Inspiration & Genius – One and the Same

Clickjacking Attacks Unresolved

July 16th, 2011

I was reading through some Twitter posts recently and found a link to this one. It’s interesting to note what clickjacking actually is, and this article is quite revealing. The article is written by Lin-Shung Huang and Collin Jackson (Carnegie Mellon University) and is hosted on Google Docs here. You might have seen clickjacking in some recent Facebook issues called “likejacking”.

This article is a good read and will give you some flavor on what clickjacking is, and how it is used!

EDIT: …and here’s more information from Lenny Zeltser on the same subject – this is also a great read, with some real-time demos to watch as well. It’s on his blog http://blog.zeltser.com.

PIN Pads Hacked at Michaels Stores Nationwide

May 14th, 2011

Here’s another example of hacking in plain sight. On reading this article, though, you have to wonder how the terminals were hacked. These are the terminals where you swipe your debit card and enter your PIN. The original article doesn’t mention how they were hacked, just that they were. I’m even wondering if this was an inside job, or the POS vendor.

Suffice it to say there will always be risk, especially in public realms such as retail. Much as we say to be vigilant, we can’t all be on the ball all of the time.

Unpatched Exploit: Skype for MAC

May 6th, 2011

According to a Pure Hacking blog entry (http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking) and The Register UK (http://www.theregister.co.uk/2011/05/06/skype_for_mac_critical_vulnerability/):

There is a 0-day exploit that exists for Skype on Mac. Windows and Linux are unaffected. Some best practices for Skype include setting your messages to only allow from Contacts. This does not protect you from infected contacts, but it might help.

via Unpatched Exploit: Skype for MAC.

(these are not my words by the way – this is posted ‘as is’ from the original)

Cybercriminals shifting to smaller, more opportunistic attacks

April 19th, 2011

Here is an article about the traits of vulnerabilities and exploitation (hacking). It is interesting to see how the landscape has changed, in some respects dramatically.

Below are the key findings. I by no means assume any credit for this. I think the article is worth reading and the findings quite revealing.

Key findings

Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.

Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

I would still suggest reading the article to frame the findings.

Facebook Adds Two-Factor Authentication

April 19th, 2011

From a post on Twitter that intrigued me – you have to read this short article. Go HERE and check it out. It would seem that Google and Facebook have better security than banks. I wonder why that is? …read on!

There is irony in that statement. A variable we don’t know is how strong the security surrounding the banks’ web servers and services is. One amusing fact is that a lot of supposedly high-security financial websites won’t allow special characters in passwords, allowing only numbers and letters. That is scary in itself. Even if the transmission is SSL enabled, the lack of complexity will be a trip-up.

That being said, this is about the article posted.

Reading Into RSA’s “Responsible Disclosure”

March 20th, 2011

Reverse Engineering RSA’s “Statement”, posted on Steve Gibson’s (GRC) blog on 3/19/11.

Like most others in the security industry I was taken aback by news that RSA had been compromised. I was a little dismayed at the lack of information but didn’t dive too far into it, thinking that was the first disclosure – more to come later.

In his blog post Steve draws attention to the language used by RSA to announce the compromise, and in that language is ambiguity. Is that because, as Steve says, they know that giving full disclosure will cost millions and they are trying to avoid that? Or is it because they don’t yet know the extent of the breach? Either way, less is more in the eyes of those who are wondering whether their serial numbers are still secure, let alone whether someone now knows the method of encryption etc.

I will always err on the side of caution, since security in industry is about the assumption of risk and knowing that you will never be 100% secure – but we are relying on technology such as RSA’s. If they are not secure, then the assumption of risk just rose dramatically. Erring on the side of caution doesn’t seem to be enough now.

My eyes are on RSA to see what happens next.

Most Websites Vulnerable To Attack, WhiteHat Study Says

March 8th, 2011

From DarkReading.Com

The article contains links to a study that shows “Information Leakage” has replaced cross-site scripting (XSS) as the most common website vulnerability, and that the average website is exposed 270 days of each year. That is sobering information.

Per my last few posts, our game is mitigation of risk, set against the business’s assumption of risk. We stand in front of that statement as security professionals, and it’s up to us to make sure the business is aware of the risk.

That being said, there are really no guarantees of security. You can never be 100% secure, especially when human interaction is part of the equation.

“During 2010, 64% of websites had at least one Information Leakage vulnerability, overtaking XSS as the most prevalent vulnerability by a few tenths of a percent. Information Leakage describes a vulnerability in which a website reveals sensitive data, such as technical details of the Web application, environment, or user-specific data.”

I find it odd that a lot of folks who touch the information security world feel that the information in the above paragraph is acceptable. That’s not a blanket statement, just an observation. Enumerating services etc. adds to the picture the security professional (or hacker) is building about your website, and your operation in general. There could be attack vectors that need more than one variable to be effective and, whilst you may think you are secure, you may not be. That is a discussion for a later date.

That being said, the article mentioned in this post is interesting reading. Go ahead and take a look. Here’s the link again! Article @ DarkReading.Com
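As an added example (not from the post or the WhiteHat study), here is the kind of check a site owner can run against their own responses to catch the “Information Leakage” class quoted above: headers and error bodies that hand an outsider technical details for free. The header list, regexes and sample response are my own constructions.

```python
"""Added example (not from the post or the WhiteHat study): flag HTTP
responses that leak implementation details, the 'Information Leakage'
class the post quotes. Header names and regexes are my own choices."""
import re

# Response headers that commonly disclose server software or versions.
LEAKY_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator", "x-runtime",
}

# Body fragments typical of verbose error pages and stack traces.
STACK_TRACE_MARKERS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),
    re.compile(r"Fatal error:.* on line \d+"),
    re.compile(r"ORA-\d{5}"),
]

def find_information_leaks(headers, body=""):
    """Return a list of (location, detail) findings for one HTTP response.

    `headers` maps header names to values and `body` is the response text.
    Each finding is a detail an outsider can add to the picture they are
    building of your stack without sending a single malformed request."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in LEAKY_HEADERS and value.strip():
            # A product name alone is a leak; a version string is worse.
            kind = "version" if re.search(r"\d+\.\d+", value) else "product"
            findings.append((f"header:{lname}", f"{kind}: {value}"))
    for pattern in STACK_TRACE_MARKERS:
        match = pattern.search(body)
        if match:
            findings.append(("body", f"error detail: {match.group(0)}"))
    return findings

# Constructed sample response; not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.2.14 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.2",
}
SAMPLE_BODY = "<b>Fatal error:</b> Call to undefined function on line 42"

if __name__ == "__main__":
    for location, detail in find_information_leaks(SAMPLE_HEADERS, SAMPLE_BODY):
        print(location, "->", detail)
```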

Viral and Malicious Facebook application for $25

February 8th, 2011

From Websense Community

Ever wondered how people manage to get a viral application on Facebook AND make money from it? Read this article from Websense on just how simple it can be.

It’s a scary thought that you don’t need to be a developer to make this scam work. I’m sure we’ve all seen just how annoying these things can be. Here’s why (and a little of how) it’s done.

This does NOT give you the tools to create the viral application, nor will it give you instructions how to do it. The intent here is to show the simplicity of the process.

Scary, Scary Mobile Banking

February 1st, 2011

From Jack Mannino @ http://jack-mannino.blogspot.com

In short, this blog post shows a snippet from the Mastercard mobile payment sample code. In that code they (Mastercard) are providing a placeholder for hardcoding your companyID and companyPassword in plaintext string format. That’s a whole lot of ‘wtf’ if it’s true.

Go take a look and form your own opinion!
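The pattern described above, sample code that invites you to hardcode a password as a string literal, is easy to catch before it ships. Here is an added example of a small source scanner for it (not Mastercard’s code, nor anything from Jack Mannino’s post); the field names come from the post, the sample lines and secret values are constructed.

```python
"""Added example: scan source text for secret-like variables assigned a
literal string, the pattern the post describes in the payment sample code.
Not Mastercard's code; the sample below is constructed for illustration."""
import re

# Substrings of variable names that usually hold secrets (matched lowercase).
SECRET_NAME_HINTS = ("password", "passwd", "secret", "apikey", "api_key", "token")

# An assignment of a quoted literal: companyPassword = "x";  or  pwd: 'x'
ASSIGN = re.compile(
    r"""(?P<name>[A-Za-z_][\w.]*)\s*[:=]\s*["'](?P<value>[^"']*)["']"""
)

# Values that are clearly placeholders rather than live secrets.
PLACEHOLDER = re.compile(
    r"^(|<[^>]*>|\$\{[^}]*\}|your_?\w*|changeme|xxx+|todo)$", re.IGNORECASE
)

def find_hardcoded_credentials(source):
    """Return [(line_no, name, value)] for literals assigned to secret-like names.

    Empty values and obvious placeholders are skipped, so a sample that ships
    companyPassword = "" passes while companyPassword = "example-s3cret" is flagged."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGN.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not any(hint in name.lower() for hint in SECRET_NAME_HINTS):
                continue
            if PLACEHOLDER.match(value):
                continue
            hits.append((line_no, name, value))
    return hits

# Constructed sample resembling the pattern the post describes (not real code).
SAMPLE_SOURCE = '''\
// TODO: fill in your credentials
String companyID = "ACME-001";
String companyPassword = "example-s3cret";
String apiToken = "<your token here>";
String greeting = "hello";
'''

if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} holds a literal secret ({value!r})")
```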

ATM Skimmers That Never Touch the ATM

January 30th, 2011

From www.krebsonsecurity.com – just when you thought ATM skimmers were bad, someone goes one step simpler. Using a micro camera inside a mirror, with a pinhole in the bottom, this device records you keying in your ATM PIN.

Stepping back a step, the thieves attach a skimmer to the door swipe controller that gets you into the ATM area – ingenious, no? Read the article – it broadens the perspective on how well-rounded the thought process is of those who want to rip us off.

We can be as vigilant as possible, but it only takes one slip. Sad isn’t it?
