Showing posts with label Web App Sec.

November 6, 2010

HTTP DDOS May Be in Your Website's Future

I found some interesting research work recently. Attackers have a new technique that can be used against your websites: HTTP DDOS.
Researcher Wong Onn Chee discovered a way to slow a website down, or even take it down, by sending POST requests to the website very slowly, gridlocking its connections. It's similar to RSnake's Slowloris HTTP DDOS attack; however, unlike Slowloris, this slow POST attack can't be mitigated by load-balancers.

Check it out:
http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=228000532
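As an added example (not from the article or from Wong Onn Chee's research): a request-body reader that defeats a slow POST by giving the sender a fixed initial time budget and extending it only in proportion to the bytes that actually arrive, the idea Apache's mod_reqtimeout implements with `RequestReadTimeout body=20,MinRate=500`. `FakeClient` and its simulated clock are constructed stand-ins for a real socket so the block runs offline; the exact budget arithmetic is this example's own assumption, not a copy of Apache's implementation.

```python
import socket


class SlowBodyError(Exception):
    """Raised when a request body arrives too slowly or not at all."""


def read_body(conn, content_length, clock, initial_timeout=20.0,
              min_rate=500, chunk_size=4096):
    """Read content_length bytes from conn (socket-like: recv(n), settimeout(s)).
    clock is e.g. time.monotonic. The sender gets initial_timeout seconds up
    front plus one second per min_rate bytes delivered, so a trickle of a few
    bytes per packet never earns enough time to finish and hold the worker."""
    start, body = clock(), bytearray()
    while len(body) < content_length:
        deadline = start + initial_timeout + len(body) / min_rate
        remaining = deadline - clock()
        if remaining <= 0:
            raise SlowBodyError(f"budget exhausted at {len(body)}/{content_length} bytes")
        conn.settimeout(remaining)  # never block past the deadline
        try:
            chunk = conn.recv(min(chunk_size, content_length - len(body)))
        except socket.timeout:
            raise SlowBodyError("read timed out waiting for body") from None
        if not chunk:
            raise SlowBodyError("client closed before body was complete")
        body += chunk
    return bytes(body)


class FakeClient:
    """Constructed socket stand-in: delivers per_call bytes every `delay`
    simulated seconds and honours settimeout() the way a real socket would."""
    def __init__(self, total, per_call, delay):
        self.left, self.per_call, self.delay = total, per_call, delay
        self.now, self.timeout = 0.0, None
    def clock(self): return self.now
    def settimeout(self, seconds): self.timeout = seconds
    def recv(self, n):
        if self.delay > self.timeout:  # the socket would time out first
            self.now += self.timeout
            raise socket.timeout()
        self.now += self.delay
        k = min(n, self.per_call, self.left)
        self.left -= k
        return b"a" * k


def attempt(client, content_length):
    """Run read_body against a client; return the body, or the SlowBodyError."""
    try:
        return read_body(client, content_length, clock=client.clock)
    except SlowBodyError as exc:
        return exc
```

`attempt(FakeClient(10_000, per_call=4096, delay=0.01), 10_000)` returns the whole 10 kB body, while a slow POST client sending one byte every 10 s, `FakeClient(10_000, per_call=1, delay=10.0)`, is rejected with a SlowBodyError at roughly simulated second 20 rather than occupying the worker for the 100,000 s it would otherwise need.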

July 31, 2010

Even security conferences suffer from vulnerabilities


Whoops, it looks like the folks who developed the registration website for the Blackhat security conference have a little security issue themselves. As Michael Coates reported, the website that is used to register for access to some of the live talks from the conference is vulnerable to a hack where an attacker could obtain free access to paid content.

For a fee, the conference offers access to select talks that are streamed live. Well, Michael found a vulnerability where he was able to access the stream without providing his credit card. Oops.

The good news out of all of this is that the company that developed the website responded quickly to Michael's call and had a fix installed within 4 hours. Further, Michael followed responsible disclosure and did not disclose the issue until after the site was fixed.

June 2, 2010

Using SQL injection to compromise your internal LAN



I just recently discovered this great post by web app security guru Rafal Los about how, via SQL injection, he was able to (if he hit the button) compromise an internal LAN. Nice.

Check out Rafal's cool blog.