Software

Home Invasion: Home Routers May Be The Next Big Hack

Most of us have broadband at home. It’s always there. It works and, for the most part, we don’t think about it until it goes down. Our amnesia extends to the humble home gateway or broadband router that is our connection to the global Internet. That piece of CPE (or customer-premises equipment) probably sits on our desk, or down in our basement gathering dust. Strong password? Meh. Firmware update? Hey, ‘if it ain’t broke…don’t fix it!” But all those small, insecure devices could add up to a major security crisis for users and their Internet Service Provider (ISP), according to researchers at the firm IOActive. Writing on the IOActive blog, researchers Ehab Hussein (@_obzy_) and Sofiane Taimat (@_sud0) say that millions of  vulnerable home routers and gateways are vulnerable to trivial attacks. Those devices could be harnessed by cyber criminal groups, state-backed actors or hacktivists for malware distribution, spam or […]

Continue Reading

Welcoming A New Sponsor: The Trusted Computing Group!

The Security Ledger is a new, online publication that’s serious about reporting on security and “The Internet of Things.” While we’ve had tremendous success in our first six months of operation, any new endeavor involves some risk. That’s why I’m thrilled to have had the backing of some forward-looking sponsors: Qualys and Veracode. And today, I’m happy to add a new name to that list: The Trusted Computing Group (TCG). For those of you who aren’t familiar with TCG, its best known as the group behind the Trusted Platform Module (TPM) secure, cryptographic chip that ships with almost every modern desktop and notebook PC. The TPM assures a hardware-based root of trust on compliant system, allowing TPM-equipped systems to securely generate cryptographic keys that can authenticate each endpont for use in secure, online transactions and communications. But TCG actually does a lot more. As a security beat reporter, for example, I […]

Continue Reading

D.C. Insider Site NationalJournal.com Serving Malware

Watering hole -style attacks are all the rage these days, as our recent coverage on the attacks against Facebook and Twitter suggest. That makes us look askance at any report of a web site compromise – especially at a site that’s known to serve an audience that’s of interest to sophisticated, nation-state backed hacking crews.   That’s why it caught our attention this week that the web site for the DC-insider magazine The National Journal (nationaljournal.com) was found serving malware. According to a blog post by Anup Ghosh at the security firm Invincea, The National Journal’s Web site was serving up attacks to visitors of the site on Tuesday. The discovery was surprising, as the magazine acknowledged an earlier compromise on February 28th and said that it had since secured its site. That National Journal, part of The Atlantic Media Company, is widely read within Washington D.C.’s political circles. It […]

Continue Reading

Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple

The attacks that compromised computer systems at Facebook, Twitter, Apple Corp. and Microsoft were part of a wide-ranging operation that relied on many “watering hole” web sites that attracted employees from prominent firms across the U.S., The Security Ledger has learned. The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Still other watering hole web sites used in the attack weren’t specific to mobile application developers – or even to software development. Still, they served almost identical attacks to employees of a wide range of target firms, across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation. More than a month after the attacks came to light, many details remain under tight wraps. Contacted by The Security […]

Continue Reading

With $Pi Million At Stake, Chrome Withstands Hacker Assault

With $3.14159 million in prize money at stake, Google’s Chrome OS has withstood attempts to hack it in the company’s semi-annual Pwnium contest in Vancouver, a Google spokeswoman told The Security Ledger. In a statement Thursday, Google spokeswoman Jessica Kositz said that the company did not receive any winning entries during the day-long contest, but that the company is evaluating work that may qualify for a partial prize:  a potentially infinite series of Google Wallet transfers in the amounts:  $1 followed by $.50 followed by $.25 followed by $.125 and so on. OK – We made that last part up. Pwnium runs alongside the better known pwn2own contest at CanSecWest. This year, Google is providing funding for both contests. However, in 2012 the company pulled its support for pwn2own, objecting to the lack of a requirement of “responsible disclosure” – in which entrants must disclose the details of their exploits to the […]

Continue Reading
1 117 118 119 120 121 123