Web App Security


    Mozilla Security Blog

  • Distrusting New CNNIC Certificates

    kwilson
    2 Apr 2015 | 10:36 am
    Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident. After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate…
  • Introducing Project Seasponge: Quick and Easy Threat Modeling

    Jeff Bryner
    2 Apr 2015 | 9:09 am
    Threat modeling is a crucial but often neglected part of developing, implementing and operating any system. If you have no mental model of a system or its strengths and weaknesses it is extremely difficult to secure it correctly. In an effort to help make threat modeling easier a Mozilla Winter of Security (MWOS) team has developed Seasponge, a browser-based graphical threat modeling tool. Written specifically for the browser environment, the tool requires no special addons or plugins and allows one to quickly and easily diagram a system and its data flows and begin the important work of…
  • Revoking Trust in one CNNIC Intermediate Certificate

    kwilson
    23 Mar 2015 | 3:23 pm
    Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into…
  • Introducing Masche: memory scanning for server security

    Julien Vehent
    12 Mar 2015 | 1:34 pm
    Mozilla operates thousands of servers to build products and run services for our users. Keeping these servers secure is the primary concern of the Operations Security team, and the reason why we have built Mozilla InvestiGator (MIG), a cross-platform endpoint security system. MIG can inspect the file system and network information of thousands of hosts in parallel, which greatly helps increase visibility across the infrastructure. But until recently, it lacked the ability to look into the memory of running processes, a need that often arises during security investigations. This is where…
  • Revoking Intermediate Certificates: Introducing OneCRL

    mgoodwin
    3 Mar 2015 | 2:06 pm
    Users of Firefox from Firefox 37 will be protected by a new feature called OneCRL. This is a new mechanism we have introduced to push lists of revoked intermediate certificates to the browser. Using OCSP for certificate revocation doesn’t serve users very well. For online revocation checks, either you have a system that fails open or you accept the performance penalty of checks that are more strict (as is the case for EV certificates). OCSP stapling can remove the need for live revocation checks, but currently, only around 9% of TLS connections use it. OneCRL helps speed up revocation…

    Unmask Parasites. Blog.

  • “Fancybox for WordPress Has Expired” Infection

    Denis
    1 Apr 2015 | 5:24 am
    Today I began to notice quite a massive and very unusual attack that leverages vulnerabilities in older versions of the FancyBox for WordPress plugin. As you might know, versions 3.0.2 and older of this plugin allowed anyone to craft special POST requests to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php and change values of specific plugin options in the WordPress database. The plugin uses the modified options to build its own JavaScript code. As a result, the malicious content gets injected into generated WordPress pages. A typical malicious injection looks like this: Such attacks use the…
  • Darkleech Update – November 2014

    Denis
    27 Nov 2014 | 3:10 am
    Just wanted to document some latest changes in Darkleech behavior that may help you detect it. I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details. Quick recap Darkleech is a root level server infection that installs malicious Apache modules. The modules inject invisible iframes into server response when it is already prepared (linebreaks added for readability). <style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h"> <ifr ame…
  • Most Contradictive Doorway Generator

    Denis
    12 Sep 2014 | 11:57 am
    Check this thread on WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing. The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me. First of all, this script has a random text and code generator. The output it generates is [kind of] always unique. Here is a couple of output pages: http://pastebin.com/ymwMZMWP http://pastebin.com/Y6B7WM2T ... <title>Is. Last spots brows: Dwelling. Immediately moral.</title> </head>…
  • Google -> Doorway -> Google -> Spam

    Denis
    11 Jun 2014 | 11:32 am
    Just a few thoughts about an interesting behavior of a black-hat SEO doorway. Typically hackers create doorways on compromised sites to make search engines rank them for certain keywords and then, when searchers click on the links in search results, those doorways redirect them further to a site that hackers really promote. Sometimes that redirect may go through some TDS (traffic directing service) but the whole scheme remains pretty much the same: Search results -> doorway -> beneficiary site Today, when doing a backlink research of one of such pharma doorways, I encountered a different…
  • Working With the Darkleech Bitly Data

