<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Security on Omid Farhang</title><link>https://omid.dev/tags/security/</link><description>Recent content in Security on Omid Farhang</description><image><title>Omid Farhang</title><url>https://omid.dev/images/bio-photo-150x150.jpg</url><link>https://omid.dev/images/bio-photo-150x150.jpg</link></image><generator>Hugo -- 0.161.1</generator><language>en-US</language><copyright>2026 Omid Farhang | All rights reserved.</copyright><lastBuildDate>Sun, 16 Jun 2024 01:10:11 +0330</lastBuildDate><atom:link href="https://omid.dev/tags/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Advanced Security Practices for Web Applications: Implementing CSP, HSTS, and SRI</title><link>https://omid.dev/2024/06/16/advanced-security-practices-for-web-applications-implementing-csp-hsts-and-sri/</link><pubDate>Sun, 16 Jun 2024 01:10:11 +0330</pubDate><guid>https://omid.dev/2024/06/16/advanced-security-practices-for-web-applications-implementing-csp-hsts-and-sri/</guid><description>&lt;p&gt;In today&amp;rsquo;s digital age, the security of web applications is of paramount importance. With cyber-attacks becoming increasingly sophisticated, web developers must implement robust security measures to protect their applications and users. This blog post explores three advanced security practices—Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and Subresource Integrity (SRI)—that can significantly enhance the security of web applications. 
We will delve into their implementation, use cases, and benefits, providing comprehensive guidance to help you secure your web applications effectively.&lt;/p&gt;</description></item><item><title>Linux Malware targets WordPress and common Plugins</title><link>https://omid.dev/2023/01/16/linux-malware-targets-wordPress-and-common-plugins/</link><pubDate>Sun, 15 Jan 2023 23:55:43 +0330</pubDate><guid>https://omid.dev/2023/01/16/linux-malware-targets-wordPress-and-common-plugins/</guid><description>&lt;p&gt;Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites.&lt;/p&gt;
&lt;h2 id="what-they-can-do"&gt;What they can do?&lt;/h2&gt;
&lt;p&gt;Upon their command, it is able to perform the following actions:&lt;/p&gt;</description></item><item><title>End of Microsoft Windows 7 security updates from today</title><link>https://omid.dev/2023/01/10/end-of-microsoft-windows-7-security-updates-since-jan10/</link><pubDate>Tue, 10 Jan 2023 17:56:31 +0330</pubDate><guid>https://omid.dev/2023/01/10/end-of-microsoft-windows-7-security-updates-since-jan10/</guid><description>&lt;p&gt;Starting today, January 10th, Windows 7 Enterprise and Professional operating systems will no longer receive security updates. Thus, computers that still run these OS will no longer be protected against critical vulnerabilities.&lt;/p&gt;
&lt;p&gt;Apart from the operating system itself, browsers (both Edge and third-party browsers), as well as services from other non-Microsoft vendors, such as NVIDIA, have confirmed that they have also stopped offering new security patches in Windows 7.&lt;/p&gt;
&lt;h3 id="actions-to-be-taken"&gt;Actions to be taken&lt;/h3&gt;
&lt;p&gt;You should upgrade your Microsoft Windows to a newer version. If your hardware does not support Windows 11, you may upgrade to Windows 10 or consider switching to another operating system such as Linux.&lt;/p&gt;</description></item><item><title>Farewell Lastpass, We don't need more data breach</title><link>https://omid.dev/2022/12/29/farewell-lastpass-we-dont-need-more-data-breach/</link><pubDate>Thu, 29 Dec 2022 01:21:22 +0330</pubDate><guid>https://omid.dev/2022/12/29/farewell-lastpass-we-dont-need-more-data-breach/</guid><description>&lt;p&gt;You&amp;rsquo;ve heard it again and again: &lt;a href="https://omid.dev/2009/01/13/passwords/"&gt;You need to use a password manager to generate strong, unique passwords and keep track of them for you&lt;/a&gt;. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service&amp;rsquo;s 25.6 million users, though, the company made &lt;a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/"&gt;a worrying announcement&lt;/a&gt; last week: A security incident the firm previously reported on November 30 was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.