Web App Security

  • Most Topular Stories

  • The POODLE Attack and the End of SSL 3.0

    Mozilla Security Blog
    rbarnes
    14 Oct 2014 | 4:15 pm
    Summary SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer”…
  • UPnP Devices Used in DDoS Attacks

    Liquidmatrix Security Digest
    Bill Brenner
    15 Oct 2014 | 3:59 am
    Attackers are using Universal Plug and Play (UPnP) devices to launch massive DDoS assaults, Akamai’s Prolexic Security Engineering & Research Team (PLXsert) warned this morning in an advisory. PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That’s about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices to members of the security community in an effort to collaborate with cleanup and mitigation efforts. PLXsert said the attack…
  • Crypto-Ransomware Running Rampant

    Zscaler Research
    Chris Mannon
    27 Oct 2014 | 11:49 am
    There's no doubt that ransomware is one of the most popular malware threats of 2014. Zscaler is not alone in this opinion, as other security firms have observed up to a 700% increase in infection rates to ransom-like malicious activity on victim PCs. It's no wonder the attacks are so effective when for example, the delivery mechanism is designed to impersonate a legitimate service such as a
  • Unbreakable filter

    The Spanner
    Gareth Heyes
    24 Oct 2014 | 2:13 pm
    I was bored so I thought I’d take a look at Ashar’s filters. I noticed he’d done a talk about it at Blackhat Europe which I was quite surprised at. Then I came across the following blog post about the talk which I pretty much agreed with. That blog post links to his filters so you can try them out yourself. The first one is basically multiple JavaScript regexes which are far too generic to be of any value. For example “hahasrchaha” is considered a valid attack =) because it has “src” in. I’m not joking. The regexes are below. function…
  • SVG & colors in OpenType fonts

    Mozilla Hacks - the Web developer blog
    Johannes Lang
    23 Oct 2014 | 5:34 am
    Prolog Until recently having more than one color in a glyph of a vector font was technically not possible. Getting a polychrome letter required multiplying the content for every color. Like it happened with many other techniques before, it took some time for digital type to overcome the constraints of the old technique. When printing with wood or lead type the limitation to one color per glyph is inherent (if you don’t count random gradients). More than one color per letter required separate fonts for the differently colored parts and a new print run for every color. This has been done…

    Mozilla Security Blog

  • CSP for the web we have

    mgoodwin
    4 Oct 2014 | 1:47 am
    Introduction: Content Security Policy (CSP) is a good safety net against Cross Site Scripting (XSS). In fact, it’s the best one and I would recommend it to anyone building new sites. For existing sites, implementing CSP can be a challenge because CSP introduces some restrictions by default and, if the code was written without these restrictions in mind, work will be required. Also, working around these issues can negate the benefits of applying a policy in the first place. In particular, inline scripts require thought; they’re commonly used and, if they’re allowed by your…
  • RSA Signature Forgery in NSS

    Daniel Veditz
    24 Sep 2014 | 6:29 pm
    Issue A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your safety on the internet. Impact to Users Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from…
  • Phasing Out Certificates with SHA-1 based Signature Algorithms

    kwilson
    23 Sep 2014 | 3:13 pm
    Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm. SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some…
  • A Faster Content Security Policy (CSP)

    ckerschbaumer
    10 Sep 2014 | 9:14 am
    With the establishment of CSP Level 2, Mozilla shifted gears and reimplemented CSP in C++. This security feature first shipped in Firefox 4 (2011), and until now was implemented in a combination of JavaScript and C++. The new implementation is based solely on C++ and without the need to connect two languages, which increases performance and simplifies the implementation. This allows us faster turnaround when deploying new features established by future layers of the CSP standard. We’re thrilled to report that CSP in Firefox now works faster than ever. Performance measurements: We…

    Liquidmatrix Security Digest

  • PLXsert warns of Spike DDoS Toolkit

    Bill Brenner
    24 Sep 2014 | 8:01 am
    Akamai’s Prolexic Security Engineering and Research Team (PLXsert) is tracking the spread of Spike, a new malware toolkit that poses a threat to embedded devices, as well as Linux and Windows systems. Several versions of Spike can communicate and execute commands to infected Windows, desktop Linux and ARM-based devices running the Linux operating system (OS), PLXsert said in an advisory Wednesday morning. From the advisory: Binary payloads from this toolkit are dropped and executed after the successful compromise of targeted devices, which may include PCs, servers, routers, Internet of…
  • Data Breach Victims or Enablers?

