February 1, 2013 
UPnP Pwnage and Hacked Journalists
This week is rife with security news. If you want the quick highlights, you’ve come to the right place. Today’s video covers a few Yahoo XSS vulnerabilities, some serious UPnP security flaws, and the alleged China-based hack of the New York Times. Watch the video below for details.
Also, if you are interested in some other stories I didn’t have time to cover in the video, make sure to check out the Reference section for links to these extras.
Thanks for watching, and see you next week.
(Episode Runtime: 10:00)
Direct YouTube Link: https://www.youtube.com/watch?v=azjZ0dFxnR4
Episode References:
- Yahoo XSS flaws lead to account compromise - The Next Web
- H.D. Moore releases extensive UPnP Security Research - WGSC
- NYT alleges that they were hacked by Chinese attackers - New York Times
- WSJ says they were hacked by China too - The Wall Street Journal
- EXTRAS
- FBI looking for who leaked details about US and Stuxnet - Naked Security
- XSS attacks increast 160% in Q4 2013 - Computing.co.ul
- Apple fixes iOS and AppleTV security issues - Apple
- Anonymous defaces government web sites - Fast Company
- Browser malware leverages SPF protocol – NetworkWorld
- Critical VLC Player vulnerability fixed - InfoWorld
- Malware infects over half a million Chinese Android phones - NBC News
- “Sexploitation” hacker arrested - The Register
- FBI looking for who leaked details about US and Stuxnet - Naked Security
Cross-site scripting and SQL injection attacks (similar with discussed in video and in extras article) are considered, let’s say “complicated malicious activities”, and if you will deeper analyze their technical nature – you will came to conclusion, similar with this:
- Your employees, responsible for development of SQL Web applications (or dedicated testers), should make multiple check on stability of developed applications by revealing and applying potentially dangerous SQL queries to the applications. That should be done during testing period. It’s the way to proper data sanitization and secure the application code.
- Multilayer protection should be provided for the perimeter networks of a company, hosting externally accessed services. And the firewalls with advanced security services can play their indispensable role to provide “defense-in-depth” for IT-resources.
I agree… I always recommend web developers at least look at OWASP.org to learn about some secure web development practices. Network security appliances, like the ones WatchGuard provides, and even more focus Web Application Firewalls (WAF), can help protect you during the “vulnerability window” when new flaws are found (because no coder is perfect)… but still the real solution is secure coding!