&lt;/p&gt;</description></item><item><title>Cross-platform botnet targets SSH-enabled devices</title><link>https://omid.dev/2022/12/16/cross-platform-botnet-targets-ssh-enabled-devices/</link><pubDate>Mon, 12 Dec 2022 23:37:43 +0330</pubDate><guid>https://omid.dev/2022/12/16/cross-platform-botnet-targets-ssh-enabled-devices/</guid><description>&lt;p&gt;Microsoft researchers found a cross-platform botnet that originates from malicious software downloads on Windows devices &amp;amp; succeeds in propagating to a variety of Linux-based devices by enumerating default credentials on internet-exposed SSH-enabled devices.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Microsoft researchers observed that the initial infection points related to the botnet were devices infected through the installation of malicious cracking tools that purport to acquire illegal Windows licenses. The cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell command. In some cases, the downloaded file is named svchosts.exe.&lt;/p&gt;</description></item><item><title>What you need to know about BERserk and Mozilla</title><link>https://omid.dev/2014/09/25/need-know-berserk-mozilla/</link><pubDate>Thu, 25 Sep 2014 22:10:46 +0000</pubDate><guid>https://omid.dev/2014/09/25/need-know-berserk-mozilla/</guid><description>&lt;p&gt;The &lt;strong&gt;Intel Security Advanced Threat Research Team&lt;/strong&gt; has discovered a critical signature forgery vulnerability in the &lt;strong&gt;Mozilla Network Security Services (NSS) crypto library&lt;/strong&gt; that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.&lt;/p&gt;
&lt;p&gt;The Mozilla NSS library, commonly utilized in the &lt;strong&gt;Firefox web browser&lt;/strong&gt;, can also be found in &lt;strong&gt;Thunderbird, Seamonkey, and other Mozilla products&lt;/strong&gt;. Dubbed &lt;strong&gt;“BERserk”&lt;/strong&gt;, this vulnerability allows attackers to forge RSA signatures, thereby allowing the bypass of authentication to websites utilizing SSL/TLS. Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites.&lt;/p&gt;</description></item><item><title>New Facebook scams in 2014</title><link>https://omid.dev/2014/08/22/new-facebook-scams-2014/</link><pubDate>Fri, 22 Aug 2014 17:03:30 +0000</pubDate><guid>https://omid.dev/2014/08/22/new-facebook-scams-2014/</guid><description>&lt;p&gt;The many Facebook scams of 2014 have been a little worrying: at first they all seem innocent enough, but they are social scams that lure users in to gain money or access to their computers.&lt;/p&gt;
&lt;p&gt;One particular Facebook scam this year was the “Robin Williams goodbye video”, which was apparently made before his death. This fake BBC News video is a scam and no such video exists.&lt;/p&gt;
&lt;p&gt;The “&lt;strong&gt;Robin Williams goodbye video&lt;/strong&gt;” started to circulate on Facebook and asks users to share the video before they can watch it. DO NOT click on it. There is no video, so there is no point in sharing it. &lt;a href="http://www.symantec.com/connect/blogs/robin-williams-goodbye-video-used-lure-social-media-scams"&gt;Symantec&lt;/a&gt; explains in detail that when Facebook users click on the video it asks them to either fill out a survey or install an application. When the survey is complete the scammers gain money for each one completed.&lt;/p&gt;</description></item><item><title>The FBI is willing to pay top dollar to download some malware</title><link>https://omid.dev/2014/02/07/fbi-willing-pay-top-dollar-download-malware/</link><pubDate>Fri, 07 Feb 2014 22:45:03 +0000</pubDate><guid>https://omid.dev/2014/02/07/fbi-willing-pay-top-dollar-download-malware/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2014/02/FBI.jpg"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2014/02/FBI.jpg" alt="FBI" /&gt;
&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The Federal Bureau of Investigation is willing to pay top dollar for the malicious, infectious software the rest of us pay to keep out of our computers, according to the Federal Business Opportunities website.&lt;/p&gt;
