Wolf's Lair

Android vs iOS security

2011-10-24T15:00:00.000+08:00

A interesting video on well-known security researcher Dr Charlie Miller, which discuss the security postures of Android and iOS

My Million dollar ATM is ready for delivery??

2011-10-23T12:49:00.007+08:00

I have just received an interesting Scam mail. Think it will be useful to share with all my readers.

The email claims to be from FedEx. They are ready to deliver "my" million dollar ATM card in GHANA.

-Below are the extract-

Dear Valued Customer.

The office of the FedEx Managements in the capital city of ACCRA GHANA do hereby wish to inform you that your ATM card package is ready for delivery.

The issuing bank of this ATM card has instructed us to inform you that your card has been credited with the total sum of US$4,750,000.00 (Four Million-Seven Hundred & Fifty Thousand Dollars) which is now accessible and you can make your withdrawal from any ATM machine worldwide.

This ATM card with the PIN code and other vital documents has peen packaged into an Envelop which has been assigned for immediately delivery but unfortunately, the issuing bank has cleared (PAID) the delivery fee, insurance fee, custom duty fee, delivery permit fee but they were not allowed to pay the security bonded keeping fee because we have not been told when you will be coming for your claim not until the bank instructed us to contact you and inform you of the security bonded keeping fee which is only the sum of US$98 dollars, this is the only fee that you has to pay.

We further request you to kindly clear security bonded keeping fee of US$98 Dollars to enable us effect the delivery of your ATM card to you as soon as possible. At the meantime, you have to get back to us with your address where your package would be delivered to you within the nest 48hrs.

Your complete Name:…………………………
Your Complete Address:………………………
Your Mobile Number:…………………………..

Upon your swift response, we shall instruct you on how you will make the payment to the security office before we would be allowed to move your package. Our delivery duration is only 48hrs starting from the time when your package was picked up and dispatched out from our office here in Ghana.

We anticipate your response.

Thank you.

Mr. Mac Moses
FedEx Delivery Officer
Tel: 233- 247630112

-End of email-

From the email header, you will able to see some useful information:
1> Source email address.
2> Source mail server
3> Source IP address connected to mail server
4> Reply to address

From the "1> Source email address", you know that the email is coming from "chinkyeyes@rogers.com". Rogers.com is exactly a Canadian ISP, which uses Yahoo mail gateway (as shown below). So it has verified the "2> Source mail server" in the mail header.

From the "3> Source IP Address" (41.218.192.255), it was from Ghana. So it is likely that the user "chinkyeyes" account was compromised by the scammer.

Scam mail tends to show tell-tale sign such as spelling error.

I won $10,000 worth of shopping voucher??

2011-09-30T18:06:00.006+08:00

I received an email informing me that i have won $10,000 worth of shopping voucher coming from HardwareZone's newsletter.

The email format really give me the impression that i am the lucky winner, with two other "winners" listed in the email.

But after reading through the emails, it start to show tell-tale sign that it is just an advertisment and i did not really won a prize. They skillfully claims that "you may be a possible winner" as not to be accused as fraud later.

After clicking the link "www.greatsingaporevoucher.com.sg" to "verify" your details, it was obvious that the email is actually a legal "spam".

By "verifying" your details, you are actually joining the lucky draw instead. It also allow them to collect your information so to legally "spam" you further via Handphone, email, and mailing address.

w01f advise: If anyone still interested to join this lucky draw (or any similar online contest) and to be "spam" further, make sure you read and understand their "Terms and Conditions" and "Privacy Policy" before releasing your personal information to them.

Default again?

2011-09-29T20:44:00.001+08:00

Another device found to be using default password. This time is a home router in Korea. It is a DAVOLINK DVW-2000N router.

w01f advise: Home router console should not be accessible from the Internet. The account should also be properly secured with strong password.

"Easy" access to exam questions?

2011-09-27T22:18:00.002+08:00

While doing my "googling" and security analysis, i happen to come across a Shanghai school portal and manage to easily "gain access" into the "admin" account.

With the admin access, i am able to access to all the documents in the portal. Wondering if there are any exam questions in there?

I can do a listing of all the user account, which i can edit or delete.

w01f advise: Web portal should be proper secured, especially the administrative account. Strong password should also be used by all users.

Disclaimer: Only access to the "main" and "user account" page, no modification to the portal and no download of any files from this portal. It is purely for security awareness purpose with no malicious intent.

Should print server be secured?

