Top 5 email security best practices to prevent malware distribution
Credit to Author: Ryan Francis| Date: Thu, 06 Apr 2017 06:29:00 -0700
Pwn2Own ends with two virtual machine escapes
Credit to Author: Lucian Constantin| Date: Mon, 20 Mar 2017 12:08:00 -0700
Two teams of researchers managed to win the biggest bounties at this year’s Pwn2Own hacking contest by escaping from the VMware Workstation virtual machine and executing code on the host operating system.
Virtual machines are used in many scenarios to create throw-away environments that pose no threat to the main operating system in case of compromise. For example, many malware researchers execute malicious code or visit compromised websites inside virtual machines to observe their behavior and contain their impact.
One of the main goals of hypervisors like VMware Workstation is to create a barrier between the guest operating system that runs inside the virtual machine and the host OS where the hypervisor runs. That’s why VM escape exploits are highly prized, more so than browser or OS exploits.
Adobe Reader, Edge, Safari and Ubuntu fall in first day at Pwn2Own
Credit to Author: Lucian Constantin| Date: Thu, 16 Mar 2017 10:37:00 -0700
Bug hunters have gathered again to test their skills against some of the most popular and mature software programs during the Pwn2Own hacking contest. During the first day, they successfully demonstrated exploits against Microsoft Edge, Apple’s Safari, Adobe Reader and Ubuntu Desktop.
The Pwn2Own contest runs every year during the CanSecWest security conference in Vancouver, British Columbia. It’s organized and sponsored by the Zero Day Initiative (ZDI), an exploit acquisition program operated by Trend Micro after its acquisition of TippingPoint.
This year the contest has a prize pool of $1 million for exploits in five categories: virtual machines (VMware Workstation and Microsoft Hyper-V); web browser and plugins (Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari and Flash Player running in Edge); local escalation of privilege (Microsoft Windows, macOS and Ubuntu Desktop); enterprise applications (Adobe Reader, Word, Excel and PowerPoint) and server side (Apache Web Server on Ubuntu Server).
How much are vendor security assurances worth after the CIA leaks?
Credit to Author: Lucian Constantin| Date: Mon, 13 Mar 2017 08:40:00 -0700
Following the recent revelations about the U.S. Central Intelligence Agency’s cyberespionage arsenal, software vendors reiterated their commitments to fix vulnerabilities in a timely manner and told users that many of the flaws described in the agency’s leaked documents have been fixed.
While these assurances are understandable from a public relations perspective, they don’t really change anything, especially for companies and users that are the target of state-sponsored hackers. The software they use is not less safe, nor better protected, than it was before WikiLeaks published the 8,700-plus CIA documents last Tuesday.
Hackers exploit Apache Struts vulnerability to compromise corporate web servers
Credit to Author: Lucian Constantin| Date: Thu, 09 Mar 2017 04:19:00 -0800
Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers.
Apache Struts is an open-source web development framework for Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.
On Monday, the Apache Struts developers fixed a high-impact vulnerability in the framework’s Jakarta Multipart parser. Hours later, an exploit for the flaw appeared on Chinese-language websites, which was almost immediately followed by real-world attacks, according to researchers from Cisco Systems.
HackerOne offers bug bounty service for free to open-source projects
Credit to Author: Lucian Constantin| Date: Fri, 03 Mar 2017 12:41:00 -0800
HackerOne, the company behind one of the most popular vulnerability coordination and bug bounty platforms, has decided to make its professional service available to open-source projects for free.
“Here at HackerOne, open source runs through our veins,” the company’s representatives said in a blog post. “Our company, product, and approach is built on, inspired by, and driven by open source and a culture of collaborative software development. As such, we want to give something back.”
HackerOne is a platform that makes it easier for companies to interact with security researchers, triage their reports, and reward them. Very few companies have the necessary resources to build and maintain bug bounty programs on their own with all the logistics that such efforts involve, much less so open-source projects that are mostly funded through donations.
Google discloses unpatched IE flaw after Patch Tuesday delay
Credit to Author: Lucian Constantin| Date: Fri, 24 Feb 2017 10:44:00 -0800
Google’s Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google’s 90-day disclosure deadline.
This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month’s Patch Tuesday and postpone its previously planned security fixes until March.
Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a “last minute issue” that could have had an impact on customers, but the company hasn’t clarified the nature of the problem.
8 steps to regaining control over shadow IT
Credit to Author: Ryan Francis| Date: Thu, 23 Feb 2017 12:17:00 -0800