    Denis
    10 Feb 2014 | 9:08 am
    Data Driven Security took the time to analyze the raw data that I published in my recent post on Sucuri blog about how I used Bitly data to understand the scale of the Darkleech infection. In their article, they have a few questions about data formats, meaning of certain fields and some inconsistencies, so I’ll try to answer their questions here and explain how I worked with the data. So I needed to get information about all the links of the “grantdad” bitly account. I checked the API and somehow missed the “link_history” API request (it was the first time I…

    Liquidmatrix Security Digest

  • RSA Parties 2015

    Dave Lewis
    14 Apr 2015 | 8:32 pm
    Nothing like waiting until the very last minute to post an RSA Parties 2015 list. Day jobs + kids = you get the idea. That being said, I’m happy to note that Akamai Technologies (my day job) will be hosting a party this year in conjunction with AT&T. Be sure to come out and meet @csoandy, @billbrenner70, @mckeay and myself @gattaca. Now, this is a simple curated RSA Parties 2015 list but, if you want the mother lode be sure to check out @RSAParties for the rest. If you really want to have your party listed just drop me a line via tips AT liquidmatrix DOT org. This table works…
  • Four Security Exhibits That Won Without “Booth Babes”

    Bill Brenner
    30 Mar 2015 | 4:25 am
    After last week’s post on RSA Conference banning so-called booth babes, I heard from a lot of people who agree vendors need to find other ways to attract attention during security conferences. One reader correctly noted that this unfortunate phenomenon isn’t the result of bad intentions. It’s just that some marketing teams don’t know any better. They assume the booth babes work because they see others using them. What to do about it? Give marketing practitioners some examples of successful exhibits that succeeded without the sexism. Here are four examples of exhibits…
  • RSA’s Move to Ban Booth Babes

    Bill Brenner
    26 Mar 2015 | 3:33 am
    The language above has been added to exhibitor contracts for RSA Conference 2015. Zenobia Godschalk, a communications practitioner in the security industry and vocal critic of so-called “booth babes” at conferences like RSA and Black Hat, dropped me a line to say RSA added the language to force vendors to stop with the skimpy clothing. It appears the years of blowback over booth babes have had an effect, at least in RSA’s case. In an email, Zenobia said, “We are thrilled to report that RSA has actually changed their language in their vendor agreements this year! It now…
  • What “Hug-Gate” Says About The Infosec Community

    Bill Brenner
    23 Mar 2015 | 4:07 am
    Every once in a while, someone in the security community says something on Twitter that ignites emotional discussion (some call it drama). This past weekend, it started with a comment about hugs. Someone commented that some security cons involve a lot of hugging and that it makes her uncomfortable. Someone responded with a comment about the benefits of hugs. Then all hell broke loose. Why, the first person asked, do people get offended for not wanting hugs at these events? After all, isn’t it well proven that our industry is loaded with people who suffer from social disorders? Some…
  • Reflections

    Dave Lewis
    8 Mar 2015 | 7:36 pm
    I find myself sitting in a hotel room in some random city this evening with a glass of wine, several open powerpoint decks and Family Guy on the television. A moment of reflection if ever there was one. It occurs to me that Liquidmatrix just had its 17th birthday in February. That is a helluva long time for a website of any description. It has been a lot of fun to see the site grow from an insanely (ugly) basic HTML site to a heavily trafficked site with multiple members either writing or podcasting. I’ve been making a lot of architectural changes to the site and now, I’m going to…

    Zscaler Research

  • CryptoWall 3.0 Campaign Still Kicking

    Chris Mannon
    8 Apr 2015 | 9:14 am
    A scary proposition for organizations and consumers alike is the possibility of being hit by a ransomware campaign. Ransomware threats have been known to spread through targeted spam campaigns, compromised WordPress sites, or Exploit Kits. The purpose of this attack is to encrypt all files on the victim's system and extort the user for money to gain access to their sensitive files. Attackers
  • Angler Exploit Kit Utilizing 302 Cushioning and Domain Shadowing

