2014

Internet Bug Bounty issues its first $10,000 reward

Scary Beasts Security

One of my side projects is as an adviser and panelist for the non-profit Internet Bug Bounty (IBB). We recently added Adobe Flash Player to the scope of rewards. Earlier today, David Rude collected $10,000 for a vulnerability recently fixed in APSB13-28. My thoughts on this are too long to fit into a tweet, so I summarize them here: This shows that the IBB is serious about rewarding research which makes us all safer. $10,000 is a respectable reward by modern bug bounty program standards.

Find the Next Heartbleed-like Vulnerability

NopSec

Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low, Heartbleed has definitely been one of the most severe security events the Internet has ever seen. It is found in the OpenSSL cryptographic software library, which is omnipresent on the Internet, and it exploits a buffer over-read weakness in the library, a situation where more data can be read than should be allowed ([link]).

Kali & NetHunter Security Release Fixes

Kali Linux

Squash the Bugs with Kali 1.0.9a

Over the past couple of weeks, we’ve seen a bunch of nasty bugs hit the scene, from shellshock to Debian apt vulnerabilities. As we prefer not to ship vulnerable ISOs, we’ve rolled up new images for our Kali Linux and NetHunter releases, as well as our Amazon AWS images, with the relevant security fixes in place.

Cloud Data Protection Investment for Spinbackup

Spinone

Spinbackup is a premier Cloud-to-Cloud Backup Cloud Cybersecurity solutions provider for G Suite and Office 365. The company is an authorized Google Partner featured on the G Suite Marketplace, and an Advanced Technology Partner of Amazon. Over 1,000 organizations with more than 150,000 G Suite users and 20,000 individual Google users currently rely on Spinbackup. […]

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

The IT Security Easy Button – Making Complicated Customer Conversations Easy

CompTIA on Cybersecurity

The Security Assessment Wizard — a new tool from CompTIA currently available to premier members — lets you walk customers and prospective clients through the gaps in their security profile. Using the tool positions you as a security expert attuned to the needs of business while simultaneously positioning you for sales. It’s an easy button we can all use.

I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Using ASAN as a protection

Scary Beasts Security

AddressSanitizer, or ASAN, is an excellent tool for detecting subtle memory errors at runtime in C / C++ programs. It is now a productionized option in both the clang and gcc compilers, and has assisted in uncovering literally thousands of security bugs. ASAN works by instrumenting compiled code with careful detections for runtime errors. It is primarily a detection tool.

Projecting Your Burp

NopSec

If you’re a security researcher or penetration tester you’re probably already well aware of the extensive array of tools available to help you. OpenVAS, Qualys, Nessus, Arachni, Burp, Wapiti, Skipfish, w3af … the list goes on and on. Choosing which tool to use may not be a simple task and should wind up raising even more questions to be answered. What are you looking to accomplish?

Poodle SSLv3 vulnerability: What it is, how to discover it, how to defend against it

NopSec

Google security researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz recently uncovered a vulnerability in SSL 3.0 that could allow secure connections to be compromised by attackers. The researchers are calling the attack POODLE, or Padding Oracle On Downgraded Legacy Encryption. “SSL 3.0 is nearly 18 years old, but support for it remains widespread,” Moller wrote in a blog post describing the issue. “Most importantly, nearly all browsers support it and, in order to

Are the clouds in the sky rebooting?!

NopSec

If you are, like us at NopSec, one of the companies that operate on the Amazon AWS cloud, the past couple of days resembled a perilous path. A series of reboots across the entire Amazon cloud forced us and most AWS-based cloud providers to spend long hours in the office or remotely making sure things were in order after the reboot. “These updates must be completed by Oct. 1 before the issue is made public as part of an upcoming Xen Security Announcement (XSA),” according to the A

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Kali Tools Website Launched, 1.0.9 Release

Kali Linux

Now that we have caught our breath after the Black Hat and DEF CON conferences, we have put aside some time to fix an annoying bug in our 1.0.8 ISO releases related to outdated firmware, as well as regenerate fresh new ARM and VMware images (courtesy of OffSec) for our new 1.0.9 release. With this release come a few more updates worth mentioning:

Raspberry Pi B+ ARM Image Support

We are pleased to announce that we have updated our Raspberry Pi Kali image to support the new B+ model so that now it

Kali Linux 1.0.8 Release with EFI Boot Support

Kali Linux

The long awaited Kali Linux USB EFI boot support feature has been added to our binary ISO builds, which has prompted this early Kali Linux 1.0.8 release. This new feature simplifies getting Kali installed and running on more recent hardware which requires EFI, as well as various Apple MacBook Air and Retina models. Besides the addition of EFI support, there is a whole array of tool updates and fixes that have accumulated over the past couple of months.

Lessons Learned from Data Breaches at Universities

NopSec

No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and the University of North Dakota cumulatively impacted over 750,000 students, alumni, faculty and staff. In the case of higher educational institutions there is data exposure risk from personally identifiable information, such as social security numbers.

