devitry.com

Tech in the country. Programming & Technology innovations.

Wednesday, January 30, 2002

NewsBytes: Top Security Sites Easy Prey To Script Attacks. Looks like other security people are starting to see that CSS is a big problem.

Monday, January 28, 2002

CNN: Banks suffer high rate of security cracks. Why does this not surprise me? Are banking systems the least secure of all the internet sites? Or, is it just that crackers target banks more?

Friday, January 25, 2002

The good news is that I'm feeling better. I've been mostly home for the last 10 days in bed with the flu. It's about the sickest I've been that I can remember... It's also going around, so stay away from coughing people... yet another reason not to smoke. Anyway, I've gotta get caught up on mail, food and uhm life.

Wednesday, January 23, 2002

NewsBytes: Net Users Warned To Beware Sites With Scripting Holes. "The sites consider it a minor issue, but for visitors, it's a pretty big security and privacy matter. They could be giving away personal information without knowing it," says Jason Rafail from CERT. NewsBytes links to my update page with security holes on Chase, Microsoft, Oracle and more.

Sunday, January 20, 2002

Is AOL going to buy Red Hat? They have already bought cool products like Netscape and Winamp, which aren't that cool anymore. Will Red Hat go the way of Netscape? Can a bunch of Linux Geeks help AOL's bottom line? Will AOL Newbies all be running Linux soon?

Wednesday, January 16, 2002

Citibank Update. C2IT and accountonline.com seem to finally be listening and making changes. C2IT removed your account #'s from the send cash page and accountonline is continuing to stamp out scripting holes. Thanks. Now, if the rest of the internet sites would follow through and fix their holes, we might all have a safe browsing experience.

IE Browser SuperCookie. Paranoid that Microsoft can track you globally with a supercookie? Well, you have good reason to be. This page shows you what your MS number is. There is an option somewhere deep in your preferences to turn it off. Oh, yeah, and since it's hidden in the Windows Media Player plugin, it also works on Netscape.

Sunday, January 13, 2002

CitiBank Update. It seems that Citibank is still patching up their sites (c2it, accountonline, etc.), however, it's clear they are doing a rush job. I don't think they even READ the CERT advisory on how to fix CSS problems because they STILL don't filter all the important characters, thus letting scripting in. In addition, they STILL don't obfuscate your CREDIT CARD NUMBER in the html of some pages. That's just a basic Security 101 tip. If they don't have enough manpower to handle their sites, they should really consider hiring some of the many out of work programmers.

Saturday, January 12, 2002

Announcing our free screamingCSS vulnerability detector, the world's first general CSS detection program (that we know of anyway). This program will automatically spider a page and detect Cross Site Scripting problems. This is our first version, and is in no way complete, however, it has already successfully found CSS problems in public sites, so we are putting it up as is.

Friday, January 11, 2002

Geek.com: Citibank Payment System Flaw. I like the opinion on this piece. The web will never be secure if websites don't respond quickly to security problems. Citibank was lucky this time: they were notified and, after 3 months, fixed the problem before user accounts could be drained.

Thursday, January 10, 2002

E-Commerce Times: E-Commerce Sites Fail Security 101. An article covering more of the Cross Site Scripting holes I posted here. The only misleading thing in the article is that it may appear that you could get a list of credit card numbers of multiple people at a time. That's not really true, one could have only gotten user information one person at a time, going through their browser. What I really liked about the article is that it's the first one to indicate just how common this problem could be.

PC word snobs like this make me sick. Why do they believe that "leave early" and "dropout" are that much different? The stigma is from the association with not getting a good education, not with the word dropout. If everyone were to switch to this new classification, don't you think that "leave early" is going to start having a new stigma? Maybe it's just that Canada doesn't want as many dropouts in its country? Maybe they look down on dropouts? I'm an early grad school leaver, and I look down on Bill Gates, but not because he's an early college leaver.

This is a really cool clock. Didn't you always want someone to personally transcribe every second of the day for you? Don't spend your whole day watching it.

Wednesday, January 09, 2002

Viruses are ready and waiting for Microsoft's .Net. Can't MS write a virus-free product?

InformationWeek: Security Researcher Says Citibank Took A While To 'C2' Security Flaw. IW chimes in about Citibank's fix for c2it. I love the part where the spokeswoman says she only learned about it Monday. It makes it look like Citibank learned of it on Monday, when it was really just her. They seem to completely ignore the fact that I have been trying (and at least partially succeeding) to contact them regarding cross site scripting security flaws in many of their online sites, including c2it, since Sept.

C2IT.com has fixed the flaws I published. Let's see, that's 3 months and nothing for quietly trying to get them to fix things vs. 36 hours after getting picked up by media and it actually getting fixed. Does the media have a special security hotline to call, or do companies only fix things when pressed? (please excuse the pun) So, tell us, are you for public disclosure? Update - another Citibank site has been posted to my list of exploitable sites, along with a few other high profile sites.

Tuesday, January 08, 2002

Addr.com Ripoff! I used to host one of my sites on addr.com hosting. They were slow, and my site didn't do well, so I moved it off. I requested that they cancel my account on 10/13/01, nearly 3 months ago. They closed down my site, but they keep on billing me. I have continued to email them and they continue to ignore me. Stay tuned and I'll let you know how it turns out! In the meantime, don't use them!

MSNBC Article on my c2it security flaws. C2IT claims to have fixed all the problems, but I can assure you, I was able to run scripts on their site just this morning. It's pretty embarrassing that they should have been working on this for over 3 months, and all it involves is filtering 4 nasty characters. They also locked me out of my account, so I can't test other flaws (account number access), but I'll see if I can get access later. See also the article in eWeek.
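The "filter the important characters" fix that this entry and the January 13 Citibank update refer to, as an added illustration that is not code from the original post or from any of the sites named on it: the same page fragment rendered once with the untrusted value copied verbatim and once with HTML entity encoding on output, plus a parse-based check showing that only the verbatim version lets the value turn into a tag or an event-handler attribute. The template, function names and sample inputs are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the original post): the kind of value
# a reflected query parameter or display name would carry.
TAGGED_NAME = "Mallory<script>alert(1)</script>"      # tries to open a tag
BREAKOUT_NAME = 'x" onmouseover="alert(1)'            # tries to end an attribute

def render_unsafe(name: str) -> str:
    """The hole: untrusted input copied verbatim into element body and attribute."""
    return f'<p>Welcome back, {name}!</p><input name="user" value="{name}">'

def render_safe(name: str) -> str:
    """The fix: entity-encode on output. html.escape(quote=True) encodes
    & < > " and ', so the value can neither open a tag nor end the quoted
    attribute it sits in."""
    safe = html.escape(name, quote=True)
    return f'<p>Welcome back, {safe}!</p><input name="user" value="{safe}">'

class _StartTags(HTMLParser):
    """Collects start-tag names and attribute names seen while parsing."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attr_names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(attr_name for attr_name, _ in attrs)

def markup_summary(fragment: str) -> tuple[list[str], list[str]]:
    """Which tags and attribute names does a browser-style parse of the
    fragment see? The template alone yields (['input', 'p'], ['name', 'value']);
    anything beyond that was contributed by the untrusted value."""
    parser = _StartTags()
    parser.feed(fragment)
    parser.close()
    return sorted(parser.tags), sorted(parser.attr_names)

def input_became_markup(fragment: str) -> bool:
    """True when the rendered fragment has structure the template did not."""
    return markup_summary(fragment) != (["input", "p"], ["name", "value"])

if __name__ == "__main__":
    for sample in (TAGGED_NAME, BREAKOUT_NAME):
        print("verbatim:", input_became_markup(render_unsafe(sample)))  # True
        print("encoded: ", input_became_markup(render_safe(sample)))    # False
```

Note that the breakout sample contains no `<` or `>` at all, which is why encoding only the angle brackets is not enough when the value lands inside a quoted attribute.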

Thursday, January 03, 2002

Do you like the Dr. Pepper? If so, you may have also noticed the numerous Fake Doctors (or are they fake peppers?) Anyway, this site does a wonderful job rating the best tasting knock-offs. Looks like Dr. Riffic is the best.

Keep your dog on a leash, even if you are a former president or first lady. Otherwise, this could happen to your dog. They gave away the cat and now their dog is dead, don't let it happen to you.