Posts

Showing posts from April, 2008

Still not Hacker Safe, roll the video

Accuse me of beating a dead horse, but this really ticks me off. While preparing content for my monthly column, as well as presentation content for the ISSA NW Regional Security Conference, I found yet another bunch of McAfee Hacker Safe branded sites that are completely vulnerable to cross-site scripting (XSS), as well as other issues. The video I took points out only reflected, non-persistent vulnerabilities...no sites were harmed in the making of the video, and all sites have been advised. Nonetheless, let me make my point yet one more time.
1) Sites that are vulnerable to XSS are not PCI compliant. All of the sites in this video take CC payments and store customer information.
2) The sites in this video have been vulnerable for months. Additionally, some have been advised multiple times and have simply ignored my notices. Their McAfee Hacker Safe branding is active and has not been removed at any time.
3) The McAfee Hacker Safe service claims XSS as part of its vulnerability checks; …

Spot the Fed or Spot the Pony - CIA XSS

I can't resist. Giorgio Maone posted this here, having seen it on the Wired blog.
The repros say it all, and mind you, this "opportunity" has been public for days, yet the CIA hasn't fixed or disabled it. As Wired alluded, methinks the Cyber Security 'Manhattan Project' hasn't quite reached fruition yet.
For you fans of the "alqa-ida pony club" go here, but if you'd prefer to read about wunderkind Chertoff's latest spew try this. Both execute in the context of cia.gov. Sad, to say the least. Hopefully, these won't work much longer.
Screenshots if you'd prefer.

Packet heads and malware hunters rejoice

A couple of projects have recently emerged from development that are well worthy of adding to your feed readers.
Matt Jonkman at Emerging Threats pointed out OpenPacket.org, "a web site whose mission is to provide a centralized repository of network traffic traces for researchers, analysts, and other members of the digital security community." And traces they have...all the yummy pcap goodness you could ever hope for in the Capture Repository. This is a golden opportunity to correlate attack trends to what you may be seeing on your networks, or to take the time to analyze captures you may not otherwise see, thus tuning your packet analysis skills. It goes without saying that OpenPacket.org was conceived by Richard Bejtlich.
The other site of immediate interest to bug hunters is the SRI Malware Threat Center. The press release is here, but the premise is this: "SRI's Malware Threat Center posts daily updates of firewall filters, malware-related domain name system (DNS) n…

Site issues

Just as an FYI, my primary site, holisticinfosec.org, is suffering from server RAID card issues. My ISP is migrating my content to new hardware, so we should be back within 24 hours. Thanks for your patience.
UPDATE 4/5/08: We're back. It was a painful migration to new hardware, but it is complete and the site is fully functional. Thanks again for your patience.

Scan Alert's Hacker Safe now obsolete

The industry has spoken, and McAfee Hacker Safe branding is now obsolete! Everyone can be PCI certified at no cost, with no effort. It's as easy as this:
PCI Certified by Scanless PCI
Now everyone can take credit cards to the satisfaction of PCI DSS.
I'm so excited! Thanks to Jeremiah for pointing out scanlesspci.com.
Internet commerce is now safe for everyone. Priceless.