Web App Security

  • Most Topular Stories

  • Hackers are evolving – 2015 version – History of Internet and Application Security

    Quotium
    irene
    26 Jan 2015 | 6:14 am
    Hackers are Evolving, your Application Security Must Evolve too: Don’t be the Hacker’s Next Lunch! Our timeline about Internet history and the evolution of Application Security, updated with a summary of 2014's hacking events. The post Hackers are evolving – 2015 version – History of Internet and Application Security appeared first on www.quotium.com
  • Tighter Control Over Your Referrers

    Mozilla Security Blog
    Sid Stamm
    21 Jan 2015 | 5:40 am
    The purpose of the HTTP Referer (sic) header is to help sites figure out where their traffic comes from. However, as the Web got more complex, the amount of information in the Referer header ballooned, leading to bigger privacy problems. Firefox Beta supports a new feature to help sites protect their users’ privacy by changing the Referer header. HTTP Referer provides a wealth of information about where you came from to the sites you visit, but this context isn’t always necessary (or desired). In addition, it is an unreliable tool for authenticating the origin of an HTTP request unless…
  • The Oracle of Security Flaws

    Liquidmatrix Security Digest
    Bill Brenner
    21 Jan 2015 | 12:45 pm
    When it comes to patching vulnerabilities, Oracle does nothing small. In its latest quarterly CPU (Critical Patch Update), the database giant hands its customers 169 new security fixes affecting many products. The full patch matrix is here. SiliconANGLE offers a decent analysis of the vulnerabilities and patches. From Maria Deutscher’s report: One flaw that drew an outsized amount of attention is a misconfiguration affecting the enterprise technology stalwart’s popular E-Business Suite, which “gobsmacked” its discoverer, in his own words. David Litchfield, a U.K.-based expert on…
  • Malvertising leading to Flash Zero Day via Angler Exploit Kit

    Zscaler Research
    Deepen Desai
    22 Jan 2015 | 10:59 am
    UPDATE [01/25/2015]: Adobe released an update yesterday (APSA15-01) for CVE-2015-0311 that fixes the zero day exploit mentioned in this blog. Given the number of exploit attempts we are seeing for this vulnerability in the wild, it is critical for users to update the Adobe Flash player to the latest version 16.0.0.296. Background: Earlier this week, Kafeine published a blog mentioning an
  • Bypassing the IE XSS filter

    The Spanner
    Gareth Heyes
    7 Jan 2015 | 1:06 pm
    Mario noticed that the new version of the IE filter blocks anchors in an attempt to prevent the same origin bypass where you double encode the vector and post a link to itself. I had to take a look and see if I could break it and…of course I did. The regex is very generic:- <a.*?hr{e}f This could cause problems with information disclosure if you can put something in between the “a” and “href” and detect if the filter is active, which I’ll admit is pretty tricky now with the new protection against such attacks. Anyway, let’s move onto the vectors. I literally…
    Mozilla Security Blog

  • Mozilla at HITB Malaysia

    Paul Theriault
    10 Nov 2014 | 4:18 pm
    The Mozilla security team was proud to be part of Hack In The Box (HITB) 2014, held from 15-16 October 2014 in Kuala Lumpur (KL), Malaysia. Mozilla has been involved in HITB for several years now, and this year’s HackWEEKDAY contest was probably the best we’ve seen so far. HackWEEKDAY is a contest where contestants develop mobile apps (Firefox OS or any other platforms allowed) in a bid to win glory and prizes. The competition was fierce this year, with over 75 developers and 4 hours of judging! Notable entries included a Firefox extension which used Snort rules to block browser…
  • The POODLE Attack and the End of SSL 3.0

    rbarnes
    14 Oct 2014 | 4:15 pm
    Summary: SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer”…
  • CSP for the web we have

    mgoodwin
    4 Oct 2014 | 1:47 am
    Introduction: Content Security Policy (CSP) is a good safety net against Cross Site Scripting (XSS). In fact, it’s the best one and I would recommend it to anyone building new sites. For existing sites, implementing CSP can be a challenge because CSP introduces some restrictions by default and, if the code was written without these restrictions in mind, work will be required. Also, working around these issues can negate the benefits of applying a policy in the first place. In particular, inline scripts require thought; they’re commonly used and, if they’re allowed by your…
  • RSA Signature Forgery in NSS

