Google Docs phishing scam underscores OAuth security risks

Credit to Author: Michael Kan | Date: Thu, 04 May 2017 16:20:00 -0700

Google has stopped Wednesday’s clever email phishing scheme, but the attack may very well make a comeback.

One security researcher has already managed to replicate it, even as Google is trying to protect users from such attacks.

“It looks exactly like the original spoof,” said Matt Austin, director of security research at Contrast Security.

The phishing scheme, which may have reached 1 million Gmail users, was particularly effective because it fooled users with a dummy app that looked like Google Docs: a third-party OAuth app registered under that name, which asked victims, through Google's own consent screen, to grant it access to their Gmail and contacts.
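The consent screen shows whatever application name the developer registered, so the name alone proves nothing; what tells you who gets access to what are the scopes requested and the redirect_uri that the authorization code or token is delivered to. The following triage routine is an added example, not code from the article or from Google: it parses a Google OAuth 2.0 authorization URL and flags the combination that characterizes consent phishing (a non-Google redirect host asking for mailbox or contacts scopes). The client_id and redirect hosts in the sample URLs are constructed placeholders, not values from the May 2017 campaign.

```javascript
// Added example: triage of a Google OAuth 2.0 authorization request before a
// user clicks "Allow". Uses only the global URL class available in Node and browsers.

// Scopes that hand a third party the mailbox or the address book.
const SENSITIVE_SCOPES = new Set([
  "https://mail.google.com/",
  "https://www.googleapis.com/auth/gmail.modify",
  "https://www.googleapis.com/auth/gmail.readonly",
  "https://www.googleapis.com/auth/contacts",
  "https://www.googleapis.com/auth/contacts.readonly",
]);

// Hosts a first-party Google product would redirect to. A genuine Google
// product never needs a third-party OAuth grant in the first place.
const GOOGLE_SUFFIXES = [".google.com", ".googleusercontent.com"];

function isGoogleHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "google.com" || GOOGLE_SUFFIXES.some((s) => h.endsWith(s));
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function triageAuthUrl(rawUrl) {
  const u = new URL(rawUrl);
  const findings = [];

  // scope is a space-separated list; searchParams already decodes %20 and '+'.
  const scopes = (u.searchParams.get("scope") || "").split(/\s+/).filter(Boolean);
  const sensitive = scopes.filter((s) => SENSITIVE_SCOPES.has(s));
  if (sensitive.length) {
    findings.push(`requests mailbox/contacts access: ${sensitive.join(" ")}`);
  }

  // Where the code/token goes is where the access ends up.
  const redirectRaw = u.searchParams.get("redirect_uri");
  let thirdParty = false;
  if (redirectRaw) {
    const r = new URL(redirectRaw);
    thirdParty = !isGoogleHost(r.hostname);
    if (thirdParty) findings.push(`authorization result will be delivered to ${r.hostname}`);
    if (r.protocol !== "https:") findings.push(`redirect_uri is not HTTPS (${r.protocol})`);
  }

  // access_type=offline asks for a refresh token, so access outlives the session.
  if (u.searchParams.get("access_type") === "offline") {
    findings.push("requests a refresh token (access persists after the session ends)");
  }

  if (sensitive.length && thirdParty) {
    findings.push("high: third-party app asking for mailbox or contacts access");
  }
  return findings;
}

// Constructed sample URLs (placeholders, not real client IDs or hosts).
const PHISHING_STYLE_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID" +
  "&response_type=code&access_type=offline" +
  "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts" +
  "&redirect_uri=https://docs-share.example.net/callback";

const BENIGN_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID" +
  "&response_type=code&scope=openid%20email" +
  "&redirect_uri=https://mail.google.com/";
```

The check is deliberately independent of the app name: a lookalike name is what the user sees, while the scope and redirect_uri parameters are what actually decide where the grant goes.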

Open-source developers targeted in sophisticated malware attack

Credit to Author: Lucian Constantin | Date: Thu, 30 Mar 2017 04:30:00 -0700

For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware.

The attacks started in January and consisted of malicious emails specifically crafted to attract the attention of developers, such as requests for help with development projects and offers of payment for custom programming jobs.

The emails carried .gz attachments containing Word documents with malicious macro code embedded. If the user enabled macros, the code ran a PowerShell script that contacted a remote server and downloaded a malware program known as Dimnie.

Adobe Reader, Edge, Safari and Ubuntu fall in first day at Pwn2Own

Credit to Author: Lucian Constantin | Date: Thu, 16 Mar 2017 10:37:00 -0700

Bug hunters have gathered again to test their skills against some of the most popular and mature software programs during the Pwn2Own hacking contest. During the first day, they successfully demonstrated exploits against Microsoft Edge, Apple’s Safari, Adobe Reader and Ubuntu Desktop.

The Pwn2Own contest runs every year during the CanSecWest security conference in Vancouver, British Columbia. It’s organized and sponsored by the Zero Day Initiative (ZDI), an exploit acquisition program operated by Trend Micro after its acquisition of TippingPoint.

This year the contest has a prize pool of $1 million for exploits in five categories: virtual machines (VMware Workstation and Microsoft Hyper-V); web browser and plugins (Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari and Flash Player running in Edge); local escalation of privilege (Microsoft Windows, macOS and Ubuntu Desktop); enterprise applications (Adobe Reader, Word, Excel and PowerPoint) and server side (Apache Web Server on Ubuntu Server).

How much are vendor security assurances worth after the CIA leaks?

Credit to Author: Lucian Constantin | Date: Mon, 13 Mar 2017 08:40:00 -0700

Following the recent revelations about the U.S. Central Intelligence Agency’s cyberespionage arsenal, software vendors reiterated their commitments to fix vulnerabilities in a timely manner and told users that many of the flaws described in the agency’s leaked documents have been fixed.

While these assurances are understandable from a public relations perspective, they don’t really change anything, especially for companies and users that are the target of state-sponsored hackers. The software they use is not less safe, nor better protected, than it was before WikiLeaks published the 8,700-plus CIA documents last Tuesday.

Hackers exploit Apache Struts vulnerability to compromise corporate web servers

Credit to Author: Lucian Constantin | Date: Thu, 09 Mar 2017 04:19:00 -0800

Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers.

Apache Struts is an open-source web development framework for Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.

On Monday, the Apache Struts developers fixed a high-impact vulnerability in the framework's Jakarta Multipart parser (CVE-2017-5638; Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected, with fixes in 2.3.32 and 2.5.10.1). Hours later, an exploit for the flaw appeared on Chinese-language websites, and real-world attacks followed almost immediately, according to researchers from Cisco Systems.
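Because the bug sat in how the multipart parser built an error message, the public exploits for CVE-2017-5638 carry an OGNL expression in the Content-Type header, which makes exploitation attempts easy to spot on the wire: a Content-Type value should be a media type and parameters, never `%{` or `${`. The detector below is an added example, not the article's, Cisco's, or the Struts project's code; it parses the head of a raw HTTP request and checks the multipart-related headers for OGNL markers. The request samples are constructed for the example and are not a working exploit.

```javascript
// Added example: flag Struts S2-045 style exploitation attempts from a raw
// request head. Patterns are markers of OGNL evaluation, not a full grammar.
const OGNL_MARKERS = [
  /%\{/,                      // OGNL expression opener used by the public exploits
  /\$\{/,                     // alternative expression syntax
  /#_memberAccess/i,          // sandbox-bypass idiom seen in OGNL payloads
  /@ognl\.OgnlContext@/i,     // static reference into the OGNL runtime
];

// Parse "METHOD PATH VERSION" and the header block into {method, path, headers}.
// Header names are lower-cased; repeated headers are joined so that a second
// Content-Type appended after a benign one is not missed.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/);
  const [method, path] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    if (!line.trim()) break;               // blank line ends the head
    const idx = line.indexOf(":");
    if (idx < 0) continue;                 // tolerate junk lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { method, path, headers };
}

// Returns {header, marker} for the first hit, or null when the request looks clean.
// Content-Type is the header the exploit abuses; the same multipart parser also
// reads Content-Disposition, so checking it costs nothing.
function detectStrutsOgnl(raw) {
  const { headers } = parseRequestHead(raw);
  for (const h of ["content-type", "content-disposition"]) {
    const v = headers[h];
    if (!v) continue;
    for (const m of OGNL_MARKERS) {
      if (m.test(v)) return { header: h, marker: m.source };
    }
  }
  return null;
}

// Constructed request heads: one with an OGNL expression where a media type
// belongs, one ordinary multipart upload.
const ATTACK_REQUEST = [
  "POST /upload.action HTTP/1.1",
  "Host: victim.example",
  "Content-Type: %{(#_='multipart/form-data').(#flag=1)}",
  "Content-Length: 0",
  "",
  "",
].join("\r\n");

const CLEAN_REQUEST = [
  "POST /upload.action HTTP/1.1",
  "Host: victim.example",
  "Content-Type: multipart/form-data; boundary=----constructedBoundary",
  "Content-Length: 0",
  "",
  "",
].join("\r\n");
```

Detection is a stopgap while the upgrade is rolled out: the markers are trivially varied by an attacker, and the only fix that holds is running a patched Struts release.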

CA to acquire security testing firm Veracode for $614M

Credit to Author: John Ribeiro | Date: Tue, 07 Mar 2017 03:58:00 -0800

CA Technologies is acquiring application security testing company Veracode for $614 million in cash, in a bid to broaden its development and testing offering for enterprises and app developers.

The acquisition is expected to be completed by the second quarter of this year.

Privately held Veracode has offices in Burlington, Mass. and London, and employs over 500 people worldwide. The company has around 1,400 small and large customers.

Offering a software-as-a-service platform, Veracode is focused on technologies that let developers improve the security of applications from inception through production.

“Embedding security into the software development lifecycle and making it an automated part of the continuous delivery process means that developers can write code without the hassles of a manual and fragmented approach to security,” CA president and chief product officer Ayman Sayed wrote in a blog post.

Slack bug paved the way for a hack that can steal user access

Credit to Author: Michael Kan | Date: Thu, 02 Mar 2017 12:36:00 -0800

One bug in Slack, the popular work chat application, was enough for a security researcher to design a hack that could trick users into handing over access to their accounts.

Bug bounty hunter Frans Rosen noticed he could steal Slack access tokens for user accounts because of a flaw in the way the application passed data between browser windows.

“Slack missed an important step when using a technology called postMessage,” Rosen said on Wednesday in an email.  

The postMessage API (window.postMessage) lets separate browser windows, including pages from different origins, send messages to each other; it is up to the page receiving a message to check where it came from before acting on it. In Slack, it's used whenever the chat application opens a new window to enable a voice call.
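The "important step" in a postMessage listener is the origin check: the browser stamps every message event with the sender's origin (event.origin), which the sender's script cannot forge, and a handler that does not compare it against an allowlist will answer any window that can obtain a reference to it. The snippet below is an added example, not Slack's code and not Frans Rosen's proof of concept: it reconstructs the mistake in miniature, with the windows and message events simulated as plain objects so it runs under Node. The article does not describe the exact data Slack exchanged with the call window, so the "token-request" message type, the token value, and the deployment origin are assumptions.

```javascript
// Added example: a postMessage listener without an origin check, beside the
// hardened version. Browser plumbing (windows, message events) is simulated.
const SESSION_TOKEN = "xoxs-constructed-example-token"; // constructed placeholder

// Simulated window that records what was posted to it and with which targetOrigin.
function makeWindow(origin) {
  const w = { origin, inbox: [] };
  w.postMessage = (data, targetOrigin) => w.inbox.push({ data, targetOrigin });
  return w;
}

// The bug: any window holding a reference to this one (an opener, an iframe,
// a tab it opened) can post a message, and this handler answers whoever asks.
// Replying with targetOrigin "*" compounds it: the reply goes wherever the
// other window has navigated to in the meantime.
function vulnerableHandler(event) {
  if (event.data && event.data.type === "token-request") {
    event.source.postMessage({ type: "token", token: SESSION_TOKEN }, "*");
  }
}

// The fix has two halves: check event.origin against an explicit allowlist
// before doing anything with the message, and reply with a concrete
// targetOrigin so the token can only land on the origin that asked.
const TRUSTED_ORIGINS = new Set(["https://app.chat.example"]); // assumed deployment origin

function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return;            // drop silently, do not reply
  if (!event.data || event.data.type !== "token-request") return;
  event.source.postMessage({ type: "token", token: SESSION_TOKEN }, event.origin);
}

// Deliver a message to a handler the way the browser would: event.origin comes
// from the sending window, not from the message body. Returns the sender's inbox.
function deliver(handler, sender, data) {
  handler({ origin: sender.origin, source: sender, data });
  return sender.inbox;
}

function receivedToken(inbox) {
  return inbox.some((m) => m.data && m.data.token === SESSION_TOKEN);
}

// Run the attack against both handlers and check that the legitimate origin
// is still served, with the reply pinned to its own origin.
function simulate() {
  const attacker1 = makeWindow("https://evil.example");
  const attacker2 = makeWindow("https://evil.example");
  const legit = makeWindow("https://app.chat.example");
  const legitInbox = deliver(hardenedHandler, legit, { type: "token-request" });
  return {
    vulnerableLeaks: receivedToken(deliver(vulnerableHandler, attacker1, { type: "token-request" })),
    hardenedLeaks: receivedToken(deliver(hardenedHandler, attacker2, { type: "token-request" })),
    hardenedServesLegit: receivedToken(legitInbox) && legitInbox.every((m) => m.targetOrigin === legit.origin),
  };
}
```

In a real page the handler is registered with window.addEventListener("message", handler) and the reply goes through event.source.postMessage(reply, targetOrigin); the simulation changes only the plumbing, not the check that matters. Comparing event.origin against a fixed set of full origins (scheme, host, port) is the point; substring or prefix matching on the origin string is a common way to get the check wrong.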
