I work in the field of Information Security (InfoSec), specifically website security. With that in mind, it’s but one very small piece of a very large pie. Security is complex,...
The post Website Security is Not an Absolute appeared first on PerezBox.
I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) 16 Octobre 2015 |
| Angler EK successfully exploiting Flash 19.0.0.207 2015-10-29 |
 |
| Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge |
 |
| CVE-2015-7645 in Nuclear Pack on 2015-10-30 |
 |
| Magnitude trying to exploit CVE-2015-7645 2015-11-10 |
 |
Spartan pushing Pony and Alphacrypt via CVE-2015-7645 2015-11-12 |
 |
| Necurs being dropped by Neutrino via CVE-2015-7645 2015-11-17 |
Bug Bounty and Responsible Disclosure
We bring back Samy Kamkar "Samy's My Hero," and bring on special guests Casey Ellis from BugCrowd and Katie Moussouris from HackerOne. We talk about the tough ethical questions and the future of bug bounties in 5 years.
Interview with Ron Gula
We interview Ron Gula, one of the first interviews conducted on Security Weekly. Ron is a leading cybersecurity thinker, innovator, and visionary in the information security industry.
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
Special Segment: Making The Most Of Threat Intelligence
This week, Paul and Mike discuss the current state of threat intelligence. In this segment, Paul and Mike dive deep in using threat intelligence properly.
Security News: Chip and Pin Hacked
This week in the news we learn about how chip and pin was hacked in France and are you fooled by fake online reviews? For a full list of stories including links, visit the wiki http://wiki.securityweekly.com/wiki/index.php/Episode439#Stories_of_the_Week_-_7:00PM-8:00PM.
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
Today Beau talks about MITM NTP, chip and pin vulnerabilities. and encrypting all the things by default.
For a full list of stories discussed today, visit our wiki: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_23_2015
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
Today Aaron talks about the E-Trade breach, China still hacking the US, CyberInsurance, and More.
Visit the wiki for a full list of stories: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_20_2015
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
Interview wth Peiter "Mudge" Zakto
Peiter C. Zatko, better known as Mudge, is a network security expert, open source programmer, writer, and a hacker. Peiter talks about his start in information security, rather him starting information security. Peiter talks about his early involvment in BGP and how to take down the internet.
Mobile Security and Privacy
We get Simple Nomad and David Schwartzberg to join us for a panel discussion on Mobile Security and Privacy. David Schwartzberg is a Sr. Security Engineer at MobileIron and Simple has been doing hacker and security-related things for over 30 years, wearing black, white, and gray hats at various points.
Hacker Jeopardy
Hacker Jeopardy includes popular topics such as famous hackers and decimal to binary conversions. Test your knowledge now!
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
Interview with Mikko Hypponen
To kick off our ten-year anniversary we interview Mikko Hypponen of F-Secure. We talk about the first virus discovered, reviewing printed viruses, and more.
Visit our wiki for list of important links including the one that got him banned from Twitter: http://wiki.securityweekly.com/wiki/index.php/Episode438#Guest_Interview:_Mikko_Hypp.C3.B6nen_10:05_AM
L0pht Heavy Industries Panel
L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future.
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
Today Aaron talks about breaches of LoopPay, Uber, and Dow-Jones. For a full list of stories, visit http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_13_2015.
When you log into Facebook, you could see this this message warning you that a government-backed entity of some sort is trying to get into your account:
This isn’t the site’s first attempt to use its gatekeeping power to address security concerns. Facebook detects malware on your computer and if it finds any, you’re directed to one of several free online scanners — including our free online scanner — to clean your PC before you can log in.
What’s new about this warning is that it suggests a culprit — a government, which could possibly even be your government. It’s remarkable how accepted the idea is that state-backed organizations are carrying out cyber attacks so regularly that there’s a Facebook prompt specifically dedicated to the threat. But it’s indicative of the times we live in.
F-Secure Labs has warned about cyber threats from state-backed actors for years.
“We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” Facebook’s Chief Security Officer Alex Stamos explained in a post announcing the new prompt.
Our Security Advisor Sean Sullivan calls the feature a “good first step.”
Why?
“Facebook is widely used among human rights advocates and attorneys,” he told TrustedReviews. “When advocates report being targeted, I suspect that Facebook’s security team is readily able to cross-reference IP addresses which interact with and target various accounts. And so Facebook is then able to draw connections between people that might benefit from such notifications.”
Some in the media have spread some alarm about the feature.
Russia Today — an English-language media outlet sponsored by the Russian government — framed the feature as an attempt to get your phone number. The article features several references to the NSA, alluding to the revelations former contractor Edward Snowden began releasing in 2013. (This is ironic given F-Secure Labs’ recent report on The Dukes, which makes the case that the Russian government is involved with or abetting cyber attacks of its own that extend beyond surveillance into actual espionage.)
So does Facebook just want your phone number?
Nope.