2011-09-25T20:28:00.006+08:00

Recently, there are many news on data lost of customer information, product designs and algorithms from big corporation. WikiLeaks that exposed sensitive communication. Printers can be one of the good source of data leakage.

When surfing and "googling" around the Internet, we still see many print servers accessible from Internet. Some of these print servers were even configured with default login credential.

Beside data leakage, you can also create some disruptions to their business by making unauthorized changes.

Below are some examples, which i manage to gain access.

From the Admin console, we can access the "System Tools".

We can also make changes in "Advanced Setting".

w01f advise: Print server should not be accessible from the Internet. If access from the Internet is required, make sure it is properly secured and change all default login.

Test Drive OmniPeek 6.6

2011-07-01T14:04:00.001+08:00

Last week, WildPackets released OmniPeek 6.6, the first network analyzer with 802.11n 3-stream wireless support. You can test it out but downloading the Wireless Essentials Pack. The pack includes the OmniPeek Enterprise 6.6 demo software as well as three popular wireless add-ons: Wireless Signal Stats, Wireless Channel Aggregator, and Roaming Latency Analyzer.

The video below with Jay Botelho, Director, Product Management, and Chris Bloom, developer and evangelist of WildPackets will tell you all about OmniPeek's wireless capabilities.

10 Steps: Removing Spyware/Malware/Adware from a PC

2011-06-23T11:08:00.001+08:00

To completely remove spyware from a PC can be very difficult. Most spyware like malware propagates in many different locations i.e. registry, files, system and folders and removing all the erroneous files can be a challenge.
In some instances spyware software will disable antivirus, firewall and other well known
security software as well as create fake BSODs. Some may even remove the Microsoft Windows Security Center and replace it with a fake one as well as hijack the browser and stop users from clicking on links to security websites. Worse still a PC may stop loading Windows altogether.
So you can see the difficulty in attempting to clean a PC. There are some simple steps to removing most spyware and adware – these are generic and provide useful guidance when identifying and cleaning spyware and self-replicating malware from a PC.

STEP 1:

Reboot PC in Safe Mode with Networking – always log as the same user that was previously logged in
with, in normal Windows mode*.

An analysis of the spyware threat and how to protect a PC

STEP 2:

Launch IE and from Tools>Internet Options>Connections tab click LAN SETTINGS and uncheck the
checkbox labelled Use a proxy server for your LAN.

STEP 3:

Download Process Explorer – iexplore.exe (or explorer.scr) – use this program to look for processes
linked to the rogue program you have installed. Rename the iexplore.exe or winlogon.exe installers.
Alternatively download and use AutoRuns from SysInternals (you can also run this from removable
media).

STEP 4:

Check the hosts file and if it has any entries other than 127.0.0.1, comment them out –notepad
c:\windows\system32\drivers\etc\hosts**.

STEP 5:

Download Malwarebytes Anti-malware – if this doesn’t happen then download both the program and signature update database from another PC and install on the infected PC using removable media.

STEP 6:

Then download Spybot S&D and Spyware Doctor.

STEP 7:

Reboot the PC in Safe Mode again and in most situations the malicious files have been removed. Download/update the antivirus and firewall and any other security products on the PC.

STEP 8:

Run a full scan not a fingerprint scan and then reboot the PC.

STEP 9:

Download and install CCleaner and click the Registry tab to run a registry clean – don’t forget to make a
backup of the registry.

STEP 10:

Download and install NovaShield Anti-malware software – this program uses the OS Kernel to monitor any file; registry; process and network changes. This program will work alongside your existing antivirus and firewall software.

* Sometimes the Safe Mode is disabled by the spyware/malware – this happens because the malicious file has deleted the Safeboot registry keys. It is possible to merge a reg file with the missing Safeboot entries to re-enable Safe Mode.

** Spybot S&D inserts entries into the host file – as long as the host file IP address is 127.0.0.1 then all should be ok. According to Spybot S&D these entries (which can be in their thousands and is known to affect browser performance) are inserted as part of the immunization process.

Did you know?
Antivirus software actually makes silent calls to servers to check application status/virus definition updates and some collect operating system data. The malicious spyware will continue to be a threat. Expect spyware authors to develop more cunning ways to deliver spyware as part of a malicious payload. The attack vectors will include looking for vulnerabilities in Java, Microsoft Windows, website browsers, Active X, and sending users to IFrame websites (can be done from links in search engines) just to name a few.

