CGISecurity - Website and Application Security News
http://www.cgisecurity.com/
Feed image: http://images.cgisecurity.com/i/rss.gif
All things related to website, database, SDL, and application security since 2000.
Language: en-US
Last updated: 2009-07-01T15:00:58-07:00

New Attack on AES
http://www.cgisecurity.com/2009/07/new-attack-on-aes.html
A new attack has been discovered against AES. "Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key...
Categories: Cryptography, IndustryNews, Research
Author: Robert A.
Published: 2009-07-01T15:00:58-07:00

Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers
http://www.cgisecurity.com/2009/07/security-guard-busted-for-hacking-hospitals-hvac-patient-information-computers.html
"A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a...
Categories: Funny, Incidents, IndustryNews
Author: Robert A.
Published: 2009-07-01T14:56:06-07:00

Three Web Application Firewall Advisories, Whitepaper Published
http://www.cgisecurity.com/2009/07/three-web-application-firewall-advisories-whitepaper-published.html
Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products.
Artofdefence Hyperguard Web Application Firewall (Remote Denial of Service)
http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt
phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution)
http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt
radware AppWall Web Application Firewall (Source code disclosure on...
Categories: IndustryNews, Research, Vulns, Web Application Firewalls
Author: Robert A.
Published: 2009-07-01T10:26:47-07:00

Researcher barred for demoing ATM security vuln
http://www.cgisecurity.com/2009/06/researcher-barred-for-demoing-atm-security-vuln.html
"A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby Jack...
Categories: Events, IndustryNews
Author: Robert A.
Published: 2009-06-30T13:29:03-07:00

Masked passwords must go?
http://www.cgisecurity.com/2009/06/masked-passwords-must-go.html
"Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in....
Categories: IndustryNews, Research
Author: Robert A.
Published: 2009-06-30T10:00:11-07:00

Blind Hacker Sentenced to 11 Years in Prison
http://www.cgisecurity.com/2009/06/blind-hacker-sentenced-to-11-years-in-prison.html
"A legally blind Massachusetts phone hacker was sentenced Friday to over 11 years in federal prison, following his guilty plea on computer intrusion and witness intimidation charges earlier this year. Matthew Weigman, 19, was sentenced in Dallas by U.S. District Judge Barbara M.G. Lynn, according to the U.S. Attorney's Office there....
Categories: Incidents, IndustryNews
Author: Robert A.
Published: 2009-06-29T17:59:12-07:00

Max Vision Pleads Guilty To Wire Fraud/Carding
http://www.cgisecurity.com/2009/06/max-vision-pleads-guilty-to-wire-fraudcarding.html
"A San Francisco man pleaded guilty today in Pittsburgh this afternoon to federal charges of hacking into computer systems of financial institutions and other hackers to steal nearly 2 million credit card numbers, which were used to rack up more than $86 million in fraudulent charges. Max Ray Vision, formerly Max...
Categories: Incidents, IndustryNews
Author: Robert A.
Published: 2009-06-29T12:58:12-07:00

Generic Remote File Inclusion Attack Detection
http://www.cgisecurity.com/2009/06/generic-remote-file-inclusion-attack-detection.html
"A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially php applications) from a remote server. RFI attacks are extremely dangerous as they allow a client...
Categories: Defense, Forensics, Research
Author: Robert A.
Published: 2009-06-29T09:15:03-07:00

Session Attacks and ASP.NET - Part 2
http://www.cgisecurity.com/2009/06/session-attacks-and-aspnet-part-2.html
"In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET's session architecture and authentication architecture. In this post, I'll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures."
Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/
Categories: Defense, Development
Author: Robert A.
Published: 2009-06-28T20:58:36-07:00

FTP login credentials at major corporations breached
http://www.cgisecurity.com/2009/06/ftp-login-credentials-at-major-corporations-breached.html
"A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee. According to a report in the Friday edition of The Register, Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K.,...
Categories: Incidents, IndustryNews
Author: Robert A.
Published: 2009-06-28T20:54:38-07:00