Scary Beasts Security

FEBRUARY 20, 2014

One of my side projects is as an adviser and panelist for the non-profit Internet Bug Bounty (IBB). We recently added Adobe Flash Player as in scope for rewards. Earlier today, David Rude collected $10,000 for a vulnerability recently fixed in APSB13-28. My thoughts on this are too long to fit into a tweet, so I summarize them here: This shows that the IBB is serious about rewarding research which makes us all safer. $10,000 is a respectable reward by modern bug bounty program standards.

Internet 90

Internet Internet 90

NopSec

DECEMBER 4, 2014

Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low, Heartbleed has definitely been one of the most severe security events the Internet has never seen. It is found in the Open SSL cryptographic software library, which is omnipresent on the Internet, and it exploits a buffer over-read weakness in the library, a situation where more data can be read than should be allowed ( [link] ).

Risk 52

Risk Internet Internet Software 52

Kali Linux

OCTOBER 5, 2014

Squash the Bugs with Kali 1.0.9a Over the past couple of weeks, we’ve seen a bunch of nasty bugs hit the scene, from shellshock to Debian apt vulnerabilities. As we prefer not to ship vulnerable ISOs, we’ve rolled up new images for our Kali Linux and NetHunter releases as well our Amazon AWS images with the relevant security fixes in place.

Penetration Testing 52

Penetration Testing Encryption 52

Spinone

OCTOBER 5, 2014

Spinbackup is a premier Cloud-to-Cloud Backup Cloud Cybersecurity solutions provider for G Suite and Office 365. The company is an authorized Google Partner featured on the G Suite Marketplace, and an Advanced Technology Partner of Amazon. Over 1,000 organizations with more than 150,000 G Suite users and 20,000 individual Google users currently rely on Spinbackup. […] The post Cloud Data Protection Investment for Spinbackup first appeared on SpinOne.

Backups 52

Backups Technology Cybersecurity 52

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

CompTIA on Cybersecurity

AUGUST 25, 2014

The Security Assessment Wizard — a new tool from CompTIA currently available to premier members — lets you walk customers and prospective clients through the gaps in their security profile. Using the tool positions you as a security expert attuned to the needs of business while simultaneously positioning you for sales. It’s an easy button we can all use.

52

52

Elie

JUNE 24, 2014

What’s the best icon to entice people to share something through their social networks? It turns out to be the one used on Android. While this may contradict guidelines proposed by some designers, this conclusion is based on the results of a survey of 7,500 users.

48

48

Scary Beasts Security

SEPTEMBER 25, 2014

AddressSanitizer, or ASAN , is an excellent tool for detecting subtle memory errors at runtime in C / C++ programs. It is now a productionized option in both the clang and gcc compilers, and has assisted in uncovering literally thousands of security bugs. ASAN works by instrumenting compiled code with careful detections for runtime errors. It is primarily a detection tool.

Engineering 56

Engineering Software Risk 56

NopSec

NOVEMBER 21, 2014

If you’re a security researcher or penetration tester you’re probably already well aware of the extensive array of tools available to help you. OpenVAS , Qualys, Nessus, Arachni, Burp, Wapiti, Skipfish, w3af … the list goes on and on. Choosing which tool to use may not be a simple task and should wind up raising even more questions to be answered. What are you looking to accomplish?

Penetration Testing 52

Penetration Testing Engineering Authentication 52

NopSec

OCTOBER 16, 2014

Google security researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz recently uncovered a vulnerability in SSL 3.0 that could allow secure connections to be compromised by attackers. The researchers are calling the attack POODLE, or Padding Oracle On Downgraded Legacy Encryption. “SSL 3.0 is nearly 18 years old, but support for it remains widespread,” Moller wrote in a blog post describing the issue. “Most importantly, nearly all browsers support it and, in order to

Encryption 52

Encryption Risk Internet Internet 52

NopSec

OCTOBER 3, 2014

If you are like us at NopSec one of the companies that operators on Amazon AWS cloud, this past couple of days resembled a lot more a perilous path. A series of reboot of the entire Amazon cloud forced us and most AWS-based cloud providers to spend long hours in the office or remotely to make sure things were in order after the reboot. “These updates must be completed by Oct. 1 before the issue is made public as part of an upcoming Xen Security Announcement (XSA),” according to the A

Software 52

Software 52

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Kali Linux

AUGUST 24, 2014

Now that we have caught our breath after the Black Hat and DEF CON conferences, we have put aside some time to fix an annoying bug in our 1.0.8 ISO releases related to outdated firmware as well as regenerate fresh new ARM and VMware images (courtesy of OffSec ) for our new 1.0.9 release. With this release come a few more updates worth mentioning: Rasberry Pi B+ ARM Image Support We are pleased to announce that we have updated our Raspberry Pi Kali image to support the new B+ model so that now it

Firmware 52

Firmware 52

Kali Linux

JULY 21, 2014

The long awaited Kali Linux USB EFI boot support feature has been added to our binary ISO builds, which has prompted this early Kali Linux 1.0.8 release. This new feature simplifies getting Kali installed and running on more recent hardware which requires EFI as well as various Apple Macbooks Air and Retina models. Besides the addition of EFI support, there is a whole array of tool updates and fixes that have accumulated over the past couple of months.

Penetration Testing 52

Penetration Testing Encryption 52

NopSec

JUNE 16, 2014

No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and the University of North Dakota cumulatively impacted over 750,000 students, alumni, faculty and staff. In the case of higher educational institutions there is data exposure risk from personally identifiable information, such as social security numbers.