    Daniel Veditz
    24 Sep 2014 | 6:29 pm
    Issue: A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your safety on the internet. Impact to Users: Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from…
    Liquidmatrix Security Digest

  • “Hackers. It’s time to Unite”

    Bill Brenner
    19 Jan 2015 | 6:10 am
    Last week I wrote about the new anti-hacking laws President Obama plans to float in his State of the Union address and how the proposals are Draconian at best. I noted that it’s in our power to educate the masses and stop this thing before it becomes law. To that end, I have something to share with you. Derek Watson — better known in the security community as Blak Dayz (blakdayz) — posted the following call to action: Hackers. It’s time to UNITE. With these new proposed laws, they are literally coming for our freedom. If you are interested in joining in a fast…
  • Liquidmatrix Security Digest Podcast – Episode 0x50

    James Arlen
    16 Jan 2015 | 2:41 pm
    Episode 0x50 Revenge of the Fourth We’ve been around, just not… you know… around. It’s best that you do not think about what happened to episodes that were not published. Upcoming this week… Lots of News Breaches SCADA / Cyber, cyber… etc. finishing it off with DERPs/Mailbag (or Deep Dive) And there are weekly Briefs – no arguing or discussion allowed And if you’ve got commentary, please send it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at work.
  • Bad Anti-Hacking Laws: We Can Educate the Public

    Bill Brenner
    15 Jan 2015 | 2:19 pm
    There’s much alarm in the security community over new anti-hacking laws President Obama plans to float in his State of the Union address next week. The alarm is justified. What he proposes, as my friend Rob Graham (@ErrataRob) wrote in this important post, “are blunt political solutions which reflect no technical understanding of the problem.” Obama’s proposed anti-hacking laws are designed to arm companies with legal protections for sharing information with each other and the government about hacking threats. The President believes it’s necessary to help prevent…
  • Microsoft Wrong to Cancel Patch Alerts

    Bill Brenner
    9 Jan 2015 | 5:22 am
    For the last few years I’ve been praising Microsoft for taking great strides to improve security. This morning, I’m tempted to take it all back. For the last decade, Microsoft has issued advance notifications the Thursday before each security patch release. It’s been a valuable service, helping IT security practitioners to be better prepared. Yesterday, the software giant announced it was ending the service, claiming that not enough people are using it. It’s a bad move that comes on the heels of other bad moves, which include slashing a lot of good security talent in…
    Zscaler Research

  • Chanitor Downloader actively installing Vawtrak

    John Mancuso
    9 Jan 2015 | 10:30 am
    We at ThreatLabZ are keeping an eye on a fairly active downloader called Chanitor. This malware is being delivered via phishing emails purporting to be "important" documents, for example, voicemails, invoices, and faxes; all are actually screensaver executables with the extension ‘.scr’. Another unique feature of this downloader Trojan family is the usage of tor2web.org and tor2web.ru over SSL
  • Compromised Wordpress sites serving multiple malware payloads

    rubin azad
    21 Dec 2014 | 9:58 pm
    During our daily log monitoring process, we observe many interesting threat events. One such event led to a compromised WordPress site campaign, which was found to serve multiple malware families including Upatre/Hencitor/Extrat Xtreme RAT/Vawtrak. The URLs which were serving malware were found to adhere to a particular pattern. Infected WordPress sites observed included URLs with "/1.php
  • Top Security Features Added to Android Lollipop

    viral
    21 Dec 2014 | 8:31 pm
    As Google officially rolls out its new operating system Lollipop, let's review some of the enhanced security features added to Android 5.0. Lollipop Kill switch: The most interesting new security feature is the Factory Reset Protection option, which is also known as the “kill switch.” To aid corporate and personal users dealing with
  • Trojanized and Pirated Assassins Creed app

    viral
    11 Dec 2014 | 8:56 pm
    During our daily research, we recently came across Android malware disguising itself as an Assassins Creed app, which is a popular paid gaming application. The malware in question will install a pirated version of the Assassins Creed game that functions normally, making the end user oblivious to the malicious activities it performs in the background. Application information: File MD5 :
    The Spanner

