<?xml version='1.0' encoding='UTF-8' ?>
<rss version='2.0' xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Blog Feed for AppFail</title>
        <description>Latest Blog Posts for AppFail</description>
        <link>http://www.appfail.com/</link>
        <atom:link href="http://www.appfail.com/feed/" rel="self" type="application/rss+xml" />
        <language>en-us</language>
        <lastBuildDate>Fri, 24 May 2013 06:09:21 UTC</lastBuildDate>
        <generator>MyOmicron/0.5.2330</generator>
        <atom:generator version="0.5.2330" uri="http://www.myomicron.com/">MyOmicron/0.5.2330</atom:generator>
        <webMaster>appfail@shellfusion.ca (Webmaster)</webMaster>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs>

        <item>
            <title>Comodo SSL Certificate Authority Breach</title>
            <link>http://www.appfail.com/read/304/Comodo-SSL-Certificate-Authority-Breach/</link>
            <description>
                &lt;p&gt;
    On March 23rd Comodo CA Limited, a major SSL Certificate Authority, announced that on March 15th, one or more of their Registration Authorities was compromised, and a number of SSL certificates were fraudulently issued for such important sites as Google, Gmail, Yahoo, Mozilla, live.com and Skype. The purpose of the compromise appeared to be the circumvention of the SSL encryption to these sites via a man-in-the-middle attack to allow eavesdropping on communications to these sites. If successfully executed, such an attack could sign malware that appeared to be official Mozilla software, as well as compromising credentials and all communications via Gmail, Yahoo Mail, and Hotmail.
&lt;/p&gt;

            </description>
            <pubDate>Thu, 14 Apr 2011 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/304/Comodo-SSL-Certificate-Authority-Breach/</guid>
        </item>


        <item>
            <title>Password Security Misconceptions</title>
            <link>http://www.appfail.com/read/184/Password-Security-Misconceptions/</link>
            <description>
                &lt;p&gt;
A &lt;a href=&quot;http://lifehacker.com/5505400/how-id-hack-your-weak-passwords&quot;&gt;recent article&lt;/a&gt; by John Pozadzides only seemed to reinforce some old misconceptions about passwords and do more harm than good. Things have changed significantly and people need to be aware of the implications of changes in how passwords are stored, and in the tools that are available to crack them. Read on as I explain the ins and outs of protecting your password and the data behind it.
&lt;/p&gt;


            </description>
            <pubDate>Sat, 3 Apr 2010 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/184/Password-Security-Misconceptions/</guid>
        </item>


        <item>
            <title>The anatomy of a DoS attack</title>
            <link>http://www.appfail.com/read/178/The-anatomy-of-a-DoS-attack/</link>
            <description>
                &lt;p&gt;
Crawling Twitter earlier, I came across a website that was offline due to a denial of service attack, and the owner was not sure when or if it would be back online. This piqued my interest and made me wonder what type of attack the site was suffering from, as some types can be successfully mitigated by experienced administrators. With this article I&#039;ll explain some of the different types of attack and mitigation techniques.
&lt;/p&gt;


            </description>
            <pubDate>Fri, 2 Apr 2010 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/178/The-anatomy-of-a-DoS-attack/</guid>
        </item>


        <item>
            <title>IRC Network loses its services database</title>
            <link>http://www.appfail.com/read/175/IRC-Network-loses-its-services-database/</link>
            <description>
                &lt;p&gt;
In recent days, the WyldRyde IRC network lost their services database, when one of their accounts was suspended and deleted by the shell provider. Apparently their backups of the services database were stored on that same shell account.
&lt;/p&gt;

            </description>
            <pubDate>Sat, 5 Dec 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/175/IRC-Network-loses-its-services-database/</guid>
        </item>


        <item>
            <title>Network Solutions data breach goes undetected for months</title>
            <link>http://www.appfail.com/read/160/Network-Solutions-data-breach-goes-undetected-for-months/</link>
            <description>
                &lt;p&gt;Network Solutions&#039; web servers were compromised, and some extra code was added to their payment processing service, allowing the perpetrators to syphon off the credit card information for all transactions processed through the service. This breach not only affected customers of Network Solutions, but the customers of the over 4500 e-commerce sites that use the service.
&lt;/p&gt;