Kali Linux 1.0.7 Release

Kali Linux

Kernel 3.14, Tool Updates, Package Improvements

Kali Linux 1.0.7 has just been released, complete with a whole bunch of tool updates, a new kernel, and some cool new features. Check out our changelog for a full list of these items. As usual, you don’t need to re-download or re-install Kali to benefit from these updates - you can update to the latest and greatest using these simple commands:

    apt-get update
    apt-get dist-upgrade
    # If you've just updated your kernel, then:
    reboot

Kali Linux En

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Kali Linux Metapackages

Kali Linux

One of our goals when developing Kali Linux was to provide multiple metapackages that would allow users to easily install subsets of tools based on their particular needs. Until recently, we only had a handful of these metapackages, but we have since expanded the metapackage list to include far more options:

    kali-linux
    kali-linux-all
    kali-linux-forensic
    kali-linux-full
    kali-linux-gpu
    kali-linux-pwtools
    kali-linux-rfid
    kali-linux-sdr
    kali-linux-top10
    kali-linux-voip
    kali-linux-web
    kali-linux-wireles

Kali Linux Amazon EC2 AMI

Kali Linux

Kali Linux in the Amazon EC2 Marketplace

EDIT: For updated Kali Rolling images in the Amazon AWS, check this post.

After several weeks of “back and forth” with the Amazon EC2 team, Kali Linux has finally been approved into the Amazon EC2 marketplace. This means that our users can now activate and access Kali Linux instances in the Amazon cloud quickly and easily.

Passing the Hash with Remote Desktop

Kali Linux

Kali Linux contains a large number of very useful tools that are beneficial to information security professionals. One set of such tools belongs to the Pass-the-Hash toolkit, which includes favorites such as pth-winexe among others, already packaged in Kali Linux. An example of easy command line access using pth-winexe is shown below. We constantly strive to include new, useful tools to our repositories.

How to Nuke your Encrypted Kali Installation

Kali Linux

There’s been a fair amount of discussion around the recently introduced LUKS nuke patch we added to the cryptsetup package in Kali Linux. We wanted to take this opportunity to better explain this feature, as well as demonstrate some useful approaches which are worthwhile getting to know.

LUKS Nuke in a Nutshell

As explained well by Michael Lee in his ZDNet article, when creating an encrypted LUKS container, a master key is generated at random.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Kali Linux 1.0.6 Release

Kali Linux

Kernel 3.12, LUKS nuke, Amazon AMI / Google Compute images and more!

It’s been a while since our last minor release which makes 1.0.6 a more significant update than usual. With a new 3.12 kernel, a LUKS nuke feature, new Kali ARM build scripts, and Kali AMAZON AMI and Google Compute image generation scripts, not to mention numerous tool additions and updates - this release is really heavily laden with goodness.

Emergency Self Destruction of LUKS in Kali

Kali Linux

Kali Linux Full Disk Encryption

As penetration testers, we often need to travel with sensitive data stored on our laptops. Of course, we use full disk encryption wherever possible, including our Kali Linux machines, which tend to contain the most sensitive materials. Setting up full disk encryption with Kali is a simple process. The Kali installer includes a straightforward process for setting up encrypted partitions with LVM and LUKS.

Together, we can make a difference

Scary Beasts Security

A couple of weeks back, I released a popular spreadsheet which lists many of the Adobe Flash Player 0-days used to harm people in the wild since 2010. I counted 18 and countless kind Twitterers pointed out some I may have missed. It was an interesting exercise, of course with an ulterior motive! Looking beyond the raw counts, the spreadsheet shouts two items: We should want to make a difference.

Exile for the BBC Micro; some elegant solutions

Scary Beasts Security

[Prelude: sorry, this has nothing to do with security whatsoever. Feel free to bail now if you're not interested in a classic 1980's game, and rest assured that non-security posts to this blog will remain extremely rare.] The BBC Micro game Exile , released in 1988, has a realistic claim for the best game ever. I lost months of my youth to this game.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Execute without read

Scary Beasts Security

A couple of years ago, during an idle moment, I wondered what we could do if we had the hardware CPU primitive of pages with permissions execute-only (i.e. no read and write): [link] It turns out that aarch64 has exactly such support. Here's support heading into the Linux kernel: [link] The original idea was to defeat ROP by having all of the instructions randomized a bit on a per-install basis.

Predicting a Hearthstone opponent’s deck using machine learning

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Pricing hearthstone cards with unique abilities: VanCleef and The Twilight Drake

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

How to find undervalued Hearthstone cards automatically

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

How to appraise Hearthstone card values

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Choose the right sharing icon to boost user engagement

Elie

What’s the best icon to entice people to share something through their social networks? It turns out to be the one used on Android. While this may contradict guidelines proposed by some designers, this conclusion is based on the results of a survey of 7,500 users.

Using big data to understand users' privacy concerns

Elie

Worries about big data and privacy are all over the news, but our new research shows that big data can also help better understand users' privacy concerns.

Meaning matters: why google switched to numeric captchas

Elie

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?