Web App Security


    Mozilla Security Blog

  • RSA Signature Forgery in NSS

    Daniel Veditz
    24 Sep 2014 | 6:29 pm
    Issue: A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your safety on the internet. Impact to Users: Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from…
  • Phasing Out Certificates with SHA-1 based Signature Algorithms

    kwilson
    23 Sep 2014 | 3:13 pm
    Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm. SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some…
  • A Faster Content Security Policy (CSP)

    ckerschbaumer
    10 Sep 2014 | 9:14 am
    With the establishment of CSP Level 2, Mozilla shifted gears and reimplemented CSP in C++. This security feature first shipped in Firefox 4 (2011), and until now was implemented in a combination of JavaScript and C++. The new implementation is based solely on C++ and without the need to connect two languages, which increases performance and simplifies the implementation. This allows us faster turnaround when deploying new features established by future layers of the CSP standard. We’re thrilled to report that CSP in Firefox now works faster than ever. Performance measurements: We…
  • Phasing out Certificates with 1024-bit RSA Keys

    kwilson
    8 Sep 2014 | 3:09 pm
    For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA). We are actively working with CAs to retire SSL and Code Signing certificates that have 1024-bit RSA keys in an effort to make the upgrade as orderly as possible, and to avoid having system administrators find themselves in emergency mode because their SSL keys were compromised. Our multi-pronged approach includes removing the SSL and Code Signing trust bits from 1024-bit…
  • Public key pinning released in Firefox

    Sid Stamm
    2 Sep 2014 | 11:28 am
    Firefox now supports built-in public key pins, which means that a shortened list of acceptable certificate authorities (CAs) for participating sites is built into Firefox. In this first stage of pinning roll-out, protected domains include addons.mozilla.org and Twitter, to be followed by Google and other sites in upcoming versions of Firefox. That means that Firefox users will be even safer when visiting Mozilla and Twitter (and soon, Google). For the full list of pinned domains and rollout status, please see the Public Key Pinning wiki. Additionally, sites may advertise their support for…

    Unmask Parasites. Blog.

  • Most Contradictive Doorway Generator

    Denis
    12 Sep 2014 | 11:57 am
    Check this thread on the WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing. The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me. First of all, this script has a random text and code generator. The output it generates is [kind of] always unique. Here are a couple of output pages: http://pastebin.com/ymwMZMWP http://pastebin.com/Y6B7WM2T ... <title>Is. Last spots brows: Dwelling. Immediately moral.</title> </head>…
  • Google -> Doorway -> Google -> Spam

    Denis
    11 Jun 2014 | 11:32 am
    Just a few thoughts about an interesting behavior of a black-hat SEO doorway. Typically hackers create doorways on compromised sites to make search engines rank them for certain keywords and then, when searchers click on the links in search results, those doorways redirect them further to a site that hackers really promote. Sometimes that redirect may go through some TDS (traffic directing service) but the whole scheme remains pretty much the same: Search results -> doorway -> beneficiary site. Today, when doing backlink research on one such pharma doorway, I encountered a different…
  • Working With the Darkleech Bitly Data

    Denis
    10 Feb 2014 | 9:08 am
    Data Driven Security took the time to analyze the raw data that I published in my recent post on Sucuri blog about how I used Bitly data to understand the scale of the Darkleech infection. In their article, they have a few questions about data formats, meaning of certain fields and some inconsistencies, so I’ll try to answer their questions here and explain how I worked with the data. So I needed to get information about all the links of the “grantdad” bitly account. I checked the API and somehow missed the “link_history” API request (it was the first time I…
  • Invasion of JCE Bots

    Denis
    27 Jan 2014 | 2:47 am
    Joomla has been one of the most popular CMSs for a long time. It powers a huge number of sites. That’s great! The flip side of this fact is that Joomla has been very popular for a long time and there are still very many sites that use older versions of Joomla as well as older versions of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share in live Joomla sites. Old versions may work well for your site but they have multiple well known security holes, so they are the low hanging fruit for hackers. Let me show this using a real world example.
  • Reporting Suspicious Styles

    Denis
    22 Nov 2013 | 8:15 am
    Back in 2008, the very first task that I created Unmask Parasites for was scanning web pages for hidden links. I read an article about thousands of WordPress blogs being stuffed with dozens of invisible spammy links. I had a self-hosted WordPress blog too and that article made me think if there was some easy way to figure out whether my blog was hacked, something less laborious than manually examining the HTML code link by link. So I decided to create a tool that would show all domains that my web pages linked to highlighting those of them that had “invisible” styles. This approach has…

