This week’s questionable security breach reporting comes courtesy of the Daily Mail, regarding the compromise of accounts on Citigroup’s web site: http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html The “attack” (if you can really call it that), required a logged in user to simply modify the URL of an authenticated session to change a plaintext URL parameter containing their account number to another account number. That was all that was required – no coding, phishing, social engineering or other technique that requires any thought was needed. Anyone with a rudimentary understanding of how URL parameters work could have figured this out. I’m amazed nobody figured it out sooner. What bothers me about the article, though, is that the “expert” and law enforcement representatives who are quoted[…]

Comptroller Susan Combs offered another apology Thursday for the information breach in her agency, saying she now is offering a year of free credit monitoring to the 3.5 million people at risk of identity theft after their data was exposed on a public computer server…She announced in a written statement April 11 that the Social Security numbers and other personal information of 3.5 million people were left exposed for a year or more in a publicly accessible computer server at her agency. Dallas News According to this article in the Dallas Morning News, 3.5 million identities were left free for the taking on a public server for at least a year. That is a colossal security lapse. However, it is[…]

Looks like there will be some pretty important patches released next week by Microsoft. According to the advance notice issued yesterday, there are three remote code execution vulnerabilities in Windows and Office that need to be patched. The advance bulletin doesn’t detail exactly what the problems are, but remote code execution vulnerabilities are serious problems. So, everyone, if/when the little icon shows up next Tuesday telling you that you need to re-start for updates to take effect, don’t put it off too long!

You know those Facebook applications that occasionally pop up on your news feed, promising to add a “dislike” button, let you view who’s been looking at your profile, or implement some other feature that Facebook won’t ever support?  A lot of these applications are not much more than thinly disguised malware designed to harvest personal information or trick the user into participating in a click fraud scam. Well, it looks like we’re in for a lot more of them, thanks to a new, cheap toolkit that allows users with little to no programming knowledge or experience create these malicious applications.  For the low price of $25, this application will guide you through the process of creating your own nefarious Facebook[…]

As Peter touched on when relating his story about the Gawker password database compromise (in addition to numerous other mentions on this blog), maintaining secure passwords for all of your various online identities is not something to take lightly.  In addition to secure passwords, you should also use passwords unique to each site you are visiting.  You may not care if someone compromises the account you use to comment on Gizmodo, but if you also use that password for e-mail, banking, Facebook, or other sites you may value, you leave yourself open to a painful security breach. In a perfect world, websites would just use OpenID or other roaming credential, so that everyone would only have one secure password to[…]

AntiXSS is an open source .NET assembly available for download from Microsoft (source here).  This library provides much more flexible XSS protection in .NET applications than the built-in Server.HTMLEncode() approach, as it adds support for XML and LDAP filter encoding in addition to HTML encoding.  By allowing flexible and secure encoding and decoding of strings for these types of data, application developers can breathe a little easier when accepting data across trust boundaries. Libraries such as AntiXSS that perform string processing are incredibly useful for developers, for several reasons.  First, they are maintained separately from your code base, so any updates to the string processing functions for emerging threats can be applied without much hassle.  Second, by using a code[…]