Feed aggregator

More Trouble For jQuery As Second Compromise Reported

Threatpost for B2B - Wed, 09/24/2014 - 14:40
The website for JavaScript library jQuery is under attack for the second time in a week.

Travel Site Viator Announces 1.4 M Implicated in Breach

Threatpost for B2B - Wed, 09/24/2014 - 14:08
Travel website Viator.com is in the middle of notifying approximately 1.4 million of its customers that their personal information – payment card data included – may have been compromised.

Health Insurance Marketplaces Could Improve Information Security

Threatpost for B2B - Wed, 09/24/2014 - 12:18
The marketplaces set up to provide health insurance to Americans under Obamacare are generally doing a good job of protecting personally identifiable information but can also improve security practices.

September's 3x CON: Part 2

Secure List feed for B2B - Wed, 09/24/2014 - 12:00

What, Where & When: The 0x07th edition of SEC-T, an annual Stockholm-based conference, was held on 18-19 September at the stunning Anrika Nalen venue, just a 15 minute walk from the famous Gamla Stan.

The Schedule
This conference features only one track of presentations, which – in my opinion – is quite a good thing, because you don't have to make any difficult choices This year, besides the regular full-time presentations, the agenda included a couple of 30-minute long "small talks" as well as a bunch of lightning talks of 10-20 minutes each.

SEC-T badge

The Talks
The conference kicked off with an excellent speech given by the founder of Recurity Labs, Felix "FX" Lindner, who has proven that an opening keynote doesn't necessarily have to be boring. After lunch, Andreas Lindh presented some really cool attacks on broadband modems, including DNS poisoning and attacks that exploit CSRF vulnerabilities to send or manipulate SMS messages. This was certainly one of my favourite talks, together with the really scary presentation given by Hugo Teso on aviation security. It's terrifying how easily an experienced hacker can exploit aviation protocols and avionics systems to change the on-board system configuration, including changes to the flight path!

The keynote

Amongst other talks, Meredith L. Patterson highlighted some pressing issues concerning the APIs of popular software, but, apparently, not everybody agrees with her highly-critical point of view. At the beginning of the second day, my colleague, David Jacoby, gave an entertaining presentation on how he hacked his home, including successful attacks on his NAS storage, ISP provided router, smart TV and other devices he found connected to the Internet.

Last, but not least, there were also some short but interesting lightning talks from a number of speakers (including myself :)) on topics such as URL parsing, hard drive cryptography and breaking out of the AngularJS sandbox. I did a short presentation about my background research on the current threat landscape for SOHO devices, which turned out to be quite in line with the conference's theme, featuring research on vulnerabilities in the so-called Internet-of-Things.

The Crew

In conclusion, this was a really nice conference, profiting from its one-track only schedule, very high-quality presentations and unique atmosphere. Congrats to the whole SEC-T crew – really good job, guys! And see you all next year!

Mozilla Latest to Part Ways With SHA-1

Threatpost for B2B - Wed, 09/24/2014 - 11:30
Mozilla announced that it will begin phasing out support for SHA-1 certificates, and will no longer trust them after Jan. 1, 2017.

Microsoft Starts Online Services Bug Bounty

Threatpost for B2B - Tue, 09/23/2014 - 15:52
Microsoft today launched the Microsoft Online Services Bug Bounty Program which will pay out a minimum of $500 for vulnerabilities found in its cloud services such as Office 365.

High-Volume, High-Rate DDoS Attacks Persist

Threatpost for B2B - Tue, 09/23/2014 - 15:12
A new report illustrates the continued proliferation of both high-volume and high-rate distributed denial of service attacks, like the ones executed via NTP amplification, over the last few months.

JQuery Website Redirecting to RIG Exploit Kit

Threatpost for B2B - Tue, 09/23/2014 - 15:01
jQuery.com, website for the popular jQuery JavaScript library, is redirecting visitors to a site hosting the RIG exploit kit, security company RiskIQ said.

Blackphone Gets Bug Bounty Program Off Ground

Threatpost for B2B - Tue, 09/23/2014 - 12:10
Secure smartphone manufacturer Blackphone announced today that it has launched a bug bounty program hosted on the Bugcrowd platform.

Malware-Laced Emails Appear to Come From LogMeIn

Threatpost for B2B - Tue, 09/23/2014 - 11:10
Spam emails pretending to be a security update for LogMeIn users, including a new security certificate countering Heartbleed attacks, are making the rounds, warns the SANS Institute.

September's 3x CON: Part 1

Secure List feed for B2B - Tue, 09/23/2014 - 10:11

What, Where & When: the 4th edition of 44CON, an annual IT Security Conference organized by Sense/Net Ltd, took place on 10-12 September in London, at a venue near the Earl's Court exhibition center. Geeks, who happened to enjoy somewhat spooky historical monuments, could take a five minute walk from the venue to visit an old and impressive cemetery, one of the London's Magnificent Seven.

