2015

vsftpd-3.0.3 released. and the horrors of FTP over SSL

Scary Beasts Security

I just released vsftpd-3.0.3, as noted on the vsftpd home page. It's actually been almost three years(!) since vsftpd-3.0.2, so things do seem to be getting very stable and calming down. The exception to things getting very stable and calming down seems to be SSL over FTP, which has been a constant source of, uh, joy, for some time now. Some issues fixed relate to security and warrant describing here because I think they are interesting.

OS X El Capitan: The smart person's guide

Tech Republic Security

This comprehensive guide includes everything you need to know about Apple's OS X El Capitan, including features, requirements, upgrade options, software updates, and more.

19.5% of https sites trigger browser warning as they use sha-1 signed certificates

Elie

19.5% of HTTPS-enabled sites in Alexa's Top 1 Million trigger or will soon trigger a Chrome security warning because they are using the now deprecated SHA-1 signature algorithm to sign their HTTPS certificate. Soon those sites will be flagged by all major browsers as insecure.

The Importance of Technology Integration to the Value of an InfoSec product

NopSec

According to FireEye, a U.S. based provider of next generation threat protection, it takes companies, on average, more than 200 days to detect they are being hacked. Couple that result with the 2015 Verizon Data Breach Investigations Report that found 99.9 percent of vulnerabilities were exploited over a year since they were disclosed, and you can see that protecting data from hackers is in a sublime state of disrepair.

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Kali Moto End of Life & Kali Dojo Slides

Kali Linux

Kali Sana Release Aftermath Kali Linux 2.0 has been out for a couple of months and the response has been great, with well over a million unique downloads of Kali 2.0 as a testament. Release day was somewhat hectic for us, as we did not anticipate the sheer volume of traffic … which we somehow always underestimate. In the first few days after the release of 2.0, we had ten times the download volume of 1.0 in a similar period, back in 2013.

EU close to doing a deal on Safe Harbor

Privacy and Cybersecurity Law

It has been reported today by the Reuters news agency that the European Commission is working with the US on […].

Protect your Google Drive and DropBox accounts!

Spinone

Beware! The latest news from the cyber security industry is more than disturbing. According to the Imperva Hacker Intelligence Initiative report – Imperva is a well known cyber security company – cybercriminals may now easily get access to all users’ files in cloud services such as Google Drive, Microsoft OneDrive, Dropbox, and Box, if they are able to get into the computer on which the clients of these services are installed.

Constant Connectivity Means an Increase in IT Security Needs

CompTIA on Cybersecurity

A security breach in this constantly connected world can mean anything from being inconvenienced to being extorted — and for businesses that don’t properly secure their networks it can mean massive losses in profits and time. At a time when it’s harder than ever to find highly skilled IT security staff, CompTIA’s 11th Annual Information Security Trends study shows data breaches cropping up with growing frequency, and recovery taking longer than ever before.

Docker-based OpenVAS Scanning Cluster to Improve Scope Scalability

NopSec

OpenVAS (Open Vulnerability Assessment Scanner) is an open source security vulnerability scanner and manager. It is an open source fork of the commercial vulnerability scanner Nessus and it provides several options to manage distributed, remote, and local scans and to add several other specialized vulnerability scanners to the mix. Since OpenVAS 8 was released with improved Master-Slave support for better distributed and load-balanced scanning, NopSec decided to build a proof of concept securit

Kali Linux 2.0 Release - Sana

Kali Linux

Our Next Generation Penetration Testing Platform We’re still buzzing and recovering from the Black Hat and DEF CON conferences where we finished presenting our new [Kali Linux Dojo](/docs/development/dojo-mastering-live-build/), which was a blast. With the help of a few good people, the Dojo rooms were set up ready for the masses - where many generated their very own Kali 2.0 ISOs for the first time.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Kali Linux 2.0 Release Day Scheduled

Kali Linux

We’ve been awfully quiet lately, which usually means something is brewing below the surface. In the past few months we’ve been working feverishly on our next generation of Kali Linux and we’re really happy with how it’s looking so far. There’s a lot of new features and interesting new aspects to this updated version, however we’ll keep our mouths shut until we’re done with the release.

Official Kali Linux Docker Images Released

Kali Linux

For the latest information, please see our documentation on Docker. Last week we received an email from a fellow penetration tester, requesting official Kali Linux Docker images that he could use for his work. We bootstrapped a minimal Kali Linux 1.1.0a base and registered it under our Kali Linux Docker account. A few minutes later, said fellow pentester was up and running with Metasploit and the Top 10 Kali Linux tools on his Macbook Pro.

Pixiewps, Reaver & Aircrack-ng Wireless Penetration Testing Tool Updates

Kali Linux

A short while ago, we packaged and pushed out a few important wireless penetration testing tool updates for aircrack-ng, pixiewps and reaver into Kali’s repository. These new additions and updates are fairly significant, and may even change your wireless attack workflows. Here’s a short run-down of the updates and the changes they bring.

