2014

article thumbnail

Internet Bug Bounty issues its first $10,000 reward

Scary Beasts Security

One of my side projects is as an adviser and panelist for the non-profit Internet Bug Bounty (IBB). We recently added Adobe Flash Player as in scope for rewards. Earlier today, David Rude collected $10,000 for a vulnerability recently fixed in APSB13-28. My thoughts on this are too long to fit into a tweet, so I summarize them here: This shows that the IBB is serious about rewarding research which makes us all safer. $10,000 is a respectable reward by modern bug bounty program standards.

article thumbnail

Find the Next Heartbleed-like Vulnerability

NopSec

Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low, Heartbleed has definitely been one of the most severe security events the Internet has never seen. It is found in the Open SSL cryptographic software library, which is omnipresent on the Internet, and it exploits a buffer over-read weakness in the library, a situation where more data can be read than should be allowed ( [link] ).

Risk 52
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Kali & NetHunter Security Release Fixes

Kali Linux

Squash the Bugs with Kali 1.0.9a Over the past couple of weeks, we’ve seen a bunch of nasty bugs hit the scene, from shellshock to Debian apt vulnerabilities. As we prefer not to ship vulnerable ISOs, we’ve rolled up new images for our Kali Linux and NetHunter releases as well our Amazon AWS images with the relevant security fixes in place.

article thumbnail

Cloud Data Protection Investment for Spinbackup

Spinone

Spinbackup is a premier Cloud-to-Cloud Backup Cloud Cybersecurity solutions provider for G Suite and Office 365. The company is an authorized Google Partner featured on the G Suite Marketplace, and an Advanced Technology Partner of Amazon. Over 1,000 organizations with more than 150,000 G Suite users and 20,000 individual Google users currently rely on Spinbackup. […] The post Cloud Data Protection Investment for Spinbackup first appeared on SpinOne.

Backups 52
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

The IT Security Easy Button – Making Complicated Customer Conversations Easy

CompTIA on Cybersecurity

The Security Assessment Wizard — a new tool from CompTIA currently available to premier members — lets you walk customers and prospective clients through the gaps in their security profile. Using the tool positions you as a security expert attuned to the needs of business while simultaneously positioning you for sales. It’s an easy button we can all use.

52
article thumbnail

Choose the right sharing icon to boost user engagement

Elie

What’s the best icon to entice people to share something through their social networks? It turns out to be the one used on Android. While this may contradict guidelines proposed by some designers, this conclusion is based on the results of a survey of 7,500 users.

48

More Trending

article thumbnail

Using ASAN as a protection

Scary Beasts Security

AddressSanitizer, or ASAN , is an excellent tool for detecting subtle memory errors at runtime in C / C++ programs. It is now a productionized option in both the clang and gcc compilers, and has assisted in uncovering literally thousands of security bugs. ASAN works by instrumenting compiled code with careful detections for runtime errors. It is primarily a detection tool.

article thumbnail

Projecting Your Burp

NopSec

If you’re a security researcher or penetration tester you’re probably already well aware of the extensive array of tools available to help you. OpenVAS , Qualys, Nessus, Arachni, Burp, Wapiti, Skipfish, w3af … the list goes on and on. Choosing which tool to use may not be a simple task and should wind up raising even more questions to be answered. What are you looking to accomplish?

article thumbnail

Poodle SSLv3 vulnerability: What it is, how to discover it, how to defend against it

NopSec

Google security researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz recently uncovered a vulnerability in SSL 3.0 that could allow secure connections to be compromised by attackers. The researchers are calling the attack POODLE, or Padding Oracle On Downgraded Legacy Encryption. “SSL 3.0 is nearly 18 years old, but support for it remains widespread,” Moller wrote in a blog post describing the issue. “Most importantly, nearly all browsers support it and, in order to

article thumbnail

Are the clouds in the sky rebooting?!

NopSec

If you are like us at NopSec one of the companies that operators on Amazon AWS cloud, this past couple of days resembled a lot more a perilous path. A series of reboot of the entire Amazon cloud forced us and most AWS-based cloud providers to spend long hours in the office or remotely to make sure things were in order after the reboot. “These updates must be completed by Oct. 1 before the issue is made public as part of an upcoming Xen Security Announcement (XSA),” according to the A

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

Kali Linux 1.0.8 Release with EFI Boot Support

Kali Linux

The long awaited Kali Linux USB EFI boot support feature has been added to our binary ISO builds, which has prompted this early Kali Linux 1.0.8 release. This new feature simplifies getting Kali installed and running on more recent hardware which requires EFI as well as various Apple Macbooks Air and Retina models. Besides the addition of EFI support, there is a whole array of tool updates and fixes that have accumulated over the past couple of months.

article thumbnail

Lessons Learned from Data Breaches at Universities

NopSec

No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and the University of North Dakota cumulatively impacted over 750,000 students, alumni, faculty and staff. In the case of higher educational institutions there is data exposure risk from personally identifiable information, such as social security numbers.

