Vulnerability Report: Information Exposure in Oracle's iRecruitment
Vulnerability Reports
Tuesday, 27 April 2010 00:00

Release Date: 4/27/2010
CVE Identifier: Pending

The following information exposure vulnerability has been reported to Oracle. Oracle reports that it has been addressed by patches and upgrades in the January 2010 Critical Patch Update (CVE-2010-0075) and the April 2010 Critical Patch Update (CVE-2010-0861).

Employee information exposure and reporting-relationships public exposure from Oracle's iRecruitment software

Oracle's iRecruitment software is an HR system used by many government agencies and large private corporations. The system can be used to manage hiring information as well as current employee records. Upon using one such company's hiring system as an external applicant, I followed a hyperlink and was able to recover the entire company's corporate hierarchy, which includes employees' names and contact information (primarily business-centric, but some personal information such as cell phone numbers). More importantly, the vulnerability shows departmental breakdowns and reporting relationships in the hierarchy. Depending upon how much information a particular organization stores, and where, this could result in violation of employee privacy protection laws such as those of the state of Massachusetts.

Evil Twin Attack Explanation
Exploits and Attacks
Thursday, 14 May 2009 12:15


Note, this report is for educational purposes only. The experiment was carried out in a secured lab setting. You should NOT try this at home. If you perform the Evil Twin attack in public, you are almost certainly committing a crime (e.g. computer trespass) in your state/province/country. I will not be held responsible for your usage of information. Use your knowledge for good, not evil.

This report is also available as a PDF, which includes the full Appendix and all content, which may not be shown here. Please note, some external documents such as original packet captures will not be provided. If you just want to see the attack and not read the details, then check out the presentation version, complete with example videos.

Evil Twin Attack Demonstration
Exploits and Attacks
Wednesday, 13 May 2009 00:00


The following is a demo and presentation I made to explain the Evil Twin AP attack. In the Evil Twin attack, you use software to imitate a real access point in order to trick users into connecting to your AP instead of the real AP. This gives you man-in-the-middle abilities to snoop on and inject data. The presentation includes videos direct from YouTube, so you can easily see the attack in action. I recommend going full screen and watching the videos in HD for best viewing. You can also view the demo videos directly by clicking here.

To view the full report on the Evil Twin attack, click here.



A solution to the botnet problem
Security Awareness
Saturday, 02 May 2009 14:45

In response to Aviram’s article, I would beg to differ that there is no way to stop botnets. For the most part, botnets are composed of hijacked user PCs, which are usually the most open to attack. Aviram is absolutely correct when he says that awareness is very important. Usually awareness implies that the user should have an updated virus scanner, not fall for scams, etc. – be aware of the risk level they operate under and how that risk level is affected by their decisions. I propose a slightly more annoying example for the end user and the service provider:


Tags botnet :: awareness :: ISP :: privacy :: securiteam :: inform
Don't Lose Yourself on the Internet
Security Awareness
Monday, 27 April 2009 00:00


Security Awareness is really important to me. I believe that creative and long-lasting reminders, slogans, and images can really do a lot to help reduce IT security threats. The goal is to keep these ideas and concepts fresh in people’s minds. They may not really understand what the slogan means, but they will be more conscious of what they are doing.

I created this poster for a Security Awareness Competition sponsored by EDUCAUSE (contest info and past winners). The target placement was university computer labs, in order to remind users to stay safe on the Internet. One of the big issues in user-space security right now is Phishing and Identity Theft. I decided to tackle this topic in a simple-to-digest format.