    John Mancuso
    3 Apr 2015 | 6:31 pm
    Overview Angler Exploit Kit is one of the most prevalent and advanced exploit kits in use today and is continually evolving. Angler continues to utilize malvertising to push landing pages and malicious actors are still registering domains solely for serving exploits, but recently, we've noticed an increase in two new infection vectors - 302 Cushioning and Domain Shadowing. 302 Cushioning, or a
  • Mobile App Wall of Shame: Wattpad

    viral
    2 Apr 2015 | 10:43 am
    Wattpad Price : Free Category : Books & Reference Platform : Android Updated : Mar. 23, 2015 Version : 4.21 Size : 11.18 MB Language : English Vendor : Wattpad.com Background: Wattpad is the world's largest community for readers and writers and was established in 2006. Users are able to post articles, stories, fan fiction and poems about anything they like. The content includes work by
  • March Madness Ads, Scams, and Malware

    Ed Miles
    20 Mar 2015 | 5:00 pm
    Introduction March Madness is officially upon us, with the last games of the round of 64 taking place today. As is usual with events that have such a level of interest, bad actors across the internet will be trying to get their cut of the action through topical spam advertising and phishing as well as search engine poisoning to draw ad revenue and in some cases, deliver malicious software.
  • njRAT & H-Worm variant infections continue to rise

    Deepen Desai
    20 Mar 2015 | 8:46 am
    Introduction njRAT Trojan, also known as Bladabindi, is a Remote Access Tool (RAT) that was first seen in 2013 and has been extremely prevalent in the Middle Eastern region. njRAT was developed using Microsoft's .NET framework and, like many other RATs, provides complete control of the infected system and delivers an array of features to the remote attacker. We have seen attackers leveraging

    Mozilla Hacks - the Web developer blog

  • Creating a mobile app from a simple HTML site: Part 2

    Piotr Zalewa
    16 Apr 2015 | 8:00 am
    Or: Making our simple app work for others In the first part of this series, which began late last year, we worked through the process of developing a school planner app. At this point (see the final code from Part 1) we’ve got multiple school plans displayed at once, and we’ve got Web, iOS and Android support via Cordova. Let’s imagine that others have seen the benefits and would like to use our app as well. Creating an app tailored to them should be possible by simply replacing one file (let’s name it www/app_data/plans.json) with their family’s data and making…
  • Drag Elements, Console History, and more – Firefox Developer Edition 39

    J. Ryan Stinnett
    14 Apr 2015 | 7:25 am
    Quite a few big new features, improvements, and bug fixes made their way into Firefox Developer Edition 39. Update your Firefox Developer Edition, or Nightly builds to try them out! Inspector The Inspector now allows you to move elements around via drag and drop. Click and hold on an element and then drag it to where you want it to go. This feature was added by contributor Mahdi Dibaiee. Back in Firefox 33, a tooltip was added to the rule view to allow editing curves for cubic bezier CSS animations. In Developer Edition 39, we’ve greatly enhanced the tooltip’s UX by adding various…
  • Mobile game development with the Device Orientation and Vibration APIs

    Andrzej Mazur
    8 Apr 2015 | 9:52 am
    The market for casual mobile gaming is keeping pace with the growing market for smartphones. There are Web tools that can help web developers like you build games that compete with native games. You’ll need great execution to stand out from the crowd – using the JavaScript APIs correctly can help. For game development, you’ll want to understand the Device Orientation API and the Vibration API. Cyber Orb Cyber Orb is a simple HTML5 game demo created using the Phaser framework. I was interested in Phaser as a mobile game framework, because it’s fast, optimized for…
  • Trainspotting: Firefox 37, Developer Edition and More

    dietrich
    7 Apr 2015 | 7:49 am
    Welcome to Trainspotting, a new series on Mozilla Hacks designed to help the busy Web developer keep up with what’s new, what’s changed and what is coming soon in all of the Firefoxes, the Web platform, and the tools for building the Web! Mozilla develops Gecko and Firefox on a “train model” – we branch the code and ship a release on a time-based schedule (every six weeks). If a feature is not finished, it’s reverted or disabled and has to, as we say, ride the next train. This means we ship new features, performance improvements, and bug fixes to users every six weeks,…
  • Peering Through the WebRTC Fog with SocketPeer