    Bill Brenner
    19 Sep 2014 | 8:28 am
    Back in May, my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach — Home Depot and Target have been among this year’s biggest poster children — are victims. They don’t set out to put their customers’ data in danger and they probably thought they were practicing all due diligence…
  • After 9-11, Fear Made Us Stupid

    Bill Brenner
    12 Sep 2014 | 6:31 am
    Included in all the tweets and Facebook postings about the 13th anniversary of 9-11 yesterday was this from friend and co-worker Martin McKeay: Never forget 9/11 and terrorism. But don’t forget how many rights have been taken from us in the name of fighting terrorism. He’s got that right. There’s been plenty of outrage in recent years over the U.S. government running wild, violating our privacy in the name of security. The Bush Administration was rightly criticized over warrantless wiretapping. More recently, the Obama Administration and such government agencies as the NSA…
  • Exposing Gregory Evans: It Can Be Done

    Bill Brenner
    5 Sep 2014 | 6:06 am
    Thanks to the efforts of Attrition.org, we’ve known for years that LIGATT Security and Gregory Evans can’t be trusted. That article includes a long list of examples where Evans has committed plagiarism and threatened those who question his credentials as a hacker. There are court documents on the Internet that add to the evidence. I won’t go into the full summary of misdeeds here, because veteran security professionals have heard and seen it all before. Besides, I can’t do it any better than Attrition.org already has. Despite all we know about Evans, the mainstream…

    Zscaler Research

  • Android Ransomware 'Koler' Learns to Propagate via SMS

    viral
    24 Oct 2014 | 1:08 pm
    Android Koler is a family of ransomware that targets Android users by locking up their mobile devices and demanding a ransom. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Cryptolocker, but is a relative newcomer on mobile devices, at least in part due to file restrictions in mobile operating
  • Analysis of SandWorm (CVE-2014-4114) 0-Day

    Deepen Desai
    14 Oct 2014 | 5:42 pm
    Background iSIGHT Partners, working with Microsoft, today published details of a 0day vulnerability (CVE-2014-4114) used in a possible Russian cyber-espionage campaign targeting NATO, the European Union, the Telecommunications and Energy sectors. In this blog, we will provide a quick analysis of an exploit payload targeting this vulnerability, presently in the wild and showcase Zscaler's APT
  • #BASHed Evolution of Shellshock Attack payloads

    Deepen Desai
    7 Oct 2014 | 1:43 pm
    Background We recently blogged about the GNU Bash arbitrary code execution vulnerability (CVE-2014-6271) dubbed as Shellshock and covered some initial attacks that we captured in the wild during the first week of this vulnerability disclosure. We have continued to monitor the Shellshock exploit attacks and the malicious payloads that were getting dropped over the past two weeks. In this blog, we
  • Fiesta Exploit Kit: Live Infection

    Sameer Patil
    29 Sep 2014 | 12:11 am
    During our daily hunt for Exploit Kits (EK), we came across many live Fiesta exploit chains. The infection started from the following compromised domains: orpi.com, soyentrepreneur.com, interfacelift.com. Compromised sites: The attackers often leverage compromised sites to serve as the first level of redirection in the EK infection cycle. In the first Fiesta EK instance

    The Spanner

  • MentalJS bypasses

    Gareth Heyes
    24 Jun 2014 | 2:41 pm
    I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne’s vector was outstanding since it bypassed the parsing itself which is no easy task. The vector was as follows: for(var i i/'/+alert(location);0)break//') Basically my parser was inserting a semicolon in the wrong place causing a different state than the actual state executed. My fix inserts the semicolon in the correct place. Before the fix the rewritten code looked like this: for (var i$i$; / '/+alert(location);0)break//') As you can see the variables have been incorrectly…
  • mXSS

    Gareth Heyes
    6 May 2014 | 11:51 am
    Mutation XSS was coined by me and Mario Heiderich to describe an XSS vector that is mutated from a safe state into an unsafe unfiltered state. The most common form of mXSS is from incorrect reads of innerHTML. A good example of mXSS was discovered by Mario where the listing element mutated its contents to execute XSS. <listing>&lt;img src=1 onerror=alert(1)&gt;</listing> When the listing’s innerHTML is read it is transformed into an image element even though the initial HTML is escaped. The following code example shows how the entities are decoded. <listing…
  • Java Serialization

    Gareth Heyes
    6 May 2014 | 11:39 am
    In this post I will explore Java serialized applets and how they can be used for XSS. A serialized applet contains code that can be easily stored and loaded. Java supports an attribute called “object” which accepts a url to a serialized class file this allows us to load applets of our choosing provided they can be serialized and implements the java.io.Serializable interface. This feature is very old and obscure and I have successfully used the technique to bypass filters that look for very specific XSS patterns. In order to create a serializable Java applet you need the following code…
  • Bypassing the XSS filter using function reassignment

    Gareth Heyes
    7 Apr 2014 | 10:54 am
    The XSS filter introduced in IE8 is a really powerful defence against XSS. I tested the filter for a number of years and found various bypasses one of which I would like to share with you now. You can read more about the filter and its goal in the following blog post. Scope There have been numerous public bypasses of the filter however very few within the intended scope of the filter. The filter blocks reflected XSS in HTML context, script, style and event context. It does not support attacks that use multiple parameters or same origin requests. Once you are aware of the intended scope the…

    Mozilla Hacks - the Web developer blog

  • The Visibility Monitor supported by Gaia

    John Hu
    22 Oct 2014 | 6:04 am
    With the booming ultra-low-price device demands, we have to more carefully calculate about each resource of the device, such as CPU, RAM, and Flash. Here I want to introduce the Visibility Monitor which has existed for a long time in Gaia. Origin The Visibility Monitor originated from the Gallery app of Gaia and appeared in Bug 809782 (gallery crashes if too many images are available on sdcard) for the first time. It solves the problem of the memory shortage which is caused by storing too many images in the Gallery app. After a period of time, Tag Visibility Monitor, the “brother” of…
  • New on MDN: Sign in with Github!

    hoosteeno
    21 Oct 2014 | 6:07 am
    MDN now gives users more options for signing in! Signing in to MDN previously required a Mozilla Persona account. Getting a Persona account is free and easy, but MDN analytics showed a steep drop-off at the “Sign in with Persona” interface. For example, almost 90% of signed-out users who clicked “Edit” never signed in, which means they never got to edit. That’s a lot of missed opportunities! It should be easy to join and edit MDN. If you click “Edit,” we should make it easy for you to edit. Our analysis demonstrated that most potential editors stumbled at the Persona sign in.
  • Creating a mobile app from a simple HTML site

    Piotr Zalewa
    16 Oct 2014 | 6:00 am
    This article is a simple tutorial designed to teach you some fundamental skills for creating cross platform web applications. You will build a sample School Plan app, which will provide a dynamic “app-like” experience across many different platforms and work offline. It will use Apache Cordova and Mozilla’s Brick web components. The story behind the app, written by Piotr I’ve got two kids and I’m always forgetting their school plan, as are they. Certainly I could copy the HTML to JSFiddle and load the plan as a Firefox app. Unfortunately this would not load…
  • Passwordless authentication: Secure, simple, and fast to deploy

    Florian Heinemann
    15 Oct 2014 | 3:11 am
    Passwordless is an authentication middleware for Node.js that improves security for your users while being fast and easy to deploy. The last months were very exciting for everyone interested in web security and privacy: Fantastic articles, discussions, and talks but also plenty of incidents that raised awareness. Most websites are, however, still stuck with the same authentication mechanism as from the earliest days of the web: username and password. While username and password have their place, we should be much more challenging if they are the right solution for our projects. We know that…

    Didier Stevens

  • Update: PDFiD With Plugins Part 2

    Didier Stevens
    27 Oct 2014 | 1:40 am
    The second feature in this new version of PDFiD is selection. With this, you can select PDFs using criteria you provide. Example: pdfid.py -S "pdf.javascript.count > 0" *.pdf This command will select all files with extension .pdf in the current directory that are PDFs and have a /JavaScript count larger than zero. The selection expression you provide is a Python expression. Here is a list of attributes to use in your selection expressions: pdf.version pdf.filename pdf.errorOccured pdf.errorMessage pdf.isPDF pdf.header pdf.keywords[keywordname].count…
  • Update: PDFiD With Plugins Part 1

    Didier Stevens
    20 Oct 2014 | 1:51 am
    Almost from the beginning when I released PDFiD, people asked me for anti-virus like feature: that PDFiD would tell you if a PDF was malicious or not. Some people even patched PDFiD with a scoring feature. But I didn’t want to develop an “anti-virus” for PDFs; PDFiD is a triage tool. Now you can develop your own scoring system with plugins. Plugins are loaded with option -p, like this: I provide 3 plugins: plugin_triage.py, plugin_nameobfuscation.py and plugin_embeddedfile.py. You can run more than one plugin by separating their names with a comma: pdfid.py -p…
  • Announcement: PDFiD Plugins

    Didier Stevens
    30 Sep 2014 | 2:30 pm
    I have a new version of PDFiD. One with plugins and selections. Here’s a preview:
  • Update: XORSearch With Shellcode Detector

    Didier Stevens
    28 Sep 2014 | 5:00 pm
    XORSearch allows you to search for strings and embedded PE-files brute-forcing different encodings. Now I added shellcode detection. This new version of XORSearch integrates Frank Boldewin’s shellcode detector. In his Hack.lu 2009 presentation, Frank explains how he detects shellcode in Microsoft Office documents by searching for byte sequences often used in shellcode. I integrated Frank’s methods in XORSearch, so that you can use it for any file type, not only Microsoft Office files. Frank was kind enough to give me his source code for the detection engine. However, I did not…
  • Video: PDF Creation – Public Tools

    Didier Stevens
    23 Sep 2014 | 1:27 pm
    Have you subscribed to my new video blog: videos.didierstevens.com ? If not, you missed my new video where I show my public tools to create PDFs.

    Technicalinfo.net Blog

  • If Compliance were an Olympic Sport

    6 Oct 2014 | 1:52 pm
    First published on the NCC Group blog - 6th October 2014... It probably won’t raise any eyebrows to know that for practically every penetration tester, security researcher, or would-be hacker I know, nothing is more likely to make their eyes glaze over and send them to sleep faster than a discussion on Governance, Risk, and Compliance (i.e. GRC); yet the dreaded “C-word” (Compliance) is a core tenet of modern enterprise security practice. Security professionals that come from an “attacker” background often find that their contention with Compliance is that it represents the lowest…
  • The Pillars of Trust on the Internet

    6 Oct 2014 | 1:48 pm
    As readers may have seen recently, I've moved on from IOActive and joined NCC Group. Here is my first blog under the new company... first published September 15th 2014... The Internet of today in many ways resembles the lawless Wild West of yore. There are the land-rushes as corporations and innovators seek new and fertile grounds, over yonder there are the gold-diggers panning for nuggets in the flow of big data, and crunching under foot are the husks of failed businesses and discarded technology. For many years various star-wielding sheriffs have tried to establish a brand of law and order…
  • Smart homes still not "smarter than a fifth-grader"

    31 Jul 2014 | 10:01 pm
    Smart Home technologies continue to make their failures headline news. Only yesterday did the BBC run the story "Smart home kit proves easy to hack, says HP study" laying out a litany of vulnerabilities and weaknesses uncovered in popular internet-connected home gadgetry by HP's Fortify security division. If nothing else the story proves that household vulnerabilities are now worthy of attention - no matter how late HP and the BBC are to the party. As manufacturers try to figure out how to cram internet connectivity into their (formerly) inanimate appliance and turn it into something you can…
  • Consumer Antivirus Blogs

    11 Dec 2013 | 10:47 pm
    OK, I give up, what's up with all the blog sites run by the antivirus vendors - in particular the consumer-level antivirus products? Every day they post essentially the same damned blog entries. What is the purpose of those blogs? You know the blogs I mean. Day-in, day-out, 20+ antivirus companies post the same mind-numbing blog entries covering their dissection of their latest "interesting" piece of malware or phishing campaign. The names of the malware change, but it's the same blow-by-blow step through of another boring piece of malware, with the same dire warnings that you need…
  • Divvy Up the Data Breach Fines

    7 Dec 2013 | 4:21 pm
    There are now a bunch of laws that require companies to publicly disclose a data breach and provide guidance to the victims associated with the lost data. In a growing number of cases there are even fines to be paid for very large, or very public, or very egregious data breaches and losses of personal information. I often wonder what happens to the money once the fines have been paid. I'm sure there's some formula or stipulation as to how the monies are meant to be divided up and to which coffers they're destined to fill. But, apart from paying for the bodies that brought forth the case for a…

    CERIAS Combined Feed

  • Donate to the Ada Initiative!

    Gene Spafford
    7 Oct 2014 | 2:22 pm
    I just heard about the fund drive for the Ada Initiative. There are only a few days left in their fund drive supporting women in the tech community. Their efforts are certainly in line with some of my earlier blog posts (including here and here), and thus worthy of support. Your contribution can make a difference, so please give it some thought. (And yes, there are lots of other worthy efforts out there, from abolishing cancer to feeding kids to stopping terrorism. Don’t use that as an excuse to not support at least some worthwhile causes!)
  • Sensors Everywhere Could Mean Privacy Nowhere, Expert Says

    CERIAS Webmaster
    18 Sep 2014 | 5:34 am
    Eugene Spafford, professor of computer science at Purdue University and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS), says the so-called “Internet of Things” will see small microprocessors and sensors placed seemingly everywhere, and these devices will collect much data about us - often without our knowledge. More information »
  • National Cyber Security Hall of Fame announces Final Selectees for the Class of 2014

    CERIAS Webmaster
    10 Sep 2014 | 7:25 am
    PRESS RELEASE - Baltimore, MD (September 1, 2014) (http://www.cybersecurityhalloffame.com/) Mike Jacobs, Chairman of the Advisory Board for the National Cyber Security Hall of Fame, released the names of 5 innovators who will be enshrined in the Hall of Fame on Thursday, October 30th at a gala at the Four Seasons in Baltimore. In announcing the inductees, Jacobs, the first Information Assurance Director for the National Security Agency (NSA) and a respected cybersecurity consultant to government and industry said, “these honorees continue to advance our goal of “respecting the past” in…
  • What is wrong with all of you? Reflections on nude pictures, victim shaming, and cyber security

    Gene Spafford
    4 Sep 2014 | 8:06 pm
    [This blog post was co-authored by Professor Samuel Liles and Spaf.] Over the last few days we have seen a considerable flow of news and social media coverage of unintended exposure of celebrity photographs (e.g., here). Many (most?) of these photos were of attractive females in varying states of undress, and this undoubtedly added to the buzz. We have seen commentary from some in the field of cybersecurity, as well as more generally-focused pundits, stating that the subjects of these photos “should have known better.” These commentators claim that it is generally known that passwords/cloud…
  • CERIAS Researchers Win Student Paper Award

    CERIAS Webmaster
    26 Aug 2014 | 11:23 am
    CERIAS researchers won the Best Student Paper award at the 23rd USENIX Security Symposium, a top-tier computer systems security conference. The paper, “DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse,” was co-authored by Ph.D. students Brendan Saltaformaggio and Zhongshu Gu, with CS Professors Xiangyu Zhang and Dongyan Xu. This award was presented at the conference on August 20 in San Diego. (Photo: Brendan Saltaformaggio accepting the award from Dr. Kevin Fu, Chair of the conference.) Figure 1. DSCRETE is a memory forensics tool for…

    Security Bloggers Network

  • Review: The Peripheral, by William Gibson

    Robert Graham
    25 Oct 2014 | 4:09 pm
    After four years, William Gibson is finally coming out with a new book, “The Peripheral”. Time to preorder now. http://www.amazon.com/gp/product/B00INIXKV2 There’s not much to review. If you like Gibson’s work, you’ll like this book. (Also, if you don't like Gibson's work, then you are wrong). What I like about Gibson’s work is his investment in the supporting characters, which are often more interesting than the main characters. Each has a complex backstory, but more importantly, each has a story that unfolds during the book. It’s as if Gibson takes…
  • SpiderLabs Radio: October 22, 2014

    Karl Sigler
    25 Oct 2014 | 2:29 pm
    In this episode: Google offering Security Key for 2FA; New Microsoft OLE vulnerability; Ebola Phishing Campaign. Here are some of the links discussed in this week's show: SpiderLabs writeup of CVE-2014-4114; Microsoft advisory for CVE-2014-6352. We'...
  • Two new attacks on Tor

    Lance Cottrell
    25 Oct 2014 | 9:36 am
    Two new attacks on Tor have recently been published. One inserts malware into software updates, the other compromises bitcoin transactions. The post Two new attacks on Tor appeared first on The Privacy Blog.

    blog.hotspotshield.com

  • Data-Mining in Schools: How It Could Threaten Your Kids’ Privacy

    Peter Nguyen
    27 Oct 2014 | 11:52 pm
    Once upon a time, your child’s school performance was tidily summarized in two, maybe three, report cards per year. The cards rested safely in his or her student file, shared only with parents, teachers, and college administrators. Today’s digital technology has completely revamped that practice, and once-private academic information is now shared with countless individuals whom you’ll probably never meet. Is this an acceptable practice? According to Jose Ferreira, CEO of a six-year-old data-mining company called Knewton, it’s perfectly acceptable, and it’s also…
  • More Than 20% of Financial Malware Attacks Target Bitcoin

    Peter Nguyen
    22 Oct 2014 | 10:16 pm
    According to recent reports, criminals target Bitcoins in more than one-fifth of financial malware attacks. Specifically, Bitcoin miners accounted for 14 percent of all financial attacks, while Bitcoin wallet-stealers accounted for 8 percent in the second quarter of 2014. Hackers also used keyloggers, or keystroke logging malware, to steal users’ authentication credentials for online payment systems and banking in four percent of financial attacks. While traditional banking malware still accounts for the largest number of monetary attacks at 74 percent, the fact that Bitcoins are…
  • Beware of the POODLE Bug

    Peter Nguyen
    19 Oct 2014 | 11:08 pm
    Do you spend a lot of time surfing the Internet at public places such as Starbucks? There’s a new security bug that you should be aware of. This security vulnerability could give hackers access to your bank, social media, and email accounts! This security hole is called POODLE. No, it doesn’t behave or bark like a dog. POODLE actually stands for “Padding Oracle On Downgraded Legacy Encryption.” What is the POODLE bug? POODLE is a security bug in version 3 of the Secure Sockets Layer protocol (SSLv3). It was recently discovered by Google researchers. SSL protocol is used to…
  • How Safe is the Digital Wallet on Your Smartphone?

    Peter Nguyen
    15 Oct 2014 | 10:26 pm
    Apple’s new digital wallet software may revolutionize the way people pay for things. While the digital wallet concept and various apps have been in use for years, few people have really embraced the technology. This may be due to the limited number of merchants who accept wallet apps, or technology barriers that prevent seamless integration between various apps and networks, or a low level of trust in the safety and security of digital wallets. Apple’s entry into the digital wallet market may change all of that by capitalizing on its excellent reputation for simplicity and its…
  • It’s National Cyber Security Awareness Month

    Peter Nguyen
    12 Oct 2014 | 7:58 pm
    This month marks the 11th anniversary of the National Cyber Security Awareness Month. Sponsored by the Department of Homeland Security and in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, National Cyber Security Month was created to raise awareness among the public about cyber security. As with last year, this year’s theme is Our Shared Responsibility. With the internet becoming a more integral part of our daily lives, it’s important for everyone to take the necessary actions to protect themselves and to make…

    Blog - CloudEntr

  • 4 reasons why your client's data is your data

    Christopher Bartik
    17 Oct 2014 | 12:03 pm
    If information is power, let’s face it, you’re getting closer and closer to super-man/woman status, but before you step inside that booth and go about your day saving lives, you may want to brush up on what today’s grateful citizens are expecting of you. After all, they have entrusted you with all sorts of sensitive information, including their customers’ and clients’ files, applications, credential data, etc. As the number of data breaches continues to rise, service organizations and others who deal in high volumes of privileged information may find themselves yearning for the days…
  • Don't become a breached whale: Password tips to keep you afloat

    Christopher Bartik
    26 Aug 2014 | 6:30 am
    It’s late at night. You’ve just gotten home from a long day at work and the last thing you want to think about is anything requiring you to well, think. The couch beckons and soon enough you’re flipping through your DVR looking for your Game of Thrones fix. Most days you’ll fall into detached, trancelike viewing, but today something on the news sparks your attention: There was a robbery in your neighborhood. The news reporter says the thief is taking advantage of all the people who leave their doors unlocked. From the couch, you look to your own front door and see that it is, indeed,…
  • Cloud Sprawl: A Business's Guide to Secure Cloud Data for Employees and Customers

    Macey Morrison
    21 Aug 2014 | 7:02 am
    Shadow IT, a shady landscape for business, or is it? Cloud sprawl causes headaches for all of us… we have too many cloud services for CRM, accounting, and file sharing, not to mention those “personal” services that we’re all guilty of bringing into the workplace. And to add further complexity, others don’t always use the same apps to solve the same problem that we do. Different people have unique preferences and businesses deploy competing services. Take Sarah in marketing for instance. She may love Dropbox personally, but Bill in Finance wants budgets shared in SkyDrive, while Mary in…
  • Deconstructing big time data breaches: Where the big boys failed and what your business can learn

    Christopher Bartik
    12 Aug 2014 | 10:40 am
    These days, it seems not a day goes by without a data breach story appearing in the news. As these security incidents become more prevalent - not to mention more costly - one of the best things that small businesses can do to prevent them is to learn from others' mistakes. We see that the biggest enterprises are not infallible to data protection issues like breaches. And we obviously hear about them because bigger brands are newsworthy. This is good for small businesses though, because while their drama unfolds in the media it gives us a very public playbook of how it happened and how they…
  • Gemalto Bundles Secure File Sharing and Access Management to Offer All-in-One Identity Cloud Solution

    Macey Morrison
    30 Jul 2014 | 6:00 am
    This week, the CloudEntr Team is excited to announce that we have listened to our customers’ concerns regarding data risk in the cloud, taking on the other piece of the cloud security puzzle: file sharing and collaboration. Our CloudEntr access management solution has expanded to now offer an all-in-one solution for secure application access and file sharing in the cloud. We are thrilled to enable SMBs to capitalize on the cost efficiency and convenience of the cloud with the peace of mind of knowing their and their customers’ data is secure. The file encryption and collaboration feature…

    Quotium

  • Securing .Net Applications with Agility, Automation & DevOps through example with .Net & TFS

    Quotium Research Center
    21 Oct 2014 | 7:41 am
    The post Securing .Net Applications with Agility, Automation & DevOps through example with .Net & TFS appeared first on www.quotium.com
  • Securing Agile Software

    Quotium Research Center
    13 Oct 2014 | 5:18 am
    We will take an overview of Agile and more importantly the process at the center of it that powers development of Agile Software. We’ll see an effective way to deal with the challenge to integrate security in that process and how we can turn that into an opportunity! The post Securing Agile Software appeared first on www.quotium.com
  • State of Application Security Survey

    Quotium Research Center
    24 Sep 2014 | 1:19 am
    The post State of Application Security Survey appeared first on www.quotium.com
  • Partnerships and Integrations

    Quotium Research Center
    22 Sep 2014 | 12:59 am
    More partnerships and integrations coming soon… Version One is a leading agile development management software provider. Quotium Seeker has the ability to open defects directly in Version One based on the findings from a test. In an agile environment, it is important to be able to manage the different aspects of the project from one […] The post Partnerships and Integrations appeared first on www.quotium.com
  • Scrum Vs Kanban

    Quotium Research Center
    20 Sep 2014 | 4:52 pm
    Scrum and Kanban are both widely used methodologies in AGILE. Practitioners of both speak a lot on the positives of the respective methodologies and share success stories. People often try to evaluate the two and make a judgment about which one is better. In this article I have tried to discuss some visible differences between […] The post Scrum Vs Kanban appeared first on www.quotium.com