Data breaches 52

Data breaches Malware Passwords Education 52

Kali Linux

MAY 26, 2014

Kernel 3.14, Tool Updates, Package Improvements Kali Linux 1.0.7 has just been released, complete with a whole bunch of tool updates, a new kernel, and some cool new features. Check out our changelog for a full list of these items. As usual, you don’t need to re-download or re-install Kali to benefit from these updates - you can update to the latest and greatest using these simple commands: apt-get update apt-get dist-upgrade # If you've just updated your kernel, then: reboot Kali Linux En

Encryption 52

Encryption 52

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Kali Linux

FEBRUARY 25, 2014

One of our goals when developing Kali Linux was to provide multiple metapackages that would allow us to easily install subsets of tools based on their particular needs. Until recently, we only had a handful of these meta packages but we have since expanded the metapackage list to include far more options: kali-linux kali-linux-all kali-linux-forensic kali-linux-full kali-linux-gpu kali-linux-pwtools kali-linux-rfid kali-linux-sdr kali-linux-top10 kali-linux-voip kali-linux-web kali-linux-wireles

Wireless 52

Wireless Penetration Testing Hacking Passwords 52

Kali Linux

JANUARY 19, 2014

Kali Linux in the Amazon EC2 Marketplace EDIT : For updated Kali Rolling images in the Amazon AWS, check this post. After several weeks of “back and forth” with the Amazon EC2 team, Kali Linux has finally been approved into the Amazon EC2 marketplace. This means that our users can now activate and access Kali Linux instances in the Amazon cloud quickly and easily.

Penetration Testing 52

Penetration Testing Internet Internet Accountability 52

Kali Linux

JANUARY 13, 2014

Kali Linux contains a large number of very useful tools that are beneficial to information security professionals. One set of such tools belongs to the Pass-the-Hash toolkit, which includes favorites such as pth-winexe among others, already packaged in Kali Linux. An example of easy command line access using pth-winexe is shown below. We constantly strive to include new, useful tools to our repositories.

Passwords 52

Passwords Authentication Information Security 52

Kali Linux

JANUARY 12, 2014

There’s been a fair amount of discussion around the recently introduced LUKS nuke patch we added to the cryptsetup package in Kali Linux. We wanted to take this opportunity to better explain this feature, as well as demonstrate some useful approaches which are worthwhile getting to know. LUKS Nuke in a Nutshell As explained well By Michael Lee in his ZDNet article , when creating an encrypted LUKS container, a master key is generated at random.

Encryption 52

Encryption Backups Passwords 52

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Kali Linux

JANUARY 8, 2014

Kernel 3.12, LUKS nuke, Amazon AMI / Google Compute images and more! It’s been a while since our last minor release which makes 1.0.6 a more significant update than usual. With a new 3.12 kernel, a LUKS nuke feature , new Kali ARM build scripts , and Kali AMAZON AMI and Google Compute image generation scripts , not to mention numerous tool additions and updates - this release is really heavily laden with goodness.

Penetration Testing 52

Penetration Testing Software 52

Kali Linux

JANUARY 5, 2014

Kali Linux Full Disk Encryption As penetration testers , we often need to travel with sensitive data stored on our laptops. Of course, we use full disk encryption wherever possible, including our Kali Linux machines, which tend to contain the most sensitive materials. Setting up full disk encryption with Kali is a simple process. The Kali installer includes a straightforward process for setting up encrypted partitions with LVM and LUKS.

Passwords 52

Passwords Encryption 52

Scary Beasts Security

MARCH 21, 2014

A couple of weeks back, I released a popular spreadsheet which lists many of the Adobe Flash Player 0-days used to harm people in the wild since 2010. I counted 18 and countless kind Twitterers pointed out some I may have missed. It was an interesting exercise, of course with an ulterior motive! Looking beyond the raw counts, the spreadsheet shouts two items: We should want to make a difference.

Surveillance 50

Surveillance Software Internet Internet 50

Scary Beasts Security

SEPTEMBER 27, 2014

[Prelude: sorry, this has nothing to do with security whatsoever. Feel free to bail now if you're not interested in a classic 1980's game, and rest assured that non-security posts to this blog will remain extremely rare.] The BBC Micro game Exile , released in 1988, has a realistic claim for the best game ever. I lost months of my youth to this game.

Engineering 50

Engineering Accountability Hacking 50

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Scary Beasts Security

JUNE 5, 2014

A couple of years ago, during an idle moment, I wondered what we could do if we had the hardware CPU primitive of pages with permissions execute-only (i.e. no read and write): [link] It turns out that aarch64 has exactly such support. Here's support heading in to the Linux kernel: [link] The original idea was to defeat ROP by having all of the instructions randomized a bit on a per-install basis.

Engineering 50

Engineering Hacking 50

Elie

MARCH 25, 2014

Half of Android users don’t bother to lock their phones, despite having the choice of using patterns, passwords, PINs, and even their faces to secure their devices. This contrasts starkly with a report from the Federal Communications Commission warning that up to 40 percent of robberies in major cities involve cell phones. More precisely, over 52 percent.

Passwords 48

Passwords 48

Elie

JANUARY 28, 2014

Marketers agree: screen size is a top priority for anyone shopping for their next cell phone but my new consumer survey challenges this conventional wisdom.

Marketing 48

Marketing 48

Elie

MAY 30, 2014

Worries about big data and privacy are all over the news, but our new research shows that big data can also help better understand users' privacy concerns.

Big data 48

Big data 48

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Elie

SEPTEMBER 1, 2014

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Hacking 48

Hacking Cybersecurity 48

Elie

AUGUST 13, 2014

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Cybersecurity 48

Cybersecurity 48

Elie

AUGUST 1, 2014

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Cybersecurity 48

Cybersecurity 48

Elie

JULY 31, 2014

In-depth research publications, industry talks and blog posts about Google security, research at Google and cybersecurity in general in open-access.

Cybersecurity 48

Cybersecurity 48

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.