A little Machine Learning “Magic”…

NopSec

This blog post is the first of a series documenting the journey into Machine Learning Algorithms that NopSec is undertaking as part of Unified VRM data analytics capabilities. In our last sprint, as part of Unified VRM, we started using Machine Learning – [link] – to spot trends in past clients’ vulnerability data in order to abstract areas of the security program that need improvement in the future.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

OpenVAS 8.0 Vulnerability Scanning

Kali Linux

Vulnerability scanning is a crucial phase of a penetration test and having an updated vulnerability scanner in your security toolkit can often make a real difference by helping you discover overlooked vulnerable items. For this reason, we’ve manually packaged the latest and newly released OpenVAS 8.0 tool and libraries for Kali Linux. Although nothing major has changed in this release in terms of running the vulnerability scanner, we wanted to give a quick overview on how to get it up and

ThreatForce: The Vulnerability and Threat Search & Correlation Engine

NopSec

NopSec has just launched ThreatForce – a flagship security vulnerability search engine that makes it easy for security analysts to gain a consolidated view of vulnerabilities by CVE correlated with threat, exploit and other public sources. NopSec ThreatForce offers a summary and detailed results with correlation and links to: the Exploit-DB and Metasploit DB of exploits; all related patch links under different vendors covering Linux, Unix, Windows, and mobile OS flavors.

Go party with the #DevOps

NopSec

As part of the DevOps movement, it would be desirable to scan your web application for security vulnerabilities as part of the Continuous Integration loop or the minute a code change is detected. Now it’s possible with the NopSec Unified VRM Web Application module linked API. With the current release of Unified VRM – 3.4.7 – customers can call our RESTful API to automatically scan their web application assets based on a certain trigger event, such as: As part of script invoked in a

Vagrant Boxes: Private Vagrant Box Hosting With Easy Versioning

NopSec

At NopSec, we are using vagrant and packer to spin up local dev environments and build our instances across the various hypervisor and cloud providers we use. We have packer scripts that build our VirtualBox and VMware images used in local development and our various instances used in our cloud providers. An issue I had to solve recently was how best to share development vagrant boxes within our team.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Mapping Penetration Testing report and vulnerability management CVEs

NopSec

Penetration tests are point-in-time adversarial tests aimed at testing the intrusion prevention, detection, and incident response capabilities and controls of an organization. Usually well-trained penetration testers produce reports including the attack vectors and exploits used to successfully attack the network / application and the related vulnerabilities / CVEs exploited during the penetration test.

Counting Vulnerabilities. Assessing Threats. Frictionless Remediation

NopSec

A couple of days ago I read an interesting article in the Tenable Network Security Blog — here — where the author was arguing that the number of security vulnerabilities detected in a network is not a good indicator of risk that the network itself is facing against motivated attackers and malware. In the above-mentioned blog post, the author states “Telling an organization that they have 10,324 vulnerabilities, whilst shocking, doesn’t convey the actual risks faced”

Kali Linux 1.1.0 Release

Kali Linux

After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux - version 1.1.0. This release brings with it a mix of unprecedented hardware support as well as rock solid stability. For us, this is a real milestone as this release epitomizes the benefits of our move from BackTrack to Kali Linux over two years ago.

Linux Ghost Vulnerability: A GHOST in the….Linux….Wires

NopSec

Our partner Qualys discovered a new vulnerability nick-named “GHOST” (called as such because it can be triggered by the GetHOST functions) and worked with most of the Linux operating system distributions to patch it as of January 27th 2015. The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Understanding how tls downgrade attacks prevent email encryption

Elie

Over the last two years, the number of encrypted emails received by Gmail has almost doubled, as I reported earlier on the Google security blog. This very encouraging trend is sadly accompanied with an increase of SMTP TLS downgrade attacks, which prevent encryption of emails in transit as discussed in our research paper on the state of email transport security.

How phishing works

Elie

Phishing is a social-engineering attack where the attacker entices his victims to give up their credentials for a given website by impersonating it. Believe it or not, phishing campaigns are well organized and follow a very strict playbook. This post aims at shedding some light on how phishing campaigns work under the hood, showcasing which infrastructure phishers use to steal users’ credentials and providing advice on how to defend against them.

Hearthstone 3d card viewer in pure javascript/css3

Elie

To celebrate the new Hearthstone extension, Blackrock Mountain, I’m releasing a Hearthstone 3D card viewer written in pure Javascript. I feel Blackrock Mountain’s release is the perfect opportunity to showcase HTML5’s top notch performance and inspire more people to do cool visualizations on the web. With well over 500 cards, it’s high time to create a tool with powerful filtering and attractive visualization to explore the cards in an interesting fashion that works both on desktops and tablets.

The TPP Agreement and Privacy

Privacy and Cybersecurity Law

The Trans-Pacific Partnership Agreement (the “TPP Agreement”) is a regional trade and investment agreement negotiated by 12 Pacific Rim countries […].

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Safe Harbor fallout: where are we now?

Privacy and Cybersecurity Law

As we all know, the EU decided to invalidate Safe Harbor on 6 October 2015. Please see our Insight article […].

Criminal Services – Crypting

Digital Shadows

In the world of cybercrime, malicious software (malware) plays an important role. But if you’re a cybercriminal, how do you.

EU Data Protection Reform: LIBE agrees!

Privacy and Cybersecurity Law

The EU Parliament LIBE Committee has approved the Data Protection Reform package as reported by Privacy Laws and Business today. For […].

‘Hacker Buba’: Failed extortion, what next?

Digital Shadows

An actor identifying itself as “Hacker Buba” recently claimed to have breached Invest Bank and posted purported customer and client.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”