            </description>
            <pubDate>Sat, 25 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/160/Network-Solutions-data-breach-goes-undetected-for-months/</guid>
        </item>


        <item>
            <title>Microsoft's new shiny product, has a failure?</title>
            <link>http://www.appfail.com/read/172/Microsoft&#039;s-new-shiny-product,-has-a-failure?/</link>
            <description>
                As I am just now sitting down to write this, a week after &lt;a href=&quot;http://www.gnomedex.xom&quot;&gt;Gnomedex&lt;/a&gt;, I have come to realize just about everything can crash in this world. So last week we were sitting at the conference playing with Microsoft&#039;s new big shiny toy, the &lt;a href=&quot;http://www.microsoft.com/surface/&quot;&gt;Surface&lt;/a&gt; (side note: this is a really neat thing and is fun to use). We got to meet a lot of people and all toss our cards on it. Nearing the end of the conference most people were playing games on it and looking up places on the maps. Then as we are closing down, they are shutting down the machines. We had a total of 3 of them at 12,500 each. Expensive coffee tables.

Now comes the good part. As they get to the third machine and start the shutdown process, the familiar sight that just about all Windows machines do at least once: &lt;a href=&quot;http://images.ageekslife.net/index.php?album=gnomedex&amp;image=3847133647_3d69025dfe.jpg&amp;z&amp;p=full-image&quot;&gt;it blue screens&lt;/a&gt;. Wow, what a sight! As the Microsoft people dive for the cable and Phil tackles him, people scramble to take a picture of the sight.

Luckily we walked away with one of the few photos of this and are now saying not even Microsoft is immune from their own software.

By the way, all of the Surface machines run on Vista 32-bit, as &quot;Windows 7 is not released to the public yet&quot; is what I was told.

Thanks for letting us have fun on the machines and letting us get close enough to take a picture of this ultimate failure of Windows.

            </description>
            <pubDate>Sun, 30 Aug 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/172/Microsoft&#039;s-new-shiny-product,-has-a-failure?/</guid>
        </item>


        <item>
            <title>USSS caught in rare security fail</title>
            <link>http://www.appfail.com/read/169/USSS-caught-in-rare-security-fail/</link>
            <description>
                &lt;p&gt;Both secret and sensitive documents from the United States Secret Service, having to do with the presidential safe-house and motorcade routes, have been leaked via P2P file sharing networks.
&lt;/p&gt;

            </description>
            <pubDate>Thu, 30 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/169/USSS-caught-in-rare-security-fail/</guid>
        </item>


        <item>
            <title>HostGator loses its cool over a rumor</title>
            <link>http://www.appfail.com/read/163/HostGator-looses-its-cool-over-a-rumor/</link>
            <description>
                &lt;p&gt;HostGator, one of the many &quot;unlimited&quot; hosting for $4.95 providers out there (claims to host 2.2 million domains), seems to have gotten a bit scared by, or tried to capitalize on being the first to take proactive steps against a supposed 0day OpenSSH flaw.
&lt;/p&gt;

            </description>
            <pubDate>Mon, 27 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/163/HostGator-looses-its-cool-over-a-rumor/</guid>
        </item>


        <item>
            <title>Rogers Communications Fails to Communicate</title>
            <link>http://www.appfail.com/read/157/Rogers-Communications-Fails-to-Communicate/</link>
            <description>
                &lt;p&gt;Rogers Communications Inc. (TSX: RCI.A, TSX: RCI.B, NYSE: RCI), the largest communications company in Canada, has had an entirely inaccessible website for most of the day today. It seems to be a failure of some kind in their Java Server, which is normally masked by a friendly error message, but even that only seems to be working about 10 percent of the time.
&lt;/p&gt;


            </description>
            <pubDate>Mon, 13 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/157/Rogers-Communications-Fails-to-Communicate/</guid>
        </item>