By the way
You can make some extra $$$ with this guide

Hacker for Hire

2011-02-09T21:57:00.001+08:00

Recently i receive an Marketing Email which sell hacking guides, tools, services and even hiring a hacker.

The hacking guide they are selling includes:
- Credit card hacking
- Bypass Virtual keyboard in Internet banking
- Exploit and malware development

They also selling tools like
- Polomorphic Crypter's (to bypass AV Scantime,runtime)
- Paid Botnets
- IRC Bots
- Exploit packs

Services such as
- VPN Encrypted Connection (Hide your real Ip Address)
- Fake Emailer or Email Bomber
- DDOS attacks

If you dont know anything about hacking, you can ever hire a hacker to do the job.

They even have a website that allow you to order their service online. Even hacker give discount.

Swiss Cyber Storm Cargame Challenge

2011-01-16T14:39:00.000+08:00

Swiss Cyber Storm 3 is having a online January CarGame challenge. It is a Pen-testing wargame that you have to gain access into a vulnerable web application. Try to solve this challenge and win a new car.

Challenge Description
In Hacking-Lab, it provides a vulnerable web application - and somewhere on the web server you will be able to disclose a backend server DB connection properties file including hostname, IP, username and password. It is your goal to disclose this DB property file and then get a SQL connection to the database server. This DB server is vulnerable too! Please gain interactive access on the database server and proof your access by sending a screenshot of having access, some server info you gather with commands like "hostname" or similar.

Goal
Gain interactive access to the database server. Proof you are able to access the box.

Details
You must be authenticated and registered for the January 2011 CarGame Challenge in Hacking-Lab to see the full details of this wargame!

More details - http://www.hacking-lab.com/cases/7025-database-hijack-cargame-challenge/index.html

Challenge Registration - http://www.hacking-lab.com/events/registerform.html?eventid=137

Watch Intro video (on how to participate)

Official Swiss Cyber Storm 3 website

Hacker Space

2011-01-14T11:24:00.000+08:00

Hi all,
Just want to share this place called Hackerspace in Singapore. There are many such places around the world. You can find more information here : http://hackerspaces.org/wiki/ and http://en.wikipedia.org/wiki/Hackerspace .It's an interesting initiative and the local site is here - http://hackerspace.sg/ . Only downside is the membership fee due to maintenance of space. I think it's a good spin off from the 2600 monthly meetings- http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly .

Part Two: Two Factor Authentication!?!

2010-12-17T18:34:00.000+08:00

Alas, finally I made it to part two after so long. :)

Continuing from the previous post, OTP tokens are generally time-based or event-based. For time-based tokens, the pseudo-random number changes at a pre-determined interval, usually 30-60 seconds. For event-based tokens, it's based on a user event such as user pressing the button on the token and using a mathematical algorithm to generate the pseudo-random number and so on from there. Further explanation can be found here about what is an OTP - http://en.wikipedia.org/wiki/One-time_password .

There are now several companies providing such security tokens used for two factor authentication (TFA). A good explanation of the various types of security tokens can be found here - http://en.wikipedia.org/wiki/Security_token .

In Singapore or even worldwide, for most internet banking services, it's already a practice to use such tokens to improve security. (For the curious or security people, you are able to find out which particular token you are using from the list shown earlier.) Although it adds a layer of protection by using security tokens with TFA, it is still not totally foolproof.

With Wikileaks, cyber attacks in Singapore and other recent events, Singaporeans should not be complacent about security. One such event is the DBS false login page that was in the news and luckily the user was knowledgable to not proceed on. Here is one such notice on phishing by the bank - http://www.dbs.com/sg/personal/ibanking/additionalinfo/security/phishing/default.aspx . The banks has done their part in informing the general public and taking other measures for prevention. Normal users still need to be informed of such risks and how to identify them.

For the technically inclined on how it happens and recommendation of TFA usage, Bruce Schneier mentioned it in his blog here -http://www.schneier.com/blog/archives/2005/03/the_failure_of.html .

References:
- Wikipedia
- http://www.schneier.com/

Eleonore exploit pack

2010-11-10T16:08:00.005+08:00

Exploit packs have been selling in the underground for hundreds of dollars in recent years. These pre-packaged kits are designed to probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software. They normally comes with a Web administration page, which gives the attacker real-time statistics about victims, such as which browser exploits are working best, and which browsers and browser versions are most successfully attacked. Those commonly found in the market were iPack, Crimepack and Eleonore.