    Potch
    2 Apr 2015 | 9:10 am
    WebRTC allows browsers to do things they never could before, but a soup of unfamiliar terminology and the complexity of the API makes for a steep learning curve. After spending several weeks neck-deep in example code and cargo-culting several libraries, I have emerged with a workable understanding and a nifty library that helps hide some of the complexity of WebRTC for its simplest use case of two way peer-to-peer communication. But before I start talking about the library, it helps to understand a bit of what it abstracts away. Alice and Bob (and ICE and NAT and STUN and SDP) When two…

    Ajaxian » Front Page

  • Intent to deprecate and remove: JavaScript

    Michael Mahemoff
    1 Apr 2015 | 7:40 am
    Blink has been a frequent source of innovation ever since it forked and a bold proposal on the Blink list today is no exception. We’re all about deprecation and removal around here, so Konstantin Nikitin’s idea created quite a buzz at Ajaxian HQ. Removing JavaScript will lead to significant performance improvements: — A lot of problems with inappropriate usage of blocking scripts will be solved. — Code of the whole project will become more readable and easy to understand. — Security will be improved dramatically. — Battery consumption decrease is going to be > 86.3%.
  • Scaling up CSS

    Michael Mahemoff
    5 Sep 2014 | 9:05 pm
    CSS has a habit of creeping up on you. If you’re not careful, your humble stylesheet can go from a few flourishes to a giant maintenance tangle. Before you can say “12-deep nested div”, you’re in a world of duplication and complexity that prevents you from making timely user-interface updates. [Medium's](https://medium.com) one organisation that’s been through the growing pains of CSS and Jacob Thornton (“Fat”) has an in-depth case study we can all learn from. Medium’s CSS is actually pretty f***ing good is the claim and it’s hard to argue with the…
  • Mobile Proxies: A New Era Dawns

    Michael Mahemoff
    7 Mar 2013 | 6:35 pm
    This week, Chrome For Android M26 was announced. It has the literally-awesome ability to record video via `getUserMedia()`, but enough about making Skype irrelevant. What’s even more interesting is the new data compression feature. Which, to be clear, is experimental, has to be switched on, doesn’t apply to secure (SSL) sites, and it’s only running in the beta app. With this feature, Google will be delivering streamlined responses, leading to substantial performance improvements and bandwidth savings. In the latest Mobile Web Thursday’s, Google’s Pete Le Page…
  • Here comes Traversty traversing the DOM

    jvaughan
    1 Nov 2012 | 6:59 pm
    The Traversty DOM utility has as its purpose to allow you to traverse the DOM and manage collections of DOM elements. Proponents admit core Traversty traversal methods are inspired by Prototype’s DOM Traversal toolkit, but now in a multi-element environment that is more like jQuery and less like Prototype’s single element implementation.
  • Fat Fractal enters the BaaS fray

    jvaughan
    26 Sep 2012 | 7:24 pm
    What has sometimes been described as mobile middleware has taken a new tack. Now, the idea of Backend as a Service (BaaS) has begun to take off in the mobile application development space. Proponents of BaaS say it helps developers easily build mobile apps, or any other applications connected to a cloud backend. Some of their views suggest a wholly new computer architecture is in the works. Fat Fractal is among the horses running in the BaaS stakes.

    Didier Stevens

  • MS15-034 Detection: Some Observations

    Didier Stevens
    17 Apr 2015 | 2:15 am
    Several detection rules (SNORT, F5, …) are being published these days to detect exploitation of vulnerability MS15-034. If you are making or modifying such detection rules, I want to share some observations with you. MS15-034 can be exploited with a GET request with a specially crafted Range header. Here is the example we’ll use: Range: bytes=2-18446744073709551615 Referring to RFC 2616 section 14.35.1, you can see that this is not the only way to specify a range. Here is the BNF: ranges-specifier = byte-ranges-specifier byte-ranges-specifier = bytes-unit “=”…
  • pdf-parser: A Method To Manipulate PDFs Part 1

    Didier Stevens
    15 Apr 2015 | 5:00 pm
    I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach. Sometimes when I analyze PDF documents (benign or malicious), I want to reduce the PDF to its essential objects. But when one removes objects in a PDF, indexes need to be updated and references updated/removed. To automate this process as much as possible, I updated my pdf-parser program to generate a Python program that in turn, generates the original PDF. Thus when I want to make changes to the PDF (like removing objects), I generate its corresponding Python program, and then I edit this Python…
  • PDF Password Cracking With John The Ripper

