhiteHat Security, calls that phenomenon "session exhaustion." "I've seen similar behavior across different websites over the years, particularly among those under extreme application load to the point where the site is barely reachable," he wrote to us in an email. Read More ››

Rash Of Facebook 'Likejacks' Still Flaring

On Facebook, No One Knows You're A Bot

Dan Goodin in San Francisco
June 3, 2010 | Read Article

Facebook attacks that force users to unwittingly endorse scam pages keep spreading, researchers say.

When the exploits surfaced on Tuesday, they resulted in hundreds of thousands of users giving their thumbs up to links with titles including: "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE." Since then, similar attacks have circulated that cause users to recommend pages promising naked pictures of alternative rock diva Hayley Williams or the phone number of heart-throb singer Justin Bieber.

The attacks exploit a flaw present in virtually every browser that allows unscrupulous webmasters to control the links a visitor clicks on. They work by overlaying an invisible iframe or other web object on top of a link or blank space on a webpage. The result is that a user can never be sure he's clicking on the link or button he thinks he is. The exploit has been coined “clickjacking” by Jeremiah Grossman and Robert “RSnake” Hansen, the security researchers who brought the technique to public awareness in late 2008. Read More ››

Researchers Beat Clickjacking Defenses Of Top Websites

Four Researchers From Stanford And Carnegie Mellon Outlined How Frame Busting, A Protection Meant To Defeat Clickjacking, Can Be Circumvented On Twitter And Other Popular Sites

By Brian Prince
May 28, 2010 | Read Article

New research has found a common defense used by Websites to prevent clickjacking attacks can be broken.

Clickjacking uses malicious iframes to take control of a Web surfer’s clicks and hijack their Web session. The term clickjacking was first used in 2008 by WhiteHat Security CTO Jeremiah Grossman and Robert "RSnake" Hansen, CEO of SecTheory. In order to combat the attack, Websites instituted techniques known as frame busting, which prevent a site from running when it is loaded inside a frame. Read More ››

Voice Of Experience: Stephanie Fohn, CEO, WhiteHat Security


By Melissa J. Anderson (New York City)
May 13, 2010 | Read Article

“Really, what I am is an entrepreneur,” said Stephanie Fohn, CEO of WhiteHat Security. “I found out very early on that what I love to do is create something from nothing.”

Fohn is emphatic about her love of entrepreneurship. “I love being an entrepreneur and I feel very strongly about creating – whether creating companies, jobs, or security, which has a positive impact around the world.”

“I would like to see all women become CEOs or COOs,” she said. “The biggest thing is to find something that you love to do – and not everyone can – and stick with it. Don’t give up. It’s so challenging and rewarding.” Read More ››

art of defence Integrates hyperguard With WhiteHat Sentinel to Deliver Risk Mitigation for Cloud Computing Environments

SAN FRANCISCO, CA--(April 27, 2010) - Today, art of defence, the leading distributed web application firewall (dWAF) provider, and WhiteHat Security, leading provider of website risk management solutions, announced the integration of art of defence's hyperguard and the WhiteHat Sentinel website vulnerability management service.

Enterprises, web hosting and cloud service providers are able to mitigate risk across any production website. Ideal for the unique cloud computing environment, customers can combine WhiteHat Sentinel's SaaS-based website vulnerability management capabilities with art of defence's software-based dWAF for a highly-targeted vulnerability remediation solution that enables organizations to obtain quick, easy protection from Web application attacks.

Researcher Shows New Clickjacking Methods

By Jeremy Kirk, IDG News Service
April 14, 2010 | Read Article

Clickjacking is a style of attack where a user is tricked into clicking on certain parts of a Web page with hidden buttons that perform malicious actions. The hidden buttons are delivered by an invisible iframe, which is a window that brings other content into the target Web site.

Clickjacking became well-known in 2008 after researchers Robert Hansen and Jeremiah Grossman discovered a kind of attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone. Read More ››

Next-Generation Clickjacking Attacks Revealed

Researcher At Black Hat Europe Will Also Release New, Free Tool For Executing These Attacks

By Kelly Jackson Higgins
April 13, 2010 | Read Article

Tomorrow at Black Hat Europe a researcher will demonstrate a new, powerful breed of clickjacking attacks he devised that can bypass newly constructed defenses in browsers and Websites.

