[Sunnet Alert] Advisory #283 - OS X (Multiple), Safari (Multiple), Kerberos, BitchX, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Thu Jun 28 20:24:09 EST 2007
Sûnnet Beskerming Alert List Advisory #243
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Week
1.2 Safari (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Week
1.3 Kerberos
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
1.4 BitchX
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Apple Release New Point Release
2.2 What is the Value of Your Credit Card Details?
2.3 New Web Attack Platform Draws Attention
2.4 Consolidation in the Security Industry
2.5 The Tribulations of Government IT
2.6 Vista's Changes Not Enough, Says Google
2.7 French Government BlackBerry use Curtailed
2.8 Symantec's Challenge to SiteAdvisor
2.9 Hey, What are Those Ads Doing?
2.10 Data Theft Incident Worsens
2.11 Quicken Recovery Password Discovered?
2.12 Harry Potter Real-World PSYOPS
2.13 Microsoft.co.uk Loses Face
=====================================
1. SECURITY
1.1 OS X (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
OS X 10.4.9 and earlier (and 10.4.10 and earlier)
-- Technical Description --
A design error in the handling of type 0 routing headers in IPv6 can
lead to bandwidth reduction following the receipt of malicious
network traffic. The 10.4.10 update disables handling of this routing
header in OS X 10.4. Remote code execution vulnerabilities have also
been disclosed, affecting WebCore and WebKit. WebCore vulnerabilities
are in the handling of malicious XMLHttpRequest function calls,
leading to application crashes and arbitrary code execution, while
the WebKit vulnerabilities are in the handling of framesets.
-- Description --
OS X 10.4 (Tiger) has a vulnerability in the way that it handles
IPv6 network traffic, particularly with the handling of various
routing headers. This vulnerability, if exploited by an attacker,
could lead to degraded network performance through the consumption of
network bandwidth and resources. The update from Apple disables
support for the vulnerable component. A couple of malicious
vulnerabilities have also been discovered affecting different
components of OS X's support for handling HTML and JavaScript calls.
In the worst case, these vulnerabilities can lead to a remote
attacker being able to take control over a vulnerable system, or
crashing the application that is accessing those system components.
-- Recommended Action --
Apply OS X 10.4.10 from the Software Update application or from the
Apple Downloads website at the earliest opportunity. Apply Security
Update 2007-006 at the earliest opportunity. If users are also using
the Safari 3 Beta, they will find that a combined Safari Update will
install the Security Update 2007-006 patches alongside the Safari
Update.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
             U   O
Home User   10  10  (Highly Critical)
Corporate   10  10  (Highly Critical)
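The type 0 routing header problem described in 1.1, as an added example that is not from Apple or from the original advisory: a small Python inspector that walks the IPv6 extension-header chain and flags packets carrying a type 0 routing header that still has segments to process, reporting how often the listed addresses repeat (the bandwidth drain comes from the same addresses being listed over and over, so one packet crosses a link many times). The sample packets, addresses and helper names are constructed for the example.

```python
import struct
from collections import Counter
from ipaddress import IPv6Address

# Next-header values for the extension headers this walker understands (RFC 2460).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
IPV6_HDR_LEN = 40


def find_routing_headers(packet):
    """Walk the extension-header chain of a raw IPv6 packet and return one
    (routing_type, segments_left, [IPv6Address, ...]) tuple per routing header.
    Raises ValueError if the packet is not IPv6 or is truncated."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    next_hdr, offset, found = packet[6], IPV6_HDR_LEN, []
    while next_hdr in EXT_HEADERS:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        # Fragment headers are a fixed 8 octets; the others store their length in
        # 8-octet units, not counting the first 8 octets.
        hdr_len = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        if len(packet) < offset + hdr_len:
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            rtype, seg_left = packet[offset + 2], packet[offset + 3]
            body = packet[offset + 8:offset + hdr_len]
            addrs = [IPv6Address(body[i:i + 16]) for i in range(0, len(body) - 15, 16)]
            found.append((rtype, seg_left, addrs))
        next_hdr, offset = packet[offset], offset + hdr_len
    return found


def rh0_report(packet):
    """Return None if the packet carries no type 0 routing header with segments
    still to process, else a dict a filter or IDS rule could log: remaining hops,
    number of listed addresses and how often the most repeated one appears.
    A header with segments_left == 0 has already been fully consumed and is inert."""
    for rtype, seg_left, addrs in find_routing_headers(packet):
        if rtype == 0 and seg_left > 0:
            return {"segments_left": seg_left, "addresses": len(addrs),
                    "max_repeat": max(Counter(addrs).values()) if addrs else 0}
    return None


# --- constructed sample packets (not captured traffic) ---------------------

def _ipv6(src, dst, next_header, payload):
    """Fixed IPv6 header (version 6, hop limit 64) followed by payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def _rh0(addresses, segments_left, next_header):
    """Type 0 routing header listing the given intermediate addresses."""
    body = b"".join(IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBBBI", next_header, len(body) // 8, 0, segments_left, 0) + body


ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # ICMPv6 echo request, checksum left 0
PADN = struct.pack("!BB", ROUTING, 0) + b"\x01\x04\x00\x00\x00\x00"  # hop-by-hop PadN

# Ping-pong list: the same two routers named twice, four hops still to walk.
SAMPLE_RH0 = _ipv6("2001:db8::1", "2001:db8::a", ROUTING,
                   _rh0(["2001:db8::b", "2001:db8::a"] * 2, 4, ICMPV6) + ECHO)
# Same header behind a hop-by-hop header, to exercise chain walking.
SAMPLE_CHAINED = _ipv6("2001:db8::1", "2001:db8::a", HOPOPT,
                       PADN + _rh0(["2001:db8::b", "2001:db8::a"] * 2, 4, ICMPV6) + ECHO)
# RH0 already fully processed (segments_left 0): nothing left to bounce.
SAMPLE_SPENT = _ipv6("2001:db8::1", "2001:db8::a", ROUTING,
                     _rh0(["2001:db8::b", "2001:db8::a"], 0, ICMPV6) + ECHO)
# Plain echo request with no extension headers at all.
SAMPLE_PLAIN = _ipv6("2001:db8::1", "2001:db8::a", ICMPV6, ECHO)

if __name__ == "__main__":
    for name, pkt in [("rh0", SAMPLE_RH0), ("chained", SAMPLE_CHAINED),
                      ("spent", SAMPLE_SPENT), ("plain", SAMPLE_PLAIN)]:
        print(name, rh0_report(pkt))
```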
1.2 Safari (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Safari 3.0 Beta, 3.0.2 and earlier
-- Technical Description --
URL address bar spoofing in the Windows Safari 3 Beta, and cross
domain request flaws allowing JavaScript to modify sites outside of
the original domain. WebCore and WebKit vulnerabilities may lead to
arbitrary code execution or application crashes due to poor handling
of XMLHttpRequest requests and poor frame handling. Adding a page
with a title tag in excess of 1024 bytes to a user's bookmarks can
lead to arbitrary code execution on the Windows Safari 3 Beta.
Successful exploitation of this vulnerability has been achieved, with
exploit samples circulated amongst a small group of recipients.
-- Description --
Several vulnerabilities affecting Safari, WebCore, and WebKit have
been patched by Apple in a cumulative update for the Safari 3 Beta
release for both Windows and OS X. In the worst case, these
vulnerabilities could allow a malicious attacker to take control of a
vulnerable system by tricking a victim into visiting a malicious
site. It should be noted that the vulnerabilities from Security
Update 2007-006 also apply to the Windows Safari 3 Beta
installations, and will be installed alongside the updates to
Safari. Another vulnerability affecting the Safari 3 Beta release on
Windows has been discovered. In this particular vulnerability, adding
a page with an exceedingly long title to a user's bookmarks can lead
to the remote attacker possibly gaining control over the victim's
system. Although exploit code does exist, it has only been made
available to a small group of recipients.
-- Recommended Action --
Consider the use of an alternate browser until Apple is able to
release a patch to address the vulnerability (title tag). Apply
Safari Beta Update 3.0.2 at the earliest opportunity. Users who have
not applied Security Update 2007-006 will also find that it is
applied alongside the Safari beta update.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
             U   O
Home User    8   8  (Very High)
Corporate    8   8  (Very High)
1.3 Kerberos - Remote Hacker Automatic Control
-- Products Affected --
Kerberos, at least version 5-1.6.1
-- Technical Description --
RPC credentials of zero length can crash Kerberos and may lead to
arbitrary code execution. Specifically, the gssrpc__svcauth_gssapi()
function is vulnerable. An integer conversion error in
gssrpc__svcauth_unix() can lead to a crash of Kerberos or arbitrary
code execution. Finally, a stack overflow in rename_principal_2_svc()
can lead to a crash of Kerberos or arbitrary code execution.
-- Description --
Numerous vulnerabilities have been disclosed affecting the Kerberos
authentication protocol, as maintained by MIT. Most of the disclosed
issues can lead to remote attackers taking control over vulnerable
systems. Exploit samples for some of the issues are already privately
held by MIT.
-- Recommended Action --
Administrators and advanced users should apply the updates to
Kerberos as soon as practical.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
             U   O
Home User    9  10  (Critical - Highly Critical)
Corporate    9  10  (Critical - Highly Critical)
1.4 BitchX - Remote Hacker Automatic Control
-- Products Affected --
BitchX 1.1 and prior.
-- Technical Description --
Unchecked bounds in a hash table in hook.c, allowing remote code
execution by a malicious server. Exploit code is readily available
and it is believed to affect all versions of the software (current
exploit code targets the current Linux version).
-- Description --
BitchX is one of the most popular IRC clients that is available for
multiple platforms. Derived from the ircII IRC client, it remains a
popular choice for connecting to IRC. Exploit code has been released
which allows an attacker to take control of a vulnerable system when
a vulnerable version of the software tries to connect to a malicious
server.
-- Recommended Action --
Consider the use of alternate IRC clients, or only connect to
trusted IRC servers while using vulnerable versions of BitchX.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
             U   O
Home User   10  10  (Highly Critical)
Corporate   10  10  (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Apple Release New Point Release
Many people expected Apple to stop releasing point releases for OS X
10.4 (Tiger) after they released OS X 10.4.9 earlier this year,
especially with OS X 10.5 (Leopard) due for release later this year.
Apple's recent release of OS X 10.4.10 has come as a pleasant
surprise, providing new security fixes for networking problems (see
associated Security entry), and general system improvements. Amongst
the improvements for the system are improved support for RAW cameras,
better handling of external USB devices, and improved handling and
support of third party software.
Due to the bundled security fix for IPv6 networking support, it is
imperative that administrators and users apply the update at the
earliest opportunity.
The 25 MB update is available through the Software Update option
under the Apple Menu, or from the Apple downloads site.
2.2 What is the Value of Your Credit Card Details?
In an effort to increase the perceived security of online credit card
transactions, the major credit card providers have been working for a
number of years on the PCI Data Security Standard - a set of
guidelines that provide a minimum baseline considered secure enough
for storing and processing credit card transactions and associated
records.
Version 1.1 of the standard was recently released and web security
researchers are dismayed at the low standard of security required of
vendors in order to be certified as compliant with the PCI DSS 1.1.
This normally wouldn't be a problem, but one of the common
misconceptions about the PCI DSS is that being certified under it
implies a certain level of security exists.
Respected Web Application Security expert, Jeremiah Grossman, points
out that a website or vendor only needs to test (and pass) against
two of the OWASP Top 10 web vulnerabilities - SQL injection, and XSS.
The Open Web Application Security Project (OWASP) list of Top 10 web
vulnerabilities is widely regarded as an accurate and valuable
assessment of the most common and riskiest vulnerabilities present in
web applications and related content. Limiting compliance
requirements to only two of these 10 is being seen as paying lip
service to web application threats.
Making matters even more interesting, the PCI standard goes on to
list several testing techniques that are not permitted to be used in
the process of ascertaining compliance under the two vulnerabilities
that should be tested against.
Unfortunately, compliance under the PCI standard is looking more and
more like many other standards and industry best practices (ISO 9000,
CMM, etc) - a disturbing number of vendors who pass their compliance
with flying colours will only be capable of complying within the
specific guidelines established in the PCI DSS. Their security and
data management practices will be almost as weak as ever, but they
can pass their certification with ease.
As pointed out by Jeremiah Grossman, the standard of security
promulgated in the PCI DSS isn't really going to stop anyone with the
slightest bit of web security attack know-how from getting in, let
alone what a financially-motivated attacker is going to be able to
achieve.
2.3 New Web Attack Platform Draws Attention
When attackers single out websites for attack, whether it is to
deface, infect, or extract sensitive data from, there are a number of
tools that are readily available to automate the process. One such
tool which has recently been created is being linked to a number of
very significant website attacks, where legitimate sites were made to
serve malicious content to site visitors. In just one case, more than
10,000 sites were affected when an Italian ISP was attacked. Other
hosting compromises are not being made as public, even though the
damage is still significant to the sites hosted by them (such as
happened at DreamHost).
More of an exploit framework (sort of like MetaSploit) built in PHP,
the attack tool, dubbed MPack, gives the attacker a number of choices
not only in terms of how the exploit attempts will load on the target
websites, but also in terms of what exploits they want the target
sites to try and load in the victims' browsers. The most widespread
combination being observed at the moment is an IFRAME on the homepage
of affected sites, which then calls back to a hacker-controlled
server and attempts to load a range of exploits that are derived from
previously released public exploit code.
Of significant importance, the victim won't really notice any
difference to their online experience with an affected site, making
it harder for the casual web surfer to identify that something has
gone wrong.
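A defender-side check for the IFRAME injection pattern described above, as an added example that is not part of the original advisory or of any vendor product: it parses a page and flags frames that both load from a host other than the site's own and are styled so the visitor would never see them, which is what makes the compromise invisible to the casual surfer. The sample page, its hosts and the site name are constructed; the hidden-style heuristics are assumptions, not a published rule set.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make a frame invisible: zero size, hidden, or pushed off-screen.
_HIDDEN_STYLE = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
                           r"|display\s*:\s*none|visibility\s*:\s*hidden"
                           r"|(?:left|top)\s*:\s*-\d")


class IframeAuditor(HTMLParser):
    """Record every <iframe> on a page together with two facts an operator cares
    about: does it load from a host other than the site's own, and is it styled
    so that a visitor would never see it."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        # A relative src (no hostname) is served from the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        zero_attr = a.get("width", "") in ("0", "0px") or a.get("height", "") in ("0", "0px")
        hidden = zero_attr or bool(_HIDDEN_STYLE.search(a.get("style", "").lower()))
        self.findings.append({"src": src, "offsite": host != self.site_host, "hidden": hidden})


def all_iframes(html, site_host):
    """Every iframe on the page with its offsite/hidden classification."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    return auditor.findings


def suspicious_iframes(html, site_host):
    """Only the frames that are both off-site and hidden: the injection pattern.
    A visible off-site embed such as a video player is left alone, and so is a
    hidden frame that loads from the site itself (a legitimate widget, or a
    different problem to investigate separately)."""
    return [f for f in all_iframes(html, site_host) if f["offsite"] and f["hidden"]]


# Constructed homepage: one legitimate visible embed, two injected invisible
# frames pointing off-site, and one hidden frame that stays on-site.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
<iframe src="http://203.0.113.9/index.php" width="0" height="0" frameborder="0"></iframe>
<p>Latest news...</p>
<iframe src="http://injected.invalid/go" style="display:none"></iframe>
<iframe src="/local/widget" style="width:0;height:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious iframe:", finding["src"])
```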
With included exploits targeting Microsoft Windows core
vulnerabilities, WinZip ActiveX controls, QuickTime, and a number of
other vulnerabilities, MPack is a significant threat to anybody who
is not maintaining an updated system when going online.
The use of mass webhost compromises to spread the impact of an attack
neatly bypasses the so-called 'protection' that blacklists of known
phishing and malware sites claim to provide. It also means that
advice to only visit trusted sites doesn't really hold up when the
hosting provider is attacked and ALL sites are compromised.
While it is unfortunate and costly that such a large number of
websites have been affected in such a quick manner, it is an
excellent example of the shortcomings of antiphishing and antimalware
initiatives (such as SiteAdvisor) that try and ascertain the safety
of a website prior to the potential victim visiting it. The risk of
improper classification of a site has also increased significantly
with these attacks, more so for hosting providers who are not as
rigorous with their server maintenance and administration.
Researchers at iDefense have tied the emergence of MPack to a group
of Russian criminals who have previously been linked to '0-day'
CPanel exploits (also believed to be relevant to how they are
compromising servers with this set of attacks), though the CPanel
issues were actually known ahead of the exploit evolution (just not
by very long), and to other malicious online activity.
With the rapid spread of affected sites, and the 'anti-malware'
vendors being caught flat-footed, or being unable to adequately
address the threat, it appears that many victims are already
succumbing to the exploits that load when they visit an affected
site. iDefense researchers indicate that more than 80,000 victims
were discovered following just one attack (the number of affected
sites was not mentioned).
2.4 Consolidation in the Security Industry
The pace of consolidation in the Information Security industry
doesn't appear to have slowed very much, with two significant
acquisitions by major IT companies drawing some recent attention.
In the first case IBM acquired Watchfire, a US-based web security
company that offers a range of services to assess, analyse and manage
various web application security and compliance testing elements.
In an almost exactly mirrored move, HP acquired SPI Dynamics, also a
US-based web application and compliance testing company.
Some concerned observers were extremely surprised to see HP acquire a
security company - observing that HP isn't really known for its
Information Security capability.
Others see nothing but potential - identifying the opportunities that
these smaller companies now have to really advance the quality of
their service offerings with major consultant support at client
locations, and the extra reach that they now have as part of a larger
conglomerate (especially at the larger end of the IT industry). This
line of thinking is very optimistic, hoping that the companies don't
get absorbed into the corporate structure and lose what made them
special (as some have claimed happened to ISS after acquisition by IBM).
2.5 The Tribulations of Government IT
In less than a week, two embarrassing reports about major incidents
affecting US government agencies associated with national security
have been reported on in the media.
Hitting various media sources in the last 24 hours was coverage of
comments from senior US Defence officials regarding a successful
network penetration that affected a low-security system, directly
affecting approximately 1,500 email users. While exact details are a
little sketchy, popular consensus based on the available reporting is
that an unknown number of servers used to provide email capabilities
were compromised via some means, and almost 1,500 accounts were
temporarily suspended as system administrators investigated the issue.
This low-threat attack pales in comparison to a report that the
Department of Homeland Security had their network security breached
more than once a day on average over a two year period. The breaches
ranged from virus outbreaks to internal systems being used as hacker
drop boxes (systems maintained for the sole purpose of storing and
disseminating key files used in remote network attacks).
When the agency is mandated as being responsible for maintaining and
managing the Information Security needs of the United States, the
apparently significant holes in their own network security really
open up.
In defence of the DHS, with more than 180,000 employees this rate of
successful attack represents 0.004 attacks per employee over the two
year period. While not all employees will have routine access to a
dedicated networked system, that number can be partially made up by
server farms. Some other observers have suggested that it isn't DHS
that is at fault, but the "security industry and standard
methodologies" that have continued to fail.
Meanwhile, in the UK the head of the National Program for IT (NPfIT),
an ambitious and mis-managed modernisation effort for the National
Health Service, has stood down after ongoing public damnation of the
troubled project. The UK government also came under fire for
overspending on consulting work that appeared to have little
practical benefit.
2.6 Vista's Changes Not Enough, Says Google
After recently gaining a favourable ruling that was going to force
Microsoft to make it easier for third party software developers to
add their own desktop search equivalent to Windows Vista, Google have
issued a statement that the changes haven't gone far enough.
It seems that even though Microsoft have made it easier for the third
party local search products to work, they haven't completely disabled
the inbuilt Vista search and indexing function, nor allowed the third
party applications the opportunity to control or disable the function.
Google's current argument about the steps Microsoft have made seems
similar to the arguments made by the EU after they determined that
Microsoft had not sufficiently opened the APIs that they had been
required to.
Some have seen this as a step too far by the search engine giant.
Pointing out that Google have known about the integrated search
capabilities of Vista since early in Vista's development cycle
(several years ago), critics have slammed Google for not acting
sooner if the issue is so important to them. This change in attitude
towards Google's position appears to be most evident amongst strong
Google supporters.
2.7 French Government BlackBerry use Curtailed
News first surfaced earlier this week that sections of the French
government were enacting guidelines that limit (ban) the use of the
BlackBerry handheld email device by Government employees. The chief
reason being given for the bans is that with the network traffic
associated with the device passing through North American servers,
there are concerns about the ability of foreign intelligence services
(US) being able to spy on the traffic (even though the BlackBerry
servers are based in Canada).
On the surface, the claims could be interpreted as scaremongering or
xenophobia, but with international espionage alive and well, it isn't
as silly as it first sounds. While news of claimed British and
Russian espionage activities has dominated news stories in recent
history (British embassy in Moscow, Polonium-210 poisoning), the US
hasn't avoided coverage of espionage activity within European
borders. The most recent significant case was hacking of the Greek
mobile phone network, but the US has previously used communication
intercepts from France to give Boeing commercial advantage over
Airbus in competitive bidding on airline purchases.
So far the BlackBerry ban has had mixed results, with some successful
bans, and some not so successful.
Government bans on IT equipment from foreign countries do have
precedent. The US government raised concerns about sourcing computer
hardware from Lenovo following the sale of IBM's consumer hardware
division to the Chinese company. Even though the hardware is still
being assembled and shipped from the same factories, the change of
ownership was enough to prompt the concerns.
2.8 Symantec's Challenge to SiteAdvisor
In an unsurprising move, Symantec have announced that they are
developing a number of 'reputation systems' that are going to be
designed to aid users in identifying the relative safety of a website
or file that they are visiting or downloading. Seen as a challenge to
McAfee's SiteAdvisor program, Symantec's systems have been under
development since late 2006.
It will have to be seen whether Symantec's new systems will suffer
from the same technical flaws that plague SiteAdvisor, Google's
malicious site blacklist and other less-known systems.
With these new technologies to be integrated into software suites
already on offer from Symantec, it marks a continuation of the move
from specialised software products to a broad-spectrum multi-faceted
approach to client-side security that the major security vendors have
been taking over recent years.
2.9 Hey, What are Those Ads Doing?
Online advertising is a necessary evil for many company owners
seeking to increase the awareness about their services, and a
valuable asset to popular website owners, who are able to make extra
money from the inclusion of advertising on their site.
Unfortunately, it appears that some Internet Service Providers are
inserting advertising content into the sites that their customers are
browsing, making it appear that the advertising is coming from the
actual site, rather than the ISP. Besides being ethically and morally
questionable, the practice has drawn complaints from site maintainers
who have complained that the inserted advertising is making their
sites non-compliant with web standards and causing the sites to
render differently on web browsers.
Depending on how the practice is looked at, it could be illegal under
a number of different pieces of legislation in various countries. In
the United States it may constitute an unauthorised derived work
($150,000 USD per breach), or it could represent unauthorised reverse
engineering and thus prosecutable via the DMCA. It will take
For the curious, the only advertising that you will ever see on
beskerming.com will be for services and products offered by Sûnnet
Beskerming. We don't use pop ups, pop unders, any other form of
interstitial advertising, third party text advertising, or third
party banner advertising. If you encounter advertisements for other
companies and services while on beskerming.com, please let us know at
the earliest opportunity by emailing us at
customer_support at beskerming.com.
If you are unlucky enough to experience third party advertising while
visiting beskerming.com, you should ensure that your system is clean
of viruses, malware, spyware, and other nasties, and you should
investigate whether your ISP is inserting online advertising into
your browsing experience without your permission.
2.10 Data Theft Incident Worsens
Theft of a backup tape from an intern's car in early June was
originally thought to only affect around 60,000 Ohio state workers
and around 80,000 state welfare recipients. It has now been disclosed
that the backup tape contained records on more than 200,000 Ohio
residents, making it one of the largest personal identity data thefts
in recent months.
It was discovered that the backup tape should contain records on Ohio
residents who had not banked state income tax refund cheques. While
authorities claim that accessing the data will require access to
specialised equipment, software and expertise, it has been pointed
out many times in the past that accessing backup tapes is actually
not all that difficult to achieve.
While the theft is a significant concern, it has highlighted the poor
information management practices applied by the state government.
Apart from having poor policy level guidance for information
management, the practice of encouraging staff to take backup tapes
home for safekeeping also needs to be addressed.
2.11 Quicken Recovery Password Discovered?
Quicken is one of the most popular personal finance software
applications, useful for personal and small business finance, created
by US financial software firm, Intuit.
One of the protection methods used by the software to protect users'
sensitive financial information is to encrypt the data file with
strong encryption, using a password supplied by the user.
In the case that the user has forgotten or otherwise lost their
password, there is a method where Intuit can use a special password
to recover the otherwise-protected financial data.
Russian password-recovery specialist, Elcomsoft, has claimed that the
presence of this extra password is a backdoor that may allow not only
Intuit unrestricted access to users' files, but also US Government
agencies (though this last part is pure speculation).
While the actual encryption method being used to protect the file has
not been defeated, Elcomsoft claim to have recovered the 512-bit RSA
key that is being used by Intuit as the master encryption key. Making
this key recovery more interesting is the claim that Elcomsoft
factored the RSA key in order to extract the details required. This
marks one of the first times that factorisation of an RSA key of this
size has been used to recover protected information.
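To make concrete why factoring the modulus is the same thing as recovering the private key, here is an added textbook illustration that is not Elcomsoft's technique and has nothing to do with Intuit's file format: it factors a constructed toy modulus built from two known primes with Pollard's rho, derives the private exponent from the factors, and decrypts with it. A genuine 512-bit modulus has two roughly 256-bit primes and needs the number field sieve and substantial compute; only the key size differs, the recovery steps are identical.

```python
from math import gcd


def pollard_rho(n, seed=2):
    """Return a non-trivial factor of the composite n using Pollard's rho with
    Floyd cycle detection, retrying with a different polynomial x^2 + c if the
    walk cycles before a factor appears."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1                             # degenerate cycle, change polynomial


def factor_modulus(n):
    """Split an RSA modulus n = p * q into its two primes (smaller first)."""
    p = pollard_rho(n)
    q = n // p
    if p * q != n or 1 in (p, q):
        raise ValueError("factoring failed")
    return (p, q) if p < q else (q, p)


def recover_private_exponent(n, e):
    """Everything after factoring is arithmetic: phi(n) = (p-1)(q-1) gives
    d = e^-1 mod phi(n), which is exactly the private key the modulus was
    supposed to keep secret."""
    p, q = factor_modulus(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def rsa_encrypt(m, e, n):
    """Textbook RSA (no padding), enough to show the round trip."""
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


# Constructed toy key: two known primes near 10^6 give a 40-bit modulus that rho
# factors instantly. Nothing here is Intuit's key or Elcomsoft's method.
TOY_P, TOY_Q, TOY_E = 999983, 1000003, 65537
TOY_N = TOY_P * TOY_Q

if __name__ == "__main__":
    d = recover_private_exponent(TOY_N, TOY_E)
    secret = 123456789
    print("recovered private exponent:", d)
    print("round trip ok:", rsa_decrypt(rsa_encrypt(secret, TOY_E, TOY_N), d, TOY_N) == secret)
```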
This isn't the first time that Elcomsoft or its employees have
attracted attention to themselves. In 2001 Dmitry Sklyarov was
arrested at DefCon following the presentation of techniques designed
to overcome Adobe's eBook protection. These techniques were developed
by Elcomsoft, where Dmitry Sklyarov was an employee at the time. This
incident became known as the Sklyarov affair.
2.12 Harry Potter Real-World PSYOPS
Information was recently leaked to a number of security mailing lists
claiming that the unpublished manuscript for the upcoming Harry
Potter and the Deathly Hallows (due for release in July) had been
stolen via the compromise of a system at the publishing company that
will be responsible for the eventual release of the book.
Claiming to have used nothing more than freely available exploit
information and a little bit of social engineering, the individual
claiming to have stolen the manuscript claims that they found the
manuscript after looking around the system and network that they
gained access to as a result of a publishing company employee
interacting with a malicious email that the attacker sent.
Accompanying the claim on the security mailing lists were key plot
points that were being kept hidden until after the books were to be
released. To complete the appearance of a legitimate breach, the
message that presented the claim had enough grammatical and spelling
errors mixed in with the self-confident hubris that tends to be
displayed when previously unknown individuals are going for fame or
infamy and respect from Information Security researchers.
The only problem was that it was all fake.
Such wild claims presented in a believable manner were guaranteed to
attract a lot of attention from a wide variety of sources, with a
very large number being completely fooled by the 'disclosure'. This
list included:
* More than 200 media outlets (including BBC, CNN, Reuters)
* 10,000+ blogs, and
* Numerous global television reports
Even noted security experts such as Bruce Schneier and the ISC have
been somewhat taken in by the claims, though they do express their
doubts about the veracity of the claims. The ISC use it as an example
as to why it is important to apply appropriate protection to
Intellectual Property and how easy it can be to have everything
completely compromised.
In a followup posting, from a different account, the people behind
the hoax identified that the manuscript had not been stolen, it was a
very well created experiment in Psychological Operations (PSYOPS) as
applied to Information Security / Warfare. The key elements that were
used to create the hoax were:
* A futile but really widespread subject for which a high
expectation is already set worldwide
* A salad of religion, technology and language
* An accurate choice of the entry point in the information flow.
Other significant historical cases where a system compromise has led
to the loss of commercially sensitive information include Valve,
when early stage code and artwork for Half Life 2 was stolen after a
system was compromised; Cisco, where it was claimed that source to
IOS was stolen; and Microsoft, where partial source to Windows 2000
was stolen after a 'shared source' partner suffered a system compromise.
Who was behind the unique PSYOPS operation? From clues scattered
throughout the messages released up until now, it appears that
whoever was responsible is from Europe. Having said that, someone who
is careful enough to create such a believable operation should know
enough about the idioms, phrasing, spelling, and formatting
conventions of various regions to know how to fake their location as
well.
As an example, consider the different methods that can be used to
represent numbers of greater than 1,000. Some countries will use a
comma as the separator between each group of thousands, while others
will use a period - saving the comma for the decimal separator. The
following numbers are equivalent, just differing in representation:
* $100,234,467.23
* $100.234.467,23
Other formatting variations can include using a space as the
thousands separator and placing the currency symbol after the value,
rather than before it.
There are already enough hoaxes and fake manuscripts circulating
about the final volume of Harry Potter - readers who are actively
awaiting the release of the book should just wait until the book is
actually released to find out the key plot secrets they are so keenly
awaiting.
2.13 Microsoft.co.uk Loses Face
It has been some time since a high profile site was defaced publicly,
but it has happened again - this time with Microsoft's UK-based
website (http://www.microsoft.co.uk).
As reported by online defacement archivists, Zone-h, the events
booking component of the website was defaced by a Saudi-affiliated
attacker through a combination of Cross Site Scripting and SQL
injection.
With most high profile defacements, websites are returned to normal
operation in a matter of hours. In this case, it appears that the
site stayed compromised for some time, and it now appears that the
whole microsoft.co.uk website is offline.
This isn't as bad as it first seems, as most of the UK-specific
content for Microsoft exists on other subdomains belonging to
microsoft.com.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.