Paranoid Technology: All things cybersecurity

20 Jan 2020

Security Predictions (& Resolutions) for 2020

Our predictions from 2018 were still valid for 2019, so we skipped a year 😉 Since the decade has come to a close, sharing predictions for 2020 and beyond seems in order… starting with a strategic view of the trends and emerging business problems affecting CISOs today…

Predictions for 2020
1. Year of the IoT CISO – we did not reach Gartner’s 20 billion connected devices by 2020, but we are almost there… The attack surface is increasing rapidly – from personal wearables to medical devices to connected cars to toasters and more – as the proverb goes “where there’s entropy there is chaos” 😉 At least initially…

19 Aug 2015

And Now Look Who’s Going to Get Sued!

While many interesting topics came out of Black Hat recently, the one that caught my eye was in the opening remarks by Jeff Moss and the follow-up article on software liability (“Software Liability is Inevitable” on ThreatPost), i.e. the idea that software developers, and the companies who employ them, should be liable for the quality of their code.

What’s that old Shakespeare saying? “The first thing we do, let’s kill all the lawyers!” While I am generally not a fan of lawsuits as a form of behavior modification, the idea of software liability is an intriguing one. Who hasn’t been part of a company where software’s gone awry and caused anywhere from headaches to actual revenue loss? What if you could make software developers responsible for that pain? I can hear the developers groaning now: this is oppression! Kill all the lawyers! This is going to squash our creativity! … Software development is actually going to be harmed, not helped. No one will want to develop software if they’re afraid of getting sued. Etc, etc.

But let’s think about it: what are the real pros and cons?

17 Jan 2013

More on Java Vulnerability… Got $5K???

We deliberately did not report on this, but could not skip the update. Since last August things have not been going well for Java: researchers have discovered a flurry of vulnerabilities, leading Apple to drop Java from its OS. Those of you who are Java users might have followed the recent software vulnerability that allows an attacker to take over a machine through the Java JVM. Oracle rushed out an update to fix the issue, but the researchers and hackers say otherwise.... KrebsOnSecurity reportedly came across an offer for a fully weaponized Java 7 exploit for $5000; apparently this is a brand-new 0-day flaw that Oracle did not fix in Java 7 Update 11, released a couple of days back.

Here is an excerpt from what Krebs came across on the hacker forum:

“.... New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers..............

15 Jan 2013

Red October Cyber Espionage Ring

We thought it started with Stuxnet and/or Flame, but the Red October cyber espionage ring has been in operation for 5 years, deep undercover. It targeted most major European governments and diplomatic offices all over the world. The most interesting thing is that this may not be a state-sponsored attack, or so it seems so far. During its 5-year existence Red October downloaded hundreds of terabytes of data to its operators. Who is behind this operation is currently unclear. Kaspersky Labs uncovered this espionage ring; senior Kaspersky researcher Roel Schouwenberg told SecurityWatch:...

14 Nov 2012

Skype Account Take Over Exploit

It looks like hackers have devised a way to take over your Skype account. The folks at Skype seem to be on top of this problem, but regardless we thought it would be good to share with our readers.

Based on a posting at http://habrahabr.ru/post/158545/

Here is what Google Translate has to say about this post:

9 Nov 2012

Adobe Reader Zero Day Attack

Adobe officials say they're investigating claims of a recent attack. A newly published report claims the latest versions of the widely used Reader document viewer are under attack by exploit code that targets a previously unknown vulnerability.

The particular exploit is available in underground forums for as much as $50,000. It's significant because it pierces a security sandbox that until now has proved impervious to other online attacks, KrebsOnSecurity journalist Brian Krebs reported on Wednesday. The security mechanism is designed to minimize the damage of attacks that exploit buffer overflows and other types of software bugs by isolating Web content from sensitive parts of the underlying operating system.

1 Jun 2012

“Olympic Games” to include Cyber Warfare ;-)

Who knew?! Apparently "Olympic Games" was the code name for the cyber warfare program initiated under President Bush and stepped up by President Obama. According to the experts the program caused havoc at the Iranian nuclear facilities in Natanz and set back Iran's enrichment efforts by about 18 months to 2 years. It is not clear at this time whether Iran is working on some retaliatory cyber weapon, but if not Iran, someone else will attack our infrastructure sometime soon, and the utility companies should seriously consider spending some major cash on fortifying the systems that are out in the field.

Read the article at the NY Times.

12 Apr 2012

Facebook, Dropbox app security holes

It is hard to believe that top-notch companies in 2012 are still overlooking basic security realities, but believe it, folks... The same security hole recently discovered in Facebook’s iOS and Android apps has now been found in Dropbox’s iOS app as well. The flaw allows anyone with physical access to your phone to copy your login credentials, because both apps store your login information in unencrypted text files on the phone.

29 Feb 2012

HITB2012AMS Live-Hacking Competition

Here is a short press release from the HackInTheBox hackers conference. This one is very interesting, as it presents a live hacking challenge against a bank and a defense attack simulation; read it below:

16 Feb 2012

Four out of Every 1,000 Public Keys Provide No Security

Another must-share, found on Ars Technica: according to researchers, four out of every thousand public keys provide no security. This does not mean everything over SSL is broken, but the findings sure are an eye-opener. Here is the article:

An astonishing four out of every 1,000 public keys protecting webmail, online banking, and other sensitive online services provide no cryptographic security, a team of mathematicians has found. The research is the latest to reveal limitations in the tech used by more than a million Internet sites to prevent eavesdropping.