[Owasp-hongkong] OWASP News (Feb 2007)
Anthony Lai
anthonylai at owasp.org
Mon Feb 26 08:48:12 EST 2007
Dear members,
Happy New Year to all of you, and I wish you a wonderful Year 2007 :)
Here are some recent news from OWASP:
Feb 05 - Sammy 'MySpace' Kamkar Pleads Guilty in Court
"The man responsible for unleashing what is believed to be the first
self-propagating cross-site scripting worm has pleaded guilty in Los
Angeles Superior Court to charges stemming from his most infamous
hacking."
URL: http://www.scmagazine.com.au/news/45262,myspace-superworm-creator-sentenced-to-probation-community-service.aspx
Feb 05 - Why Your Organization Must Increase Its Web Application
Security Budget
"The Web application security threat is a real one. A failure to respond
to this threat will result in real risk to any enterprise that stores
financial or customer data. While the problem is a serious one, it is not
something that cannot be fixed so long as proper attention and budget are
allocated to it. Unfortunately, given the unique nature of the problem and
its impact on the budgetary process, it will likely require direct
intervention by the financial staff."
URL: http://www.itsecurity.com/security.htm?s=10164
Feb 05 - X-Force Notes Increase in Vulnerabilities. Where are the "X-Men"
to fix them?
"According to the report, which was developed by the IBM Internet
Security Systems (ISS) X-Force(R) research and development team, there
were 7,247 new vulnerabilities recorded and analyzed by the X-Force in
2006, which equates to an average of 20 new vulnerabilities per day. This
total represents a nearly 40 percent increase over what ISS reported in
2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely,
and over 50 percent allowed attackers to gain access to a machine after
exploitation."
URL: http://www10.mcadcafe.com/nbc/articles/view_article.php?section=CorpNews&articleid=347382
Feb 05 - Rubin Smacks Diebold Once Again
"Given what I've seen about voting system standards and voting system
testing labs, I would bet money that the parking garage system at
Baltimore Penn Station was tested more extensively before it was deployed
than the Diebold voting machines that we use in Maryland."
URL: http://www.huffingtonpost.com/avi-rubin/bad-software-all-around_b_40119.html
Jan 23 - Greasemonkey Backdoor Proof of Concept
A simple Greasemonkey script that illustrates the potential for abuse by
hooking a backdoor into your browser using JavaScript and AJAX techniques.
Meanwhile, a number of tools have been released recently; please feel
free to try them:
Nov 28 - JBroFuzz 0.3 Released
This version adds a more stable core, length updating for fuzzed POST
requests and allows you to specify your own fuzz vectors in a separate
file.
URL: http://www.owasp.org/index.php/OWASP_JBroFuzz
Nov 26 - OWASP Report Generator 0.88 Released
A tool for security consultants that supports the documentation and
reporting of security vulnerabilities discovered during security.
URL: http://www.owasp.org/index.php/OWASP_Report_Generator
Nov 26 - OWASP Site Generator v.70 Released
A tool that allows the creation of dynamic websites based on XML files and
predefined vulnerabilities (some simple, some complex) for testing
application security tools.
URL: http://www.owasp.org/index.php/OWASP_Site_Generator
There is an interesting project titled "Web HoneyNet", which gathers
statistics on web server attacks; you can get more information
here:
http://www.owasp.org/index.php/Announce:Web_Honeynet
Regards,
Anthony Lai, CISSP, CISM, CISA
Chapter Leader
OWASP (Hong Kong Chapter)
Chapter URL: http://www.owasp.org/index.php/Hong_Kong
Headquarters: http://www.owasp.org
"Keep an eye on the risk; Keep pace with the control"