HNNCast.2010.08.20
HNNCast for the third week of August 2010
Top Stories:
Free Malware from Network Solutions, Virgin’s Love Letter to the Bot Herd, V(D)-Cards, Facebook Likes Malware, iPhone Suck and Sell Scam
News:
Defacement Buffet, OhyouwantAUTH? Celebrity Twits, Month of Abyssec Bugs, Underworld Transaction Processor Popped, Facebook Hack 1.0
Tool Time:
RIPS, RS Mangler, ROPME, Halbred, SAMHAIN, nfex, URLVoid, MBSA 2.0 (NOT), nmapsi4
Quickies:
Cold Fusion’s Hot Mess, Facebook Leak, Passwords are Pointless, Insert Men’s Room Joke Here, Smudge Attack, Shopping for SQL Injections
Con Phooey:
Hurricane Labs Hack Challenge, LockCon, Hack in the Box, Security B-Sides, ToonCON
Stack of Shame:
- Count: 159
- Turning 1 Year Old This Week:
  - RealNetworks: ZDI-CAN-569 & ZDI-CAN-568 / RISK: HIGH (10 = AV:N/AC:L/Au:N/C:C/I:C/A:C, same vector for both) Discovered 2009-08-20 (365 days ago) by: Anonymous
  - Hewlett-Packard, IBM, Sun Microsystems: ZDI-CAN-561 / RISK: HIGH (10 = AV:N/AC:L/Au:N/C:C/I:C/A:C) Discovered 2009-08-20 (365 days ago) by: Rodrigo Rubira Branco (BSDaemon)
  - Sun Microsystems: ZDI-CAN-552 / RISK: HIGH (9.4 = AV:N/AC:L/Au:N/C:C/I:C/A:N) Discovered 2009-08-20 (365 days ago) by: Sami Koivu
Posted: August 21st, 2010
at 10:52pm by tan
Tagged with "Network Solutions", Abysssec, Adobe, Android, Anti-Virus, API, Apple, AV, Axel Rose, binary analysis, botnet, brute force, CCBill, ColdFusion, cPanel, Dallas, darknet.org, defacement, Delaware, dictionary, dislike button, DSS, Essen, Excel, exploit, exploit database, Facebook, Facebook Hacker 1.0, Fethard Finance, file integrity, Fort Worth, gadgets, Georgia Tech Research Institute, GPS Spy, GPU, Guns and Roses, Hack In The Box, Halbred, HP, Hurricane Labs Hack Challenge, IBM, India, Indian Cyber Army, IndiShell, Internet Explorer, Intrusion Detection, iPhone, ISP, Justin Bieber, Kansas City, Koobface, lockcon, LSASS, Malaysia, malware, MBSA 2.0 (NOT), Microsoft, Microsoft codecs, MOAUB, mobile security, Month of Abysssec Undisclosed Bugs, Mozilla, Newcastle, nfex, nmapsi4, OAUTH, Ohio, online supermarket, oracle, PAK Cyber Army, PAK haxors, Pakistan, Palm, passwords, patch, PCI, Penn State, PHP, Pre, python, QT, Real Networks, RIPS, rogue facebook application, ROP Exploit, ROPME, RS Mangler, SAMHAIN, scam, Security B-Sides, securitybsides.com, Shadowserver Foundation, SIM cards, smart phone, smudge attack, sql injection, static source code analysis, Sun, Tapsnake, tcpxtract, tinyurl, Tipping Point, ToonCON, Trojan, Twitter, URLVoid, vCard, Vijay Mallya, Virgin media, virtual business card, vulnerability, WebOS, widget, ZDI, Zero Day Initiative
HNNCast.2010.06.25
HNNCast for the last week of June 2010
Top Stories
- Ali Wants to Do, Pump and Dump Bot, Get N3k3d or the GIFs go Public, Another Forum Bust, Too ilLEGATT to Quit, Baaaahd Goat
News
- We’ve All Got H0lez, a No-No from Lenovo, Embarxssed, Designed to Fail… on Purpose, a Real Turkey of a Move, POS for Alarm
Tool Time
- THC IPv6 Attack Toolkit, VASTO, Pwnage Tool, iPhone Password Breaker, L0phtCrack, HTTPS Everywhere
Quickies
- Civil Cyber War, Hungry Hungary Po-pos, Crime Bit Down Under, Bhutan Patch Predicament, ACL Needs Better ACLs, Tweets For Turks, Naidu Boo-boo, 1 Ringy Dingy, Sploit Stores DoSsed
Cons Call
- Conf Con, PacSec, HacKid Con, B-Sides Ottawa, B-Sides LV, Pokercon/Hackers Poker Invitational Tournament, CannonBall Run, Mohawkcon
Programming Note: No HNNCast for the 4th of July weekend!
Stack of Shame
Count: 142
BIRTHDAYS:
- Turning 1 Yr Old:
  - ZDI-CAN-509 from RealNetworks = HIGH RISK by: Anonymous 2009-06-25
  - ZDI-CAN-508 from RealNetworks = HIGH RISK by: Anonymous 2009-06-25
  - ZDI-CAN-506 from RealNetworks = HIGH RISK by: Anonymous 2009-06-25
  - ZDI-CAN-490 from RealNetworks = HIGH RISK by: Anonymous 2009-06-25
- Turning 2 Yr Old:
  - ZDI-CAN-348 from RealNetworks = HIGH RISK by: Matteo Memelli aka ryujin 2008-06-25
Posted: June 27th, 2010
at 1:58am by tan
Tagged with "bit torrent", "Conf-con", "Jason Scott", "Kevin Mitnick", 501-3c, ACL, Adobe, Alistair Peckover, Argenta, Australian Christian Lobby, bank accounts, Belgium, Bhutan, botnet, botnets, British Telecom, Byrone Sonne, CannonBall Run, CISSP, Citrix, cloud, comspiracy to commit fraud, credit card umbers, Cyber War, DDoS, defacement, Defcon 18, Dexia, Dixie Cafe, DoS, Driskill Hotel, Durknet, ElcomSoft, Eleonore Exploit Pack, encryption, Exploit Sharing, extortion, F-Secure, Facebook, Fake Anti-Virus, Firefox, forums, fox news, fraud, g20, Gmail, Google Docs, Google Maps, Google Voice, Gregory Evans, hacked by Turkish Hackers, Hackers Poker Invitational Tournament, Hackerspace, HacKid Con, hacktivism, How to Become the Worlds #1 Hacker, HP, HTTPS Everywhere, Hungary, intimidating justice system participants, iPhone, iPhone Password Breaker, IPSwitch, ISC2, ISP, KBC, Kyrgyzstan, L0phtCrack, Las Vegas, Lenovo, Liberty Exploit Pack, Ligatt Security International, Lucky Exploit Pack, Luis Mijangos, malware, Meghna Naidu, Meredrop, metasploit, Metropolitan Police Central e-Crime Unit, milw0rm, mischief, Mohawkcon, National CyberCrime Centre, nCore, Neon Exploit Pack, New Zealand, Ottawa, PacketStorm, PacSec, phished passwords, PIN, Pokercon, POS, possession of explosives, Pwnage Tool, Rainbow Table, Real Networks, remote shells, Security B-Sides, Security Klatch, Sketch Cow, Sniper Backdoor, Spain, sql injection, THC IPv6 Attack Toolkit, The Hacker's Choice, Toronto Goat, Toronto Hack Lab T.O., Trojan, Trust Key, Turkey, Twitter, unauthorised computer access, VASTO, VMWare, vulnerabilities, weapons, whistle-blower, WiFi, Xen, XSS, XSSED, XSSED.com, Yes Exploit Pack, YouTube, ZDI, Zero Day Initiative, Zeus
Billionaire Polluters Defacement
A quick looksie into this shows we’re talking Cross Site Scripting (XSS) here…
- http://energiser.bp.com/login/index.php?lang=
  + trigger
  + iFrame of content to display
Which is why this is up on XSSED.NET I guess – LOL. You can visit the archive and follow the actual link to see the site is STILL VULNERABLE.
Found by: holisticinfosec
Past XSS finds by holisticinfosec include: American Express, Bravo TV, SOMA FM, Sprint, NAI, Amtrak, Hyatt, Princeton, McAfee, SecurityLab.RU, Intuit, FAA, Forbes, Palm, VoteSmart.ORG, Cornell, and BlackBerry to name a few others.
Because this is XSS, it’s not an *actual* defacement. XSSED.NET archives the vulnerability being exploited to be obvious and in your face, yet benign. Pen testers usually just use a JavaScript alert box to show you that, yes, they have control of the victim’s browser thanks to the vulnerable website. In this case, they add drama by “defacing” the site. The real risk is a silent hijacking of your session or installation of a back door into your system.
Sort of Hacktivism meets Cross Site Scripting I guess – I’m sure there’s plenty of Deep Shit on the Horizon for the Billionaire Polluters
Security researcher who goes by the nickname “holisticinfosec” (holisticinfosec.org) has submitted a rather funny cross-site scripting (XSS) vulnerability affecting the official British Petroleum (BP) company website. Due to improper input handling, he was able to deface the page and display an image showing oil spill protesters waving anti-BP banners – one banner read “Billionaire Polluters” aka “BP” (See Screenshot below).
BP.com XSS Mirror:
http://www.xssed.com/mirror/67152/
via BP.com defaced with XSS to show Gulf of Mexico oil spill protesters | News | XSSed.com.
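The bug class described above (a `lang=` parameter reflected into the login page without encoding), as an added example that is not code from XSSed.com, holisticinfosec or BP: the unescaped reflection beside the entity-encoded fix, plus a check a defender can run over rendered output. The host, the iframe payload and the page template are constructed; the example runs under Node.js with no dependencies.

```javascript
// Added example (not XSSed.com's, holisticinfosec's or BP's code). Models a
// login page that reflects its `lang` query parameter into the HTML, first
// unescaped (the bug class the post describes), then entity-encoded.

// Constructed sample: a harmless iframe pointing at a reserved test domain.
const PAYLOAD = '<iframe src="https://example.invalid/p.html"></iframe>';
const SAMPLE_URL =
  "https://example.invalid/login/index.php?lang=" + encodeURIComponent(PAYLOAD);

// Read the `lang` parameter from a full request URL ("" when absent).
// URL is a Node.js global; searchParams.get() percent-decodes the value.
function langFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get("lang") ?? "";
}

// VULNERABLE: the raw parameter is concatenated into the page, so any markup
// in `lang` is rendered by the visitor's browser as if the site had sent it.
function renderVulnerable(lang) {
  return `<html><body><h1>Login</h1><p>Language: ${lang}</p></body></html>`;
}

// Entity-encode text destined for an HTML text node or quoted attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: same template, but the reflected value is encoded on output.
// Allow-listing `lang` against known language codes is a sensible second layer.
function renderHardened(lang) {
  return `<html><body><h1>Login</h1><p>Language: ${escapeHtml(lang)}</p></body></html>`;
}

// Defender's check: tag names present in the rendered page that the template
// itself never emits. Anything listed here was smuggled in through user input.
const TEMPLATE_TAGS = new Set(["html", "body", "h1", "p"]);
function foreignTags(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase())
    .filter((tag) => !TEMPLATE_TAGS.has(tag));
}

const lang = langFromUrl(SAMPLE_URL);
console.log("vulnerable page injects:", foreignTags(renderVulnerable(lang))); // [ 'iframe', 'iframe' ]
console.log("hardened page injects:  ", foreignTags(renderHardened(lang)));   // []
```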
Posted: June 8th, 2010
at 12:05pm by tan
Tagged with BP, defacement, XSS
Categories: Breaking News