    Didier Stevens
    14 Apr 2015 | 5:00 pm
    I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows. It’s not difficult. Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page. Decompress this version. Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB). Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run. Generate the hash for the password protected PDF file (I’m using my…
  • Update: oledump.py Version 0.0.14

    Didier Stevens
    12 Apr 2015 | 5:00 pm
    A new version of oledump (small bugfix and updated plugins). oledump_V0_0_14.zip (https) MD5: 5ECD8BC3BD1F6C59F57E7C74DACCF017 SHA256: 7EEF509D84F7185C299A17882D3BD71481B7B1E41654F463F58492455FBDBD11
  • Quickpost: Maldocs: VBA And Pastebin

    Didier Stevens
    8 Apr 2015 | 1:24 pm
    Since a day or two I’m seeing yet another trick used by malware authors in their VBA macros. The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19. The VBA macro downloads base64 encoded scripts from Pastebin: The scripts are delimited by HTML-like tags like <text10>. Tags that start with stext are scripts for Windows XP systems, and tags that start with text are for Windows Vista and later. This difference is for Powershell: on XP, VBS scripts are executed, and on more recent systems, Powershell scripts are executed. The URL of the payload comes from another…

    Technicalinfo.net Blog

  • Is Upping the Minimum Wage Good for the Information Security Industry?

    16 Apr 2015 | 8:46 pm
    The movement for upping the minimum wage in the US is gathering momentum. Protests and placard waving are on the increase, and the quest for $15 per hour is well underway. There are plenty of arguments as to why such a hike in minimum wage is necessary, and what the consequences could be to those businesses dependent upon the cheapest hourly labor. But, for the information security industry, upping the minimum wage will likely yield only good news. It's hard not to be cynical, but we're already hearing how simple automation will be used to replace most basic unskilled jobs. For technologists,…
  • A cynic’s view of 2015 security predictions (first part)

    20 Jan 2015 | 9:54 am
    Better late than never, but the first of a series of blogs from me covering my ever cynical view of security predictions has now been posted to the NCC Group website. Check out https://www.nccgroup.com/en/blog/2015/01/a-cynics-view-of-2015-security-predictions-part-one/ today. And more to come later this week. I think you'll enjoy it ;-)
  • A Cancerous Computer Fraud and Misuse Act

    15 Jan 2015 | 6:35 pm
    As I read through multiple postings covering the proposed Computer Fraud and Misuse Act, such as the ever-insightful writing of Rob Graham in his Obama's War on Hackers or the EFF's analysis, and the deluge of Facebook discussion threads where dozens of my security-minded friends shriek at the damage passing such an act would bring to our industry, I can't but help myself think that surely it's an early April Fools joke. The current draft/proposal for the Computer Fraud and Misuse Act reads terribly and, in Orin Kerr's analysis, is "awkward". The sentiment behind the act appears to be a…
  • If Compliance were an Olympic Sport

    6 Oct 2014 | 1:52 pm
    First published on the NCC Group blog - 6th October 2014... It probably won’t raise any eyebrows to know that for practically every penetration tester, security researcher, or would-be hacker I know, nothing is more likely to make their eyes glaze over and send them to sleep faster than a discussion on Governance, Risk, and Compliance (i.e. GRC); yet the dreaded “C-word” (Compliance) is a core tenet of modern enterprise security practice. Security professionals that come from an “attacker” background often find that their contention with Compliance is that it represents the lowest…
  • The Pillars of Trust on the Internet

    6 Oct 2014 | 1:48 pm
    As readers may have seen recently, I've moved on from IOActive and joined NCC Group. Here is my first blog under the new company... first published September 15th 2014... The Internet of today in many ways resembles the lawless Wild West of yore. There are the land-rushes as corporations and innovators seek new and fertile grounds, over yonder there are the gold-diggers panning for nuggets in the flow of big data, and crunching under foot are the husks of failed businesses and discarded technology. For many years various star-wielding sheriffs have tried to establish a brand of law and order…

    CERIAS Combined Feed

  • CERIAS 2015 Symposium Now Online!