&lt;p&gt;A Monday &lt;a href="https://www.fbo.gov/index?s=opportunity&amp;amp;mode=form&amp;amp;id=5b4b8745e39bae3510f0ed820a08c8e2&amp;amp;tab=core&amp;amp;_cview=0"&gt;price quote request&lt;/a&gt; by the Investigative Analysis Unit of the agency’s Operational Technology Division is asking computer security developers and retailers to help the agency build a library of malware for an undisclosed reason, letting the companies name their price.&lt;/p&gt;</description></item><item><title>WordPress hardened with XSS, DoS and SSRF fixes</title><link>https://omid.dev/2013/06/25/wordpress-hardened-with-xss-dos-and-ssrf-fixes/</link><pubDate>Tue, 25 Jun 2013 10:57:44 +0000</pubDate><guid>https://omid.dev/2013/06/25/wordpress-hardened-with-xss-dos-and-ssrf-fixes/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/06/WordPress_grey_120.png"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/06/WordPress_grey_120.png" alt="WordPress" /&gt;
&lt;/a&gt;With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed &lt;a href="http://core.trac.wordpress.org/query?status=closed&amp;amp;group=resolution&amp;amp;milestone=3.5.2"&gt;12 bugs&lt;/a&gt;, seven of them security issues. In their &lt;a href="http://wordpress.org/news/2013/06/wordpress-3-5-2/"&gt;announcement&lt;/a&gt;, the developers “strongly encourage” all users to update all their installations of the software to version 3.5.2 immediately. In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks.&lt;/p&gt;</description></item><item><title>Facebook Virus That Drains Your Bank Accounts: What You Need to Know</title><link>https://omid.dev/2013/06/06/facebook-virus-that-drains-your-bank-accounts-what-you-need-to-know/</link><pubDate>Thu, 06 Jun 2013 08:43:10 +0000</pubDate><guid>https://omid.dev/2013/06/06/facebook-virus-that-drains-your-bank-accounts-what-you-need-to-know/</guid><description>&lt;p&gt;&lt;em&gt;This post has been shared originally by &lt;a href="http://blog.malwarebytes.org/intelligence/2013/06/facebook-virus-that-drains-your-bank-accounts-what-you-need-to-know/"&gt;Malwarebytes Blog&lt;/a&gt;:&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The word about the &lt;a href="http://bits.blogs.nytimes.com/2013/06/03/malware-that-drains-your-bank-account-thriving-on-facebook/"&gt;Zeus Trojan back on Facebook&lt;/a&gt; has spread as fast as the malware itself across many news sites.&lt;/p&gt;
&lt;p&gt;Awareness and education about online dangers are essential, but headlines like “Malware That Drains Your Bank Account Thriving On Facebook” instill fear while at the same time blaming Facebook — something that may not be entirely justified.&lt;/p&gt;
&lt;p&gt;Malicious links on social networking sites are nothing new (Twitter, LinkedIn to name a few). They have been, and continue to be, abused by spammers to peddle fake AV or redirect to exploit sites distributing all sorts of nasties.&lt;/p&gt;</description></item><item><title>Iranian Hackers targeting US oil, gas, and electric companies</title><link>https://omid.dev/2013/05/26/iranian-hackers-targeting-us-oil-gas-and-electric-companies/</link><pubDate>Sun, 26 May 2013 19:50:30 +0000</pubDate><guid>https://omid.dev/2013/05/26/iranian-hackers-targeting-us-oil-gas-and-electric-companies/</guid><description>&lt;p&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/05/Iranian-Hackers-targeting-US-oil-gas-and-electric-companies.jpg" alt="Iranian-Hackers-targeting-US-oil-gas-and-electric-companies" /&gt;
The Hacker News reported: For all the talk about China and the Syrian Electronic Army, it seems there&amp;rsquo;s another threat to U.S. cyber interests: Iran. A series of potentially destructive computer attacks targeting American oil, gas and electricity companies has been tracked back to Iran.&lt;/p&gt;
&lt;p&gt;Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify.&lt;/p&gt;</description></item><item><title>Apple closes QuickTime vulnerabilities on Windows</title><link>https://omid.dev/2013/05/23/apple-closes-quicktime-vulnerabilities-on-windows/</link><pubDate>Thu, 23 May 2013 20:01:51 +0000</pubDate><guid>https://omid.dev/2013/05/23/apple-closes-quicktime-vulnerabilities-on-windows/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/05/apple.jpg"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/05/apple.jpg" alt="apple" /&gt;
&lt;/a&gt;Apple has &lt;a href="http://prod.lists.apple.com/archives/security-announce/2013/May/msg00001.html"&gt;released&lt;/a&gt; a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.&lt;/p&gt;
