Post Tagged with: "Web"

Heartbleed For Poets And Other Must-Reads

April 10, 2014 18:380 comments
The (nerdy) Heartbleed SSL vulnerability story has jumped into the mainstream led to lots of rumination about the proper short and long term response.

It’s H-Day + 2 – two full days since we learned that one of the pillars of online security, OpenSSL, has contained a gaping security hole for the past two years that rendered its protections illusory. As I wrote over on Veracode’s blog today: this one hurts. It exposes private encryption keys, allowing encrypted SSL sessions to be revealed. Trend Micro data suggests around 5% of one million Internet top-level domains are vulnerable.  IOActive notes that Heartbleed also appears to leave data such as user sessions subject to hijacking, exposes encrypted search queries and leaves passwords used to access online services subject to snooping, provided the service hasn’t updated their OpenSSL instance to the latest version. In fact, its safe to bet that the ramifications of Heartbleed will continue to be felt for months – even years to come. In the meantime, there is a lot of interesting coverage and […]

Read more ›

Vulnerability Undermines WordPress Two-Factor Plugins

February 14, 2014 15:291 comment
Two factor authentication plugins on Wordpress may be vulnerable to attack, Duo Security warned.

The firm Duo Security* said that it has discovered a vulnerability that affects a range of two-factor authentication plugins for the WordPress content management platform. The vulnerability could allow a malicious insider to use credentials for one WordPress site to log into a different site that is part of a ‘multi-site’ WordPress deployment without needing to pass a multi-factor authentication test. In a blog post on Thursday, DUO co-founder and CTO Jon Oberheide said that the vulnerability was discovered as part of an internal review of DUO’s two factor WordPress plugin, but that researchers realized it affects at least two other multi-factor plugins. DUO issued a warning to users of its plugin. The company also reached out to WordPress and to the publishers of other multi factor authentication plugins to address the issue, Oberheide wrote. DUO makes multi-factor authentication technology that allows users to log-in using a combination of username, […]

Read more ›

In Next Phase: Web Tracking Cookies Grow Legs

January 30, 2014 12:20Comments Off
In Next Phase: Web Tracking Cookies Grow Legs

It’s easy to focus on the low hanging fruit in the Internet of Things revolution – the Internet-connected thermostats, connected vehicles and lawn sprinklers that you can manage from the Web.   But the biggest changes are yet to come – as powerful, wearable technology, remote sensors and powerful data analytics combine to map and record our every waking (and sleeping) moment. I got a glimpse of that reading this article over at the blog StreetFightMag.com, a site that concentrates on the hyperlocal marketing sector. Hyperlocal was a big thing about six or seven years ago, as online media outfit (and their advertisers) decided that consumers were losing interest in the thin gruel that online mass-media provided, but remained intensely interested in local news and affairs. Alas, capitalizing on the relatively small-scale opportunities in ‘hyperlocal’ proved harder than anyone thought, as this week’s decision to shutter AOL’s remaining Patch web […]

Read more ›

Cisco Survey: 100% of Fortune 500 Hosting Malware?

January 16, 2014 08:00Comments Off
Cisco Survey: 100% of Fortune 500 Hosting Malware?

If you’re working in IT at a Fortune 500 firm, Cisco Systems has some unwelcome news: you have a malware problem. According to the 2013 Annual Security Report from the networking giant, 100 percent of 30 Fortune 500 firms it surveyed sent traffic to Web sites that host malware. Ninety-six percent of those networks communicated with hijacked servers operated by cyber criminals or other malicious actors and 92 percent transmitted traffic to Web pages without content, which typically host malicious activity. “It was surprising that it was 100 percent, but we know that it’s not if you’re going to be compromised, but when,” said Levi Gundert, a technical lead in Cisco’s Threat Research, Analysis and Communications (TRAC) group in an interview with The Security Ledger. Among the high points (or low points) in Cisco’s Report: Cisco observed the highest number of vulnerabilities and threats on its Intellishield alert service in the 13 years […]

Read more ›

Thingful is a Facebook for Smart Devices

December 16, 2013 10:591 comment
Thingful is a Facebook for Smart Devices

The data on exactly how many Internet of Things devices will be online by the end of the decade is a matter of debate. Cisco famously put the number at 50 billion by 2020, though Morgan Stanley thinks it could be as high as 75 billion. The analyst firm IDC estimates the number at 50 billion. But others have put the number lower. Gartner puts the number of connected things at around 30 billion by 2020. We might all be better off taking a cue from McDonald’s and just start using the phrase “billions and billions” by the end of the decade. As with McDonald’s hamburgers – the exact number doesn’t really matter, so long as everyone agrees that it’s going to be big. Really big. But all those devices – and the near-limitless IPV6 address space that will accommodate them – do present a management and governance problem: how […]