    Gene Spafford
    9 Apr 2015 | 2:12 pm
    The 2015 CERIAS symposium — held March 24 & 25, 2015 — was wonderful! We had a great array of speakers and panels, and one of our largest audiences in years. The talks were fascinating, the panels provocative, and the student research exciting (as usual). Featured speakers included Sam Curry, CTO and CSO, Arbor Networks; Deborah Frincke, Director of Research, NSA/CSS; and Michelle Dennedy, VP & CPO McAfee/Intel Security. If you were there and want to hear a repeat of a talk, or if you didn’t make it to the symposium and want to hear what went on, visit our website. We have…
  • Indiana to Launch New IN-ISAC and Enhance Cyberdefense Programs

    CERIAS Webmaster
    10 Feb 2015 | 9:34 am
    Unique Indiana state government partnership with Purdue University will also utilize private-sector expertise to defend state networks from next-generation cyberattacks. This breaking news demonstrates that cyberdefense is a top priority for Indiana Gov. Mike Pence. More information »
  • Cybersecurity Issue Goes Beyond the Anthem Headlines

    CERIAS Webmaster
    7 Feb 2015 | 5:46 am
    (Phys.Org) Eugene Spafford, the executive director of Purdue’s Center for Education and Research in Information Assurance and Security, says in the case of Anthem and others, the costs and dangers are hidden. “The personal information they listed can represent a problem for people for years to come,” he said. “That’s information that can be used for identity theft, extortion and to gain people’s trust. So, it really is a big problem, even if medical or credit card information is not given out. The company providing a year or two of credit monitoring won’t fix that.” More…
  • Not so Easy to Buy Privacy: Study Shows How ‘Anonymized’ Credit Card Data Still Identifies

    CERIAS Webmaster
    30 Jan 2015 | 11:26 am
    The study shows that when we think we have privacy when our data is collected, it’s really just an “illusion,” said Eugene Spafford, director of Purdue University’s Center for Education and Research in Information Assurance and Security. Spafford, who wasn’t part of the study, said it makes “one wonder what our expectation of privacy should be anymore.” More information »
  • North Korea’s Internet Outage Was Likely the Work of Hacktivists (The Washington Post)

    CERIAS Webmaster
    23 Dec 2014 | 12:34 pm
    “If the government wanted to do something about this, I would suspect they would do something more targeted toward the leadership rather than just shutting down the network,” said Eugene Spafford, a professor of information security at Purdue University. “Teenagers with botnets regularly shut down networks.” Targeting the financial assets of North Korean leaders (rather than the country’s Internet equipment) would be much more closely aligned with President Obama’s warning of a “proportional response” — and something the White House could accomplish that nameless hacktivists…

    Security Bloggers Network

  • Infosec Haiku

    Chris Merritt
    18 Apr 2015 | 12:04 pm
    Your information-security haiku for this week: Java CPU Released This Week – 14 Bugs Squashed – Please Update Now!   ### Notes ### * Thanks to Ms. Etsuko vdH for the translation. * Thanks to everyone who has contributed their haikus … watch this space to see if yours is published. * Submit Your Own […]
  • 18 Apr 2015 | 12:00 pm

    Kevin Riggins
    18 Apr 2015 | 12:00 pm
  • Faraday Home

    Marc Handelman
    18 Apr 2015 | 9:30 am
    The RAM House by PROKOSS + Space Caviar The ultimate whole-house signal-attenuation device.... Behold, the Faraday Home, perfect for the paranoid amongst us; or, interestingly, those that suf...
  • Saturday Security Maxim

    Marc Handelman
    18 Apr 2015 | 8:30 am
    Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will mi...
  • Critical Magento Shoplift Vulnerability (SUPEE-5344) – Patch Immediately!

