Here's a curiosity that's developing in modern browser security: the security of a given browser is dominated by how much effort it puts into other people's problems. This may sound absurd at first, but we're heading towards a world where the main browsers will have (with a few notable exceptions): rapid autoupdate to fix security issues; some form of sandboxing.
NuCaptcha is the first widely deployed video captcha scheme. Since Technology Review interviewed me about NuCaptcha in October 2010, I have been working on evaluating its security and usability.
Sitting at the core of every financial transaction is trust. Without it, or worse, relying on unvalidated resources like personal identifiable information (PII) to identify customers, puts every banking transaction at risk. The recent article, “$850 Million Scheme Exploited Facebook: Authentication, Secure Browsing Would Have Reduced Losses,” illustrates just how important customer authentication is.
Some of you probably wondered where the NopSec crew and I ended up these days… already tired of blog writing? Not quite. Most of the people at NopSec live between Manhattan and Brooklyn. And most of the people at NopSec, even though safe and sound, suffered inconveniences and damages from hurricane Sandy. As far as I am concerned, most of the trees in the garden where I live in the East Village were downed during the storm, many garages and basements flooded, and for at least three days I did not hav
I've had cause to be staring at memory maps recently across a variety of systems. No surprise then that some suboptimal or at least interesting ASLR quirks have come to light. 1) Partial failure of ASLR on 32-bit Fedora My Fedora is a couple of releases behind, so no idea if it's been fixed. It seems that the desire to pack all the shared libraries into virtual address 0x00nnnnnn has a catastrophic failure mode when there are too many libraries: something always ends up at 0x00110000.
Web browsers with some form of multi-process model are becoming increasingly common. Depending on the exact setup, there can be significant consequences for security posture and exploitation methods. Spray techniques: probably the most significant security effect of multi-process models is the effect on spraying. Spraying, of course, is a technique where parts of a process's heap or address space are filled with data helpful for exploitation.
[Very behind on blog posts so time to crank some out] A week or so ago, Chrome 20 was released to the stable channel. There was little fanfare and even the official Chrome blog didn't have much to declare apart from bugfixes. There were some things going on under the hood for the Linux platform, though. Security things, and some of them I implemented and am quite excited by.
vsftpd-3.0.0 is released. Aside from the usual few fixes, I'm excited about built-in support for Will Drewry's seccomp filter, which landed in Ubuntu. To give it a whirl, you'll need a 64-bit Ubuntu 12.04 (beta at time of writing), and a 64-bit build of vsftpd. Why all the excitement? vsftpd has always piled on all of the Linux sandboxing / privilege facilities available, including chroot, capabilities, file descriptor passing, pid / network / etc. namespaces, rlimits, and even a ptrace-based de
Just a quick note that vsftpd-3.0.0 is imminent. The big-ticket item is the new seccomp filter sandboxing support. Please test this, particularly on 64-bit Ubuntu Precise Beta 2 (or newer) or if you use SSL support. I would love to get a quick note (e-mail or comment here) even if just to say it seems to work in your configuration.
For the brave, there now exists a pre-release version of vsftpd-3.0.0: [link] [link] The most significant change is an initial implementation of a secondary sandbox based on seccomp filter, as recently merged to Ubuntu 12.04. This secondary sandbox is pretty powerful, but I'll go into more details in a subsequent post. For now, suffice to say I'm interested in testing of this new build, e.g.
This year's Pwn2Own and Pwnium contests were interesting for many reasons. If you look at the results closely, there are many interesting observations and conclusions to be made. $60k is more than enough to encourage disclosure of full exploits. As evidenced by the Pwnium results, $60k is certainly enough to motivate researchers into disclosing full exploits, including sandbox escapes or bypasses.
Flash on Linux hasn't always been the best experience in the stability and security departments. Users of 64-bit Linux, in particular, have to put up with NSPluginWrapper, a technology which bridges a 64-bit browser process to the 32-bit Flash library. In terms of sandboxing, your distribution might slap a clunky SELinux or AppArmor policy on Flash, but it may or may not be on by default.
The other day I was thinking about the concept of “event correlation” embedded into various SIEM products. Security events can be verified and false positives eliminated via correlation with other information such as OS fingerprinting, netflows, vulnerability information, etc. It is the value proposition of SIEM and their added value, even though it does not work all the time.
Every day I get to talk to a lot of infosec professionals and business people regarding vulnerability management. They tell me they are using the various $BRANDS of commercial vulnerability scanners out there, and they tell me they are very frustrated. Information overload: the average scanner produces a huge amount of “raw” data that they have to sort through.
In keeping with her stance on overly-invasive employee background checks, British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has issued […].
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?