2011

article thumbnail

Alert: vsftpd download backdoored

Scary Beasts Security

[With thanks to Mathias Kresin for being the first to notice] An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor: [link] The bad tarball is (sha256sum): 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5 vsftpd-2.3.4.tar.gz And, of course, the GPG signature notices: $ gpg.

79
article thumbnail

What phishing sites look like ? (study)

Elie

In this post we are going to take a closer look on what are the current phishing tactics employed in the wild. The trends uncovered by analyzing our new data-set of 5000 recents phishing sites will change the way you think about phishing.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

New Opt-in Privacy Rule for Cookies

Privacy and Cybersecurity Law

The Information Commissioner’s Office (ICO) has sent a clear message to UK website owners to “try harder” on compliance with the […].

article thumbnail

Fiddling with Chromium's new certificate pinning

Scary Beasts Security

Over the past few years, there have been various high-profile incidents and concerns with the Certificate Authority-based infrastructure that underpins https connections. Various different efforts are underway to tackle the problem; many are enumerated here: [link] And in terms of things baked directly into the browser, we have things like Firefox's Certificate Patrol add-on: [link] My colleague Adam Langley summarized some features and directions we've been exploring in Chromium recently, it's

article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Dangerous file write bug in Foxit PDF Reader

Scary Beasts Security

This is fixed in the recently released Foxit PDF Reader v4.3.1.0218. That release is marked as an important security update , although this file bug is not mentioned. Recently, I've been playing around with the various JavaScript APIs available in various different PDF readers. In case you wanted to do the same, I made some little tools, including a simple one to execute PDF-based JS via an URL: [link] The serious bug I found in Foxit PDF Reader permits arbitrary files to be written with arbitra

50
article thumbnail

Multi-browser heap address leak in XSLT

Scary Beasts Security

It's not often that I find a bug that affects multiple different codebases in the same way, but here is an interesting info-leak bug that is currently unpatched in Firefox, Internet Explorer and Safari. I'm releasing it now for a few reasons: The bug was already publicly noted here. This bug cannot damage anyone in and of itself; it's a low severity info-leak that does not corrupt anything.

More Trending

article thumbnail

Bug bounties vs. black (& grey) markets

Scary Beasts Security

I'm just back from the fun that was HiTB Amsterdam 2011. (Plug: you should check out one of the HiTB series if you haven't yet; Dhillon and crew invariably put a good, intimate conf together). I sat on the day 2 keynote panel on "The economics of vulnerabilities". As usual, talking about this topic was great fun and the audience asked some great questions.

article thumbnail

Busy Chrome day.

Scary Beasts Security

I did a bunch of fairly interesting things with my corporate hat on today (not to be confused with any of my personal research ;-) Firstly, Chrome 10 went out with a record $16k+ series of rewards. It's continually humbling to see such a wide range of researchers and a wide range of bug categories! [link] Also, there are some nice new security pieces in Chrome 10.

50
article thumbnail

I got accidental code execution via glibc?!

Scary Beasts Security

The story of Chromium security bug 48733 , with guest Cris Neckar, part I It has been a long time now, but the story of Chromium security bug 48733 deserves to be told. It involves intrigue in glibc and even gcc; and notably I accidentally executed arbitrary code whilst playing with this bug! The bug was reported in July 2010, and there were instantly some WTF aspects.

50
article thumbnail

Some less obvious benefits of HSTS

Scary Beasts Security

HSTS , standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections. Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent. The stated benefits of HSTS include: Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.

50
article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

A harmless SVG + XSLT curiousity

Scary Beasts Security

How do you execute code in a turing complete language via the tag? Why, by combining an XSL transform into an SVG image of course! I stumbled across this old file in my archives: [link] If you run it e.g. in Chrome, it'll consume a load of CPU (and subsequently memory if you let it crank). I expect it'll do the same in any WebKit browser, and Opera's error message implies it has all the pieces to follow suit if I tweaked the file a bit.

50
article thumbnail

Evolution of the https lock icon (infographic)

Elie

Since the introduction of HTTPS by Netscape, the lock icon have been the indicator of choice to tell users that their communication is secure. Over the years, this “prestigious” icon shape and position kept changing from browser to browser and from version to version so I made a couple of infographic to illustrate this. I hope you will enjoy them.

48
article thumbnail

Using the microsoft geolocalization api to retrace where a windows laptop has been

Elie

EDIT (Tuesday 2nd August) Microsoft Statement is available from here EDIT (Sunday 31th July) The flaw is fixed: I had a phone call with some people from Microsoft yesterday (yes on a Saturday) and they told me they fixed the problem. I will update this post with their response as soon as it is out.

48
article thumbnail

Tracking users that block cookies with a http redirect

Elie

While the standard technique to track users across multiples sites / visits is to use cookies this is by no means the only way to do this. Last year Samy, with his famous evercookie application, showed that in fact many browser storages (Flash, locale storage) can be used to store a unique identifier.

48
article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

Five surprising captcha schemes

Elie

Since I started doing research on CAPTCHA security two years ago, I have relentlessly collected samples of all the different schemes I have encountered. In this blog post, I want to share with you five of the most crazy, funny, and interesting schemes I collected.

48
article thumbnail

Some insights about password shapes

Elie

Today, I would like to share with you some insights that I discovered about password “shapes.” More specifically, I will discuss some of the interesting metrics I computed from the RockYou database, which is, as far as I know, the largest password database ever leaked, with 32 million passwords!

article thumbnail

The USA Patriot Act – Implications for Cloud Computing

Privacy and Cybersecurity Law

European cloud users are expressing increasing concern over the effect of the USA Patriot Act. The Act entitles US authorities […].

40
article thumbnail

New European “Cookie Law” Guidance Published

Privacy and Cybersecurity Law

On 26 May 2011, new rules on the use of website cookies will come into force and threatens to drastically […].

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Porn domain not that sexy: no rush to have.xxx

Elie

While their is a huge hype surrounding.xxx domains and companies rushing to buy them to protect their brand, it seems that registration data disagree with this. My analysis of the 50000 most popular websites in the world shows that only 24% of them actually registered their.xxx domain.

48