Template:Application Security News


 * Jun 23 - Citibank wrestles with XSS
 * On the same day that Neosmart makes the ridiculous claim that XSS is not a vulnerability, a hacker has highlighted an XSS flaw in citibank.com and claims dozens more major sites have similar problems. It's not rocket science, but of course it's a vulnerability.


 * Jun 19 - Analyst research discovers that hackers go for low hanging fruit
 * The trend continues - less overall security breaches, and more web related attacks (12%). "Internet-enabled software applications, especially custom applications, present the most common security risk encountered today," said John Andrews, President, Evans Data. "Overall we're witnessing better software security practices early in the software lifecycle, which is positively affecting overall security breaches."


 * Jun 16 - For goodness sakes, don't click on links in email
 * A pretty complete writeup about the exploit of an XSS flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."


 * Jun 16 - When developers go bad...
 * The unbelievable story of what a disgruntled developer can do - "2,000 of the company's servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run. The system was offline for more than a day, and UBS PaineWebber -- which was renamed UBS Wealth Management USA in 2003 -- spent about $3.1 million in assessing and restoring the network. Executives at the company haven't reported how much was lost in business downtime...The agent executed a warrant on March 21, 2002, and allegedly found hard copy of the logic bomb's source code on the defendant's bedroom dresser. The Secret Service also allegedly found the source code on two of his four home computers."


 * Jun 15 - SCOMP, STOP, Tmach, Gemsos, MVS, VMS, Trusted Solaris, and OpenBSD seriously put out
 * "Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry...Windows Vista is the first operating system from Microsoft to be built from the ground up using the SDL development model. Every bit of code is scrutinized for Common Criteria Certification and security compliance checkpoints must be met along the way."


 * Older news...