  • Unbreakable filter

    Gareth Heyes
    24 Oct 2014 | 2:13 pm
    I was bored so I thought I’d take a look at Ashar’s filters. I noticed he’d done a talk about it at Blackhat Europe which I was quite surprised at. Then I came across the following blog post about the talk which I pretty much agreed with. That blog post links to his filters so you can try them out yourself. The first one is basically multiple JavaScript regexes which are far too generic to be of any value. For example “hahasrchaha” is considered a valid attack =) because it has “src” in. I’m not joking. The regexes are below. function…
  • MentalJS bypasses

    Gareth Heyes
    24 Jun 2014 | 2:41 pm
    I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne’s vector was outstanding since it bypassed the parsing itself, which is no easy task. The vector was as follows: for(var i i/'/+alert(location);0)break//') Basically my parser was inserting a semicolon in the wrong place, causing a different state than the actual state executed. My fix inserts the semicolon in the correct place. Before the fix the rewritten code looked like this: for (var i$i$; / '/+alert(location);0)break//') As you can see the variables have been incorrectly…
  • mXSS

    Gareth Heyes
    6 May 2014 | 11:51 am
    Mutation XSS was coined by me and Mario Heiderich to describe an XSS vector that is mutated from a safe state into an unsafe unfiltered state. The most common form of mXSS is from incorrect reads of innerHTML. A good example of mXSS was discovered by Mario where the listing element mutated its contents to execute XSS. <listing>&lt;img src=1 onerror=alert(1)&gt;</listing> When the listing’s innerHTML is read it is transformed into an image element even though the initial HTML is escaped. The following code example shows how the entities are decoded. <listing…
  • Java Serialization

    Gareth Heyes
    6 May 2014 | 11:39 am
    In this post I will explore Java serialized applets and how they can be used for XSS. A serialized applet contains code that can be easily stored and loaded. Java supports an attribute called “object” which accepts a URL to a serialized class file; this allows us to load applets of our choosing provided they can be serialized and implement the java.io.Serializable interface. This feature is very old and obscure and I have successfully used the technique to bypass filters that look for very specific XSS patterns. In order to create a serializable Java applet you need the following code…
    hackademix.net

  • Both Your Cheeks

    Giorgio
    16 Jan 2015 | 9:53 am
    Dear pope Francis, Thank you for this chance to punch your face (both cheeks, the way you Christians enjoy best) because your organization routinely defames and insults His Majesty Satan. Sincerely, Your friendly neighbourhood satanist P.S.: a very good article about this from The Guardian. P.P.S.: Yes, I think free thinking, free speech and censorship are very relevant to the Open Web.
  • s/http(:\/\/(?:noscript|flashgot|hackademix)\.net)/https\1/

    Giorgio
    19 Nov 2014 | 3:16 pm
    I'm glad to announce noscript.net, flashgot.net and hackademix.net have finally been switched to full, permanent TLS with HSTS. Please do expect a smörgåsbord of bugs and bunny funny stuff :)
  • Avast, you're kidd... killing me - said NoScript >:(

    Giorgio
    19 Nov 2014 | 5:20 am
    If NoScript keeps disappearing from your Firefox, Avast! Antivirus is likely the culprit. It's gone Berserk and mass-deleting add-ons without a warning. I'm currently receiving tons of reports by confused and angry users. If the antivirus is dead (as I've been preaching for 7 years), looks like it's not dead enough, yet.
  • No Free Professional Service

    Giorgio
    12 May 2014 | 3:32 pm
    This is a real exchange from the NoScript “User Reviews” section at AMO, copied here as a memento and a caveat (for NoScript potential “customers”? for free software developers?), since some or all of it may be edited by its authors or deleted by those nasty AMO editors in the near future. Deception and rude treatment of users Rated 1 out of 5 stars by JamesOnTheWay on May 12, 2014 My negative review was deleted; therefore, I no longer have confidence in NoScript or its developer. I was not looking for a bug fix. I was warning potential users away, which is permitted in the…
  • NoScript and FlashGot Unsigned

