Search Results for "third party software"

BitSight: A Equifax For Security Risk?

I’ve opined in these pages and elsewhere that one of the big problems in the IT security space is the absence of actionable data. After all, problems like denial of service attacks, network compromises and inadvertent data leaks are all just risks that organizations and individuals must grapple with in our increasingly wired world. True – they’re new kinds of risks, but otherwise they’re not fundamentally different from problems like auto accidents, property crime or illness – things  that we do a good job accounting for. The difference, as I see it, is an absence of accepted and independent means of assessing the relative security posture of any organization. IT security is still so much dark magic: we rely on organizations to tell us about how secure they are. Organizations, in turn, rely on a complex and patchy network of security monitoring and detection tools, then try to read the […]

Continue Reading

With Settlement, FTC Issues Warning On IP-Enabled Cameras

The U.S. Federal Trade Commission (FTC) made one of its strongest statements to date on the issue of consumer privacy in the fast-emerging market for “smart” electronics: settling a complaint with the maker of SecurView, a line of home surveillance cameras that, it turned out, were just as easily used to spy into the homes of SecurView customers. In a statement on Wednesday, the FTC said that it settled a complaint against TRENDnet, the maker of the SecurView home security cameras. The FTC had charged the Torrance, California company with misrepresenting the security of its products. TRENDnet sold “faulty software that left (the cameras) open to online viewing” by anyone who knew the device’s IP address. Under the terms of its settlement with the Commission, TRENDnet must stop misrepresenting the “security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit,” as well as “the extent […]

Continue Reading

Microsoft Bug Bounties Flowing To Googlers

Two Google employees earned the distinction of receiving some of the first monetary rewards (a.k.a. “bounties”) issued under the company’s newly minted bounty program. Fermín Serna, a researcher in Google’s Mountain View, California headquarters, told The Security Ledger that he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft’s Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna’s colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Fratic (@ifsecure) acknowledged the honor in a July 11 post on his Twitter account. In an e-mail exchange with The Security Ledger, Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But […]

Continue Reading

Updated: Exploit Code Released For Android Security Hole

A security researcher has published what he claims is a proof of concept program that exploits a  security hole that affects hundreds of millions of Android mobile devices.* Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module that exploits the flaw in the way Android  verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. Oliva Fora posted his “quick and dirty” proof of concept on GitHub, a code sharing website, on Monday. The simple program leverages APKTool, a common, open source tool for reverse engineering Android applications – decompiling and then recompiling their contents. APKTool is widely used for analyzing and making modifications to closed binaries. His script allows a user to select an Android […]

Continue Reading

Flaw Leaves 900M Android Devices Vulnerable

A security researcher claims to have uncovered a flaw in the Android security model that leaves almost all devices running the mobile operating system vulnerable to attacks and malicious software. Jeff Forristal, the Chief Technology Officer at Bluebox Security posted a description of the flaw on Wednesday. It affects Android devices running any version of the OS released in the past four years, starting with Version 1.6 (codename: “Donut” ) – a population of nearly 900 million devices. Discrepancies in how Android applications are cryptographically signed and then verified by Android allow a malicious attacker to modify the application package file (or APK) code without breaking the cryptographic signature. The implications of the flaw are huge. A malicious application installed on a vulnerable Android device could access any data stored on the device. For applications, such as mobile virtual private network (VPN), an attacker who could alter the application’s code or […]

Continue Reading
1 29 30 31 32 33 34