2012

article thumbnail

The dirty secret of browser security #1

Scary Beasts Security

Here's a curiousity that's developing in modern browser security: The security of a given browser is dominated by how much effort it puts into other peoples' problems. This may sound absurd at first but we're heading towards a world where the main browsers will have (with a few notable exceptions): Rapid autoupdate to fix security issues. Some form of sandboxing.

article thumbnail

How we broke the nucaptcha video scheme and what we propose to fix it

Elie

NuCaptcha is the first widely deployed video captcha scheme. Since Technology Review interviewed me about NuCaptcha in October 2010, I have been working on evaluating its security and usability.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Leveson: Proposals for New Data Privacy rules in the UK

Privacy and Cybersecurity Law

The Leveson Inquiry recently published its findings into UK press regulation. However Leveson also commented on the UK data privacy […].

article thumbnail

Stronger customer authentication only way to mitigate risk of bank fraud

Dark Reading

Sitting at the core of every financial transaction is trust. Without it, or worse, relying on unvalidated resources like personal identifiable information (PII) to identify customers, puts every banking transaction at risk. The recent article, “$850 Million Scheme Exploited Facebook: Authentication, Secure Browsing Would Have Reduced Losses,” illustrates just how important customer authentication is.

Banking 40
article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Reemerging from the Flood

NopSec

Some of you probably wondered where the NopSec crew and I ended up these days… already tired for blog writing? Not quite. Most of people at NopSec live between Manhattan and Brooklyn. And most of the people at NopSec even though safe and sound suffered inconveniences and damages from hurricane Sandy. As far as I am concerned most of the trees in the garden where I live in the East Village were downed during the storm, many flooded garages and basements, for at least tree days I did not hav

Banking 40
article thumbnail

Some random observations on Linux ASLR

Scary Beasts Security

I've had cause to be staring at memory maps recently across a variety of systems. No surprise then that some suboptimal or at least interesting ASLR quirks have come to light. 1) Partial failure of ASLR on 32-bit Fedora My Fedora is a couple of releases behind, so no idea if it's been fixed. It seems that the desire to pack all the shared libraries into virtual address 0x00nnnnnn has a catastrophic failure mode when there are too many libraries: something always ends up at 0x00110000.

51

More Trending

article thumbnail

Chrome 20 on Linux and Flash sandboxing

Scary Beasts Security

[Very behind on blog posts so time to crank some out] A week or so ago, Chrome 20 was released to the stable channel. There was little fanfare and even the official Chrome blog didn't have much to declare apart from bugfixes. There were some things going on under the hood for the Linux platform, though. Security things, and some of them I implemented and am quite excited by.

50
article thumbnail

vsftpd-3.0.0 and seccomp filter sandboxing is here!

Scary Beasts Security

vsftpd-3.0.0 is released. Aside from the usual few fixes, I'm excited about built-in support for Will Drewry's seccomp filter, which landed in Ubuntu. To give it a whirl, you'll need a 64-bit Ubuntu 12.04 (beta at time of writing), and a 64-bit build of vsftpd. Why all the excitement? vsftpd has always piled on all of the Linux sandboxing / privilege facilities available, including chroot, capabilities, file descriptor passing, pid / network / etc. namespaces, rlimits, and even a ptrace-based de

article thumbnail

vsftpd-3.0.0-pre2

Scary Beasts Security

Just a quick note that vsftpd-3.0.0 is imminent. The big-ticket item is the new seccomp filter sandboxing support. Please test this, particularly on 64-bit Ubuntu Precise Beta 2 (or newer) or if you use SSL support. I would love to get a quick note (e-mail or comment here) even if just to say it seems to work in your configuration.

50
article thumbnail

vsftpd-3.0.0-pre1 and seccomp filter

Scary Beasts Security

For the brave, there now exists a pre-release version of vsftpd-3.0.0: [link] [link] The most significant change is an initial implementation of a secondary sandbox based on seccomp filter , as recently merged to Ubuntu 12.04. This secondary sandbox is pretty powerful, but I'll go into more details in a subsequent post. For now, suffice to say I'm interested in testing of this new build, e.g.