    Giorgio
    20 Jul 2013 | 11:36 am
    Notice to mariners: starting with NoScript version 2.6.6.9 (ATM still a RC) and next version of FlashGot (1.5.5.6, most likely) the packages (XPIs) of my Firefox add-ons won’t be signed anymore. Almost no other Firefox extension gets signed these days (NoScript and FlashGot had been among the earliest and few for a long time), and AMO being the only authorized repository you can install the add-on from by default, there’s little or no point in keeping the relatively expensive and clunky signature machinery in place. You probably noticed AMO lags quite a lot behind stable versions.
    Didier Stevens

  • Converting PEiD Signatures To YARA Rules

    Didier Stevens
    21 Jan 2015 | 4:56 pm
    I converted Jim Clausing’s PEiD rules to YARA rules so that I can use them to detect executable code in suspect Microsoft Office Documents with my oledump tool. Of course, I wrote a program to do this automatically: peid-userdb-to-yara-rules.py This program converts PEiD signatures to YARA rules. These signatures are typically found in file userdb.txt. Since PEiD signature names don’t need to be unique, and can contain characters that are not allowed in YARA rules, the name of the YARA rule is prefixed with PEiD_ and a running counter, and non-alphanumeric characters are converted…
  • YARA Rule: Detecting JPEG Exif With eval()

    Didier Stevens
    20 Jan 2015 | 12:39 pm
    My first release of 2015 was a new YARA rule to detect JPEG images with an eval() function inside their Exif data. Such images are not new, but I needed an example to develop a complex YARA rule:
    rule JPEG_EXIF_Contains_eval {
        meta:
            author = "Didier Stevens (https://DidierStevens.com)"
            description = "Detect eval function inside JPG EXIF header (http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html)"
            method = "Detect JPEG file and EXIF header ($a) and eval function ($b) inside EXIF data"…
  • Update: oledump.py Version 0.0.6

    Didier Stevens
    16 Jan 2015 | 8:11 am
    My last software release for 2014 was oledump.py V0.0.6 with support for the “ZIP/XML” Microsoft Office file format and YARA. In this post I will highlight support for the “new” Microsoft Office file format (.docx, .docm, .xlsx, .xlsm, …), which is mainly composed of XML files stored inside a ZIP container, except for macros, which are still stored in OLE files (inside the ZIP container). When oledump.py detects that the file is actually a ZIP file, it searches through all the files stored inside the ZIP container for OLE files, and analyses these. Here is an example…
  • Didier Stevens Suite

    Didier Stevens
    8 Jan 2015 | 12:14 pm
    I bundled most of my software in a ZIP file. In all modesty, I call it Didier Stevens Suite.
  • YouTube Video Promo

    Didier Stevens
    26 Dec 2014 | 2:24 am
    I produced 21 technical videos this year. You can find them on YouTube and my video blog (sometimes I also post beta versions of my new tools along with the video on my video blog). I decided to run a promo for my Didier Stevens Labs videos: If you buy one of my products, you get to download the original MP4 files I uploaded to my free YouTube channel. This offer is also valid for existing clients. YouTube Video Promo
    Technicalinfo.net Blog

  • A cynic’s view of 2015 security predictions (first part)

    20 Jan 2015 | 9:54 am
    Better late than never, but the first of a series of blogs from me covering my ever cynical view of security predictions has now been posted to the NCC Group website. Check out https://www.nccgroup.com/en/blog/2015/01/a-cynics-view-of-2015-security-predictions-part-one/ today. And more to come later this week. I think you'll enjoy it ;-)
  • A Cancerous Computer Fraud and Misuse Act

    15 Jan 2015 | 6:35 pm
    As I read through multiple postings covering the proposed Computer Fraud and Misuse Act, such as the ever-insightful writing of Rob Graham in his Obama's War on Hackers or the EFF's analysis, and the deluge of Facebook discussion threads where dozens of my security-minded friends shriek at the damage passing such an act would bring to our industry, I can't help but think that surely it's an early April Fools joke. The current draft/proposal for the Computer Fraud and Misuse Act reads terribly and, in Orin Kerr's analysis, is "awkward". The sentiment behind the act appears to be a…
  • If Compliance were an Olympic Sport