&lt;p&gt;The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP&amp;rsquo;s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.&lt;/p&gt;</description></item><item><title>Symantec vs AV-Comparatives, Which one do you trust?</title><link>https://omid.dev/2013/04/25/symantec-vs-av-comparatives-which-one-do-you-trust/</link><pubDate>Thu, 25 Apr 2013 18:42:01 +0000</pubDate><guid>https://omid.dev/2013/04/25/symantec-vs-av-comparatives-which-one-do-you-trust/</guid><description>&lt;p&gt;Cross-posted from PCMag SecurityWatch:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://omid.dev/images/2013/04/symantec-calls-test-misleading.jpg"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/04/symantec-calls-test-misleading-300x236.jpg" alt="symantec-calls-test-misleading" /&gt;
&lt;/a&gt;Last week independent antivirus lab AV-Comparatives released the results of an on-demand antivirus detection test. The fact that Microsoft came in near the bottom wasn&amp;rsquo;t big news; the fact that &lt;a href="http://securitywatch.pcmag.com/security-software/310201-microsoft-outperforms-symantec-in-antivirus-test"&gt;Symantec scored even lower&lt;/a&gt; was surprising indeed. In a &lt;a href="http://community.norton.com/t5/Norton-Protection-Blog/Beyond-the-Headlines-Don-t-be-fooled-by-misleading-security/ba-p/943843"&gt;blog post&lt;/a&gt; released today, Symantec decried the entire practice of performing on-demand malware scanning tests, calling it “misleading.”&lt;/p&gt;
&lt;p&gt;In the early years of antivirus testing, every test was an on-demand scanning test. Researchers would assemble a collection of known malware, run a full scan, and record the percentage of samples detected. Modern labs work hard to devise tests that more closely reflect a user&amp;rsquo;s real-world experience, taking into account the fact that the vast majority of infections enter the computer from the Internet. Symantec contends that only the real-world sort of test is valid; I don&amp;rsquo;t entirely agree.&lt;/p&gt;</description></item><item><title>LulzSec Hacker Gets A Year For Sony Hack</title><link>https://omid.dev/2013/04/20/lulzsec-hacker-gets-a-year-for-sony-hack/</link><pubDate>Sat, 20 Apr 2013 19:47:19 +0000</pubDate><guid>https://omid.dev/2013/04/20/lulzsec-hacker-gets-a-year-for-sony-hack/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/04/lulz.png"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/04/lulz-300x224.png" alt="lulz" /&gt;
&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;A former LulzSec hacker has been jailed for a year for ransacking Sony Pictures Entertainment&amp;rsquo;s computer systems.&lt;/p&gt;
&lt;p&gt;Cody Kretsinger, 25, from Decatur, Illinois – better known to his fellow LulzSec cohorts as “Recursion” – was also ordered to carry out 1,000 hours of community service, and a year of home detention, following his release from prison.&lt;/p&gt;
&lt;p&gt;He was sentenced by a Los Angeles court on Thursday, &lt;a href="http://www.reuters.com/article/2013/04/18/us-usa-lulzsec-hacker-idUSBRE93H10K20130418"&gt;Reuters reports&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Kretsinger had pleaded guilty to a single count of conspiracy and unauthorized impairment of a protected computer (i.e. computer hacking) in a plea-bargaining agreement. Kretsinger admitted breaking into the Sony Pictures website and extracting information which he passed on to other members of LulzSec, who leaked the data in order to embarrass Sony, a hated enemy of the hacktivist group.&lt;/p&gt;</description></item><item><title>Boston Marathon Bombing Links May Hide Java-Based Exploits</title><link>https://omid.dev/2013/04/17/boston-marathon-bombing-links-may-hide-java-based-exploits/</link><pubDate>Wed, 17 Apr 2013 21:52:42 +0000</pubDate><guid>https://omid.dev/2013/04/17/boston-marathon-bombing-links-may-hide-java-based-exploits/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/04/382410-boston-marathon-emails.jpg"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/04/382410-boston-marathon-emails-300x163.jpg" alt="382410-boston-marathon-emails" /&gt;
&lt;/a&gt;PCMag: My social media accounts and email inbox are full of links to stories about the horrific incident in Boston earlier this week. I am reading about the victims, the bystanders and first responders that rushed to help, and looking for updates on the investigation.&lt;/p&gt;