The latter, Eleonore, is the most popular kit and have been making the headlines recently. It is claim to cost between USD$500 - USD$1000 (based on the version). The package was updated approximately every month with the latest browser, PDF and Java vulnerabilities. These kit providers provide "secured" support, updates and even cleanup of the package service if necessary.

Eleonore Web administration page

Crimepack Web administration page

w01f advise: Always patch up your system, especially Internet browser, Java, Flash and PDF applications.

FireSheep Vs BlackSheep

2010-11-09T15:12:00.007+08:00

Firesheep
It is a Firefox extension that demonstrates HTTP session hijacking attacks. HTTP session hijecking (commonly known as Sidejacking) is a common vulnerability, which sniff the network traffic and extract victim's session information or cookie. With the session information, it can gain access to the victim's account without the need of username and password.

I have previously blog on sidejacking with Ferret and Hamster.

Firesheep is free, open source, and is available now for Mac OS X and Windows.

BlackSheep
BlackSheep, also a Firefox plugin is designed to combat Firesheep. BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked. While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network. When identified, the user will be receive the following warning message:

Please note that Firesheep and BlackSheep cannot be installed on the same Firefox instance as they share much of the same code base. If you want to run both Firesheep and BlackSheep on the same machine, they should be installed in separate Firefox profiles.

DotDotPwn 2.1

2010-11-08T17:09:00.003+08:00

DotDotPwn is a Directory Traversal Fuzzer. It works on HTTP, FTP and TFTP servers directory traversal vulnerability. It's written in perl language and can be run either under *NIX or Windows platform.

It is written by chr1x (member of our sectester group) and nitr0us. It had just released v2.1, which is more flexible intelligent. So far, 8 security vulnerabilities were discovered by this tools. It was also voted to be included in the next release of the Backtrack Distro.

Well Done chr1x!!

New DLL injection attack in Windows

2010-08-26T12:51:00.002+08:00

Microsoft had release an advisory on the vulnerability in Windows applications that allows attacker to execute malicious code remotely on victim's system.

Some exploits were found attacking third party applications. Microsoft is currently investigating whether any of their applications are susceptible to this DLL injection attack.

Many friends are asking me about this vulnerability. I think it will be good to explain in more details and share with everyone here.

The root cause of this vulnerability is the loading of dynamic libraries (DLL), which is the behavior and design of Windows. To better understand, you will need to know how DLL is used in Windows.

Windows provides a lot of DLL, which allow programmers to use functions from those DLL in their applications. Normally application load their libraries from the current working directory. But if the DLL is not found, there will be a search order that windows will perform.

Search order:
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.

If multiple directories hold a DLL with the same name, the first match be used.

So attacks exploit the weakness in the way windows search and load associated DLL. This DLL can be located in various directories, which include network paths that is controlled by the attacker. The malicious DLL may then be loaded.

Fix and workaround
Microsoft mentions that this flaw cannot be fixed in Windows without "Breaking expected functionality". It is because there are many applications that are written to search for their library based only on the file name, rather than the full directory path.

But Microsoft did provide some workaround such as disable loading of libraries from WebDAV and remote network shares. For more details, refer to the Microsoft Security Advisory (226937)

Related reports:
- The Register: Microsoft confirms code-execution bug in Windows apps

- Dark Reading: Microsoft Issues Advisory On New DLL Hijacking Attack

XSS found in Linkbucks.com

2010-08-14T17:19:00.006+08:00

Linkbucks.com website was found to be vulnerable to Cross Site Scripting(XSS) vulnerability, which could be exploited using malicious scripts.

Vulnerability Description:
==================
Linkbucks.com is a famous advertising network site that brings web users, websites and marketers together. The XSS vulnerability is found in the Default.aspx page. Script can be injected to the Message and Returnurl parameters. This can be exploited by injecting arbitrary HTML and malicious script code, which will execute in a user's browser session. Unvalidated redirection and forwarding is also possible.

Vulnerability testing:
===============
Vulnerable URL: http://www.linkbucks.com/Default.aspx?
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3

A simple "alert("You are hACked by w01f")" script was injected to the "Default" page. It was executed and display on the web browser. Malicious script could be executed using this method.

Below is the video demonstration on exploiting the XSS vulnerability using redirection. It will redirect to my blog. Hacker can redirect to a spoofed Linkbucks site with malicious code.

