The attack, know as the Man in the Browser method, works like this. Malicious code is first introduced onto the victim’s computer where it resides in the web browser. It will lay dormant until the victim visits a specific website—in this case, his bank’s secure website. Once the user attempts to log in, the malware activates and runs between the victim and the actual website. Often the malware will request that the victim enter his password or other security pass into an unauthorized field, in order to “train a new security system.” Once that happens, the attacker has full access to the account.

Pretty nasty, but still only valid for that session.

By extending the Burp Suite and integrating it with a CAPTCHA solving farm you can enable the automated bypassing of CAPTCHA within all burp tools; seamlessly replacing all CAPTCHA with their correct solutions.

One of the coolest Burp extensions I’ve ever seen.

One of the more interesting features is called File Trajectory. This tracks file movement within the enterprise, allowing organizations to identify the entry point and propagation path of malware. As you see from the below display, you have a list of every endpoint that has touched a particular file.

Interesting.

A researcher today published proof-of-concept code that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the server’s response — and ultimately overwhelming it.

Sergey Shekyan, senior software engineer with Qualys, also has added this new so-called Slow Read attack to his open-source slowhttptest tool.

Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS.

Data Collection: No data, no visuals (see also Where Data Analytics and Security Collide). This is the foundation. Data needs to be available and accessible. Generally it is centralized in a big data store (it used to be relational databases and that’s a viable solution as well). This step generally involves parsing data. Turning unstructured data or semi-structured data into structured data. Although a fairly old problem, this is still a huge issue. I wonder if anyone is going to come up with a novel solution in this space anytime soon! The traditional regular expression based approach just doesn’t scale.

Data Analysis: Once data is centralized or accessible via a federated data store, you have to do something with it. A lot of companies are using Excel to do the first iteration of data analysis. Some are using R, SAS, or other statistics and data analytics software. One of the core problems here is data cleansing. Another huge problem is understanding the data itself. Not every data set is as self explanatory as sales data.

Context Integration: Often we collect data, analyze it, and then realize that the data doesn’t really contain enough information to understand it. For example in network security. What does the machine behind a specific IP address do? Is it a Web server? This is where we start adding more context: roles of machines, roles of users, etc. This can significantly increase the value of data analytics.

Visualization: Lets be clear about what I refer to as visualization. I am using visualization to mean reporting and dashboards. Reports are static summaries of historical data. They help communicate information. Dashboards are used to communicate information in real-time (or near real-time) to create situational awareness.

Visual Analytics: This is where things are getting interesting. Interactive interfaces are used as a means to understand and reason about the data. Often linked views, brushing, and dynamic queries are key technologies used to give the user the most freedom to look at and analyze the data.

Collaboration: It is one thing to have one analyst look at data and apply his/her own knowledge to understand the data. It’s another thing to have people collaborate on data and use their joint ‘wisdom’.

Dissemination: Once an analysis is done, the job of the analyst is not. The newly found insights have to be shared and communicated to other groups or people in order for them to take action based on the findings.

Put in Action: This could be regarded as part of the dissemination step. This step is about operationalizing the information. In the case of security information management, this is where the knowledge is encoded in correlation rules to catch future instances of the same or similar incidents.

Hackers have posted a file online that they claim is a confidential glimpse into Symantec’s Norton Antivirus program and have threatened to release source code for the security giant’s flagship antivirus product.

The hacker group, which calls itself the Lords of Dharmaraja, posted a file on Pastebin that it said described the confidential workings of Symantec’s Norton Antivirus threat-detection product.

Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

Neat.

Their finding is backed up by anecdotal evidence, as well. Chrome has emerged unscathed during the annual Pwn2Own hacker contest for three years in a row, something no other browser entered has done.

Yep.

Phenomenal software.

[NSE] Added a new httpspider library which is used for recursively crawling web sites for information. New scripts using this functionality include http-backup-finder, http-email-harvest, http-grep, http-open-redirect, and http-unsafe-output-escaping. See http://nmap.org/nsedoc/ or the list later in this file for details on these. [Patrik]

And my web scanner can port scan. It’s a strange world.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to the account.

Facebook wanted to do something special for the people who are helping the company shore up its software and keep hackers and malware out.

Nifty.

A must see. It only runs like 30 minutes; the rest is Q&A.

White-box fuzzing or smart fuzzing is a systematic methodology that is used to find buffer overruns (remote code execution); unhandled exceptions, read access violations (AVs), and thread hangs (permanent denial-of-service); leaks and memory spikes (temporary denial-of-service); and so forth.

You can perform fuzzing on any code that parses input that is received across a trust boundary. This includes files, network sockets, pipes, remote procedure call (RPC) interfaces, driver IOCTLs, ActiveX objects, and message queues (including Microsoft Windows messages).

This article presents a case study of fuzzing during development of Microsoft Internet Security and Acceleration (ISA) Server 2006, and discusses efforts, bug density, and ROI. During this release, the internal testing team found over 30 bugs that were either Important or Critical—according to Microsoft Security Response Center (MSRC) ranking—in over 500 KLOC parsing code.

A decent intro to the concept of fuzzing, by Microsoft.

The screen goes black. The characters, despite their obvious talents, have been dwarfed by the formidable force on the other end of the connection.

It makes for exciting television, but the truth is even scarier.

In the real world, the majority of hackers don’t brilliantly blast through the defenses of slightly less brilliant computer whizzes.

They don’t win by being faster or smarter or more well-funded.

They win by waiting for smart people to do stupid things.

Nearly all new mobile malware in Q3 was targeted at Android. This follows a 76 percent rise in Android malware in Q2 of 2011.

At the end of 2010, McAfee predicted that malware would reach the 70 million unique samples by the end of 2011 but has increased this prediction to 75 million unique malware samples reached by year’s end, which is the busiest in malware history, says McAfee.

As mentioned above, McAfee says that malware authors are capitalizing on the popularity of Android devices (and perhaps the security flaws as well) this quarter. The Android platform was the only mobile operating system for all new mobile malware in Q3. One of the most popular forms of trickery in Q3 was SMS-sending Trojans that collect personal information and steal money. Another new method of stealing user information is malware that records phone conversations and forwards them to the attacker.