Archive for December, 2009

Pentagon Web Site Vulnerabilities Identified

On December 6th a Romanian hacker identified input validation deficiencies in URL parameter handling that lead to security vulnerabilities on a section of the official site of the Pentagon, http://pentagon.afis.osd.mil, the headquarters of the U.S. Department of Defense. The hacker, who identifies himself as Ne0h, has posted images of the vulnerabilities, which are still active at the time of this blog post, on his blog.

Unu Cracks a Wall Street Journal Conference Site, Not WSJ.com

Unu did identify a Wall Street Journal branded web site that is vulnerable to SQL Injection attacks. But the site is not WSJ.com, is not on the same servers WSJ.com is on, and is not hosted by Dow Jones-Teleratel; rather, it is a conference site hosted by a WSJ vendor called MAP Digital, Inc.

James Lipton says “Don’t tweet your junk”

James Lipton’s new public service announcements (PSAs) on texting (text messaging) for teenagers give the concept a whole new meaning. The campaign “Before you text, give it a ponder” features videos of Lipton loaning his trademark beard to teenagers so that its magical properties of forethought can be temporarily bestowed on them, and it effectively uses humor to combat the problems of sexting and cyber-bullying.

SHODAN: Cracking IP Surveillance DVR

We have been continuing to play around with the SHODAN Computer Search Engine after first looking at it last week. We continue to identify a variety of devices we sometimes note on security engagements (although usually on internal networks) that should not be externally accessible and that are either still using factory default credentials or require no credentials at all to reach their administrative interfaces. Accessing the administrative panels of these devices would allow a bad actor to further compromise the organization running the device on its network. We can confirm that we are seeing results not just for poorly configured home offices or small businesses, but for large and medium-sized businesses that would experience significant negative effects if breached or if their devices were tampered with. We’ll continue to blog about our findings until we get bored with it. Today’s search demonstrates how we found a few hundred accessible interfaces for IP camera DVR surveillance systems.

Disabling Javascript on Adobe Acrobat

For many users, PDFs are simply a mechanism for providing documents to read. Given the spate of vulnerabilities identified in Acrobat and Reader in 2009, and the likely promise of more in 2010, we are releasing by request this general instruction for disabling Javascript in Adobe Acrobat. An advisable approach, depending on your usage of these products, may be to disable Javascript and only re-enable it when performing an activity with a PDF that requires Javascript to be enabled, such as filling out an eForm.
