A Romanian hacker identified, on December 6th, input validation deficiencies in URL parameter handling that lead to security vulnerabilities on a section of the official site of the Pentagon, http://pentagon.afis.osd.mil, the headquarters of the U.S. Department of Defense. The hacker, who identifies himself as Ne0h, has posted images of the vulnerabilities on his blog; the vulnerabilities are still active at the time of this blog post.
Archive for December, 2009
Unu did identify a Wall Street Journal branded web site that is vulnerable to SQL Injection attacks. But the site is not WSJ.com, is not on the same servers WSJ.com is on, and is not a site hosted by Dow Jones Telerate; it is a conference site hosted by a WSJ vendor called MAP Digital, Inc.
We have continued to experiment with the SHODAN Computer Search Engine after first looking at it last week. We continue to identify a variety of devices we sometimes note on security engagements (although usually on internal networks) that should not be externally accessible and that are either still using factory default credentials or are not requiring any credentials to access their administrative interfaces. Accessing the administrative panels of these devices would allow a bad actor to further compromise the organization running the device on its network. We can confirm that we are seeing results not just for poorly configured home offices or small businesses, but for large and medium businesses that would experience significant negative effects if breached or if their devices were tampered with. We’ll continue to blog about our findings until we get bored with it. Today’s search demonstrates how we found a few hundred accessible interfaces for IP camera DVR surveillance systems.