    Liquidmatrix Security Digest

  • PLXsert warns of Spike DDoS Toolkit

    Bill Brenner
    24 Sep 2014 | 8:01 am
    Akamai’s Prolexic Security Engineering and Research Team (PLXsert) is tracking the spread of Spike, a new malware toolkit that poses a threat to embedded devices, as well as Linux and Windows systems. Several versions of Spike can communicate and execute commands to infected Windows, desktop Linux and ARM-based devices running the Linux operating system (OS), PLXsert said in an advisory Wednesday morning. From the advisory: Binary payloads from this toolkit are dropped and executed after the successful compromise of targeted devices, which may include PCs, servers, routers, Internet of…
  • Data Breach Victims or Enablers?

    Bill Brenner
    19 Sep 2014 | 8:28 am
    Back in May,  my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach — Home Depot and Target have been among this year’s biggest poster children — are victims. They don’t set out to put their customers’ data in danger and they probably thought they were practicing all due diligence…
  • After 9-11, Fear Made Us Stupid

    Bill Brenner
    12 Sep 2014 | 6:31 am
    Included in all the tweets and Facebook postings about the 13th anniversary of 9-11 yesterday was this from friend and co-worker Martin McKeay: Never forget 9/11 and terrorism. But don’t forget how many rights have been taken from us in the name of fighting terrorism. He’s got that right. There’s been plenty of outrage in recent years over the U.S. government running wild, violating our privacy in the name of security. The Bush Administration was rightly criticized over warrantless wiretapping. More recently, the Obama Administration and such government agencies as the NSA…
  • Exposing Gregory Evans: It Can Be Done

    Bill Brenner
    5 Sep 2014 | 6:06 am
    Thanks to the efforts of Attrition.org, we’ve known for years that LIGATT Security and Gregory Evans can’t be trusted. That article includes a long list of examples where Evans has committed plagiarism and threatened those who question his credentials as a hacker. There are court documents on the Internet that add to the evidence. I won’t go into the full summary of misdeeds here, because veteran security professionals have heard and seen it all before. Besides, I can’t do it any better than Attrition.org already has. Despite all we know about Evans, the mainstream…
  • Five security lessons from ‘Mars Attacks!’

    Bill Brenner
    28 Aug 2014 | 4:32 pm
    If you look closely, the 1996 Tim Burton film “Mars Attacks!” offers us a few security lessons. Let the following clip play as I run through some examples… Lesson 1: If you release a white dove over someone’s head before you verify who you’re dealing with, you have failed to practice due diligence. The resulting bad press could damage your brand. Lesson 2: Regarding Jack Nicholson’s speech about two out of three branches of the government still working: Layers of security may be smart, but if it’s badly configured and government-issued, it…

    Zscaler Research

  • Shellshock attacks spotted in wild [Updated Sept 26]

    Deepen Desai
    25 Sep 2014 | 6:19 pm
    [Updated Sept 26, 2014: added new analysis and exploit attempts] Background: GNU Bash is susceptible to an arbitrary code execution vulnerability (CVE-2014-6271) dubbed Shellshock. The vulnerability is due to a failure to properly handle environment variables. A remote attacker can exploit this flaw by interacting with an application that uses BASH environment variables to override or bypass
  • Malvertising campaign leading to Zemot

    Chris Mannon
    19 Sep 2014 | 1:52 pm
    Malvertising has become a serious problem for advertisers and their clients alike. Times of Israel has already been affected by such an attack. During our analysis, we discovered multiple other legitimate websites affected by the same malvertising campaign. We have informed the website owners to take action. Below is a brief timeline of the attack. A legitimate site leveraging zedo
  • Nuclear exploit kit - complete infection cycle

    Dhruval Gandhi
    18 Sep 2014 | 2:58 pm
    Zscaler ThreatLabZ has been seeing a steady increase in the Nuclear Exploit Kit (EK) traffic over the past few weeks. The detection of malicious activity performed by this EK remains low, due to usage of dynamic content and heavy obfuscation. In this blog, we will walk you through a complete Nuclear EK infection cycle with a live example. We will also share details of the identified payload,
  • RIG EK outbreak continues

    Pradeep Kulkarni
    8 Sep 2014 | 11:50 pm
    During daily data mining activities, we observe continual outbreaks of many exploit kits (EKs) such as RIG EK. Logs are monitored and analyzed to come up with new protections, which are eventually deployed in the Zscaler cloud. The dynamic nature of EKs’ landing page code presents a constant challenge in providing generic detections. We need to take a look at various aspects of EKs such as URLs
  • Nuclear Exploit Kit and Flash CVE-2014-0515

    rubin azad
    5 Sep 2014 | 8:13 pm
    For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014. Nuclear Exploit Kit targets a number of known vulnerabilities including: pdf - PDF:Exploit.PDF-JS; swf - CVE-2014-0515; jar - CVE-2012-0507. Below are the files which were

    Mozilla Hacks - the Web developer blog

  • Matchstick Brings Firefox OS to Your HDTV: Be the First to get a Developer Stick

    Shawn Bow
    30 Sep 2014 | 7:00 am
    The first HDMI streaming stick powered by Firefox OS has arrived. It’s called Matchstick and we’re looking for your help to create apps for this new device. Background: Matchstick stems from a group of coders that spent way too much time mired in the guts of platforms such as Boot to Gecko, XBMC, and Boxee. When Google introduced Chromecast we were excited about the possibilities but ultimately were disappointed when they pulled back on the device’s ultimate promise – any content on any HD screen, anywhere, anytime. We decided to make something better and more open, and to accomplish…
  • Generational Garbage Collection in Firefox

    Steve Fink
    25 Sep 2014 | 10:30 am
    Generational garbage collection (GGC) has now been enabled in the SpiderMonkey JavaScript engine in Firefox 32. GGC is a performance optimization only, and should have no observable effects on script behavior. So what is it? What does it do? GGC is a way for the JavaScript engine to collect short-lived objects faster. Say you have code similar to: function add(point1, point2) { return [ point1[0] + point2[0], point1[1] + point2[1] ]; } Without GGC, you will have high overhead for garbage collection (from here on, just “GC”). Each call to…
  • Low price smartphones – memory management and optimization on Firefox OS

    Danny Liang
    19 Sep 2014 | 4:44 am
    We know how to generate a memory footprint to debug memory leaks and to prevent abusing memory resources. Now, we would like to introduce the memory management and optimizations under the limited memory resources on Firefox OS. How to get more memory on Firefox OS? There are three types of events which can get more memory when there is not enough memory on Firefox OS: Low memory killer (LMK), Memory pressure event, Out of memory (OOM). Low memory killer (LMK): LMK is a policy to obtain memory resources by killing processes in Android; we integrate it into Firefox OS. When cache size or available…
  • Introducing fxpay for in-app payments

    Kumar McMillan
    17 Sep 2014 | 2:56 pm
    A while ago Mozilla announced navigator.mozPay() for accepting payments on Firefox OS. This was our first step toward helping developers do commerce on the web. It solved the problem of processing payments but what about the rest? Today we’re announcing an early peek at fxpay, a library for the rest of what you need as a developer to sell digital products in your app. This small JavaScript library (11kB minified) gives you some nice additional features on top of payment processing: Work with a catalog of in-app products without hosting your own server Securely verify each payment in one…
  • WebIDE, Storage inspector, jQuery events, iframe switcher + more – Firefox Developer Tools Episode 34

    Heather Arthur
    16 Sep 2014 | 9:02 am
    A new set of Firefox Developer Tools features has just been uplifted to the Aurora channel. These features are available right now in Aurora, and will be in the Firefox 34 release in November. This release brings new tools (storage inspector, WebIDE), an updated profiler, and handy enhancements to the existing tools: WebIDE: WebIDE, a new tool for in-browser app development, has been enabled by default in this release. WebIDE lets you create a new Firefox OS app (which is just a web app) from a template, or open up the code for an already created app. From there you can edit the app’s…

    Ajaxian » Front Page

  • Scaling up CSS

    Michael Mahemoff
    5 Sep 2014 | 9:05 pm
    CSS has a habit of creeping up on you. If you’re not careful, your humble stylesheet can go from a few flourishes to a giant maintenance tangle. Before you can say “12-deep nested div”, you’re in a world of duplication and complexity that prevents you from making timely user-interface updates. Medium (https://medium.com) is one organisation that’s been through the growing pains of CSS, and Jacob Thornton (“Fat”) has an in-depth case study we can all learn from. Medium’s CSS is actually pretty f***ing good is the claim and it’s hard to argue with the…
  • Mobile Proxies: A New Era Dawns