Remediation:
==========
The Message and ReturnURL parameters need to be properly sanitized after a user's logging out. The Linksbuck support team was contacted on the vulnerability. The support ticket is "#KHT-97974-227" but so far no fixed was done.

Windows Lnk Exploit Protection Tool

2010-07-27T17:15:00.006+08:00

The Recent Microsoft vulnerability in Windows Shell could allow Remote Code Execution such as using shortcut. Many malwares were found exploiting this vulnerability. Sophos had recently released a free protection tool that claims to be able to detect and block this Windows shortcut exploit from running. It will also work with your existing Anti Virus.

The tools can be downloaded from this official website.

Below is the demo video of the tools

Related Report:
- TechNet: Microsoft Security Advisory (2286198)

Disclamer: I do not in any way endorsed this tool nor responsible for any problem or issue cause by it.

Vulnerability found in WPA2

2010-07-27T13:43:00.003+08:00

Recently, a vulnerability was found in WPA2 protocol. It is an insider vulnerability where authenticated attacker could launch a "Man in the Middle" attack by decrypting and injecting malicious traffic into the wireless network.

WPA2 is currently the strongest WiFi encryption and authentication protocol available. According to the researcher in AirTight networks, this vulnerability is a design loophole in IEEE 802.11 Standard.

Based on the standard, Group Temporal Key (GTK), which is used to protect broadcast data sent to multiple clients, is using a common shared key. This allows authenticated user to use the common key to encrypt and sends spoofed packets to other clients.

Currently there isn't any patch on this standard.

Related Report:
- NetworkWorld: WPA2 vulnerability found

Email Scam Reloaded

2010-07-25T12:40:00.000+08:00

I have not been receiving any scam email for some time. Finally got last week. This one spoofed to be from the director of United Nations Compensation Commission.

- Extracted from the Scam mail -

From: Jeffrey S. Mears
To: brady@pisem.net
Subject: Swift Transafer Notification

Jeffrey S. Mears Director,
United Nations Compensation Commission (UNCC)
3 Vivian Avenue, London SW1Y 4TE
London UK
We need to confirm from you if JP Morgan Chase NA, London UK has credited your
account, with the approved amount of US$18Million dollars as
instructed by United Nations and African Union.
The African Union and UN has instructed for an immediate transfer to all
beneficiaries who has an outstanding payment to collect

We will be obliged to confirm from you if you have received the money from our
corresponding bank the JP Morgan Chase NA London UK,
to enable us close your file and put our record straight.

Thanks for the anticipated cooperation.

Jeffrey S. Mears Director,
United Nations Compensation Commission (UNCC)
3 Vivian Avenue, London SW1Y 4TE
London UK

- End of Email -

The letter may looks genuine to many, but it gives alot of tell-tale sign that it is actually a scam mail.

Firstly, the mail was send "To:" some unknown email instead of your own email address. for this case, "To:" field is to "brady@pisem.net".

Secondly, the sender is suppose to be "Jeffrey S. Mears" of the United Nations Compensation Commission. But the "From:" field is from "wangqm@im.ac.cn", which the domain is not from UN.org.

From the Mail header, the mail seems to be coming from "mail.im.ac.cn" and the message body was not in plain text but encoded.

Checking on the "mail.im.ac.cn", it is actually from the email system of the "Institute of Microbiology, Chinese Academy of Science" in China. Seems that the user "Wangqm" account was being hacked and used by the scammer.

Reverse Engineering Flash games

2010-06-30T17:22:00.004+08:00

Majority of online games uses Adobe Flash these days. While trying out this online games, i was surprised find out that there are still many unsecured flash games. Some are still sending the score in clear text (shown below). I think it is the basic for all online games to protect the score (or data) while submitting back to the server. I even created a simple Web challenge (Data Manipulation attacks for Web applications) on this flaw several months back, to teach and share this knowleadge.

Hashing, good enough?
But there are others that try to protect the score that is transmit back to the server using hashing. They hash the score with a secret key or "Salt". It look safe to many by protecting the data transmission. But they did not protect the Flash itself. It can be easily decompiled to extract the key (shown below) or change the code. Flash code should be obfuscated so that decompiling could not be easily done.

Below is the example of the unsecured Flash game that i came across recently. I had inform their administrator about the possible hacking on their game but they never reply to find out more. So i decided to share some of my finding and show how easy it can be reverse engineered.

Below is function that calls the hashing and submit the user's info and score.

Below shows the "key" or "Salt" that is use for the hashing.

