Hacking & Security

SANS [Internet Storm Center] - 20 min 56 sec ago
HP iLO3/iLO4 Remote Unauthorized Access with Single-Sign-On
Category: Hacking & Security

More Cybercrime and Hacking News

Computerworld.com [Hacking News] - 20 min 58 sec ago
View more Cybercrime and Hacking news and analysis from Computerworld.com
Category: Hacking & Security

Why Are We So Slow To Detect Data Breaches?

DarkReading.com - 47 min 59 sec ago
Poorly instrumented network sensors, badly tuned SIEMs and a lack of communication between security team members give breaches more time to fester
Category: Hacking & Security

With bug bounties, Microsoft extends an olive branch to hacker community

InfoWorld.com [Security] - 19 June 2013 - 22:24

Extending an olive branch to the hacker community, Microsoft today announced three bug bounty programs through which the

Category: Hacking & Security

Microsoft to Offer Standing Bug Bounty

Krebs on Security - 19 June 2013 - 22:15

Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.

The bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.

“The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for ‘truly novel exploitation techniques’ against protections built into the latest version of Windows – Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.

These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

On Monday, I asked Mike Reavey, director of Microsoft’s Security Response Center, whether the company was concerned that restricting the offering to beta products might be perceived as a promotional gimmick for Windows 8, which has registered flagging sales and mixed reviews. Reavey said the research gleaned from the bug bounty program may well turn out to be useful in hardening older versions of Windows and IE, but in any case the company was focused on fixing big security issues before releasing these products for broader use.

“These are unique programs, because you don’t see white-market vulnerability brokers incentivizing research on products before they’re released,” Reavey said, referring to bug bounty programs run by companies like iDefense and HP TippingPoint, which pay researchers for critical bugs in third-party software and then work with vendors (including Microsoft) to help fix the problems.

Vulnerability researchers have long dug through beta versions of Microsoft products, only to sit on their findings until the product is officially released. That’s because vulnerability brokers don’t typically pay for bugs in beta versions of popular software. But by tying its offer of up to $11,000 to a 30-day preview window only, Microsoft removes the incentive for researchers to hold onto their findings, said Jeremiah Grossman, chief technology officer for WhiteHat Security Inc.

“When any IE preview edition comes out, researchers will start pounding on it looking for bugs, but since bug brokers don’t pay for preview vulnerabilities the researchers have to hold on to their bugs and hope that they’re still there when the product is finally released,” Grossman said. “Microsoft really is targeting that window of time with this offering.”

Charlie Miller, a former analyst at the National Security Agency and a security researcher who has found his share of bugs in big-name software (most notably Apple’s products), applauded Microsoft for trying to fix flaws in software before most customers start using it.

“The whole industry has evolved over the past few years, so there’s now less of a focus on finding and fixing bugs and more of a focus on making exploitation of bugs more difficult,” said Miller, now a security engineer at Twitter. “Most people don’t care about software betas, and Microsoft is trying to change that, and I think that’s good. They’re trying to get the bugs worked out before the software is in most peoples’ hands.”

Category: Hacking & Security

Microsoft Establishes Rewards Programs for Windows 8.1, Internet Explorer 11 Preview Security Bugs

DarkReading.com - 19 June 2013 - 22:06
Microsoft is launching new programs to get its hands on cutting-edge exploits developed by researchers
Category: Hacking & Security

Security Needs More Designers, Not Architects

DarkReading.com - 19 June 2013 - 19:25
The better we design the user experience, the more we reduce our risk
Category: Hacking & Security

German company will continue to update Ruby on Rails 2.3

The H Security - 19 June 2013 - 16:59
Makandra plans to continue providing security updates for the old 2.3.x branch once Ruby on Rails 4.0 is released and official support has ended

Category: Hacking & Security

NetTraveler using PRISM phishing lures

The H Security - 19 June 2013 - 16:49
A recently discovered email indicates that the spear-phishing campaign run by the group behind NetTraveler is still operating, despite being exposed by Kaspersky

Category: Hacking & Security

LibreOffice 4.0.4 arrives with 98 improvements

The H Security - 19 June 2013 - 16:33
The latest version of the open source office suite brings a number of bug fixes and small improvements. The next release of LibreOffice will be version 4.1, which is expected next month

Category: Hacking & Security

Oracle bug accidentally removes GPL licence from MySQL man pages

The H Security - 19 June 2013 - 15:38
A bug in Oracle's build system changed the licensing on the MySQL manual pages, removing the GPL licence. The bug is being corrected and new all-GPL builds will be available soon

Category: Hacking & Security

First alpha version of OpenMandriva released

The H Security - 19 June 2013 - 15:32
The OpenMandriva developers have released the first alpha version of OpenMandriva Lx 2013, the first version of the distribution to be released under the governance of the new OpenMandriva Association

Category: Hacking & Security

Java 7 Update 25 fixes 40 security issues, enables certificate revocation checking

InfoWorld.com [Security] - 19 June 2013 - 15:05

Oracle addressed 40 security issues in Java and enabled online certificate revocation checking by default in its scheduled critical patch update for Java on Tuesday.

Thirty-four vulnerabilities patched in the newly released Java 7 Update 25 (Java 7u25) version affect only client deployments of Java. Another four affect both client and server deployments, one affects the Java installer and one the Javadoc tool that's used to create HTML documentation files.

Category: Hacking & Security

Edward Snowden asylum : Hong Kong, Ecuador and Iceland

The Hacker News - 19 June 2013 - 14:52
Edward Snowden, an American former contractor for the National Security Agency (NSA) who came forward as the whistle-blower in one of the biggest internal leaks in U.S. intelligence history, is now seeking asylum. According to the United Nations High Commissioner for Refugees, Snowden would not be given preferential treatment if he were to apply for asylum in Hong Kong. He
Category: Hacking & Security

Making peril permanent: Google's Gmail app redesign

InfoWorld.com [Security] - 19 June 2013 - 14:43

Google's recent update of its Gmail app made archiving the default action, encouraging its users to keep their email, literally, forever.

This may mean a doctor's message about a medical condition, a love note, a conversation about an employer, a neighbor, or with a therapist, may be preserved for decades and, consequently, is left forever at risk.

Category: Hacking & Security

Java 7 Update fixes 40 security issues, turns on certificate revocation check

Computerworld.com [Hacking News] - 19 June 2013 - 14:35
Oracle addressed 40 security issues in Java and enabled online certificate revocation checking by default in its scheduled critical patch update for Java on Tuesday.
Category: Hacking & Security