( Maslina Salleh )
Principal Assistant Director [KPP(IT-P)1]
Application Development Unit ( Licence Sub-System )
Information Technology Division
Headquarters, Road Transport Department Malaysia (Jabatan Pengangkutan Jalan Malaysia)
Jalan Teknokrat 5
63000 Cyberjaya
SELANGOR DARUL EHSAN
Tel  : 03-83211200 ext 1205
Fax  : 03-8320 1272
------------------------------------------------------------------------------------------------------

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, 21 April, 2010 8:26 PM
To: [email protected]
Subject: Owasp-Malaysia Digest, Vol 18, Issue 22

Send Owasp-Malaysia mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.owasp.org/mailman/listinfo/owasp-malaysia
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Owasp-Malaysia digest..."


Today's Topics:

   1. Re: VS-DB : Vulnerable Sites Database (Mohd Fazli Azran)
   2. Brute Force Password Guessing!!! (Mohd Fazli Azran)
   3. Botnet slides (Mohamad Faizul Zulkifli)
   4. Hakin9 Is Now FREE (SK Lim)
   5. Re: Hakin9 Is Now FREE (BRIAN RITCHIE)
   6. Re: Hakin9 Is Now FREE ([email protected])


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Apr 2010 00:05:41 +0800
From: Mohd Fazli Azran <[email protected]>
Subject: Re: [Owasp-Malaysia] VS-DB : Vulnerable Sites Database
To: Adnan bin Mohd Shukor <[email protected]>
Cc: owasp-malaysia <[email protected]>
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

 I think this site is for eyes only!!! Keep it for your reference. Telling the public
about other websites being injected, especially government or private sites, is not
really nice. It's a bad boy attitude. Just informing the site admin about their web
is the proper way, or inform MyCERT or GCERT about it. Thanks

On Tue, Apr 20, 2010 at 3:44 PM, Adnan bin Mohd Shukor <
[email protected]> wrote:

> FULL DISCLOSURE VULNERABLE SITES DATABASE
> http://www.vs-db.info/
> (ROLF!)
>
> P/S: Just for your info :)  I'm NOT pointing this out to turn it into
> our playground, or saying that public disclosure is good
> _______________________________________________
> Owasp-Malaysia mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
>
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>



-- 
Regards,
Mohd Fazli Azran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100421/6faf6206/attachment-0001.html

------------------------------

Message: 2
Date: Wed, 21 Apr 2010 00:09:54 +0800
From: Mohd Fazli Azran <[email protected]>
Subject: [Owasp-Malaysia] Brute Force Password Guessing!!!
To: owasp-malaysia <[email protected]>,    mysecurity
        <[email protected]>
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="windows-1252"

A few articles to refresh ourselves and for reference.

"Last night a webmaster for a pretty large website mentioned that he was
having problems with people doing password guessing against known user
lists. This is a really common problem in the web application security
world. It's trivial to mount large scale password guessing attacks against
websites, and there's very little you can do about it. First, let me explain
the three different types of password guessing brute force attacks:

*Vertical* Vertical password guessing is where you start with a single known
userid and you throw thousands of passwords at the script, testing each one
in succession. These are by far the easiest to detect because the way
databases are set up, it's trivial to set up a counter for the number of
times a userid has been tested. Once it reaches a limit you ask the user to
do something special (unlock an account or otherwise).

*Horizontal* Horizontal password guessing attacks use the same password but
request many different usernames. This is much harder to detect for a few
reasons. First, the password is staying the same but generally people don't
have a database of attempted passwords, and passwords aren't unique anyway,
so that wouldn't help. Secondly, a table of guessed passwords per username
is irrelevant, as they are only guessing one username/password pair at a
time, and the username changes. Thirdly and most importantly, you cannot
separate the guessing by IP address because of companies like AOL who use
massive super proxies and route thousands of people through the same
account.

*Diagonal* Diagonal password guessing is by far the hardest. Not only does
the attacker shift the username, but they also shift the password on each
guess. There is relatively no way to stop this type of user except banning
their IP address or asking them to remedy in some way or another, which is
easy enough to defeat by simply changing IP addresses. And if they come
through an AOL proxy, you're out of luck because then you are asking all of
your AOL users to remedy who came through that proxy (which could be upwards
of 30k users or more). That may or may not be a big deal depending on what
the remedy is and how many AOL users you have.

There are certain things I don't recommend. For instance what PassMark did
to Bank of America <http://www.net-security.org/secworld.php?id=4132>. You
don't want to block your users outright when their password fails. This just
sets up a situation where competitors can deny service to all your users
simply by enumerating through them in the most obvious ways to get you to
block the accounts.

One common way to get around this is to ask a user for a CAPTCHA as a
remedy. Of course, that represents problems for accessibility, but that can
be mitigated as I have discussed in previous posts. Another way is to ask
the user to limit their account by IP addresses. Give them a few days to
tell you all the IP address ranges that they'll be logging into (optionally)
and let them limit access to their account. That way outliers from those IP
ranges will set off alerts, or at minimum you don't have to allow access, so
the attacker will waste time.

However you end up doing it, it really won't stop a determined attacker,
but it will make it so difficult it may be easier to attack other targets.
'I don't have to run faster than the bear, I just have to run faster than
you.'"

-- 
Regards,
Mohd Fazli Azran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100421/51d28dc0/attachment-0001.html
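The three guessing patterns and the detection limits the quoted article describes, as an added example that is not code from the article or from the poster: a small Python detector run over constructed auth-log lines. The log line format, the thresholds (USER_FAIL_LIMIT, IP_USER_SPREAD), the traffic generators and the IP addresses are all assumptions made for this example, and the traffic is synthetic, not captured data.

```python
"""Toy detectors for vertical / horizontal / diagonal password guessing.

Added example, not code from the quoted article or the poster.  The log
format, thresholds and traffic shapes below are assumptions.  Each
constructed log line has the form

    <ts> <OK|FAIL> user=<name> ip=<addr>

Passwords are (correctly) never logged, so a detector can only key on the
username and the source address, which is exactly the article's constraint.
"""
from collections import defaultdict

# Assumed thresholds for the example; real values are a tuning decision.
USER_FAIL_LIMIT = 5    # failures against one username before a step-up
IP_USER_SPREAD = 10    # distinct usernames failing from one source address


def parse_line(line):
    """Split one constructed auth-log line into a dict."""
    ts, result, user_kv, ip_kv = line.split()
    return {"ts": ts, "ok": result == "OK",
            "user": user_kv.split("=", 1)[1], "ip": ip_kv.split("=", 1)[1]}


def analyse(lines):
    """Aggregate failures per username, failing usernames per IP, successes per IP."""
    fails_per_user = defaultdict(int)
    failing_users_per_ip = defaultdict(set)
    ok_per_ip = defaultdict(int)
    for ev in map(parse_line, lines):
        if ev["ok"]:
            ok_per_ip[ev["ip"]] += 1
        else:
            fails_per_user[ev["user"]] += 1
            failing_users_per_ip[ev["ip"]].add(ev["user"])
    return fails_per_user, failing_users_per_ip, ok_per_ip


def flag_vertical(fails_per_user):
    """The per-userid counter the article calls trivial: catches vertical only."""
    return {u for u, n in fails_per_user.items() if n >= USER_FAIL_LIMIT}


def flag_horizontal_by_ip(failing_users_per_ip):
    """Spread of failing usernames per IP.  Catches a horizontal sweep from one
    address, but fires just as readily on a shared proxy whose users mistype."""
    return {ip for ip, users in failing_users_per_ip.items()
            if len(users) >= IP_USER_SPREAD}


def remedy(user, ip, flagged_users, flagged_ips):
    """Per-attempt step-up.  Deliberately never returns 'lock': locking on
    failures lets anyone deny service to a user by guessing against that name."""
    return "captcha" if user in flagged_users or ip in flagged_ips else "allow"


# --- constructed traffic (synthetic, not real logs) ------------------------
def vertical_attack(n=50):
    # one known userid, many passwords, one source address
    return [f"t{i} FAIL user=alice ip=203.0.113.7" for i in range(n)]


def horizontal_attack(n=100):
    # one password, many usernames, one source address
    return [f"t{i} FAIL user=user{i:03d} ip=198.51.100.9" for i in range(n)]


def diagonal_attack(n=100):
    # new username AND new source address on every guess
    return [f"t{i} FAIL user=user{i:03d} ip=192.0.2.{i % 254 + 1}" for i in range(n)]


def shared_proxy_traffic(n_users=200, typo_every=13):
    # legitimate users behind one big proxy; about 1 in 13 mistypes a password
    return [f"t{i} {'FAIL' if i % typo_every == 0 else 'OK'} user=staff{i:03d} ip=203.0.113.200"
            for i in range(n_users)]


def evaluate(lines):
    """Run both detectors over a batch and return what each one flagged."""
    fails_per_user, failing_users_per_ip, ok_per_ip = analyse(lines)
    return {"users": flag_vertical(fails_per_user),
            "ips": flag_horizontal_by_ip(failing_users_per_ip),
            "ok_per_ip": dict(ok_per_ip)}


if __name__ == "__main__":
    for name, traffic in [("vertical", vertical_attack()),
                          ("horizontal", horizontal_attack()),
                          ("diagonal", diagonal_attack()),
                          ("shared proxy", shared_proxy_traffic())]:
        r = evaluate(traffic)
        print(f"{name:13s} flagged users={sorted(r['users'])} ips={sorted(r['ips'])}")
```

Run stand-alone it prints what each detector flags for each traffic shape: the per-userid counter catches only the vertical run; the per-IP spread catches the horizontal sweep but also flags the shared proxy, whose 16 mistyped passwords out of 200 logins look identical to an attacker from that address (the false positive the article attributes to AOL-style super proxies); and the diagonal run with a rotating source address defeats both detectors. That is why `remedy` answers with a CAPTCHA step-up rather than a lockout, matching the article's warning about blocking accounts outright.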

------------------------------

Message: 3
Date: Wed, 21 Apr 2010 17:37:32 +0800
From: Mohamad Faizul Zulkifli <[email protected]>
Subject: [Owasp-Malaysia] Botnet slides
To: [email protected]
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

http://staff.mybsd.org.my/ded1/BOTNET/

-- 
73 de 9W2PJU

http://9w2pju.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100421/b74b2214/attachment-0001.html

------------------------------

Message: 4
Date: Wed, 21 Apr 2010 20:19:43 +0800
From: SK Lim <[email protected]>
Subject: [Owasp-Malaysia] Hakin9 Is Now FREE
To: [email protected]
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset=UTF-8

Hakin9 security magazine has removed its subscription-based model and now
offers it FREE to the community.  You may get the first issue on
April 30th, and you can download 6 issues of the 2009 past circulation. It
has been a premium quality magazine and I hope this is going to be maintained.

Enjoy reading.


------------------------------

Message: 5
Date: Wed, 21 Apr 2010 20:28:19 +0800
From: BRIAN RITCHIE <[email protected]>
Subject: Re: [Owasp-Malaysia] Hakin9 Is Now FREE
To: SK Lim <[email protected]>
Cc: [email protected]
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Thanks for the heads up. This is great news indeed.

On Wed, Apr 21, 2010 at 8:19 PM, SK Lim <[email protected]> wrote:

> Hakin9 security magazine has removed its subscription-based model and now
> offers it FREE to the community.  You may get the first issue on
> April 30th, and you can download 6 issues of the 2009 past circulation. It
> has been a premium quality magazine and I hope this is going to be maintained.
>
> Enjoy reading.
> _______________________________________________
> Owasp-Malaysia mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
>
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100421/19603e0e/attachment-0001.html

------------------------------

Message: 6
Date: Wed, 21 Apr 2010 12:31:02 +0000
From: [email protected]
Subject: Re: [Owasp-Malaysia] Hakin9 Is Now FREE
To: [email protected]
Cc: [email protected]
Message-ID:
        <1951740730-1271853059-cardhu_decombobulator_blackberry.rim.net-1062217375-@bda062.bisx.prodap.on.blackberry>
Content-Type: text/plain; charset="Windows-1252"

Great
Sent from my BlackBerry® wireless device via Vodafone-Celcom Mobile.

-----Original Message-----
From: BRIAN RITCHIE <[email protected]>
Date: Wed, 21 Apr 2010 20:28:19 
To: SK Lim<[email protected]>
Cc: <[email protected]>
Subject: Re: [Owasp-Malaysia] Hakin9 Is Now FREE


------------------------------


End of Owasp-Malaysia Digest, Vol 18, Issue 22
**********************************************