Paul Stone, a security consultant with Context Information Security in the U.K., also will release a browser-based point-and-shoot tool for clickjacking that simplifies these attacks on Web applications and provides researchers visual views of the links, buttons, fields, and data to be targeted by the clickjacking attack. Read More ››

RSA 2010: Correlating Static And Dynamic Analysis Results For More Secure Software

By David Spark
March 5, 2010 | Read Article

Jeremiah Grossman, CTO and Founder of WhiteHat Security and Jacob West, Director of Security Research at Fortify both spoke to the process of dynamic and static analysis of your applications for building security into your software (Watch my video interview with both of them after the presentation, “Where is your software most vulnerable?”). That in a nutshell is WhiteHat Security’s focus. Jeremiah pointed out that while most of a company’s budget goes to applications, we spend the least amount of money securing those applications.

To secure an application during a development, a combination of dynamic and static analysis is necessary. There are benefits and drawbacks to both processes. Read More ››

Test: Most Web Application Scanners Missed Nearly Half Of Vulnerabilities

Tools Were Scanning Their Own Test Websites

By Kelly Jackson Higgins
February 4, 2010 | Read Article

Most Web application scanning tools miss vulnerabilities and generate false positives on their own public testing sites, according to a recent test of some of these products.

Larry Suto, an application security consultant, tested the Web app scanners for accuracy and false positives as well as the time it took with each to get the best possible results, including running, reviewing, and supplementing the results from the scans. He tested Acunetix, IBM's AppScan, Portswigger.net BurpSuitePro, Cenzic's Hailstorm, HP's WebInspect, NT Objectives' NTOSpider, and Qualys' managed scanning service.

Suto says what surprised him most about what he found in the tests was how the tools didn't catch vulnerabilities and threw false positives when scanning their own test Websites. "I think the report shows that while these tools are very helpful, one should not rely on them exclusively for security," he says. Read More ››

Following Google's Lead on Security? Don't Forget To Encrypt Cookies

SSL Secures Data Exchanged Between The Client And Server

By Lori MacVittie
January 15, 2010 | Read Article

In the wake of Google’s revelation that its GMail service had been repeatedly attacked over the past year the search engine goliath announced it would be moving to HTTPS (HTTP over SSL) by default for all GMail connections. For users, nothing much changes except that all communication with GMail will be encrypted in transit using industry standard SSL, regardless of whether they ask for it by specifying HTTPS as a protocol or not. In the industry we generally refer to this as an HTTPS redirect, and it’s often implemented by automatically rewriting the URI using a load balancing / application delivery solution.

Widely regarded as a good idea, and I’m certainly not disagreeing with that opinion, SSL secures data exchanged between the client and the server by encrypting every request and response using a private/public key exchange. This is a Good Idea and the general advice that “you should do this too” is sound; protecting data in transit from prying eyes eliminates the possibility that someone with ill intent might “sniff” out data and steal a user’s e-mail messages. Given the number of small and medium businesses that rely upon GMail for business-related communication and that some of that communication might be considered confidential or sensitive, this simple security mechanism is certainly one that has a high value with minimal risk and costs associated with implementation. Read More ››

Google Upgrades Security On Gmail

By Riva Richmond
January 13, 2010 | Read Article

Gmail users around the world are getting an important security upgrade.

In a blog post Tuesday night, Google said it would begin using Hypertext Transfer Protocol Secure, or HTTPS, technology to encrypt all traffic carried on its free Web-based e-mail service. HTTPS is a popular Internet protocol that combines the standard HTTP Web protocol with a layer of encryption based on the SSL/TLS protocol. It is commonly used by online banking services and shopping sites to protect secret customer data from interception by Web eavesdroppers.

Gmail has always used HTTPS to encrypt login pages, and thereby defend passwords, but encryption of e-mail traffic itself has been an option that users had to select. Now, Google will move all users to HTTPS by default, arguing that the security benefits of that outweigh the slight hit to the speed of e-mail delivery that the technology imposes. The performance impediment has been steadily diminishing as an issue because computing power, the speed of individual connections and overall Internet bandwidth have all expanded. Read More ››


"Web applications are bombarded with attacks every second of every day, and as a result it is important for enterprises to identify vulnerabilities in their production websites and shield them to the external world ideally before they are exploited by hackers. This partnership with WhiteHat drastically reduces the window between the identification of a vulnerability and the protection measure of delivering a 'virtual patch' at the dWAF based on the detailed vulnerability information. Thus it represents an important step in our ability to continue lessening the burdens of security for customers. Both solutions are software-based, making scaling simple, cost effective and easy to administer."

Georg Hess,
CEO and founder, art of defence