“The feature doesn’t require a phone number,” Sean told me. “If you have an Android phone, iPhone, or an iPod touch – you can simply use the Facebook app to generate the approval codes.”
The suspicions being raised by non state-sponsored media could be tied to Facebook’s constant efforts to get you to offer it your mobile phone number to activate security features.
Our Chief Research Mikko Hypponen often points out that by pairing your profile with your phone number, websites can unlock a treasure trove of demographic data about you that makes you even more valuable to sell to advertisers. We cannot say for sure that Facebook does this. If you have a spare day or two, you can read through Facebook’s Terms and Policies to find out.
“Both Facebook and Twitter (and other sites) often ask me for my phone number for the sake of ‘security,'” Sean told me. “And while yes, it does offer some security enhancements, in the name of transparency, I wish they also mentioned the other uses.”
Be aware that if you want to use two-factor authentication to secure your account but don’t want to give the site your number, you do have options.
It’s good to be suspicious about sharing your phone number, but it’s also smart to be doubly suspicious when privacy concerns are being stoked by an arm of the Russian government.
In the past few years, Facebook — which used to be constantly ridiculed for its privacy and security concerns — has really stepped up its game in simplifying its privacy settings, preventing spam and controlling the spread of bad links. This is another promising step from a security team that seems eager to both protect its users and to make us all aware of the growing threat of state-backed attacks.
 |
| 2015-07-11 - bit.ly as https url shortener |
 |
| 2015-07-11 - tiny url as https url shortener |
 |
| 2015-06-12 - goo.gl as https url shorterner |
 |
| Two pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer (how/why? same payload : Reactorbot srvdexpress3 .com) Different Legit part of the chain 2015-09-29 |
 |
VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK GB - 2015-10-15 |
This week on Hack Naked TV, Aaron talks about breaches of LoopPay, Uber, and Dow-Jones.Visit our wiki for a complete list of articles and links covered in the show: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_13_2015Security Weekly Web Site: http://securityweekly.comHack Naked Gear: http://shop.securityweekly.comFollow us on Twitter: @securityweekly
October is National Cyber Security Awareness Month in the US, and European Cyber Security Month in Europe. Basically, institutions in these two countries have decided that it’s time for people to get serious about cybersecurity. And they’re right to do it – according to F-Secure’s Business Security Insider blog, there was 81 cyberattacks every minute in 2014.
So hacking is a serious business for these attackers. And one security measure that experts would like to see used more widely is two-factor authentication.
Two-factor (or multi-factor) authentication refers to using more than one piece of information to safeguard access to accounts. Many popular services, such as Facebook and Twitter, offer it to users. However, very few services require it. It’s really more of an option for people interested in having a little bit of extra security for their accounts. A recent survey from Google points out that 89 percent of security experts use two-factor authentication for at least one of their online accounts.
But it’s less popular amongst non-experts. Only 62 percent of non-expert respondents to Google’s survey used two-factor authentication. Other studies indicate that two-factor authentication may be even less popular, with one recent consumer survey finding that 56 percent of respondents were unfamiliar with two-factor authentication.
Although two-factor authentication has been around for ages, it’s starting to become offered by many online services. Passwords are currently the standard in account security, but adding in two-factor authentication adds an extra layer of security. It basically means anyone that gets access to your password will essentially only have “half a key” to your account.
So why don’t more people use it? After all, nearly 80 percent of people are open to alternatives to traditional passwords. One reason might be that it’s too difficult or inconvenient. But the widespread use of mobile devices is making this much easier. Email and SMS messages seem to be easiest and the most popular, with one study finding almost 90 percent of participants using two-factor authentication did so by receiving a code through SMS or email, which they could then enter into a website to confirm their identity.
Another reason could be availability. It’s up to companies and organizations providing online accounts to offer two-factor authentication to customers. This website provides a pretty good list of different online services offering two-factor authentication, so it’s a pretty handy resource. You can also use the site to send tweets to companies not offering two-factor authentication (so don’t hesitate to send a message if you want someone providing you with a service to improve their account security features).
If you crunch the numbers provided by the site, you can get an idea about how common two-factor authentication is for different kinds of services:
So two-factor authentication is definitely more prominent in some industries than others. F-Secure Security Advisor Sean Sullivan says that it’s definitely worth choosing services offering two-factor authentication, especially for important accounts that you use daily, or contain really sensitive information.
“You should figure out what accounts are critical and focus on securing those by using strong, unique passwords and two-factor authentication,” he says. “Lots of companies will offer a monthly or periodic two-factor authentication check, which requires you to enter a code you receive via SMS into a pre-defined phone or computer. It’s really worth having a primary email account with one of these services, as you can centralize information there instead of spreading it around, which makes it easier to stay in control of your accounts.”
Next time you’re thinking about setting up an online account somewhere, you may want to circle back to whether or not they offer two-factor authentication. With the number of devices expected to explode as the Internet of Things becomes more and more popular, it only makes sense to consider whether you’re information is as secure as you’d like.