    Michael Mahemoff
    7 Mar 2013 | 6:35 pm
    This week, Chrome For Android M26 was announced. It has the literally-awesome ability to record video via `getUserMedia()`, but enough about making Skype irrelevant. What’s even more interesting is the new data compression feature. Which, to be clear, is experimental, has to be switched on, doesn’t apply to secure (SSL) sites, and is only running in the beta app. With this feature, Google will be delivering streamlined responses, leading to substantial performance improvements and bandwidth savings. In the latest Mobile Web Thursdays, Google’s Pete Le Page…
  • Here comes Traversty traversing the DOM

    jvaughan
    1 Nov 2012 | 6:59 pm
    The Traversty DOM utility has as its purpose to allow you to traverse the DOM and manage collections of DOM elements. Proponents admit core Traversty traversal methods are inspired by Prototype’s DOM Traversal toolkit, but now in a multi-element environment that is more like jQuery and less like Prototype’s single element implementation.
  • Fat Fractal enters the BaaS fray

    jvaughan
    26 Sep 2012 | 7:24 pm
    What has sometimes been described as mobile middleware has taken a new tack. Now, the idea of Backend as a Service (BaaS) has begun to take off in the mobile application development space. Proponents of BaaS say it helps developers easily build mobile apps, or any other applications connected to a cloud backend. Some of their views suggest a wholly new computer architecture is in the works. Fat Fractal is among the horses running in the BaaS stakes.
  • Windows 8 HTML5 WinRT RSS reader app

    jvaughan
    23 Aug 2012 | 7:33 pm
    WinJS is a JavaScript framework for Windows 8, and David Rousset uses it here to create a quick RSS reader. He shows how in a tutorial series. This first article shows the way to build a welcome screen that employs WinJS ListView control. Blend and CSS3 are employed. The second tutorial shows work on the detail view displayed after a click-on-item. This uses a transition animation. Time to go through the two tutorials is estimated at 30 minutes. Check out the Windows 8 HTML5 WinRT RSS reader app.

    Didier Stevens

  • Announcement: PDFiD Plugins

    Didier Stevens
    30 Sep 2014 | 2:30 pm
    I have a new version of PDFiD. One with plugins and selections. Here’s a preview:
  • Update: XORSearch With Shellcode Detector

    Didier Stevens
    28 Sep 2014 | 5:00 pm
    XORSearch allows you to search for strings and embedded PE-files brute-forcing different encodings. Now I added shellcode detection. This new version of XORSearch integrates Frank Boldewin’s shellcode detector. In his Hack.lu 2009 presentation, Frank explains how he detects shellcode in Microsoft Office documents by searching for byte sequences often used in shellcode. I integrated Frank’s methods in XORSearch, so that you can use it for any file type, not only Microsoft Office files. Frank was kind enough to give me his source code for the detection engine. However, I did not…
  • Video: PDF Creation – Public Tools

    Didier Stevens
    23 Sep 2014 | 1:27 pm
    Have you subscribed to my new video blog: videos.didierstevens.com ? If not, you missed my new video where I show my public tools to create PDFs.
  • FileScanner.exe Part 4

    Didier Stevens
    17 Sep 2014 | 5:00 pm
    Please read part 1, part 2 and part 3 for more info. A few remarks for people having issues running my program. Folder Release contains a 32-bit executable that requires the Visual C++ Redistributable Packages for Visual Studio 2013. Folder Release CRT contains a 32-bit executable with embedded C runtime; it does not require the redistributable. Folder x64 contains 64-bit executables. I included a rule file as an example, filescanner-analysis-01.txt: #Comment exhaustive PK:start:str=PK $META:icontent:str=MANIFEST.MF JAR:and:PK $META CLASS:start:CAFEBABE MZ:start:4D5A PDF:start:str=%PDF-…
  • FileScanner.exe Part 3

    Didier Stevens
    16 Sep 2014 | 5:00 pm
    FileScanner.exe is a new Windows tool I developed. Read part 1 and part 2 for more info. To let you choose the files filescanner will scan, you can provide the following arguments: filename, @filename, folder and ?f:. Filename and folder are self-descriptive. When you pass argument @filename, filename is a text file that contains filenames to scan. ?f: stands for all fixed drives on the machine, for example: C:\ D:\. You can provide more than one argument. To scan the subfolders of a folder you provided, use option -s. By default, FileScanner provides the following information for scanned…

    CERIAS Combined Feed

  • Sensors Everywhere Could Mean Privacy Nowhere, Expert Says

    CERIAS Webmaster
    18 Sep 2014 | 5:34 am
    Eugene Spafford, professor of computer science at Purdue University and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS), says the so-called “Internet of Things” will see small microprocessors and sensors placed seemingly everywhere, and these devices will collect much data about us - often without our knowledge.
  • National Cyber Security Hall of Fame announces Final Selectees for the Class of 2014

    CERIAS Webmaster
    10 Sep 2014 | 7:25 am
    PRESS RELEASE - Baltimore, MD (September 1, 2014) (http://www.cybersecurityhalloffame.com/) Mike Jacobs, Chairman of the Advisory Board for the National Cyber Security Hall of Fame, released the names of 5 innovators who will be enshrined in the Hall of Fame on Thursday, October 30th at a gala at the Four Seasons in Baltimore. In announcing the inductees, Jacobs, the first Information Assurance Director for the National Security Agency (NSA) and a respected cybersecurity consultant to government and industry said, “these honorees continue to advance our goal of “respecting the past” in…
  • CERIAS Researchers Win Student Paper Award

    CERIAS Webmaster
    26 Aug 2014 | 11:23 am
    CERIAS researchers won the Best Student Paper award at the 23rd USENIX Security Symposium, a top-tier computer systems security conference. The paper, “DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse,” was co-authored by Ph.D. students Brendan Saltaformaggio and Zhongshu Gu, with CS Professors Xiangyu Zhang and Dongyan Xu. This award was presented at the conference on August 20 in San Diego. (Photo: Brendan Saltaformaggio accepting the award from Dr. Kevin Fu, Chair of the conference.) Figure 1. DSCRETE is a memory forensics tool for…
  • Videos from the 15th Annual CERIAS Symposium

    Gene Spafford
    11 Jul 2014 | 1:30 pm
    We are now releasing videos of our sessions at this year’s CERIAS Symposium from late March. We had a fascinating session with David Medine, chair of the PCLOB discussing privacy and government surveillance with Mark Rasch, currently the CPO for SAIC. If you are interested in the issues of security, counterterrorism, privacy, and/or government surveillance, you will probably find this interesting: https://www.youtube.com/watch?v=kHO7F8XjvrI We are also making available videos of some of our other speakers — Amy Hess, Exec. Deputy Director of the FBI; George Kurtz, President & CEO of…
  • Update on “Patching is Not Security”

    Gene Spafford
    9 Jul 2014 | 12:09 pm
    A few weeks ago, I wrote a post entitled “Patching Is Not Security.” Among other elements, I described a bug in some Linksys routers that was not patched and was supporting the Moon worm. Today, I received word that the same unpatched flaw in the router is being used to support DDOS attacks. These are not likely to be seen by the owners/operators of the routers because all the traffic involved is external to their networks — it is outbound from the router and is therefore “invisible” to most tools. About all they might see is some slowdown in their connectivity. Here’s some of the…

    Security Bloggers Network

  • 2 Apple security fumbles: Random MAC and Password Prediction

    Lance Cottrell
    30 Sep 2014 | 1:45 pm
    Apple is getting taken to task for a couple of security issues. First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to […]
  • System Center Support for Windows 10

    Windows IT Pro
    30 Sep 2014 | 1:43 pm
    Microsoft has added additional support information for Windows 10 and System Center Configuration Manager.
  • You Can Now Watch the Windows 10 Info Launch for Yourself

    Windows IT Pro
    30 Sep 2014 | 1:22 pm
    Not available as a live streaming event, the Windows 10 information showcase is now available for replay.
  • Three Reasons to Attend our Upcoming WAF Webinar

    Diane Garey, Product Marketing
    30 Sep 2014 | 1:01 pm
    Web application security is important. Just in the past month, we’ve seen significant web breaches at JP Morgan Chase, healthcare.gov and one of my favorite websites, Fiverr. WAFs can help protect your web applications but you need to use them effectively. Join our upcoming webinar to get good …
  • When Good Federation Goes Bad

    Windows IT Pro
    30 Sep 2014 | 12:16 pm
    There are good and bad ways to implement single sign on to SaaS providers. The bad way will train users to avoid it. Like most people, I like getting a good deal. I'm also not much of a cook. What do these two r...

    blog.hotspotshield.com

  • Shellshock Could be a Bigger Threat Than the Heartbleed Bug

    Peter Nguyen
    29 Sep 2014 | 11:21 pm
    Back in April, the Internet was reeling from the threat of Heartbleed, a bug that targeted OpenSSL encryption and stole up to 64kb of data at a time. Millions of users and companies were affected by the bug, and 40 percent of Internet users actively changed their passwords when news of the vulnerability broke. Today, there’s a new threat. Shellshock, a Bash Bug, is leaving Mac users, and Linux, Ubuntu, and other systems vulnerable to attack. What is a Bash Bug? A computer’s shell is a way for the user to send requests or communicate with a computer, and bash is actually an acronym…
  • Your Search History Could Be Driving Up the Cost of Your Next Vacation!

