Ravens PHP Scripts And Web Hosting: Security

SECUNIA ADVISORY ID: SA47694

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47694/

RELEASE DATE: 2012-01-24

CRITICALITY: Highly Critical

DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, which potentially can be exploited by malicious people to compromise a user's system.
Posted by Raven on Friday, January 27, 2012 @ 02:12:23 EST (121 reads)

Major Symantec breach highlights risks of running old software
By Ed Bott | January 25, 2012, 4:56pm PST

Summary: Symantec says it has fewer than 50,000 users of pcAnywhere, a remote-access program that has been around for decades. It now says, for safety’s sake, those users should pull the plug. Immediately.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks.

Posted by Raven on Friday, January 27, 2012 @ 00:51:47 EST (45 reads)

Security mandates aim to shore up shattered SSL system
Southern writes "Too little, too late

A consortium of companies has published a set of security practices they want all web authentication authorities to follow for their secure sockets layer certificates to be trusted by browsers and other software.

The baseline requirements (PDF), published this week by the Certification Authority/Browser Forum, are designed to prevent security breaches that compromise the tangled web of trust that forms the underpinning of the SSL certificate system. Its release follows years of mismanagement by individual certificate authorities permitted to issue credentials that are trusted by web browsers. Most notable is this year's breach of DigiNotar, which led to the issuance of a fraudulent certificate used to snoop on 300,000 Gmail users in Iran.

The four dozen or so members of the CAB Forum still have a way to go, since their requirements are meaningless unless they are mandated by the software makers who place their trust in the authorities.

more: Packet Storm Security
"
Posted by Raven on Friday, January 13, 2012 @ 16:27:09 EST (54 reads)

SQL Injection Attacks by Example
Southern writes ""SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises.

We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. But the fact that we were successful does suggest that we were not entirely misguided.

There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.

more: UnixWiz
"
Posted by Raven on Friday, January 13, 2012 @ 16:26:03 EST (58 reads)

Opera Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA47077

VERIFY ADVISORY: http://secunia.com/advisories/47077/

RELEASE DATE: 2011-12-06

DESCRIPTION: Multiple vulnerabilities have been reported in Opera, where one has an unknown impact and others can be exploited by malicious people to bypass certain security features, disclose potentially sensitive information, and hijack a user's session. The vulnerabilities are reported in versions prior to 11.60.
Posted by Raven on Wednesday, December 07, 2011 @ 17:10:48 EST (438 reads)

Download.Com Caught Adding Malware to Nmap & Other Software
Southern writes "CNET's Download.Com is one of the most popular (currently ranked #174 worldwide by Alexa) and longest-running (been around since 1996) major sites on the Internet. As a download repository, their key value add was that they screened software to avoid malware, spyware, ad-ware, viruses and other harmful content that certain shady software contains. Even many security experts recommended them as a safe place to download software online. Download.Com is run by CNET, which is part of the 17-billion dollar CBS media empire. Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to their downloads.

Unfortunately, those people were wrong.
"
Posted by Raven on Wednesday, December 07, 2011 @ 17:01:21 EST (458 reads)

SQL Injection Attack happening ATM, 4000+ sites infected
Crypto writes "There have been several reports of sites being injected with a php-string. Typically code is inserted into several tables. From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation at this time.

When discovered yesterday about 80 sites showed in Google, this morning about 200, by lunch 1000 and a few minutes ago 4000+.
"
Posted by Raven on Sunday, December 04, 2011 @ 10:24:11 EST (457 reads)

Outsmarted: Captcha security not much of a gotcha
Southern writes "A team of Stanford University researchers has bad news to report about Captchas, those often unreadable, always annoying distorted letters that you're required to type in at many a Web site to prove that you're really a human.

Many Captchas don't work well at all. More precisely, the researchers invented a standard way to decode those irksome letters and numbers found in Captchas on many major Web sites, including Visa's Authorize.net, Blizzard, eBay, and Wikipedia. This chart shows how successful Decaptcha was in decoding each Web site's anti-bot mechanism. The column marked "precision" shows the success rate.

Their decoding technique borrows concepts from the field of machine vision, which has developed techniques to control robots by removing noise from images and detecting shapes. The Stanford tool, called Decaptcha, uses these algorithms to clean up the image so it can be split into more readily recognized letters and numbers.

"Most Captchas are designed without proper testing and no usability testing," Elie Bursztein, 31, a postdoctoral researcher at the Stanford Security Laboratory, told CNET yesterday. "We hope our work will push people to be more rigorous in their approach in Captcha design." Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

more: CNET
"
Posted by Raven on Thursday, November 10, 2011 @ 01:31:03 EST (211 reads)

Race conditions in security dialogs
Southern writes "From www.squarefree.com
I discovered arbitrary code execution holes in Firefox, Internet Explorer, and Opera that involve human reaction time. One version of the attack works like this:

The secret word fills the blank in the sentence 'If ____ web developers would use alternate text correctly!' It is all lowercase.

The page contains a captcha displaying the word "only" and asks you to type the word to verify that you are a human. As soon as you type 'n', the site attempts to install software, resulting in a security dialog. When you type 'y' at the end of the word, you trigger the 'Yes' button in the dialog. I made a demo of this attack for Firefox and Mozilla.

Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.

more: squarefree
"
Posted by Raven on Sunday, October 16, 2011 @ 02:34:45 EDT (612 reads)

phpMyAdmin Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA45365

VERIFY ADVISORY: http://secunia.com/advisories/45365/

CRITICALITY: Highly Critical

RELEASE DATE: 2011-07-29

DESCRIPTION: Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct cross-site scripting attacks and potentially compromise a vulnerable system and by malicious people to disclose potentially sensitive information and potentially compromise a vulnerable system.
Posted by Raven on Friday, July 29, 2011 @ 23:19:12 EDT (1275 reads)
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2011 by Raven