Read more ›

Fix From LG Ends Involuntary SmartTV Snooping, But Privacy Questions Remain

November 25, 2013 12:51Comments Off
Fix From LG Ends Involuntary SmartTV Snooping, But Privacy Questions Remain

The electronics firm LG issued a software update for some “Smart TV” models that were discovered spying on owners, but the company still faces scrutiny over its privacy policy. The company issued a firmware update for its LG 42LN575V model television sets, which were the subject of scrutiny last week after a UK-based technology consultant using the handle “DoctorBeet” discovered that his LG television was transmitting information about his viewing habits to company servers without his consent. The blogger, “DoctorBeet” (aka Jason Huntley, of Yorkshire, England) first wrote about his discovery on November 18, setting off a small firestorm of controversy. An analysis by Huntley uncovered a number of sketchy or outright illegal data harvesting behaviors. Among them: His LG television sent information on which channels he viewed to an LG-owned web domain. (The domain in question was not in service at the time.) The LG television relayed information on […]

Read more ›

Malware Supply Chain Links Eleven Attacks

November 12, 2013 10:59Comments Off
Malware Supply Chain Links Eleven Attacks

Fresh off their discovery of a previously unknown (‘zero day’) security hole in Microsoft’s Internet Explorer web browser, researchers at the security firm Fireeye say that they have evidence that a string of sophisticated attacks have a common origin. In a report released on Monday (PDF), the firm said that many seemingly unrelated cyber attacks identified in the last year appear to be part of a “broader offensive fueled by a shared development and logistics infrastructure” — what Fireeye terms a ‘supply chain’ for advanced persistent threat (APT) attacks. At least 11 APT campaigns targeting “a wide swath of industries” in recent months were found to be built on a the same infrastructure of malicious applications and services, including shared malware tools and malicious binaries with the same timestamps and digital certificates. “Taken together, these commonalities point to centralized APT planning and development,” Fireeye wrote. The attacks link at least 11 separate […]

Read more ›

Ephemeral, In-Memory Attack Used With New IE 0Day

November 11, 2013 09:45Comments Off
Ephemeral, In-Memory Attack Used With New IE 0Day

It was just last week that we wrote about research from the security firm Triumfant that found evidence for the growing use of ephemeral “diskless” malware. That point was driven home over the weekend, with a report from the firm Fireeye that found a new Internet Explorer zero day vulnerability was being used in conjunction with a disk-less variant of the Hydraq (aka “McRAT”) Trojan horse program.   Fireeye first called attention to the existence of attacks exploiting new, “zero day” (or previously unknown) vulnerabilities in the Internet Explorer web browser on Friday. The company discovered the malicious activity on the web site of a “strategically important website” that was being used as a “watering hole” to attack visitors who were “interested in national and international security policy.” The company described two IE vulnerabilities: an information leakage hole and an IE out-of-bounds memory access vulnerability. The information leak affects Windows XP […]

Read more ›

Report: Adobe Data Breach Ten Times Bigger Than First Reported

October 30, 2013 11:18Comments Off
Report: Adobe Data Breach Ten Times Bigger Than First Reported

The huge security breach at software maker Adobe is even bigger than first reported, with more than 150 million credentials stolen, including records on up to 38 million active customers, according to a report by Brian Krebs at the web site Krebsonsecurity.com. Krebs said in a story posted Tuesday that Adobe’s initial estimates that user names and passwords for around three million customers was well short of the actual number taken by hackers who breached the company’s network. Citing a file posted by the website Anonnews.org, Krebs said the actual number of affected Adobe accounts stolen is much larger: 150 million username and hashed password pairs including credentials for 38 million “active” accounts, according to Adobe spokesperson Heather Edell. Edell told Krebs that Adobe has just completed a campaign to contact active users whose user IDs and encrypted passwords were stolen (including this author). Those customers are being encouraged to change […]

Read more ›

Exclusive: Apple Store Favorite IZON Cameras Riddled With Security Holes

October 24, 2013 10:276 comments
Exclusive: Apple Store Favorite IZON Cameras Riddled With Security Holes

It’s another day, another face-palm moment for the home surveillance camera industry. Just one month after the Federal Trade Commission (FTC) settled a complaint with the maker of SecurView, a line of poorly secured home surveillance cameras, a researcher at the firm Duo Security has found a slew of even more serious security holes in the IZON Camera – a popular product that is sold in Apple Stores and Best Buy, among others. A review by The Security Ledger found dozens of such systems accessible via the public Internet, in some cases allowing anyone to peer into the interiors of private residences and businesses. Mark Stanislav, the Security Evangelist at the firm Duo Security, presented the details of a security audit of the IZON camera at a security conference in New York on Tuesday. Stanislav documented troubling security lapses including a wide-open configuration with exposed ports for accessing the device […]

Read more ›

Security Ledger Uses: