NIST on Several Things
End of last week, NIST published four Draft Special Publications on e-mail security, intrusion detection and prevention, web services security, and cell phone forensics.
According to the Web Application Security Consortium (WASC), XSS and SQL injection remain the most popular attack vectors being exploited in public incidents. Further details can be found in the Web Hacking Incidents Database (WHID), which was updated today.
The chart below illustrates the number of public incidents registered per year:
A broader list of vulnerabilities is listed in OWASP Top Ten, which ranks the most critical web application security flaws.
As reported by Computerworld, three regional banks in the US were hacked in a new spoofing attack:
"Earlier this month, attackers were able to hack servers run by the Internet service provider (ISP) that hosted the three banks' Web sites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's Computer Crime Center.
Users were then asked to enter credit card numbers, PINs (Personal Identification Numbers) and other types of sensitive information, he said.
According to Breeden, the affected banks are Premier Bank, Wakulla Bank, and Capital City Bank, all small regional banks based in Florida."
CNET's News.com reports on a panel discussion at the RSA Conference 2006:
"We have recently seen a move away from stealing user name and passwords," Shipp said. The new "bank-stealing Trojans" wait until the victim has actually logged in to their bank. "It then just transfers the money out."
"All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter. The bad guy just waits until you're there and then takes the money out," Shipp said.
This new type of Trojan is on the rise and is currently No. 3 on the list of most common threats, according to Shipp, who works at MessageLabs as a senior antivirus technologist.
I guess we will all end up surfing with VMware's Browser Appliance.
This interesting article (in French) warns webmasters about the "latest" spammers' technique for exploiting e-mail forms (i.e. FormMail.pl). It consists of injecting extra recipients into the From: field. We told you before: you shall never trust user input. :-)
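To illustrate the defence, here is an added example (my own code, not from the French article nor from FormMail.pl, and in Python rather than Perl) of a form-to-mail handler that refuses header values containing CR/LF and accepts only a single plain address in the user-supplied field, so the submission cannot add recipients. All names and the sample form data are constructed.

```python
import re
from email.message import EmailMessage

# One plain address and nothing else (no display name, no comma-separated list).
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a form value cannot safely be placed in a mail header."""


def safe_header_value(value: str) -> str:
    """Reject any value containing CR or LF: a line break is what would let
    form data start a new header line (e.g. another recipient) in the message."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("control character in header value")
    return value.strip()


def safe_address(value: str) -> str:
    """Accept exactly one bare address; anything else is refused, not cleaned."""
    value = safe_header_value(value)
    if not _ADDR_RE.fullmatch(value):
        raise HeaderInjection(f"not a single address: {value!r}")
    return value


def build_message(form: dict, site_owner: str, sender: str) -> EmailMessage:
    """Build the notification mail. User input goes only into Reply-To and
    Subject; From: and To: are fixed, so the script cannot act as a relay."""
    msg = EmailMessage()
    msg["From"] = sender            # fixed by the site, never user data
    msg["To"] = site_owner          # fixed by the site, never user data
    msg["Reply-To"] = safe_address(form.get("email", ""))
    msg["Subject"] = safe_header_value(form.get("subject", "Web form"))[:200]
    msg.set_content(form.get("message", ""))
    return msg


# Constructed sample submissions (hypothetical, not from the article).
GOOD_FORM = {"email": "alice@example.org", "subject": "Hello", "message": "Hi"}
BAD_FORM = {"email": "alice@example.org\r\nBcc: someone@example.net",
            "subject": "Hello", "message": "spam"}


def is_rejected(form: dict) -> bool:
    """True if the handler refuses the submission instead of sending it."""
    try:
        build_message(form, "owner@example.com", "webform@example.com")
    except HeaderInjection:
        return True
    return False
```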
This page contains an archive of all entries posted to never-ever-****-with-my.net in the Web Applications category. They are listed from newest to oldest.