        <item>
            <title>Mouthy Blogger Talks Shit About XHTML</title>
            <link>http://www.appfail.com/read/154/Mouthy-Blogger-Talks-Shit-About-XHTML/</link>
            <description>
                &lt;p&gt;A mouthy blogger over at lockergnome has posted claiming that HTML5 spells the death of XHTML. Read on as I rip him to shreds while explaining what is actually happening.
&lt;/p&gt;

            </description>
            <pubDate>Fri, 10 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/154/Mouthy-Blogger-Talks-Shit-About-XHTML/</guid>
        </item>


        <item>
            <title>Don't be a failure, ask an expert</title>
            <link>http://www.appfail.com/read/151/Don&#039;t-be-a-failure,-ask-an-expert/</link>
            <description>
                &lt;p&gt;
Got a question that requires some technical prowess and would be of interest to the AppFail audience? &lt;a href=&quot;/contact&quot;&gt;Submit a question&lt;/a&gt; and you are eligible to win one of two $25 USD Gift Certificates from &lt;a href=&quot;http://www.shopsharksystems.com/&quot;&gt;ShopSharkSystems.com&lt;/a&gt; - AppFail&#039;s favourite hardware supplier. As always, if you have an idea for a new story, or a tip on a developing situation, let us know, and we&#039;ll attribute you in the post, and link to your blog or twitter stream.
&lt;/p&gt;

            </description>
            <pubDate>Thu, 9 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/151/Don&#039;t-be-a-failure,-ask-an-expert/</guid>
        </item>


        <item>
            <title>Rackspace customers fanatical about downtime</title>
            <link>http://www.appfail.com/read/139/Rackspace-customers-fanatical-about-downtime/</link>
            <description>
                &lt;p&gt;Rackspace customers have become frantic about the lack of so-called &amp;quot;Fanatical Support&amp;quot; as they have suffered for over a week with power and network outages.
&lt;/p&gt;

            </description>
            <pubDate>Tue, 7 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/139/Rackspace-customers-fanatical-about-downtime/</guid>
        </item>


        <item>
            <title>Microsoft DirectX remote failure</title>
            <link>http://www.appfail.com/read/133/Microsoft-DirectX-remote-failure/</link>
            <description>
                Attackers over the weekend found a remote hole for taking over websites. The exploit was a zero-day exploit, which means it was released and used on the same day. &lt;br /&gt;
&lt;br /&gt;
The information flowing through the web says it was first reported on a Danish website, then released from there (milw0rm anyone?). Anyway, read on to see what this vulnerability is about.
            </description>
            <pubDate>Mon, 6 Jul 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/133/Microsoft-DirectX-remote-failure/</guid>
        </item>


        <item>
            <title>US-CERT Update</title>
            <link>http://www.appfail.com/read/64/US-CERT-Update/</link>
            <description>
                The US-CERT (read United States Computer Emergency Readiness Team) has released an update on the 26th about new phishing scams on the internet.&lt;br /&gt;
&lt;br /&gt;
The marked increase in Spam, Phishing, and Malicious Code attacks related to recent celebrity deaths has sparked growing concerns that many users are still overly susceptible to social engineering and other human attack vectors.&lt;br /&gt;
&lt;br /&gt;

            </description>
            <pubDate>Sun, 28 Jun 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/64/US-CERT-Update/</guid>
        </item>


        <item>
            <title>Identi.ca Fails during upgrade</title>
            <link>http://www.appfail.com/read/58/Identi.ca-Fails-during-upgrade/</link>
            <description>
                &lt;p&gt;
Identi.ca, the premier instance of the &lt;a href=&quot;http://laconi.ca/&quot;&gt;Laconi.ca OpenMicroBlogging platform&lt;/a&gt;, attempted to perform an upgrade to 0.8.0 as a final test before releasing the new version, and the site has been pretty much entirely down ever since.
The developer&#039;s blog blames the problem on their new cloud hosting provider, who seems to have promised more than they can deliver.
&lt;/p&gt;

            </description>
            <pubDate>Fri, 26 Jun 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/58/Identi.ca-Fails-during-upgrade/</guid>
        </item>


