
Tuesday, February 26, 2008

Legendary Hackers Launch Google Attack Tool

Washington - A hacker group calling itself 'Cult of the Dead Cow' has released a free tool named Goolag. Goolag is claimed to make it easier for hackers to carry out their activities by taking advantage of the popular search engine site, Google.

This open-source software lets hackers use Google to look for security holes in sites on the Internet. Using Google for hacker activity of this kind has reportedly been common, but in a very complicated way.

Goolag is claimed to be easy to use, both for hackers and for computer security experts who want to use it. Its technique is based on technology developed by a researcher at Computer Sciences Corp, Johnny Long.

As quoted by detikINET from the Washington Post, Tuesday (26/2/2008), Johnny spent years researching how Google can be used to find security holes in the sites it indexes.

Reportedly, there are already many tools of this kind. However, Goolag is predicted to become popular because its creator, 'Cult of the Dead Cow', is reportedly a hacker group that was quite legendary in the late 90s. This hacker group once created software named 'Back Orifice' that is able to break into computers running the Windows operating system.

"I don't think this is anything really new, but I think Goolag makes hacking via Google easier," said Robert Hansen, creator of the computer security site sectheory.com.
www.detikinet.com

Thursday, January 17, 2008

Microsoft Excel Threatened by Hackers

Jakarta - Microsoft has warned of a security hole in its popular application, Microsoft Excel. The hole, present in several versions of the Excel spreadsheet program, can be exploited by cybercriminals.

The security hole allows hackers to craft malicious Excel documents. If such a document is opened, the computer system can be taken over, along with the important data on it. The problem is reported to be fairly risky because Excel is often used to prepare important business documents.

The security hole affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.

However, Microsoft states that those who have installed Office Service Pack 3 (SP 3), which includes an update for Excel, are not affected. As quoted by detikINET from PCWorld, Thursday (17/1/2008), the SP was released by Microsoft in September 2007.

The attack can happen in several ways. For example, an e-mail with a malicious Excel attachment is sent and, if opened, can cause harm. Hackers can also create a site containing a malicious Excel file.

Microsoft has not yet announced a patch for this security hole. It said that people affected by the attack can contact Microsoft or the relevant law enforcement authorities. (fyk/fyk)

www.detikinet.com

Friday, November 23, 2007

Mozilla beefs up security with Firefox 3

The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security.

Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that are hosting malicious code. The beta version of the browser also checks plugins to make sure they are compatible with the software and uses a secure download mechanism for updates.

"There is a lot of code that has changed, but I don't think there is a lot more code," Mike Schroepfer, vice president of engineering for the group, told SecurityFocus. "We have actually excised old code, and there are a couple of areas where we dug out the component and rewrote the whole thing."

Web sites have become an increasingly important vector for malicious and fraudulent software. Earlier this month, attackers defaced hundreds of Web sites -- and thousands of pages -- embedding hidden iframe code to redirect visitors to malicious download sites. Yet, while such techniques can affect Firefox as well as Internet Explorer, attackers have generally left the open-source browser alone, despite it having a greater number of flaws.

Security features have become a point of competition between Mozilla and Microsoft. A year ago, when both organizations launched their latest browsers, they both claimed to have a better -- albeit, very similar -- anti-phishing solution.

Mozilla has included several user interface improvements to help users understand the risks of a particular Internet site. Clicking on the favicon, the small icon for the site at the left of the URL (uniform resource locator), will drop down a box containing identity information about the site. The group also rewrote the Password Manager in JavaScript from C++ to eliminate memory errors, Schroepfer said.

The Mozilla Foundation has not given a release date for the final version of the Firefox 3 browser.

Wednesday, November 21, 2007

Top 10 Web application vulnerabilities for 2007

A1 - Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2 - Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.