[ Image by momentcaptured1 | Flickr ]
Interview with Dafydd Stuttard
This week, we interview Dafydd Stuttard the creator of Burp Suite and the author of the Web Application hacker's Handbook. We talk about the source of the name "Burp" and the future of webapp scanning.
Security News - Facebook Sex tapes and rooting the OnHub
This week in security news, we talk about Stagefright 2.0, how to root your very own Google OnHub, breaking SHA-1, and AWS WAF's.
For a full list of stories, vist our wiki: http://wiki.securityweekly.com/wiki/index.php/Episode437#Stories_of_the_Week_-_7:00PM-8:00PM
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
This week’s ruling by the European Court of Justice striking down the 2000 “Safe harbor” agreement between the European Union and and the United States was celebrated as vindication by privacy activists, who saw the decision as a first major international consequence of the Snowden revelations detailing the extraordinary extent of mass surveillance being conducted by the U.S. and its allies.
“The safe harbor agreement allowed U.S. companies to self-certify they abided by EU-strength data protection standards,” Politico’s David Meyer reported. “This gave them a relatively simple mechanism to start legally handling Europeans’ personal data.”
That simple mechanism did not abide by the Commissions own privacy standards, the Court decided.
“The court, by declaring invalid the safe harbor which currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law,” the EFF’s Danny O’Brien wrote.
A new Safe Harbor agreement is currently being negotiated and the Court’s ruling seems designed to speed that up. But for now many companies — especially smaller companies — and users are now in a sort of a legal limbo.
And that legal limbo may not be great news for your privacy, according to F-Secure Security Advisor Sean Sullivan, as it creates legal uncertainty that could easily be exploited by government spy agencies and law enforcement.
“Uncertainty is their bread and butter,” he told me.
To Sean, this ruling and the urge to break the old agreement without a new one yet in place represent an “old world” view of the Internet where geography was key.
The U.S. government has suggested that it doesn’t need to respect borders when it comes to companies like Microsoft, Facebook and Google, which are headquartered in the U.S. but do business around the world. Last month, the Department of Justice said it could demand Microsoft turn over Hotmail data of any user, regardless where s/he lives.
“The cloud doesn’t have any borders,” Sean said. “Where stuff is located geographically is kind of quaint.”
You can test this out by using an app like Citizen Ex that tests your “Algorithmic Citizenship.” Sean, an American who lives in Finland, is identified as an American online — as much of the world would be.
What Europe gave up in privacy with Safe Harbor was, to some, made up for in creating a cohesive marketplace that made it easier for businesses to prosper.
Facebook and Google warned that the U.S.’s aggressive surveillance risked “breaking the Internet.” This ruling could be the first crack in that break.
Avoiding a larger crackup requires a “new world” view of the Internet that respects privacy regardless of geography, according to Sean. He’s hopeful that reform comes quickly and democratically in a way that doesn’t require courts to force politicians’ hands.
The U.S. showed some willingness to reform is surveillance state when it passed the USA FREEDOM Act — the first new limitations on intelligence gathering since 9/11. But more needs to be done, says the EFF. The digital rights organization is calling for “reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333.”
Without these reforms, it’s possible that any new agreement that’s reached between the U.S. and Europe might not reach the standards now reaffirmed by the European Court of Justice.
Cybersecurity professionals are the new guardians of big changes in the organization. Such professionals must practice business resiliency and adaptability, because they are now so integrated with digital business decisions that leaders cannot tell where business ends and cybersecurity begins.
The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do — to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organization.
Password Cracking With Larry
This week on Security Weekly, we are joined by none other than Larry Pesce. After his recent DerbyCon talk, Larry gives us some insight on his 600 dollar password cracking machine.
Security News
Today in the news, Kevin recaps the T-Mobile breach. Do we now let the fox watch the henhouse? Larry dives into a Nest (TM) of IoT (drink) devices. Paul tries to keep it together with a blog post on MS08-067.
For a full list of stories and links, visit the wiki: http://wiki.securityweekly.com/wiki/index.php/Episode436#Stories_of_the_Week_-_7:00PM-8:00PM
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
I’m normally sympathetic to technology recruiters, but some are just hopeless. These, I have no sympathy for. An the SEO spammers, no sympathy for any of them. Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.
For the recruiters:
[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed. As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.
I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers. That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time. Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.
The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:
I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm. We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.
In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course. If not, please remove this, and every other Security BSides affiliated email from your lists.
Yes, I can be a bit of an ass, but it is occasionally justified.
Jack
Today Aaron talks about BitPay, OPM, Volkswagen, and new TrueCrypt Flaws. For a full list of stories, visit the wiki: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_1_2015#Aaron.27s_Stories
Security Weekly Web Site: http://securityweekly.com
Hack Naked Gear: http://shop.securityweekly.com
Follow us on Twitter: @securityweekly