    Peter Nguyen
    25 Sep 2014 | 11:21 pm
    There are few things quite as satisfying as securing a great travel deal. You’re giddy with excitement as you anticipate your upcoming journey. But did you know that someone else had just bought an identical seat on the same flight or secured a similar room in the same hotel and paid a whole lot less for it, just because they had been browsing different websites? Could your browser history really stand in the way of securing the best travel deals? It doesn’t sound fair, but experts say that it’s happening more often than you’d think. How Different are the Prices? According to USA…
  • Could Google’s Project Zero Make the Internet More Secure?

    Peter Nguyen
    22 Sep 2014 | 11:57 pm
    The Internet is a dangerous place. There are all kinds of malware that could infect your devices and steal your data and info. Google’s Project Zero aims to make the Internet more secure so that users have less worry about the bad guys of cyberspace. What exactly is Project Zero, and will it really help? Project Zero: The Idea Behind It. In mid-July, Chris Evans of Google said on the company’s security blog, “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your…
  • Hackers Are Using Cameras to (Unsuccessfully) Mine Bitcoins

    Peter Nguyen
    17 Sep 2014 | 11:09 pm
    Cybercriminals have recently taken a fresh approach at hacking into user devices, branching out into the Internet of Things to attack security cameras. Although the implications are disturbing, this first attack turned out to be a fairly harmless and largely ineffective attempt to mine bitcoins. What is Bitcoin Mining? Bitcoins are a popular form of digital currency widely used among criminals, digital and otherwise. While there’s nothing illegal about the bitcoins themselves, their very nature draws an unsavory audience. Bitcoins are virtually untraceable, making them a preferred method of…
  • 5 Million Gmail Passwords Leaked: Was Yours One of Them?

    Peter Nguyen
    15 Sep 2014 | 11:28 pm
    Media outlets were abuzz recently with news that millions of Gmail passwords were leaked online. The story is enough to send the 425 million active Gmail users into a tailspin, but it’s important to keep calm and look at the facts. Could your password be one of those compromised? And even if you weren’t a victim this time, how can you protect your email account in the future? What Actually Happened? On September 10, the passwords of approximately five million Gmail accounts were posted on a Russian Bitcoin security forum. Google, which owns the Web-based email service, insists its…
    Quotium

  • State of Application Security Survey

    Quotium Research Center
    24 Sep 2014 | 1:19 am
    The post State of Application Security Survey appeared first on www.quotium.com
  • Partnerships and Integrations

    Quotium Research Center
    22 Sep 2014 | 12:59 am
    More partnerships and integrations coming soon… Version One is a leading agile development management software provider. Quotium Seeker has the ability to open defects directly in Version One based on the findings from a test. In an agile environment, it is important to be able to manage the different aspects of the project from one […] The post Partnerships and Integrations appeared first on www.quotium.com
  • Scrum Vs Kanban

    Quotium Research Center
    20 Sep 2014 | 4:52 pm
    Scrum and Kanban are both widely used methodologies in AGILE. Practitioners of both speak a lot on the positives of the respective methodologies and share success stories. People often try to evaluate the two and make a judgment about which one is better. In this article I have tried to discuss some visible differences between […] The post Scrum Vs Kanban appeared first on www.quotium.com
  • Extracting Information from the web logs

    Quotium Research Center
    20 Sep 2014 | 4:47 pm
    Every team wants to reproduce a production-like performance test so as to surface the maximum number of issues that could be observed in the production environment. Running a production-like performance test is every performance test manager’s dream. But it is no cake walk. To execute such a test, a lot of factors […] The post Extracting Information from the web logs appeared first on www.quotium.com
  • Scaling up or scaling out

    Quotium Research Center
    20 Sep 2014 | 4:37 pm
    To manage increasing load / performance requirements, scaling the infrastructure often becomes an essential activity. This can be achieved through two options. Scale up: increasing the capabilities of the existing infrastructure and system. Scale out: increasing the number of boxes / servers in the system (or infrastructure). While designing the application and […] The post Scaling up or scaling out appeared first on www.quotium.com