Comments for Mal-Aware.org

Comment on Fedex Kinko’s Smart Cards Hacked by PICCOLA GADGETS

PICCOLA GADGETS — Wed, 05 Apr 2006 22:38:48 +0000

FedEx Kinko’s ExpressPay card (and others?) hacked…

Earlier this week, information security company Secure Science released a video
of a hack that would defeat FedEx Kinko’s ExpressPay card’s limited security. As with all traumatic events, FedEx
first issued a denial, but have recently come to acc…

Comment on The Anti-Phishing Working Group Releases January Phishing Trends Report by Clint's Security Blog

Clint's Security Blog — Wed, 29 Mar 2006 21:46:33 +0000

Security Blogs I Read, Part II…

So you’ve probably read Part I, which are my favorite security blogs. Now onto some……

Comment on 17 Million Mystery Database Entries in Hands of Phishers by Clint's Security Blog

Clint's Security Blog — Fri, 24 Mar 2006 07:03:58 +0000

Security Blogs I Read, Part II…

So you’ve probably read Part I, which are my favorite security blogs. Now onto some……

Comment on 17 Million Mystery Database Entries in Hands of Phishers by localhostage

localhostage — Thu, 23 Mar 2006 19:46:14 +0000

$1300.00. Wowzers!

Interesting follow up

-lh
http://www.wirah.com

Comment on Fedex Kinko’s Smart Cards Hacked by Clint's Security Blog

Clint's Security Blog — Sun, 12 Mar 2006 07:24:39 +0000

Security Blogs I Read, Part I…

I’ll admit it, I’m a blog addict. I read about 50 security blogs and have another……

Comment on Fedex Kinko’s Smart Cards Hacked by Zero Day Security

Zero Day Security — Sun, 05 Mar 2006 22:28:59 +0000

FedEx Kinko’s ExpressPay smartcards vulnerable…

Several stories have posted over the past few days about a vulnerability in the ExpressPay smartcard implementation recently exposed by Secure Science Corporation. The attacker who successfully exploits this vulnerability can, anonymously, add value to…

Comment on Fedex Kinko’s Smart Cards Hacked by the 60 billion $$ man

the 60 billion $$ man — Sat, 04 Mar 2006 14:21:05 +0000

FedEx Kinko’s ExpressPay Card (and others?) Hacked…

…

Comment on Fedex Kinko’s Smart Cards Hacked by The.RSS.Reporter

The.RSS.Reporter — Sat, 04 Mar 2006 10:15:00 +0000

=?utf-8?B?RW5nYWRnZXQ=?=…

Today in Engadget: March 3, 2006
http://www.engadget.com/2006/0…oday-in-engadget-march-3-2006/Date: 3/3/2006 5:59 PM Author: Evan Blass
Filed under: Misc. Gadgets
Almost two years ago to the day, a young man
sat…

Comment on Fedex Kinko’s Smart Cards Hacked by Schneier on Security

Schneier on Security — Thu, 02 Mar 2006 13:06:15 +0000

FedEx Kinko’s Payment Card Hacked…

This site goes into detail about how the FedEx Kinko’s ExpressPay stored value card has been hacked. There’s nothing particulary amazing about the hack; the most remarkable thing is how badly the system was designed in the first place. The……

Comment on Fedex Kinko’s Smart Cards Hacked by JinSun

JinSun — Wed, 01 Mar 2006 10:37:55 +0000

Nicely done!

http://www.wirah.com

Comment on Fedex Kinko’s Smart Cards Hacked by evan

evan — Wed, 01 Mar 2006 04:22:10 +0000

this is good stuff. great work!

Comment on Recent Haxdoor Distribution Breaks SSL via Pharming by Lance James

Lance James — Sun, 19 Feb 2006 18:27:48 +0000

I liked the explanation Robert, but there is something that you’re under-playing here. The web browser is supposed to do it’s job. The issue isn’t that there is a trojan that can hook into IE and grab all traffic before it’s encrypted, the issue is that it performed a successful man-in-the-middle by using a mixed-certificate technique to bypass the “EDUCATION” of SSL and the authentication. An example of this is here:

http://ip.securescience.net/exploits/ssl_mix.html

This demonstrates 4 frames 2 of which are SSL protected, and 2 which are not. No matter what browser we demonstrate this from, there are no warnings, pop-ups, or anything about non-secure pages, secure pages, and as we all know there is no Lock at the bottom. If you reverse the roll:

https://slam.securescience.com/threats/mixed.html

We see my Cert (which shouldn’t alert, some browsers in mozilla still don’t like Thawte), and we also have two frames with two separate SSL certs on the page. No warnings, and the SSL lock states that it’s what the domain has. This is a problem with cross-user attacks as well as Trojans that Pharm because they easily fake “authentication” which is the intent of SSL for the home user, to authenticate the site and make sure they are there. The education around this for pharming is to use SSL to verify you are at the site. Well - in this report, this proves that not all cases will work.

Comment on Recent Haxdoor Distribution Breaks SSL via Pharming by Someone Else

Someone Else — Sun, 19 Feb 2006 15:43:26 +0000

Have hackers "Broke" SSL?…

Seems that there has been some rumbling that SSL encryption has been broken recently, which is quite……

Comment on Mountain-America.net Phish Uses Valid SSL Certificate by ITDefPat

ITDefPat — Tue, 14 Feb 2006 19:24:25 +0000

First Phishing, next Spear Phishing (targeted Phish)

NOW: Jet-Spear Phishing

There is a trust problem. Looks like Equifax/GeoTrust has broken.

Comment on Microsoft Releases Public Beta of IE 7 by natas

natas — Wed, 01 Feb 2006 20:26:44 +0000

Wow, it sure didn’t take long for an IE7 security advisory to be released: http://www.security-protocols.com/advisory/sp-x23-advisory.txt

Comment on Microsoft Releases Public Beta of IE 7 by Elliott Back

Elliott Back — Wed, 01 Feb 2006 00:19:23 +0000

IE 7 Beta 2: Resources…

Here are some first impressions from around the blogosphere on IE7b2:

Robert McLaws list of related resources
Sean MCB has a few thoughts on the new beta
Chron realizes that this is not a beta, but a preview of a beta
Digg has a choir of anti-MS…

Comment on Swordphish by sandman

sandman — Thu, 26 Jan 2006 04:56:15 +0000

Also, phishers already have scripts to counter this problem. Some of the phish sites won’t accept invalid information as well. So automating this for all phishing urls won’t and can’t work. Another thing, this ruins forensics for the people investigating this, because a lot of times we need to get to the site, and it gets DoS’d.

Comment on Swordphish by Lance James

Lance James — Thu, 26 Jan 2006 04:48:34 +0000

Well, it’s tempting, but technically illegal. It’s considered a DoS attack. Some of the more effective fighting techniques would be something that I practice, ,what I call Robin Hood’ing a phisher. Find the blind drops, steal the data back, returning it to the bank - aka, Data: DOA

Comment on Yahoo! Inc. Phishing Their Own Users? by natas

natas — Tue, 24 Jan 2006 05:40:21 +0000

WOW! That Yahoo session riding vulnerability is pretty serious! :O

Comment on Anatomy of a Phish III Now Available by meneame.net

meneame.net — Mon, 23 Jan 2006 20:01:59 +0000

New group joins the fight against malicious activity!…

This organization focuses on Malicious Activity Awareness and Response, specifically in regards to criminal activity on computers such as phishing, fraud, and malicious software (malware) with the intent of information theft….