        <item>
            <title>Big news brings down the big news sites</title>
            <link>http://www.appfail.com/read/61/Big-news-brings-down-the-big-news-sites/</link>
            <description>
                &lt;p&gt;
If the news of a pop star dying is enough to cripple the biggest sites on the internet, what would happen if there was a truly important news item of global interest? This is a matter of the utmost urgency: what if something serious were to happen, and you couldn&#039;t find out about it?
&lt;/p&gt;

            </description>
            <pubDate>Fri, 26 Jun 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/61/Big-news-brings-down-the-big-news-sites/</guid>
        </item>


        <item>
            <title>WebCT fails at password hashing</title>
            <link>http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/</link>
            <description>
                &lt;p&gt;
WebCT, the popular Learning Management System used at many post-secondary institutions, fails at implementing password hashing.
The use of an outdated cryptographic hashing function makes WebCT vulnerable not only to offline brute-force attacks, but also to shoulder surfing and other password guessing techniques. WebCT contains sensitive information such as grades, but also in-progress and submitted assignments, which if stolen could result in a charge of Academic Dishonesty (plagiarism) and result in possible lost credits or expulsion.
&lt;/p&gt;


            </description>
            <pubDate>Thu, 25 Jun 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/</guid>
        </item>


        <item>
            <title>What is an Infrastructure Fail anyway?</title>
            <link>http://www.appfail.com/read/46/What-is-an-Infrastructure-Fail-anyway?/</link>
            <description>
                &lt;p&gt;
Infrastructure is all the various bits that hold a website up, like the piers of a bridge, or the legs of a chair. For your average blog or forum the most common failure is overloading the database, which happens when unoptimized queries lock tables for too long, or when a single database just cannot handle the volume of queries that are coming in. When any one part of that &lt;a href=&quot;/infrastructure/&quot;&gt;infrastructure fails&lt;/a&gt;, the entire site comes crashing down. In this brief article Security Analyst Allan Jude examines some of the common pitfalls of infrastructure design. 
&lt;/p&gt;

            </description>
            <pubDate>Wed, 24 Jun 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/46/What-is-an-Infrastructure-Fail-anyway?/</guid>
        </item>


        <item>
            <title>What makes Security Fail?</title>
            <link>http://www.appfail.com/read/52/What-makes-Security-Fail?/</link>
            <description>
                &lt;p&gt;
The most common cause of Security Fails is improper implementation: people who do not fully understand the concepts involved trying to engage in complicated crypto. We&#039;ll be profiling a number of different security fails that we know about, and we would love it if you could point out any that you happen to know about or find. FreeBSD Security Officer and all-around security guru Colin Percival offers his advice on what is the &lt;a href=&quot;http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html&quot;&gt;Cryptographic right answer&lt;/a&gt;.
&lt;/p&gt;
&lt;p style=&quot;text-align: right&quot;&gt;By: Allan Jude&lt;/p&gt;

            </description>
            <pubDate>Wed, 24 Jun 2009 00:00:00 UTC</pubDate>
            <guid>http://www.appfail.com/read/52/What-makes-Security-Fail?/</guid>
        </item>


        <item>
            <title>First</title>
            <link>http://www.appfail.com/read/37/First/</link>
            <description>
                &lt;p&gt;
AppFail.com profiles some of the biggest and most spectacular failures of (Web) Applications, Infrastructure, Design and Security on the internet. &lt;em&gt;A wise man learns by the mistakes of others, a fool by his own.&lt;/em&gt;
&lt;/p&gt;

            </description>
            <pubDate>Sat, 27 Jun 2009 18:23:56 UTC</pubDate>
            <guid>http://www.appfail.com/read/37/First/</guid>
        </item>


        <item>
            <title>Test app fail</title>
            <link>http://www.appfail.com/read/40/Test-app-fail/</link>
            <description>
                Welcome to AppFail.com. We will test your apps, websites, security and see how bad it will fail. If you have a site that is on Digg and you go down when a link is posted... You need us.
            </description>
            <pubDate>Fri, 19 Jun 2009 00:45:15 UTC</pubDate>
            <guid>http://www.appfail.com/read/40/Test-app-fail/</guid>
        </item>

    </channel>
</rss>