article thumbnail

Kali Linux 1.0.7 Release

Kali Linux

Kernel 3.14, Tool Updates, Package Improvements Kali Linux 1.0.7 has just been released, complete with a whole bunch of tool updates, a new kernel, and some cool new features. Check out our changelog for a full list of these items. As usual, you don’t need to re-download or re-install Kali to benefit from these updates - you can update to the latest and greatest using these simple commands: apt-get update apt-get dist-upgrade # If you've just updated your kernel, then: reboot Kali Linux En

article thumbnail

Passing the Hash with Remote Desktop

Kali Linux

Kali Linux contains a large number of very useful tools that are beneficial to information security professionals. One set of such tools belongs to the Pass-the-Hash toolkit, which includes favorites such as pth-winexe among others, already packaged in Kali Linux. An example of easy command line access using pth-winexe is shown below. We constantly strive to include new, useful tools to our repositories.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

How to Nuke your Encrypted Kali Installation

Kali Linux

There’s been a fair amount of discussion around the recently introduced LUKS nuke patch we added to the cryptsetup package in Kali Linux. We wanted to take this opportunity to better explain this feature, as well as demonstrate some useful approaches which are worthwhile getting to know. LUKS Nuke in a Nutshell As explained well By Michael Lee in his ZDNet article , when creating an encrypted LUKS container, a master key is generated at random.

article thumbnail

Kali Linux 1.0.6 Release

Kali Linux

Kernel 3.12, LUKS nuke, Amazon AMI / Google Compute images and more! It’s been a while since our last minor release which makes 1.0.6 a more significant update than usual. With a new 3.12 kernel, a LUKS nuke feature , new Kali ARM build scripts , and Kali AMAZON AMI and Google Compute image generation scripts , not to mention numerous tool additions and updates - this release is really heavily laden with goodness.

article thumbnail

Emergency Self Destruction of LUKS in Kali

Kali Linux

Kali Linux Full Disk Encryption As penetration testers , we often need to travel with sensitive data stored on our laptops. Of course, we use full disk encryption wherever possible, including our Kali Linux machines, which tend to contain the most sensitive materials. Setting up full disk encryption with Kali is a simple process. The Kali installer includes a straightforward process for setting up encrypted partitions with LVM and LUKS.

article thumbnail

Together, we can make a difference

Scary Beasts Security

A couple of weeks back, I released a popular spreadsheet which lists many of the Adobe Flash Player 0-days used to harm people in the wild since 2010. I counted 18 and countless kind Twitterers pointed out some I may have missed. It was an interesting exercise, of course with an ulterior motive! Looking beyond the raw counts, the spreadsheet shouts two items: We should want to make a difference.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Exile for the BBC Micro; some elegant solutions

Scary Beasts Security

[Prelude: sorry, this has nothing to do with security whatsoever. Feel free to bail now if you're not interested in a classic 1980's game, and rest assured that non-security posts to this blog will remain extremely rare.] The BBC Micro game Exile , released in 1988, has a realistic claim for the best game ever. I lost months of my youth to this game.

article thumbnail

Survey: most people don't lock their android phones - but should

Elie

Half of Android users don’t bother to lock their phones, despite having the choice of using patterns, passwords, PINs, and even their faces to secure their devices. This contrasts starkly with a report from the Federal Communications Commission warning that up to 40 percent of robberies in major cities involve cell phones. More precisely, over 52 percent.

article thumbnail

Phone screen size: bigger isn't always better

Elie

Marketers agree: screen size is a top priority for anyone shopping for their next cell phone but my new consumer survey challenges this conventional wisdom.

article thumbnail

Using big data to understand users' privacy concerns

Elie

Worries about big data and privacy are all over the news, but our new research shows that big data can also help better understand users' privacy concerns.

article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Hacking 48
article thumbnail

Predicting a Hearthstone opponent’s deck using machine learning

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

article thumbnail

Pricing hearthstone cards with unique abilities: VanCleef and The Twilight Drake

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

article thumbnail

How to find undervalued Hearthstone cards automatically

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

How to appraise Hearthstone card values

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

article thumbnail

Meaning matters: why google switched to numeric captchas

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

article thumbnail

Security Doom Scenarios….OK….name your passwords’ directory “Password”

NopSec

Usually I am not particularly a big fan of security doom scenarios, but looking at this week’s security news and the usual New Year’s security predictions I have to admit that I grew a bit concerned about the overall info security outlook. Here is the canvas: Sabotage attacks from Iran targeting US industrial control systems and critical infrastructure modeled after Stuxnet, Duqu, and Wiper are growing in frequency.

article thumbnail

Take Your XSS and POST It

NopSec

Parameter injection is one of the most common classes of web application vulnerabilities exploited in the wild. This class of vulnerability implies that attackers inject known malicious strings into Hypertext Transfer Protocol (HTTP) request parameters in an attempt to cause unexpected application behavior. This class of vulnerability encompasses a large variety of attack methods including, but not limited to, cross-site scripting (XSS), SQL injection (SQLi), local file includes, and path trav

article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.