The Schedule this year was packed with three tracks of (mostly) 1h long presentations within a wide range of topics: from social engineering to exploitation techniques, from crypto-currencies to IoT related threats, to GSM hacking. Some amazing workshops were running simultaneously in rooms that were bearing the familiar names of AES, 2DES and Blowfish.

44CON Badge: BusBlaster v3

This year's Badge is not only extremely handsome, but also may turn out to be very handy, at least for hardware-oriented researchers, as it happens to be a BusBlaster v3 board, especially customized for 44CON (you can find the full specification here). This small cute thingy can be used to program and debug embedded ARM devices.

The Talks
With so many things going on simultaneously, it was impossible to fully attend even a third of them. Moreover, the online schedule didn't include the description of the talks, so in some cases choosing the right track in advance was kind of a lottery. Nevertheless, the overall quality of presentations was so high, that no matter which talks you chose, you always ended up with some new, valuable information.

Joshua J. Drake on the stage

From the selection of very good talks I attended, here are my favourite ones:

  • "Researching Android devices security with the help of a droid army", by Joshua J. Drake (@jduck) in which – in a quite entertaining way – Joshua explained how and why he built his research lab, capable of testing 40+ Android devices at the same time. I was really impressed by the framework Joshua invented for managing his "droid army".
  • "I hunt TR-069 Admins: pwning ISPs like a boss", by Shahar Tal (@jifa). This talk was especially interesting to me, as I'm currently involved in researching threats for small network devices, such as residential gateways (aka SOHO routers), from which a fair share is using the TR-069 protocol to talk to the ISP's Auto Configuration Servers. It turns out (not really surprisingly, if you ask me), that this protocol is poorly secured and highly vulnerable, and might be exploited in a way that could affect a whole set of devices. And the worst thing about it is that the average user can't do much to improve the security of their network, even if they have sufficient knowledge. Most of the responsibility lies with the service providers, together with hardware vendors, who don't seem concerned enough about security issues...
  • "On Her Majesty's Secret Service: GRX and Spy Agency", by Stephen Kho and Rob Kuiters. This quite an intriguing talk on how and why GCHQ hacked the Belgian GRX provider was given by experts from the KPN CISO team and concluded the 2nd day of the conference. The first part of the talk was a technical description of the GRX protocol, it's functionality and weaknesses, and which kind of information can be leaked; in the second part the speakers presented the results of "extensive network scanning" that they conducted during the last several months. It's really scary that there are a lot of devices running vulnerable and *terribly* outdated software on GRX networks.

Socializing at 44CON

The Networking has been made easier with Gin O'Clock, a one-hour break in the afternoon schedule (on both conference days), which was especially dedicated for human interaction and socialization in the intimate atmosphere of the conference bar. A traditional red double-decker bus was there to provide British ale, cider and Pimm's; every attendee was also offered a free glass of gin & tonic.

Some of The Materials have already been published and they are available at Slideshare.

Overall, The Experience was really great and we are looking forward to attending the next 44CON in 2015!

Charney on Trustworthy Computing: ‘I Was the Architect of These Changes’

Threatpost for B2B - Tue, 09/23/2014 - 08:53
Scott Charney, the head of Microsoft’s Trustworthy Computing efforts, said that he was the one who decided it was time to move the TwC group in a new direction and integrate the security functions more deeply into the company as a whole. “I was the architect of these changes. This is not about the company’s […]

Researcher Discloses Wi-Fi Thermostat Vulnerabilities

Threatpost for B2B - Mon, 09/22/2014 - 15:14
Digital thermostat maker Heatmiser is in the process of contacting its customers about a series of security issues that could open a Wi-Fi connected version of its product to takeover.

Kyle and Stan Malvertising Network Nine Times Bigger Than First Reported

Threatpost for B2B - Mon, 09/22/2014 - 14:11
The Kyle and Stan malvertising network has compromised more than nine times as many domains as originally reported two weeks ago.

Fitness App Patches Privacy Vulnerability

Threatpost for B2B - Mon, 09/22/2014 - 12:04
Details of a patched privacy vulnerability in MyFitnessPal, a popular fitness and nutrition mobile application, were disclosed this week, three months after a fix was deployed.

Productivity Gains Trumping Security as BYOD Grows

Threatpost for B2B - Mon, 09/22/2014 - 08:00
A new study from Raytheon and the Ponemon Institute paints a grim picture for BYOD security, but one expert sees some straightforward solutions to implementing BYOD securely.

New Research Refines Security Vulnerability Metrics

Threatpost for B2B - Fri, 09/19/2014 - 14:23
Research from the University of Maryland proposes new security metrics that can help enterprises understand risks to their products and prioritize patching and vulnerability management.
Syndicate content