encryption

Application Security ‘Precrimes’ Report: SQL Injection, Crypto Hacks in 2013

We have plenty of industry-provided reports that tell us what happened in the past. The annual Verizon Databreach Investigations Report is due out any day, providing data on breaches investigated by that company’s incident response professionals, as well as information from law enforcement agencies around the world. And, with the first quarter gone, its safe to assume that similar reports will follow from Symantec and others.   But what about the threats for 2013? That’s where Veracode’s State of Software Security (SoSS) report comes in. Released to the public today, SoSS documents the kinds of software vulnerabilities that company found during 2012. And, where there are vulnerabilities, there will be attacks, Veracode CTO Chris Wysopal says. So what’s on tap for 2013? SQL injection attacks are likely to be one of the main attack types against web-based applications this year, as they were last year, Veracode says. That’s because SQL […]

EverNote Latest Site Hacked In Coordinated Attack

The online personal and business productivity service Evernote.com said on Saturday that it is the victim of a hack that exposed encrypted user password information, forcing password resets across a broad swath of the service’s 50 million registered users. The Redwood City, California-based firm revealed in a blog post that its internal security team discovered “suspicious activity on the Evernote network” that “appears to have been a coordinated attempt to access secure areas of the Evernote Service.” The company said it sent password reset messages to its users as a “precaution” but didn’t believe that stored information in users’ accounts or payment information had been exposed. The hack is just the latest of a prominent online firm. In recent weeks, Twitter, Facebook, Apple and Microsoft have all reported compromises of their internal networks. Those intrusions were linked to attacks aimed at developers and relied on exploits of previously unknown “zero day” […]

Bit9 Defends Response To Hack, Promises More Details

The security firm Bit9 defended its response to a hack of its own network last week and promised to release more information to the public about what happened – just not quite yet. In a blog post dated Saturday, February 9, the company’s CTO, Harry Sverdlove, said that the company responded promptly to the attack and contacted customers as soon as it completed its own investigation of the hack, which allowed unknown assailants to sign malicious programs using a Bit9 code signing server. That malware was subsequently released on networks of Bit9 customers. Sverdlove said the company’s “first and foremost priority was to inform our customers quickly and directly,” and that the company did so “as soon as we understood and had mitigated the attack, and we were able to provide actionable advice.” The blog post by Sverdlove, just a day after a post by Bit9 CEO Patrick Morley that disclosed […]

Researchers: Hole In TLS Encryption Could Expose Secure Web Sessions

Researchers at the University of London are going public with a paper that claims to have found a flaw in the specification for Transport Layer Security (TLS) that could leave supposedly secure Web, IM, VoIP and other online sessions exposed to prying eyes. The researchers, Nadhem Al Fardan and Kenny Patterson of the Information Security Group at Royal Holloway, University of London said that the security hole stem from a flaw in the TLS specification, rather than a bug in how TLS is implemented. The two researchers have developed proof of concept attacks that take advantage of the flaw, and that could be used to recover a complete block of TLS-encrypted plaintext, the researchers said. Al Fardan is a Ph.D student in the Information Security Group. Patterson is a professor of Information Security there. The two have  discovered other, serious holes in TLS before. Notably: the two discovered a critical […]