    6 Oct 2014 | 1:52 pm
    First published on the NCC Group blog - 6th October 2014... It probably won’t raise any eyebrows to know that for practically every penetration tester, security researcher, or would-be hacker I know, nothing is more likely to make their eyes glaze over and send them to sleep faster than a discussion on Governance, Risk, and Compliance (i.e. GRC); yet the dreaded “C-word” (Compliance) is a core tenet of modern enterprise security practice. Security professionals that come from an “attacker” background often find that their contention with Compliance is that it represents the lowest…
  • The Pillars of Trust on the Internet

    6 Oct 2014 | 1:48 pm
    As readers may have seen recently, I've moved on from IOActive and joined NCC Group. Here is my first blog under the new company... first published September 15th 2014... The Internet of today in many ways resembles the lawless Wild West of yore. There are the land-rushes as corporations and innovators seek new and fertile grounds, over yonder there are the gold-diggers panning for nuggets in the flow of big data, and crunching under foot are the husks of failed businesses and discarded technology. For many years various star-wielding sheriffs have tried to establish a brand of law and order…
  • Smart homes still not "smarter than a fifth-grader"

    31 Jul 2014 | 10:01 pm
    Smart Home technologies continue to make their failures headline news. Only yesterday did the BBC run the story "Smart home kit proves easy to hack, says HP study" laying out a litany of vulnerabilities and weaknesses uncovered in popular internet-connected home gadgetry by HP's Fortify security division. If nothing else the story proves that household vulnerabilities are now worthy of attention - no matter how late HP and the BBC are to the party. As manufacturers try to figure out how to cram internet connectivity into their (formerly) inanimate appliance and turn it into something you can…
    Security Bloggers Network

  • Security vulnerability in Blackphone service exposed

    ZDNet | Zero Day RSS
    28 Jan 2015 | 3:01 am
    No device is 100 percent secure, and one researcher has demonstrated this concept by exposing a vulnerability in the Blackphone, an Android device for the security conscious.
  • Data protection policy: Are you ready for 2015?

    Clearswift Blog
    28 Jan 2015 | 2:48 am
  • Fluffy awareness, anyone?

    Kai Roer
    28 Jan 2015 | 1:18 am
    Fluffy awareness – what exactly is that? And perhaps more important – is fluffy awareness something we want? Or even need? This was the main question discussed during the January 2015 episode of the live Security Culture Show I host together with the excellent Mo Amin. You can watch … The post Fluffy awareness, anyone? appeared first on The Kai Roer Blog.
  • Infographic: Privacy tips for business

    Deborah Salmi
    27 Jan 2015 | 10:00 pm
    Privacy plays a growing part in customer buying decisions. With every data breach, trust is eroded further. Privacy and security are intertwined when it comes to our individual information. Consumers are becoming increasingly aware of the value of their personal data, so that means that businesses have to step up and do a better job […]
  • VERT Alert: GHOST – glibc overflow

    Lamar Bailey
    27 Jan 2015 | 8:48 pm
    Vulnerability Description: A heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. Exposure […] The post VERT Alert: GHOST – glibc overflow appeared first on The State of Security.
    blog.hotspotshield.com

  • 7 Ways to Celebrate Data Privacy Day

    Peter Nguyen
    22 Jan 2015 | 11:21 pm
    Data Privacy Day takes place on January 28 each year. This day is designated internationally as a time to focus on protecting and respecting privacy, raising awareness about data risks, and empowering consumers to be accountable for how and where their information is used. Celebrate Data Privacy Day this year with the following activities to help yourself and others stay safe. Attend a Data Privacy Day Event You can participate in Data Privacy Day events both online and in person. There are a number of events that can provide valuable information for professionals. In Atlanta, you can attend…
  • Privacy and Security in the Internet Age

    Peter Nguyen
    21 Jan 2015 | 6:15 pm
    Anchorfree’s CEO David Gorodyansky recently published an article on Wired.com, bringing to light the importance of privacy and security in the Internet age. Here are the key points mentioned in the Wired.com article. The Obama Administration is ramping up efforts to strengthen America’s cybersecurity and make it more difficult for hackers to damage our economy and threaten our privacy. The unprecedented demand for mobile devices (more people in the world have access to cell phones than toilets, according to the U.N.), further complicates legal issues when it comes to Internet use…
  • Mobile Malware on the Rise: Tips to Keep Your Android Safe

    Peter Nguyen
    20 Jan 2015 | 12:27 am
    Mobile malware is on the rise in 2015. Read these essential tips to learn how to keep your Android device safe the next time you decide to download. Watch Out for App Clones Pay close attention when you’re downloading a popular app — you could end up with an artful fake designed to deliver malware. Clone apps tend to pop up in greater frequency when their popular namesakes are pulled from the app market. The classic example of this happening is when the creator of the popular app “Flappy Bird” pulled his money-making machine in 2014 at the peak of its popularity.
  • What Could End-to-End Encryption Mean for You?

    Peter Nguyen
    15 Jan 2015 | 10:47 pm
    Encryption is one of the main tools that companies use to gain consumer trust and keep information private. There are different kinds of encryption, each with its own advantages and drawbacks. One form of encryption that is sparking discussion across the board is end-to-end encryption. What exactly is it, and what will its emergence mean for you? Defining End-to-End Encryption End-to-end encryption essentially means that any information you send — whether it is an email, text message, or other form of communication — is virtually impossible to spy on from the time it leaves your device to…
  • How Anomaly Detection Protects Your Data

    Robert Siciliano
    13 Jan 2015 | 11:19 pm
    The recent Sony hack attack tells us that a data breach could inflict huge damage and embarrassment to a company. Investigators haven’t ruled out the possibility of a disgruntled ex-employee behind the attack. One way to prevent your employees from stealing your company’s data is to detect anomalous behavior coming from an employee—online behavior and even offline computer behavior that strays outside the line, that’s a little unexpected. This is called anomaly detection, and it can help prevent a data breach. But it’s easier said than done, because this technology is…
    Blog - CloudEntr

  • How to Tackle Your Top 3 Cloud Security Challenges

    Macey Morrison
    5 Jan 2015 | 4:00 am
    [This post is part of a two part series on tackling the top 3 cloud security challenges today's IT pros face.] It’s tough being a hero these days. As an IT pro, you serve and protect your fellow workers. You empower employees to do their jobs well. You keep your corporate citizens safe in a world where unseen dangers lurk on the web. But lately, things are shifting. There’s a disturbance in the Force. As the 2015 State of SMB Cybersecurity report revealed, most of you (a whopping 77%) are primarily concerned about the enemy within. Employees, your company’s greatest asset, are also…
  • IT Pros Speak: Top 3 Priorities for Your IT Security Budget in 2015

    Macey Morrison
    17 Dec 2014 | 4:00 am
    The year is wrapping up quickly (can you believe it’s mid-December?!), meaning we’re all scrambling to finalize budgets and plans for next year. And cyber theft is certainly on our minds with the recent Sony Pictures Entertainment hack and the sheer fallout of confidential data exposure the company is currently experiencing. With Sony poised to be making some IT security changes in the near future and giants like Target and Home Depot making investments to improve their security in the wake of their breaches in the last year, can the same be said for the not so giant companies in 2015? From…
  • [Feature Release] Extend Your Active Directory Service Security and Access Controls to the Cloud

    Ella Segura
    24 Nov 2014 | 6:50 am
    Ella Segura serves as the Product Manager for CloudEntr, guiding the product road map and all new features and developments. One switch to manage employee resource access: on-boarding, off-boarding, and day-to-day. When it comes to controlling access to local business applications, let’s face it, Microsoft’s Active Directory (AD) is the de facto standard. For years, businesses like yours (and ours) have been investing in their AD infrastructures. AD provides an identity and access management framework, giving us the tools to centrally manage users, set policies, and…
  • [Report] 77% of SMB IT Pros Cite Employees as Weakest Link in Cloud Security

    Macey Morrison
    13 Nov 2014 | 4:00 am
    IT pros give us their take on the state of SMB cybersecurity moving into 2015. Now that we are in the sixth “year of the hack,” IT professionals, even at smaller companies, are recognizing that cloud security is not someone else’s problem. In fact, it seems that IT pros at SMBs see the headlines of the breach du jour and are turning their gaze inward toward their employees rather than outside to the hackers. They see employees as their weakest link! At CloudEntr, we're excited to share with the IT community our inaugural State of SMB Cybersecurity report. We set out to find what SMBs were…
  • 4 reasons why your client's data is your data

