Gal Shpantzer, friend of the blog, fellow blogger, and a writer for CSO Online asked us to bring some attention to a worthy cause. As part of his talk at Security B-Sides Boston in Cambridge, MA, he will partake in certain unabashed activities for each monetary contribution threshold reached for Hackers for Charity.
Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent (reflected) cross-site scripting (XSS) attack. While non-persistent XSS bugs are fairly common, this one is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit or credit cards, and payments can be made to third parties without any additional authentication once access to the account is gained.
Refusing to maintain and follow a good termination checklist that walks through which access rights to decommission when someone leaves your company can put the brakes on your customers’ good will. Texas Auto Center in Austin, Texas demonstrated the headaches that ensue when, in February, more than 80 customers who had financed cars through the dealer were left unable to get to school or work and stuck with charges for towing and unnecessary repair work.
Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty-year-old Omar Ramos-Lopez, had used still-active credentials to log in to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, make horns honk through the night.
The agitation in the voice on the phone shook me from sleep early Saturday morning: my uncle, a surgeon, had a computer problem and was concerned enough to call. He explained that he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden “McAfee” popped up and ran a scan, revealing 28 viruses. But for some reason the new module “McAfee” wanted him to install wasn’t working, because the site wouldn’t accept either of his credit card numbers.
The announcement came out earlier today that SecurityFocus, a long-standing security news portal started in 1999 and home of a number of popular mailing lists, including the well-known Bugtraq, is being shuttered by Symantec. While aspects of the site will continue (the mailing lists will remain and some content will be moved to Symantec Connect), the loss of the news portal and the site itself is a significant loss of historical perspective on the information security industry.
We posted an aside yesterday referencing Microsoft’s recent blog post on new security advisory 981374, which covers a new zero-day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being part of what was described as “limited targeted attacks” to being widely accessible and available as a new module for the Metasploit framework.
Noted journalist and friend of the blog George V. Hulme shared the picture below from CNBC, perhaps the most amusing way seen thus far of describing the patch for the ‘Aurora bug’ that famously affected Google late last year.
The much-maligned password has existed for thousands of years; for example, the Greek historian Polybius described its use in the Roman military before the birth of Christ.
To illustrate the point here is a clip, the password scene, from the 1932 Marx Brothers movie “Horse Feathers”.
In what could be the first act of domestic terrorism since Timothy McVeigh, a small plane (a Piper) that set out from Georgetown Municipal Airport hit a federal office building housing the Internal Revenue Service (IRS) at 11:36 AM in Austin, Texas. The pilot, a software developer named Joseph Andrew Stack who had previously set his house on fire, flew his plane kamikaze-style into the building in an apparent act of revenge against the IRS, as detailed in a 3,202-word suicide note on his web site: http://embeddedart.com.
Shortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama’s 8th District), and Brian Baird (Washington’s 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.