PayPal XSS vulnerability affects EV SSL

May 16, 2008 – 6:13 PM

A new attack on PayPal could have allowed users who thought they were on a trusted page to access a fraudulent page and possibly expose personal information. On Friday, Finnish researcher Harry Sintonen reported the vulnerability in an IRC chat room.

In an interview with Netcraft, Sintonen said the issue was critical. “You could easily steal credentials.” He added that in this case you can’t trust the URL http://www.paypal.com.

A few weeks ago PayPal announced it would block users whose browsers did not support EV SSL. Sintonen, who is credited with finding an XSS attack on Barack Obama’s Web site in April, said his vulnerability also affected EV SSL pages.

In response, a PayPal representative said: “At PayPal, we take safety and security very seriously. As soon as we were informed of this exploit, we began working very quickly to shut it down. To our knowledge, this exploit was not used in any phishing attacks.

“However, as in any phishing incident, we encourage our customers to contact us immediately if they believe they have given out any personal or financial information that would jeopardize the security of their accounts or lead to unauthorized account access. If an unauthorized withdrawal or purchase is made on a PayPal account, PayPal will reimburse that customer 100 percent. We encourage all of our customers to frequently check the status of their accounts to ensure security.”

Source: CNet

Debian and Ubuntu keys under attack

May 16, 2008 – 11:29 AM

A recently disclosed vulnerability in widely used Linux distributions can be exploited by attackers to guess cryptographic keys, possibly leading to the forgery of digital signatures and theft of confidential information, a noted security researcher said Thursday.

HD Moore, best known as the exploit researcher who created the Metasploit penetration testing framework, called the vulnerability in Debian and Ubuntu systems “ugly” and said it will be a big job for administrators to find every flawed key, and then re-issue them.

The bug, noted Tuesday by the Debian Project, is in the random number generator used to produce a variety of digital keys, including SSH (Secure Shell) keys and SSL (Secure Sockets Layer) certificates. The latter are widely used to secure traffic between users and secure sites on the Internet.

According to Moore, the bug makes it relatively easy to “guess” keys. In a posting to his blog Wednesday, Moore claimed he was able to generate 1024- and 2048-bit keys in about two hours.


Xprobe2 – Active OS Fingerprinting Tool

May 16, 2008 – 5:55 AM

Sometimes I wonder to myself: have I mentioned a certain tool on the site, usually one of my favourites? Often I search the site to find I have never posted about it.

It just goes to show how we often overlook some of the more ‘obvious’ choices, and to many people they may not be that obvious. I’ll be going through the tools I use and posting them up here if I haven’t already.

Anyway, one of the stock tools for any pen-tester is Xprobe, usually known now as Xprobe2. Some of its logic has been absorbed into nmap. It's basically an active OS fingerprinting tool, meaning it sends actual data to the machine it's fingerprinting, unlike a passive tool such as p0f, which just listens.

Xprobe2 is a remote, active OS fingerprinting tool. Its features are listed below:

  • Port scanning is now available through the -T (TCP) and -U (UDP) command line options
  • Added the -B command line option ('blind port guess'), used for searching for an open TCP port among the following ports: 80, 21, 25, 22, 139
  • Include XSD schema with distribution and make our XML comply with that XSD
  • loopback (lo) is supported

You can read more on Xprobe2 and what it does here:

Intrusion Detection FAQ: What is XProbe?

Download Xprobe2 here:

xprobe2-0.3.tar.gz

Or read more here.

Source: Darknet

DIY Identity-Theft Protection: A 12-Step Program

May 15, 2008 – 7:52 PM

You don’t have to spend $100 to $200 a year to defend yourself from identity theft at the level of protection that a paid service offers. You can do almost everything the services do, for free. But following these steps will require time and effort.

  1. Get a free copy of your credit report by visiting AnnualCreditReport.com. Don’t be fooled by look-alike sites that promise free reports if you subscribe to their credit-monitoring services. Better yet, order by phone at 877/322-8228.
  2. For DIY credit monitoring, order a free report every three months from a different bureau. Scan the report for unfamiliar information, such as accounts you don’t remember opening.
  3. Place a fraud alert on your credit report by calling one of the credit bureaus. (You can find contact information for all three bureaus by browsing to the Fight Identity Theft Web site.)
  4. Put a recurring event in your online calendar to remind you to renew your fraud alert in 90 days.
  5. Tell the bureaus to stop selling your information to credit services, by calling 888/567-8688 or visiting OptOutPrescreen.com. Doing so will reduce but not eliminate the number of preapproved credit card offers you receive.
  6. Request a free public records report from ChoicePoint. You’ll have to print a form and mail it, along with copies of your driver’s license and proof of address. Scan the report for addresses and other details not related to you.
  7. Take your name off other marketing lists by signing up for ProQuo.com’s free service. In some instances, you may have to mail letters or navigate to a marketer’s own site to complete your opt-out request.
  8. Buy a mailbox that locks, or use a post office box. This will help prevent thieves from stealing your identity via paper mail.
  9. Buy a crosscut paper shredder and shred junk mail to frustrate dumpster-diving identity thieves.
  10. Never click a link from an e-mail message to log in to your bank or to any other financial institution. Type the secure site’s address into your browser, bookmark it, and use that link to access your accounts. Otherwise, you risk having your identity stolen by phishers.
  11. If you believe that you are a victim of identity theft, contact the Identity Theft Resource Center. Volunteers there can walk you through the process of restoring your identity.
  12. Get educated. Mari Frank’s IdentityTheft.org, the Privacy Rights Clearinghouse, and the Federal Trade Commission maintain huge libraries of information on how to avoid being victimized, and what to do if it has already happened.

Source: PC World

5 Misunderstood features in Windows Vista

May 15, 2008 – 5:17 PM

Microsoft has just published an article on the 5 most misunderstood features in Windows Vista from an IT professional's and developer's point of view. These include:

  • User Account Control (UAC)
  • Image Management
  • Display Driver Model
  • Windows Search
  • 64-bit version

Head over to the Microsoft Download Center to grab the document.

Source: Nicholas Rayner