50
article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

On the failings of Pwn2Own 2012

Scary Beasts Security

This year's Pwn2Own and Pwnium contests were interesting for many reasons. If you look at the results closely, there are many interesting observations and conclusions to be made. $60k is more than enough to encourage disclosure of full exploits As evidenced by the Pwnium results , $60k is certainly enough to motivate researchers into disclosing full exploits, including sandbox escapes or bypasses.

article thumbnail

Chrome Linux 64-bit and Pepper Flash

Scary Beasts Security

Flash on Linux hasn't always been the best experience in the stability and security departments. Users of 64-bit Linux, in particular, have to put up with NSPluginWrapper , a technology which bridges a 64-bit browser process to the 32-bit Flash library. In terms of sandboxing, your distribution might slap a clunky SELinux or AppArmor policy on Flash, but it may or may not be on by default.

article thumbnail

Another Type of Correlation – Vulnerability Correlation

NopSec

The other day I was thinking about the concept of “event correlation” embedded into various SIEM products. Security events can be verified and false positives eliminated via correlation with other information such OS fingerprinting, netflows, vulnerability information, etc. It is the value proposition of SIEM and their added value even though it does not work all the times.

Risk 40
article thumbnail

What’s the matter with vulnerability management?

NopSec

Every day I get tot talk to a lot of infosec professionals and business people regarding vulnerability management. They tell me that using the various $BRANDS of commercial vulnerability scanners out there and they tell me they are very frustrated. Information overload The average scanner produced a huge amount of “raw” data that they to sort through.

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

Pension Schemes Failing on Data Privacy

Privacy and Cybersecurity Law

We are all familiar with the ongoing saga of data breach, notifications to the Information Commissioner’s Office and the risk […].

article thumbnail

Wither ‘Big Brother’? B.C. Privacy Commissioner Reins-in Government of British Columbia Criminal Record Checks

Privacy and Cybersecurity Law

In keeping with her stance on overly-invasive employee background checks, British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has issued […].

article thumbnail

Is the new Regulation back on track?

Privacy and Cybersecurity Law

The Data Protection Regulation is potentially back on track after a major roadblock was resolved. Germany is reported to have agreed […].

40
article thumbnail

Copying ID documents – Dutch data regulator issues guidance

Privacy and Cybersecurity Law

We have all been asked before to provide copies of our passports to organisations such as telecoms providers, hotels and car rental companies. […].

40
article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

It’s Friday 13th! Time to consider the cost of getting privacy wrong

Privacy and Cybersecurity Law

Today is Friday 13th; so timely to consider the news stories this week saying that Google will soon be fronting up to […].

40
article thumbnail

New European A29 Guidance on “Privacy in the Cloud”

Privacy and Cybersecurity Law

Privacy debates in connection with cloud computing often generate more heat than light! Some regulators (not in the UK!) have […].

40
article thumbnail

OCR releases audit protocols for HIPAA Security, Privacy and Breaches

Privacy and Cybersecurity Law

The Department of Health & Human Services (HHS) is required under Section 13411 of the HITECH Act to conduct periodic […].

40
article thumbnail

Cookie Consent Exemptions – The Article 29 Working Party’s View

Privacy and Cybersecurity Law

There have been further developments this week on the new ‘cookies rule’ with the Article 29 Working Party issuing its […].

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Article 29 Working Party adopts document on BCRs for processors

Privacy and Cybersecurity Law

Following our recent blog post, the Article 29 Working Party has adopted a document (WP195) on Binding Corporate Rules (“BCRs”) for processors […].

40
article thumbnail

Upcoming seminars on the draft Data Protection Regulation

Privacy and Cybersecurity Law

As you may already know, we’re hosting two seminars next week on the draft Data Protection Regulation. On Tuesday, 19 […].

40
article thumbnail

Privacy and data interception in Saudi Arabia

Privacy and Cybersecurity Law

As part of our coverage of global privacy and data security issues, we thought you would be interested in a […].

40
article thumbnail

The FTC’s Myspace Consent Order May Impact Use by Mobile App Developers of Unique IDs

Privacy and Cybersecurity Law

On May 8th, the FTC released its proposed consent order in its investigation of Myspace.com, finding the social networking site […].

Mobile 40
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

NIST Releases Cloud Computing Guidance

Privacy and Cybersecurity Law

Following on the heels of its December guidance on cloud privacy and security, NIST has released SP 800-146, “Cloud Computing […].

40
article thumbnail

The new ICO guidance on Cookies

Privacy and Cybersecurity Law

The UK “grace period” for implementation of the cookie consent rule expired last Friday. The long-promised update to the ICO […].

article thumbnail

Five Key Messages from our Data Protection Regulation Update

Privacy and Cybersecurity Law

Firstly, many thanks to those of you who joined us at our legal update seminar last week on the Data […].

40
article thumbnail

Article 29 Working Party Opinion on BCRs for Processors Imminent

Privacy and Cybersecurity Law

The draft agenda for the next Article 29 Working Party meeting on 6-7 June includes a draft opinion on Binding […].

40
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?