&lt;p&gt;It turns out I should be careful about what links I click on, as cyber-criminals have already started exploiting the tragedy for their own nefarious purposes, security experts told SecurityWatch.&lt;/p&gt;</description></item><item><title>Microsoft to plug holes in Windows Defender in Patch Tuesday</title><link>https://omid.dev/2013/04/05/microsoft-to-plug-holes-in-windows-defender-in-patch-tuesday/</link><pubDate>Fri, 05 Apr 2013 20:18:00 +0000</pubDate><guid>https://omid.dev/2013/04/05/microsoft-to-plug-holes-in-windows-defender-in-patch-tuesday/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/04/windows-update3.jpg"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/04/windows-update3.jpg" alt="windows update[3]" /&gt;
&lt;/a&gt;Microsoft&amp;rsquo;s Patch Tuesday on 9 April will be an important spring cleaning day; the company plans to implement &lt;a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-apr"&gt;nine security bulletins&lt;/a&gt;. One of the bulletins deals with vulnerabilities in Windows Defender for Windows 8 and RT; the hole is rated as important and can be exploited to achieve elevated privileges.&lt;/p&gt;
&lt;p&gt;The headline bulletins will be the two critical security holes, one of which affects all versions of Windows and Windows Server, and another critical vulnerability which can be found in all versions of Internet Explorer. Whether the Internet Explorer fix will be addressing the IE vulnerability revealed at the recent Pwn2Own contest is unclear though. Both critical holes allow for remote code execution.&lt;/p&gt;</description></item><item><title>Russian malware spies on US ATMs</title><link>https://omid.dev/2013/03/31/russian-malware-spies-on-us-atms/</link><pubDate>Sun, 31 Mar 2013 10:47:00 +0000</pubDate><guid>https://omid.dev/2013/03/31/russian-malware-spies-on-us-atms/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/03/atm4.jpg"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/03/atm4-300x225.jpg" alt="atm[4]" /&gt;
&lt;/a&gt;Security firm Group-IB has identified a malware program called Dump Memory Grabber that can take debit and credit card data from point-of-sale (POS) terminals and ATMs. The researchers say that the program has already been used to steal data from clients of US banks including Chase, Capital One, Citibank, and Union Bank N.A. as well as from clients with Nordstrom-branded cards.&lt;/p&gt;
&lt;p&gt;SecurityWeek &lt;a href="http://www.securityweek.com/exclusive-new-malware-targeting-pos-systems-atms-hits-major-us-banks"&gt;reports&lt;/a&gt; the author of Dump Memory Grabber has put a video online to teach other hackers how it works. The Windows program written in C++ reads the target system&amp;rsquo;s memory using an external tool called mmon.exe.&lt;/p&gt;</description></item><item><title>Backdoor Uses Evernote as Command-and-Control Server</title><link>https://omid.dev/2013/03/29/backdoor-uses-evernote-as-command-and-control-server/</link><pubDate>Fri, 29 Mar 2013 00:53:00 +0000</pubDate><guid>https://omid.dev/2013/03/29/backdoor-uses-evernote-as-command-and-control-server/</guid><description>&lt;p&gt;&lt;a href="http://lh3.ggpht.com/-V5AGetYXHzk/UVTevh8EfuI/AAAAAAAAIDI/oy6-Q1Yi0zA/s1600-h/Evernote%25255B2%25255D.png"&gt;&lt;img loading="lazy" src="http://lh5.ggpht.com/-UZupKZ2CBOQ/UVTezUnrQ1I/AAAAAAAAIDQ/u45IOWgX-Ek/Evernote_thumb.png?imgmax=800" alt="Evernote" title="Evernote" /&gt;
&lt;/a&gt;With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks.&lt;/p&gt;
&lt;p&gt;We recently uncovered malware that appears to be using Evernote as a command-and-control (C&amp;amp;C) server. The malware attempts to connect to Evernote via &lt;em&gt;&lt;a href="https://evernote.com/intl/zh-cn"&gt;https://evernote.com/intl/zh-cn&lt;/a&gt;&lt;/em&gt;, which is a legitimate URL.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://lh6.ggpht.com/-WlYuO6mkcEE/UVTe2Cd5cTI/AAAAAAAAIDY/DZStZpDf-54/s1600-h/Evernote-backdoor-strings%25255B5%25255D.jpg"&gt;&lt;img loading="lazy" src="http://lh5.ggpht.com/-7-_6LRyj-kc/UVTe5TGjyqI/AAAAAAAAIDg/JSGXpFb9Tcs/Evernote-backdoor-strings_thumb%25255B2%25255D.jpg?imgmax=800" alt="Evernote-backdoor-strings" title="Evernote-backdoor-strings" /&gt;
&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process. The said .DLL file performs the actual backdoor routines.&lt;/p&gt;</description></item><item><title>Turkish FlashPlayer? no! It’s malware</title><link>https://omid.dev/2013/03/28/turkish-flashplayer-no-its-malware/</link><pubDate>Thu, 28 Mar 2013 17:37:00 +0000</pubDate><guid>https://omid.dev/2013/03/28/turkish-flashplayer-no-its-malware/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/03/shot_130328_2124583.png"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/03/shot_130328_2124583.png" alt="shot_130328_212458[3]" /&gt;
&lt;/a&gt;I recently came across the file “FlashPlayer.exe” during the course of regular research.&lt;/p&gt;
&lt;p&gt;The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://omid.dev/images/2013/03/shot_130328_2128356.png"&gt;&lt;img loading="lazy" src="https://omid.dev/images/2013/03/shot_130328_2128356.png" alt="shot_130328_212835[6]" /&gt;
&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Obviously, it’s disguised as an Adobe Flash Player 11 installer.&lt;/p&gt;
&lt;p&gt;Here is more info about the file:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;div class="chroma"&gt;
&lt;table class="lntable"&gt;&lt;tr&gt;&lt;td class="lntd"&gt;
&lt;pre tabindex="0" class="chroma"&gt;&lt;code&gt;&lt;span class="lnt"&gt; 1
&lt;/span&gt;&lt;span class="lnt"&gt; 2
&lt;/span&gt;&lt;span class="lnt"&gt; 3
&lt;/span&gt;&lt;span class="lnt"&gt; 4
&lt;/span&gt;&lt;span class="lnt"&gt; 5
&lt;/span&gt;&lt;span class="lnt"&gt; 6
&lt;/span&gt;&lt;span class="lnt"&gt; 7
&lt;/span&gt;&lt;span class="lnt"&gt; 8
&lt;/span&gt;&lt;span class="lnt"&gt; 9
&lt;/span&gt;&lt;span class="lnt"&gt;10
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/td&gt;
&lt;td class="lntd"&gt;
&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-md" data-lang="md"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;File Name: FlashPlayer.exe
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;MD5: e2856b1ad6c74c51767cab05bdedc5d1
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;SHA1: 1ac150ddb964722b6b7c96808763b3e4d0472daf
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;CRC32: a8464606
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;SHA-256: b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;SHA-512: e2d1388bd5feec51227cfa10a5606f7d3bc58f12ea95d688acb5178ff31a156a1092f739e7dd276f4c5368d89c33ed6a15b08ff5df294b9c3647905c1083921d
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;SHA-384: 5d622afcf87e33334a446df5dfd2be7769cab596cc9a121bfd6269bc85ee980f75e1a2d1472f0eb379788845230d883b
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;File Size: 561,152
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Version: 2.01
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Source: hxxps://flash-player-download.com/FlashPlayer.exe
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;
&lt;/div&gt;
&lt;/div&gt;&lt;p&gt;VirusTotal: &lt;a href="http://www.virustotal.com/latest-report.html?resource=e2856b1ad6c74c51767cab05bdedc5d1"&gt;Latest Report&lt;/a&gt;&lt;/p&gt;</description></item><item><title>IRS uncorks Dirty Dozen Tax Scams for 2013</title><link>https://omid.dev/2013/03/26/irs-uncorks-dirty-dozen-tax-scams-for-2013/</link><pubDate>Tue, 26 Mar 2013 19:59:00 +0000</pubDate><guid>https://omid.dev/2013/03/26/irs-uncorks-dirty-dozen-tax-scams-for-2013/</guid><description>&lt;p&gt;&lt;a href="https://omid.dev/images/2013/03/tax6.jpg"&gt;&lt;img class="alignright size-medium wp-image-6489" alt="tax[6]" src="https://omid.dev/images/2013/03/tax6-300x300.jpg" width="300" height="300" srcset="https://omid.dev/images/2013/03/tax6-300x300.jpg 300w, https://omid.dev/images/2013/03/tax6-150x150.jpg 150w, https://omid.dev/images/2013/03/tax6.jpg 347w" sizes="(max-width: 300px) 100vw, 300px" /&gt;&lt;/a&gt;The Internal Revenue Service today reminded taxpayers that there are plenty of scam artists and cybercriminals that want your money.&lt;/p&gt;
&lt;p&gt;The tax collection agency issued its “Dirty Dozen” list of tax scams that it says peak at this time of year and include:&lt;/p&gt;
&lt;h5 id="identity-theft"&gt;Identity theft&lt;/h5&gt;
&lt;p&gt;Tax fraud through the use of identity theft tops this year&amp;rsquo;s Dirty Dozen list. Identity theft occurs when someone uses personal information such as your name, Social Security number (SSN) or other identifying information, without your permission, to commit fraud or other crimes. In many cases, an identity thief uses a legitimate taxpayer&amp;rsquo;s identity to fraudulently file a tax return and claim a refund, the IRS said.&lt;/p&gt;</description></item></channel></rss>