Informationweek Influencer
Avram Marius (d3v1l) (@securityshell)
- Twitter Bio:
- Security Engineer at http://randomstorm.com
- Location:
- Romania
- Website:
- http://security-sh3ll.blogspot.com
Avram Marius (d3v1l)'s Selections From the Web
Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target’s Twitter account. Messages can then be sent to Twitter with the source number spoofed.Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number.Facebook and Venmo were also vulnerable to the same spoofing attack, but the issues were resolved after disclosing to their
Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats. Don't show me this againHi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats. Don't show me this againDon't forget you can subscribe to the SophosLabs YouTube channel to find all our latest videos. Don't show me this againHi there! If you're new here, you might want to subscribe to our RSS feed for updates. Don't show me this againAlready using Google+? Find us on Google+ for the latest security news. Don't show me this againHe'
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting
Hackers dumped another huge cache of stolen passwords, this time exposing what they said are as many 35,000 plaintext passcodes from the website of clothing maker Billabong International.
A post on CodePaste.net claimed 20,000 to 35,000 user names and corresponding passwords were retrieved in the hack of billabong.com. But the post included only 1,435 plaintext user credentials and didn't explain the discrepancy. Australia-based Billabong provides the accounts to customers to make frequent online purchasing more easy. The post also included what it claimed were user names and hashed passwords
After clicking on "Visit Google Drive on the web", users are automatically logged into their Google account without having to enter a password The Windows and Mac OS X desktop clients for Google's Drive file storage and synchronisation service open a backdoor to users' Google accounts which could allow the curious to access a Drive user's email, contacts and calendar entries.The sync tool includes a "Visit Google Drive on the web" link which opens Drive's web interface in the default browser and automatically logs the user in. Somewhat problematic is the fact that this session can then be used to switch to
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxesâuntil he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren't fabrications.
Rarely does a week go by without a friend or family member getting their login credentials compromised, then reused for malicious purposes. My wife is always on the lookout on Facebook, warning relatives and friends to change their passwords. Many people don't understand how their credentials get compromised. Password reuse on several websites is usually the culprit. Password reuse is a problem even if the website encrypts the passwords in their databases. An attacker only needs to insert some evil code, and allow it to do the work for them.
This is one of the many reasons how the Internet is a like a field of mines, where malicious
This is the story about how I cracked 122 million unique passwords using John the Ripper and oclHashcat-plus.
It was several months ago, when I saw a tweet from KoreLogic about a torrent file containing various password hash lists for a total of 146 million passwords. This very big amount of password hashes at first discouraged me, as I only ownÂ
I don't know why but powershell and meterpeter just dont play nice. Part of it is the whole interactive shell-ness of powershell. so if you just type "powershell" once you drop to a cmd.exe you wont ever get the powershell prompt. In a similar vain i've been unable to get any sort of combination of execute -f powershell.exe -a " blah blah" to work either. If anyone has the magic syntax i know lots of people that would be interested. (actually carlos perez hooked me up...answer below) so, you can run powershell scripts via bat files and those execute just fine from within cmd.exe or from the "execute" command OR the encoded command [command]
Posted on 8 August 2012. | The median annual attack incidents on the 50 Web applications observed was 274 times a year, with one target experiencing more than 2,700 attack incidents.
Posted on 8 August 2012. | Amazon and Apple have apparently decided to make changes in their procedures that would prevent other hackers to replicate the attack.
Posted on 8 August 2012. | Brendon Lynch, Microsoft Chief Privacy Officer, confirmed that, despite all the opposition, the company still means to ship IE10 with Do Not Track on by default.
Posted on 7 August 2012. |
Upcoming Events
Live Events
- I Can See Clearly Now - E2 Conference Boston
- Get practical strategies to build a solid plan for profitability and success - Mobile Commerce World - Mobile Commerce World
- Learn how to enage customers through mobility - Mobile Commerce World - Mobile Commerce World
- Learn how to best integrate mobile commerce with your current systems -- Mobile Commerce World - Mobile Commerce World
- How to Choose a SaaS Vendor - E2 Conference Boston
This Week's Issue
Free Print Subscription
SubscribeSpecial Issue
Current Government Issue
- The Government CIO 25: These influential and accomplished government IT leaders are finding ways to be cost efficient and still innovate.
- Rethink Video Surveillance: It's not just about networked cameras anymore. New technology provides analytics, automation, facial recognition, real-time alerts and situational-awareness capabilities.
- Read the Current Issue
Related Whitepapers
Related Reports