    Christopher Bartik
    17 Oct 2014 | 12:03 pm
    If information is power, let’s face it, you’re getting closer and closer to super-man/woman status, but before you step inside that booth and go about your day saving lives, you may want to brush up on what today’s grateful citizens are expecting of you. After all, they have entrusted you with all sorts of sensitive information, including their customers’ and clients’ files, applications, credential data, etc. As the number of data breaches continues to rise, service organizations and others who deal in high volumes of privileged information may find themselves yearning for the days…

    Quotium

  • Video

    irene
    27 Jan 2015 | 7:28 am
    The post Video appeared first on www.quotium.com
  • Hackers are evolving – 2015 version – History of Internet and Application Security

    irene
    26 Jan 2015 | 6:14 am
    Hackers are Evolving, your Application Security Must Evolve too: Don’t be the Hacker’s Next Lunch! Our timeline about Internet history and Evolution of Application Security - updated with a summary of 2014's hacking events. The post Hackers are evolving – 2015 version – History of Internet and Application Security appeared first on www.quotium.com
  • Quotium and VersionOne Announce a Partnership to Deliver Secure Agile Software

    Quotium Research Center
    15 Dec 2014 | 2:13 am
    Quotium Seeker is now integrated with the VersionOne ALM platform to integrate security testing into the ongoing development and testing cycles. With Seeker and VersionOne, all stakeholders can now work together towards the common goal of Hacker-proof software. The post Quotium and VersionOne Announce a Partnership to Deliver Secure Agile Software appeared first on www.quotium.com
  • Field Sales Engineer US

    irene
    1 Dec 2014 | 2:03 am
    Job Description We are looking for Field Sales Engineers. Quotium is seeking talented Field Sales Engineers to support our Sales and Business Development activities in the US. You will be working in tandem with our sales team as a technical advisor and product advocate. The ideal candidate must be able to articulate technology and product […] The post Field Sales Engineer US appeared first on www.quotium.com
  • Quotium Joins F5’s Technology Alliance Program to Deliver Rapid Mitigation of Vulnerabilities

    irene
    26 Nov 2014 | 6:04 am
    Quotium partners with F5 to help mutual customers implement highly efficient, optimized, and easy-to-manage application security workflow. The post Quotium Joins F5’s Technology Alliance Program to Deliver Rapid Mitigation of Vulnerabilities appeared first on www.quotium.com

    HackerOne News & Security Blog

  • Proposed Changes to the Computer Fraud and Abuse Act, Austin Powers, and You

    15 Jan 2015 | 4:00 pm
    Many security professionals, hackers, lawyers, law enforcement, and members of the media are keenly interested in the White House's proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), the changes that represent the biggest concerns center around expanded language that poses an increased risk to performing many vulnerability research and security testing activities, and even reporting on breaches.
  • The Tale of the Privacy Pink Panther

    4 Jan 2015 | 4:00 pm
    Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.
  • Jingle Bugs - How to Rock in a Hard Place

    25 Dec 2014 | 4:00 pm
    With the end of 2014 dashing to a close and 2015 just over the hill, let's take a moment to look at the ghosts of bugs and breaches past. Vulnerability coordination, disclosure, and incident response have never been more important to get right. What could happen if we make adjustments in the way we approach security and how could that impact the bugs that will inevitably be delivered to both the naughty and nice in the future?
  • Introducing Reputation

    27 Oct 2014 | 5:00 pm
    One of the primary challenges when running a vulnerability coordination program is distinguishing the signal from the noise. Today, we're introducing a new reputation system to make running a program even easier.
  • New Security Inbox & Dashboard

    27 Aug 2014 | 5:00 pm
    At HackerOne, we're on a mission to empower the world to build a safer internet. Better security begins with a quality vulnerability coordination process, and our free platform enables your team to seamlessly manage the entire workflow. Think of it as a replacement for your old shared security inbox.