-Update on 19 Jul

After the programmer of the game (that i previously mentioned) tried to secure their code, they were hacked again. This time it looks like an Indonesian hacker, which uses the name "Rank 1 to 10 all cheated" in Bahasa Indonesia, put himself on the top of the score table (with obvious reason).

Looks like the programmer don't understand malay language at all as the name was listed for a few days and was not removed. Time for me to send them a note again.

Wing FTP Server XSS vulnerability by w01f Labs

2010-06-01T10:09:00.004+08:00

New finding from the w01f Labs, the Wing FTP Server was found to be vulnerable to Cross Site Scripting(XSS) vulnerability, which could be exploited using malicious scripts.

Discovered Date: May 31, 2010
System affected: Wing FTP Server for Windows, Version 3.5.0 and prior version

For more detail on this vulnerability, visit my research site - w01f Labs

References:
- SecurityFocus: Wing FTP Server 'admin_loginok.html' HTML Injection Vulnerability
- Bugtraq: Wing FTP Server - Cross Site Scripting Vulnerability

Nessus Plugin for VicFTPS Vulnerability

2010-05-31T16:03:00.007+08:00

Wrote a Nessus Plugin to test on the VicFTPS Directory Traversal Vulnerability, that was discovered by chr1x (member of our sectester team).

This plugin will exploited the directory traversal vulnerability and return results if successful. I will be sending it to Nessus to get it added into the Plugin Feeds to be share with everyone. You can download the plugin here.

-Test with NASL Interpreter

- Added the Plugin

-Result from a scan

References:
- SecurityFocus: VicFTPS Directory Traversal Vulnerability

The Pwn2Own 2010 Contest

2010-05-26T10:11:00.002+08:00

The Pwn2Own 2010 organized by DVlabs was over. But there are some interesting information to share.
(Extract from "10 Lessons From The Pwn2Own Hacker Contest")

Google Chrome the Most Secured?

"The only browser that survived Pwn2Own this year was Google Chrome. This led to numerous news reports like this one suggesting that Google's browser was somehow more secure than the others. This is far from the truth. In fact, the vulnerability that caused the iPhone's downfall was in the WebKit engine and also affected the Google Chrome browser. Chrome's sandbox was also held up as a major CanSecWest roadblock but there's already scuttlebutt circulating that at least two security researchers have found a way to break out of the Chrome sandbox. Keep in mind that the iPhone has a sandbox that didn't help much when hackers hijacked the SMS database at Pwn2Own.

Survival at the Pwn2Own contest simply means that researchers weren't motivated enough to give up their vulnerabilities/exploits in exchange for a smartphone and cash prizes. The iPhone survived in 2008, didn't it?"

IE 8 seems to be Most Protected Browser.

"Despite the survival of Google Chrome and the fall of Internet Explorer 8 (running on Windows 7), all the browser hackers at the contest maintained that Microsoft's browser is by far the most difficult to exploit. For starters, IE 8 is the only browser to fully -- and properly -- implement ASLR. Peter Vreugdenhil, the researcher behind the successful IE 8 hack, needed two different vulnerabilities and several exploitation tricks to get it to work. However, because IE is the world's most widely deployed browser, it will continue to attract the attention of hackers and malware writers. Security doesn't equate to safety."

Apple Safari still the Easiest to Hack?

"For the third year in a row, security researcher Charlie Miller successfully compromised a fully patched MacBook Pro machine with a Safari vulnerability and exploit. Despite Apple's best efforts at making it difficult to exploit the Mac OS X, Miller's exploits show that Safari is still easy pickings because it lacks the mitigations found in Microsoft Windows. For example, Safari does not implement ASLR properly and does not have a sandbox to limit the damage from a hacker attack."

D-Link Router XSS vulnerability found by w01f Labs

2010-05-19T10:41:00.005+08:00

I have discover a Cross site Scripting (XSS) vulnerability on my own D-Link Router while working on fuzzing and vulnerability research last week. This vulnerability allows injecting of arbitrary HTML and malicious script code in the user's browser session.

Discovered Date: May 14, 2010
System affected: D-Link DI-724P+ Router, Firmware Version: v1.03

For more detail on this vulnerability, visit my research site - w01f Labs

Other References:
- SecurityFocus: D-Link DI-724P+ Router 'wlap.htm' HTML Injection Vulnerability
- OSVDB 65002 : D-Link DI-724P+ Admin Interface wlap.htm GET String XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert