Web App Security

    Mozilla Security Blog

  • A Faster Content Security Policy (CSP)

    ckerschbaumer
    10 Sep 2014 | 9:14 am
    With the establishment of CSP Level 2, Mozilla shifted gears and reimplemented CSP in C++. This security feature first shipped in Firefox 4 (2011), and until now was implemented in a combination of JavaScript and C++. The new implementation is based solely on C++ and without the need to connect two languages, which increases performance and simplifies the implementation. This allows us faster turnaround when deploying new features established by future layers of the CSP standard. We’re thrilled to report that CSP in Firefox now works faster than ever. Performance measurements: We…
  • Phasing out Certificates with 1024-bit RSA Keys

    kwilson
    8 Sep 2014 | 3:09 pm
    For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA). We are actively working with CAs to retire SSL and Code Signing certificates that have 1024-bit RSA keys in an effort to make the upgrade as orderly as possible, and to avoid having system administrators find themselves in emergency mode because their SSL keys were compromised. Our multi-pronged approach includes removing the SSL and Code Signing trust bits from 1024-bit…
  • Public key pinning released in Firefox

    Sid Stamm
    2 Sep 2014 | 11:28 am
    Firefox now supports built-in public key pins, which means that a shortened list of acceptable certificate authorities (CAs) for participating sites is built into Firefox. In this first stage of pinning roll-out, protected domains include addons.mozilla.org and Twitter, to be followed by Google and other sites in upcoming versions of Firefox. That means that Firefox users will be even safer when visiting Mozilla and Twitter (and soon, Google). For the full list of pinned domains and rollout status, please see the Public Key Pinning wiki. Additionally, sites may advertise their support for…
  • Update on reviewing our data practices and Bugzilla development database disclosure

    jstevensen
    27 Aug 2014 | 5:02 pm
    As we indicated in the post titled “MDN Disclosure”, we began several remediation measures, including a review of data practices surrounding user data. We have kicked off a larger project to better our practices around data, including with respect to the various non-Mozilla projects we support. We are implementing immediate fixes for any discovered issues across the organization, and are requiring each business unit to perform a review of their data practices and, if necessary, to implement additional protections based on that review. As we proceed through our broader remediation program,…
  • mozilla::pkix ships in Firefox!

    David Keeler
    20 Aug 2014 | 10:35 am
    In April, we announced an upcoming certificate verification library designed from the ground up to be fast and secure. A few weeks ago, this new library – known as “mozilla::pkix” – shipped with Firefox and is enabled by default. Please see the original announcement for more details. Along with using more verifiably secure coding practices, we took the opportunity to closely adhere to the X.509 certificate verification specifications for the Internet. For example, we prevent certificates from being misused in ways that legacy libraries often do not. This protects user…
 
    Unmask Parasites. Blog.

  • Most Contradictive Doorway Generator

    Denis
    12 Sep 2014 | 11:57 am
Check this thread on the WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing. The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me. First of all, this script has a random text and code generator. The output it generates is [kind of] always unique. Here are a couple of output pages: http://pastebin.com/ymwMZMWP http://pastebin.com/Y6B7WM2T ... <title>Is. Last spots brows: Dwelling. Immediately moral.</title> </head>…
  • Google -> Doorway -> Google -> Spam

    Denis
    11 Jun 2014 | 11:32 am
Just a few thoughts about an interesting behavior of a black-hat SEO doorway. Typically hackers create doorways on compromised sites to make search engines rank them for certain keywords and then, when searchers click on the links in search results, those doorways redirect them further to a site that hackers really promote. Sometimes that redirect may go through some TDS (traffic directing service) but the whole scheme remains pretty much the same: Search results -> doorway -> beneficiary site Today, when doing a backlink research of one of such pharma doorways, I encountered a different…
  • Working With the Darkleech Bitly Data

    Denis
    10 Feb 2014 | 9:08 am
    Data Driven Security took the time to analyze the raw data that I published in my recent post on Sucuri blog about how I used Bitly data to understand the scale of the Darkleech infection. In their article, they have a few questions about data formats, meaning of certain fields and some inconsistencies, so I’ll try to answer their questions here and explain how I worked with the data. So I needed to get information about all the links of the “grantdad” bitly account. I checked the API and somehow missed the “link_history” API request (it was the first time I…
  • Invasion of JCE Bots

    Denis
    27 Jan 2014 | 2:47 am
Joomla has been one of the most popular CMS for a long time. It powers a huge number of sites. That’s great! The flip side of this fact is Joomla has been very popular for a long time and there are still very many sites that use older versions of Joomla as well as older versions of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share in live Joomla sites. Old versions may work well for your site but they have multiple well known security holes, so they are the low hanging fruit for hackers. Let me show this using a real world example.
  • Reporting Suspicious Styles

    Denis
    22 Nov 2013 | 8:15 am
    Back in 2008, the very first task that I created Unmask Parasites for was scanning web pages for hidden links. I read an article about thousands of WordPress blogs being stuffed with dozens of invisible spammy links. I had a self-hosted WordPress blog too and that article made me think if there was some easy way to figure out whether my blog was hacked, something less laborious than manually examining the HTML code link by link. So I decided to create a tool that would show all domains that my web pages linked to highlighting those of them that had “invisible” styles. This approach has…
    Liquidmatrix Security Digest

  • After 9-11, Fear Made Us Stupid

    Bill Brenner
    12 Sep 2014 | 6:31 am
    Included in all the tweets and Facebook postings about the 13th anniversary of 9-11 yesterday was this from friend and co-worker Martin McKeay: Never forget 9/11 and terrorism. But don’t forget how many rights have been taken from us in the name of fighting terrorism. He’s got that right. There’s been plenty of outrage in recent years over the U.S. government running wild, violating our privacy in the name of security. The Bush Administration was rightly criticized over warrantless wiretapping. More recently, the Obama Administration and such government agencies as the NSA…
  • Exposing Gregory Evans: It Can Be Done

    Bill Brenner
    5 Sep 2014 | 6:06 am
    Thanks to the efforts of Attrition.org, we’ve known for years that LIGATT Security and Gregory Evans can’t be trusted. That article includes a long list of examples where Evans has committed plagiarism and threatened those who question his credentials as a hacker. There are court documents on the Internet that add to the evidence. I won’t go into the full summary of misdeeds here, because veteran security professionals have heard and seen it all before. Besides, I can’t do it any better than Attrition.org already has. Despite all we know about Evans, the mainstream…
  • Five security lessons from ‘Mars Attacks!’

    Bill Brenner
    28 Aug 2014 | 4:32 pm
    If you look closely, the 1996 Tim Burton film “Mars Attacks!” offers us a few security lessons. Let the following clip play as I run through some examples… Lesson 1: If you release a white dove over someone’s head before you verify who you’re dealing with, you have failed to practice due diligence. The resulting bad press could damage your brand. Lesson 2: Regarding Jack Nicholson’s speech about two out of three branches of the government still working: Layers of security may be smart, but if it’s badly configured and government-issued, it…
  • 5 Things a Revere, MA Upbringing Taught Me About Infosec

    Bill Brenner
    27 Aug 2014 | 12:48 pm
    Growing up in Revere, Mass., taught me some very simple lessons about information security. Note: When people hear the name Revere, they think of these things: Paul Revere’s ride, guns, the IROC-Z automobile, lots of gold chains and language that doesn’t include the letter r at the end of a word. Information security? You probably think I’ve lost what little sanity I had. But I’m serious. Revere incident 1: Me and two friends are followed a quarter-mile up the beach and pounced upon because I apparently said something someone mistook as an insult against his…
  • The Stupid, It Burns

    Dave Lewis
    25 Aug 2014 | 8:55 am
    There are times where I just marvel at the abject stupidity of some folks. Case in point was the posting on Pastebin over the weekend where a group of “hackers” (wow, I use that term lightly) calling themselves “Wycked” posted a database dump from McDonald’s Malaysia. The premise being that they compromised the site. Small problem with that however. You see, the “Havij Injection Project” already posted that same database dump in February 2012. Don’t piss on my leg and tell me that it is raining. The stupid, it burns. The post The Stupid, It…
 
    Zscaler Research

  • RIG EK outbreak continues

    Pradeep Kulkarni
    8 Sep 2014 | 11:50 pm
During daily data mining activities, we observe continual outbreaks of many exploit kits (EK) such as RIG EK. Logs are monitored and analyzed to come up with new protections, which are eventually deployed in the Zscaler cloud. The dynamic nature of EK landing page code presents a constant challenge in providing generic detections. We need to take a look at various aspects of EKs such as URLs
  • Nuclear Exploit Kit and Flash CVE-2014-0515

    rubin azad
    5 Sep 2014 | 8:13 pm
For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014. Nuclear Exploit Kit targets a number of known vulnerabilities including: pdf - PDF:Exploit.PDF-JS; swf - CVE-2014-0515; jar - CVE-2012-0507. Below are the files which were
  • A look at the new Gameover Zeus variant

    Deepen Desai
    30 Aug 2014 | 9:52 am
Background: Zeus, also known as Zbot, is one of the most notorious and widespread information-stealing banking Trojans. It was first spotted in early 2007 and since then over the years it has evolved into a very sophisticated malware family with such features as: Man-in-The-Browser keystroke logging, Form grabbing, Web injects, Kernel-mode rootkit update, Custom
  • Dissecting the CVE-2013-2460 Java Exploit

    Sameer Patil
    28 Jul 2014 | 3:43 am
    Introduction In this vulnerability, code is able to get the references of some restricted classes which are cleverly used for privilege escalation and bypassing the JVM sandbox. The vulnerable “invoke” method of the “sun.tracing.ProviderSkeleton” class is used to issue calls to the Class.forName() method for loading internal restricted classes and methods. Vulnerability Exploitation
  • De-obfuscating the DOM based JavaScript obfuscation found in EK’s such as Fiesta and Rig

    Pradeep Kulkarni
    23 Jul 2014 | 12:07 am
    There is little doubt that exploit kit (EK) developers are continuing to improve their techniques and are making exploit kits harder to detect. They have heavily leveraged obfuscation techniques for JavaScript and are utilizing browser functionality to their advantage. Recent exploit kits such as ‘Fiesta’ and ‘Rig’ for example, have been found to be using DOM based JavaScript obfuscation. In
    Mozilla Hacks - the Web developer blog

  • WebIDE, Storage inspector, jQuery events, iframe switcher + more – Firefox Developer Tools Episode 34

    Heather Arthur
    16 Sep 2014 | 9:02 am
A new set of Firefox Developer Tools features has just been uplifted to the Aurora channel. These features are available right now in Aurora, and will be in the Firefox 34 release in November. This release brings new tools (storage inspector, WebIDE), an updated profiler, and handy enhancements to the existing tools. WebIDE: WebIDE, a new tool for in-browser app development, has been enabled by default in this release. WebIDE lets you create a new Firefox OS app (which is just a web app) from a template, or open up the code for an already created app. From there you can edit the app’s…
  • Single Div Drawings with CSS

    Lynn Fisher
    15 Sep 2014 | 3:29 am
    Why A Single Div? In May of 2013 I attended CSSConf and saw Lea Verou speak about the humble border-radius. It was an eye-opening talk and I realized there was much about CSS behavior I did not fully understand. This reminded me of my time as a fine arts student where I was constantly pushed to become a master of my chosen medium. As a web designer, CSS is my medium and so I challenged myself to learn all I could about it and to explore and experiment with its limits. But why a single div? When I was learning to paint, my class did these color mixing exercises where we created the many colors…
  • Firefox Add-on Enables Web Development Across Browsers and Devices

    Dave Camp
    11 Sep 2014 | 8:10 am
    Developing across multiple browsers and devices is the main issue developers have when building applications. Wouldn’t it be great to debug your app across desktop, Android and iOS with one tool? We believe the Web is powerful enough to offer a Mobile Web development solution that meets these needs! Enter an experimental Firefox add-on called the Firefox Tools Adaptor that connects the Firefox Developer Tools to other major browser engines. This add-on is taking the awesome tools we’ve built to debug Firefox OS and Firefox on Android to the other major mobile browsers starting with Chrome…
  • 350 posts on Hacks in 2 years!

    Robert Nyman [Editor]
    10 Sep 2014 | 5:37 am
    Two years ago, we made a number of changes to the Mozilla Hacks blog. Since then we’ve had over three million unique visitors and 350 quality posts in just less than two years – almost one every second day! Part of these changes included: A clear focus on learning about the Open Web & open source – more detail in What Mozilla Hacks is A dedicated Editor, me, working with ensuring consistency, quality & versatility of the articles Articles covering both interesting technologies and possibilities but also learning lessons of how to build exciting solutions and work…
  • Enabling Voice Input into the Open Web and Firefox OS

    Sandip Kamat
    9 Sep 2014 | 2:13 pm
    With the advent of smartphones triggered by iPhone in 2007, Touch became the primary mode of input for interacting with these devices. And now with the advent of wearables (and other hands-free technologies that existed before), Voice is becoming another key method of input. The possibilities of experiences Voice Input enables are huge, to say the least. They go beyond just merely interacting with in-vehicle devices, accessories and wearables. Just think of the avenues Voice Input opens up for bringing more technologies to more people. It’s enormous: Accessibility, Literacy, Gaming, VR…
 
    Ajaxian » Front Page

  • Scaling up CSS

    Michael Mahemoff
    5 Sep 2014 | 9:05 pm
CSS has a habit of creeping up on you. If you’re not careful, your humble stylesheet can go from a few flourishes to a giant maintenance tangle. Before you can say “12-deep nested div”, you’re in a world of duplication and complexity that prevents you from making timely user-interface updates. Medium (https://medium.com) is one organisation that’s been through the growing pains of CSS and Jacob Thornton (“Fat”) has an in-depth case study we can all learn from. Medium’s CSS is actually pretty f***ing good is the claim and it’s hard to argue with the…
  • Mobile Proxies: A New Era Dawns

    Michael Mahemoff
    7 Mar 2013 | 6:35 pm
    This week, Chrome For Android M26 was announced. It has the literally-awesome ability to record video via `getUserMedia()`, but enough about making Skype irrelevant. What’s even more interesting is the new data compression feature. Which, to be clear, is experimental, has to be switched on, doesn’t apply to secure (SSL) sites, and it’s only running in the beta app. With this feature, Google will be delivering streamlined responses, leading to substantial performance improvements and bandwidth savings. In the latest Mobile Web Thursday’s, Google’s Pete Le Page…
  • Here comes Traversty traversing the DOM

    jvaughan
    1 Nov 2012 | 6:59 pm
    The Traversty DOM utility has as its purpose to allow you to traverse the DOM and manage collections of DOM elements. Proponents admit core Traversty traversal methods are inspired by Prototype’s DOM Traversal toolkit, but now in a multi-element environment that is more like jQuery and less like Prototype’s single element implementation.
  • Fat Fractal enters the BaaS fray

    jvaughan
    26 Sep 2012 | 7:24 pm
What has sometimes been described as mobile middleware has taken a new tack. Now, the idea of Backend as a Service (BaaS) has begun to take off in the mobile application development space. Proponents of BaaS say it helps developers easily build mobile apps, or any other applications connected to a cloud backend. Some of their views suggest a wholly new computer architecture is in the works. Fat Fractal is among the horses running in the BaaS stakes.
  • Windows 8 HTML5 WinRT RSS reader app

    jvaughan
    23 Aug 2012 | 7:33 pm
    WinJS is a JavaScript framework for Windows 8, and David Rousset uses it here to create a quick RSS reader. He shows how in a tutorial series. This first article shows the way to build a welcome screen that employs WinJS ListView control. Blend and CSS3 are employed. The second tutorial shows work on the detail view displayed after a click-on-item. This uses a transition animation. Time to go through the two tutorials is estimated at 30 minutes. Check out the Windows 8 HTML5 WinRT RSS reader app.
    Didier Stevens

  • FileScanner.exe Part 2

    Didier Stevens
    15 Sep 2014 | 5:00 pm
My new FileScanner tool allows you to use rules to scan files. Here is how you define rules. Rule syntax If you provide rules to FileScanner, it will only report files that match one rule or several rules (unless you instruct it to report all scanned files). A rule has a name, a type and one or more conditions. These elements are separated by the : character (colon). A name can be any string, and it is best if it is unique when you have several rules (but this is not enforced). If a name starts with a $ character (dollar), the rule is only tested if it is referred to by another rule. Valid rule types…
  • Update: SpiderMonkey

    Didier Stevens
    14 Sep 2014 | 8:00 am
During my PDF training at 44CON I got the idea for a simple modification: now with document.write(), a third file is created. The file is write.bin.log and contains the pure UNICODE data, i.e. without the 0xFFFE header. To extract shellcode now, you no longer need to edit write.uc.log to remove the 0xFFFE header. I also included binaries for Windows and Linux (compiled on CentOS 6.0) in the ZIP file. js-1.7.0-mod-b.zip (https) MD5: 85B369B5650D4C041D21E8574CF09B9A SHA256: D3827DF7B2EA81EEE91181B2DE045320E1CFEC46EED33F7CD84CA63C3A36BC38
  • Introducing Filescanner.exe

    Didier Stevens
    2 Sep 2014 | 5:17 pm
    Filescanner is a tool I started to develop almost 2 years ago. Back then, I needed a stand-alone, single executable tool that would allow me to search for files based on their content. Filescanner is a Windows tool. Without any options, the tool will report some properties of the scanned file: Remark that the first 4 bytes of the scanned file are reported. Here are the options: Option -f does a full read of the file and calculates some properties like entropy, md5, … You can also output CSV with option -v and search through subfolders with option -s. Rules can be defined to select…
  • Update: Calculating a SSH Fingerprint From a (Cisco) Public Key

    Didier Stevens
    1 Sep 2014 | 1:17 pm
I think there’s more interest in my program to calculate the SSH fingerprint for Cisco IOS since Snowden started with his revelations. I fixed a bug with 2048 bit (and more) keys. cisco-calculate-ssh-fingerprint_V0_0_2.zip (https) MD5: C304299624F12341F9935263304F725B SHA256: 2F2BF65E6903BE3D9ED99D06F0F38B599079CCE920222D55CC5C3D7350BD20FB
  • A Return: The Puzzle

    Didier Stevens
    21 Aug 2014 | 12:19 pm
    It’s been some time that I posted a puzzle. So here is a new little puzzle. What is special about this file?
    CERIAS Combined Feed

  • National Cyber Security Hall of Fame announces Final Selectees for the Class of 2014

    CERIAS Webmaster
    10 Sep 2014 | 7:25 am
    PRESS RELEASE - Baltimore, MD (September 1, 2014) (http://www.cybersecurityhalloffame.com/) Mike Jacobs, Chairman of the Advisory Board for the National Cyber Security Hall of Fame, released the names of 5 innovators who will be enshrined in the Hall of Fame on Thursday, October 30th at a gala at the Four Seasons in Baltimore. In announcing the inductees, Jacobs, the first Information Assurance Director for the National Security Agency (NSA) and a respected cybersecurity consultant to government and industry said, “these honorees continue to advance our goal of “respecting the past” in…
  • What is wrong with all of you? Reflections on nude pictures, victim shaming, and cyber security

    Gene Spafford
    4 Sep 2014 | 8:06 pm
[This blog post was co-authored by Professor Samuel Liles and Spaf.] Over the last few days we have seen a considerable flow of news and social media coverage of unintended exposure of celebrity photographs (e.g., here). Many (most?) of these photos were of attractive females in varying states of undress, and this undoubtedly added to the buzz. We have seen commentary from some in the field of cybersecurity, as well as more generally-focused pundits, stating that the subjects of these photos “should have known better.” These commentators claim that it is generally known that passwords/cloud…
  • CERIAS Researchers Win Student Paper Award

    CERIAS Webmaster
    26 Aug 2014 | 11:23 am
    CERIAS researchers won the Best Student Paper award at the 23rd USENIX Security Symposium, a top-tier computer systems security conference. The paper, “DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse,” was co-authored by Ph.D. students Brendan Saltaformaggio and Zhongshu Gu, with CS Professors Xiangyu Zhang and Dongyan Xu. This award was presented at the conference on August 20 in San Diego. (Photo: Brendan Saltaformaggio accepting the award from Dr. Kevin Fu, Chair of the conference.) Figure 1. DSCRETE is a memory forensics tool for…
  • Videos from the 15th Annual CERIAS Symposium

    Gene Spafford
    11 Jul 2014 | 1:30 pm
    We are now releasing videos of our sessions at this year’s CERIAS Symposium from late March. We had a fascinating session with David Medine, chair of the PCLOB discussing privacy and government surveillance with Mark Rasch, currently the CPO for SAIC. If you are interested in the issues of security, counterterrorism, privacy, and/or government surveillance, you will probably find this interesting: https://www.youtube.com/watch?v=kHO7F8XjvrI We are also making available videos of some of our other speakers — Amy Hess, Exec. Deputy Director of the FBI; George Kurtz, President & CEO of…
  • Update on “Patching is Not Security”

    Gene Spafford
    9 Jul 2014 | 12:09 pm
    A few weeks ago, I wrote a post entitled “Patching Is Not Security.” Among other elements, I described a bug in some Linksys routers that was not patched and was supporting the Moon worm. Today, I received word that the same unpatched flaw in the router is being used to support DDOS attacks. These are not likely to be seen by the owners/operators of the routers because all the traffic involved is external to their networks — it is outbound from the router and is therefore “invisible” to most tools. About all they might see is some slowdown in their connectivity. Here’s some of the…
 
    blog.hotspotshield.com

  • 5 Million Gmail Passwords Leaked: Was Yours One of Them?

    Peter Nguyen
    15 Sep 2014 | 11:28 pm
    Media outlets were abuzz recently with news that millions of Gmail passwords were leaked online. The story is enough to send the 425 million active Gmail users into a tailspin, but it’s important to keep calm and look at the facts. Could your password be one of those compromised? And even if you weren’t a victim this time, how can you protect your email account in the future? What Actually Happened? On September 10, the passwords of approximately five million Gmail accounts were posted on a Russian Bitcoin security forum. Google, which owns the Web-based email service, insists its…
  • Apple’s New iPhone 6: Examining the Highlights and Security Features

    Peter Nguyen
    12 Sep 2014 | 1:03 am
During the past few months, millions of mobile users and die-hard Apple fans eagerly awaited the announcement of the iPhone 6. Apple’s loyal iPhone fans, after all, have long awaited a device with a bigger screen, a better mobile camera, access to a contactless payment technology, and much more. After much ado, the hot new phone was revealed this week by Apple CEO Tim Cook, and it could be a game-changer for the company. For three years in a row, Apple reigned as the world’s most valuable brand, according to Business Insider. This past year, under the direction of Cook, the company…
  • Researchers say your mobile carrier’s network isn’t all that secure

    Robert Siciliano
    8 Sep 2014 | 11:30 pm
Recently, researchers have discovered that the tools that update your smartphone’s operating system over the air have holes that hackers can slip into! It’s estimated that as many as two billion handsets are vulnerable, and in some instances, security patches haven’t even been released. The open mobile alliance device management (OMA-DM) protocol is used by around a hundred smartphone companies to release software updates and conduct network administration. And that’s where they say the problem lies. A hacker must know the handset’s distinct international mobile station…
  • The Celebrity Photo Hacks: What We Know So Far and How to Stay Secure

    Peter Nguyen
    5 Sep 2014 | 12:07 am
    Celebrity watchers are seeing more of their favorite starlets than ever before after their private Internet accounts were recently hacked. This case provides a timely reminder of the importance of online security. Although details are still sketchy, some pretty poignant facts and implications have emerged, along with some valuable takeaways. Read on to discover how these celebrities were exposed, and how to make sure that it doesn’t happen to you. An iCloud Tragedy Examined: What Happened With These Stars? If you’ve been following the entertainment headlines, you’d know that…
  • Will the EU’s “Right to be Forgotten” Rule Transform the Internet?

    Peter Nguyen
    27 Aug 2014 | 10:56 pm
    There is a specter haunting the European Union (EU): the specter of forgetfulness. A set of regulatory laws passed by the Union in recent years guarantees citizens the Right to be Forgotten, promising the ability to clean the online record of bad decisions. The right was recently upheld in the highest EU courts, signaling that it may be here to stay. On the surface, the law seems like a privacy advocate’s dream; however, once the surface is scratched, deeper concerns become apparent. What Is It? The Right to be Forgotten (or RtbF) is a legal construct of the European Union. In 1995, the…
    Blog - CloudEntr

  • Don't become a breached whale: Password tips to keep you afloat

    Christopher Bartik
    26 Aug 2014 | 6:30 am
    It’s late at night. You’ve just gotten home from a long day at work and the last thing you want to think about is anything requiring you to well, think. The couch beckons and soon enough you’re flipping through your DVR looking for your Game of Thrones fix. Most days you’ll fall into detached, trancelike viewing, but today something on the news sparks your attention: There was a robbery in your neighborhood. The news reporter says the thief is taking advantage of all the people who leave their doors unlocked. From the couch, you look to your own front door and see that it is, indeed,…
  • Cloud Sprawl: A Business's Guide to Secure Cloud Data for Employees and Customers

    Macey Morrison
    21 Aug 2014 | 7:02 am
    Shadow IT, a shady landscape for business, or is it? Cloud sprawl causes headaches for all of us… we have too many cloud services for CRM, accounting, and file sharing, not to mention those “personal” services that we’re all guilty of bringing into the workplace. And to add further complexity, others don’t always use the same apps to solve the same problem that we do. Different people have unique preferences and businesses deploy competing services. Take Sarah in marketing, for instance. She may love Dropbox personally, but Bill in Finance wants budgets shared in SkyDrive, while Mary in…
  • Deconstructing big time data breaches: Where the big boys failed and what your business can learn

    Christopher Bartik
    12 Aug 2014 | 10:40 am
    These days, it seems not a day goes by without a data breach story appearing in the news. As these security incidents become more prevalent - not to mention more costly - one of the best things that small businesses can do to prevent them is to learn from others' mistakes. We see that even the biggest enterprises are not immune to data protection issues like breaches. And we obviously hear about them because bigger brands are newsworthy. This is good for small businesses though, because while their drama unfolds in the media it gives us a very public playbook of how it happened and how they…
  • Gemalto Bundles Secure File Sharing and Access Management to Offer All-in-One Identity Cloud Solution

    Macey Morrison
    30 Jul 2014 | 6:00 am
    This week, the CloudEntr Team is excited to announce that we have listened to our customers’ concerns regarding data risk in the cloud, taking on the other piece of the cloud security puzzle: file sharing and collaboration. Our CloudEntr access management solution has expanded to now offer an all-in-one solution for secure application access and file sharing in the cloud. We are thrilled to enable SMBs to capitalize on the cost efficiency and convenience of the cloud with the peace of mind of knowing their and their customers’ data is secure. The file encryption and collaboration feature…
  • And Then There was One: Secure File Sharing & Access in the Cloud from CloudEntr

    Ella Segura
    28 Jul 2014 | 6:00 am
    Ella Segura serves as the Product Manager for CloudEntr, guiding the product road map and all new features and developments. Businesses’ Unique, All-in-One Solution for Securing Access and Files in the Cloud. Gone are the days when businesses operated their own little fiefdoms, where IT reigned supreme and all the people thankfully fell in line behind the resources that were given to them. Enter the internet and the cloud. Today, businesses are connected more than ever before and their on-location castle walls, no matter how strong, are no longer sufficient. We communicate through many channels:…
 
    Quotium

  • Partnership

    Quotium Research Center
    15 Sep 2014 | 12:34 am
    Version One is a leading agile development management software provider. Quotium Seeker has the ability to open defects directly in Version One based on the findings from a test. In an agile environment, it is important to be able to manage the different aspects of the project from one central location. The ability to integrate […] The post Partnership appeared first on www.quotium.com
  • Inside sales specialist

    Quotium Research Center
    27 Aug 2014 | 3:34 am
    Quotium is looking for Inside sales specialists to support our sales managers. The role will be focused on the identification (and generation) of leads through research, networking, cold calling and the development of contact/prospect relationships. Responsibilities: - Lead generation, prospecting and qualification – engage in different activities to identify new opportunities and generate relevant sales leads – qualify leads by active […] The post Inside sales specialist appeared first on www.quotium.com
  • Some key (yet funny) terminologies in AGILE Scrum

    Quotium Research Center
    18 Jul 2014 | 3:03 am
    Agile has been the buzzword of the industry for 4-5 years now. It has turned around many businesses. It has not just drastically changed the cost side of the profitability tree but also improved the revenue side by shipping better products. Agile practitioners are no longer willing to even talk about the traditional […] The post Some key (yet funny) terminologies in AGILE Scrum appeared first on www.quotium.com
  • Leading the KANBAN way!!!

    Quotium Research Center
    18 Jul 2014 | 1:47 am
    What is Kanban? KANBAN is a Toyota principle and literally means ‘Signboard’ in Japanese. Kanban advocates continuous improvement and emphasizes giving everyone an explicit and clear idea of the entire process. It advocates minimum work-in-progress inventory and just-in-time production. This allows teams to bring continuous improvement to their operations […] The post Leading the KANBAN way!!! appeared first on www.quotium.com
  • DSDM Project Lifecycle

    Quotium Research Center
    18 Jul 2014 | 1:34 am
    A DSDM project consists of three key phases – the Pre-project phase, the Project lifecycle phase and the Post-project phase. Pre-project phase: In the pre-project phase, discussions happen at senior management level wherein the business problems are identified, applications (to be built) are decided, these applications are prioritized, budget is allocated for the same and […] The post DSDM Project Lifecycle appeared first on www.quotium.com