    Daniel Cid
    18 Apr 2015 | 8:29 am
    The Magento team released a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It’s been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks. This means hundreds of thousands of websites are… Read More

    blog.hotspotshield.com

  • Hotspot Shield Mother’s Day Giveaway

    Levent Sapci
    17 Apr 2015 | 11:12 am
    Hotspot Shield Mother’s Day Giveaway We are approaching the time of the year again to celebrate and cherish our moms! Mark your calendar: Sunday, May 10th is Mother’s Day! We have arranged a special giveaway for this important celebration! 2 lucky winners will each receive: a $100 gift card, 1-year Hotspot Shield Elite Membership, and a limited edition Hotspot Shield T-shirt We will pick the winners randomly and announce them on Hotspot Shield Facebook, Twitter and G+ pages on Wednesday, May 6. Winners will also be contacted directly via email. Winning tips: complete as many…
  • How To Use Hotspot Shield To Get More Out of Your Netflix Account

    Levent Sapci
    17 Apr 2015 | 8:30 am
    Netflix is the perfect option for a lazy Sunday afternoon or any other time when you need a convenient TV break. It’s also great for when you get into marathon mood and compulsively watch 10 episodes of your favorite show without doing so much as getting up for a bathroom break. The online streaming service offers thousands of movies and shows to viewers in the United States, but Netflix operates in other countries as well — where they offer different program menus. Even some popular movies and shows that you might wish for on Netflix US are available across international borders in…
  • How to Recognize Online Risks

    Robert Siciliano
    14 Apr 2015 | 7:19 am
    Would you give up your bank account and credit card numbers to a stranger on the street after he approaches and asks for them? Of course not. But that’s essentially what people do when they’re tricked by online crooksters into revealing sensitive personal information, including their Social Security numbers. One of the most common ways this is done is through phishing. The phishing attack is when the thief sends out thousands of the same e-mail. If enough people receive the message, sooner or later someone will take the bait. The bait may be a notice you’ve won a prize; a warning that…
  • Public Wi-Fi Checklist: 7 Things to Remember Before Signing On

    Levent Sapci
    10 Apr 2015 | 8:45 am
    Public Wi-Fi is everywhere. According to BBC News, there is one hotspot to 150 people worldwide. Of course, in some countries, the ratio is a lot smaller. In the United Kingdom, for instance, there is one hotspot for every 11 people. Indeed, it is easier to connect than ever before, whether you are just stopping to check your email or you want to settle in for a while and take care of some serious work. No one denies that public Wi-Fi is convenient, but it doesn’t come without its drawbacks. Before you hop on that enticing public network, make sure you’ve taken steps to protect…
  • Watch Game of Thrones Season 5 on HBO from Any Country

    Peter Nguyen
    7 Apr 2015 | 4:47 pm
    Attention Game of Thrones fans, Season 5 of the popular fantasy drama TV series is scheduled to premiere on April 12, 2015! Yup! Just another 2 weeks away and I will be glued to the TV, watching every episode that rolls out. Game of Thrones is HBO’s most popular TV series ever. The good news is that you can now watch each episode in real time without subscribing to a cable service! HBO just released its streaming service, called HBO NOW, which allows you to stream its content on the Internet for $14.99/month and good news, first month of service is free! It is available in the iOS App…

    HackerOne News & Security Blog

  • The Wolves of Vuln Street - The First System Dynamics Model of the 0day Market

    13 Apr 2015 | 5:00 pm
    HackerOne has been working with economics and policy researchers from MIT and Harvard to study the economic forces behind the 0day market. Here's what they found.
  • Meet The Newest Member of the HackerOne Team: Stepto, Director of Hacker Success

    6 Apr 2015 | 5:00 pm
    At HackerOne we believe in the power of the research community as an effective way to harden any attack surface. Encouraging, promoting and protecting security research has been integral to our mission since day one. As a key next step in fulfilling this commitment, we are thrilled to announce that Stepto has joined the HackerOne team as the Director of Hacker Success.
  • What's in a Name?

    25 Feb 2015 | 4:00 pm
    While there are many interpretations of the word "hacker," we choose to pay homage to the original MIT hackers by using the term in our company name. We favor their early definition of a hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations."
  • Proposed Changes to the Computer Fraud and Abuse Act, Austin Powers, and You

    15 Jan 2015 | 4:00 pm
    Many security professionals, hackers, lawyers, law enforcement, and members of the media are keenly interested in the White House's proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), some of the proposed changes that represent the biggest concerns center around expanded language that poses an increased risk to performing many vulnerability research and security testing activities, and even reporting on breaches.
  • The Tale of the Privacy Pink Panther

    4 Jan 2015 | 4:00 pm
    Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.