Informationweek Influencer
Jeremiah Grossman (@jeremiahg)
- Twitter Bio: Founder & CTO of WhiteHat Security, Web security enthusiast, hacker, 6-continent public speaker, TED alumni, Maui resident, Brazilian Jiu-Jitsu Black Belt.
- Location: Silicon Valley, Ca.
- Website: http://jeremiahgrossman.blogspot.com/
Jeremiah Grossman's Selections From the Web
For years, the security community has benefited from a virtuous circle consisting of vendors, researchers and media. Researchers perform a valuable task in working to identify weaknesses in products and technologies that could lead, in theory or in practice, to potentially preventable exploits and attacks. Vendors take that research and use it to make more secure products. Finally, the media reports publicly on the process to help ensure practitioners and product users can accurately assess risks related to these potential vulnerabilities.
Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital signatures was being abused to certify the validity of the Flame malware that has infected computers in Iran and other Middle Eastern Countries.
The compromise exploited weaknesses in Terminal Server, a service many enterprises use to provide remote access to end-user computers. By targeting an undisclosed encryption algorithm Microsoft used to issue licenses for the service, attackers were able to create rogue intermediate certificate authorities that contained the imprimatur of Microsoft's own root authority certificate—an extremely
The FTC has reached a settlement with Epic Marketplace, a large online ad network, related to what the FTC says is the company's practice of sniffing users' browser history for the purpose of serving them targeted ads related to a variety of sensitive topics. The settlement bars Epic from performing history sniffing and requires the company to destroy all of the data it's collected from consumers up to this point through history sniffing. The consent decree from the FTC is the latest in a series of actions from various agencies regarding the practice of history sniffing and tracking users across the Web. The FTC has been focusing on this practice
A partial list of the 6.5 million passwords leaked by someone identified as dwdm. The list contains strong passwords that were unique to LinkedIn, leading to speculation that's where the passwords originated.
An unknown hacker has posted more than 8 million cryptographic hashes to the Internet that appear to belong to users of LinkedIn and a separate, popular dating website.
The massive dumps over the past three days came in postings to user forums dedicated to password cracking at insidepro.com. The bigger of the two lists contains almost 6.46 million passwords that have been converted into hashes using
CLEVELAND — Internet users are becoming vulnerable to hackers who can infiltrate software and gain access to webcams.
“The main thing to worry about is when software is able to turn on your camera without notifying you, without the user explicitly turning it on, that’s the main issue,” said Feross Aboukhadijeh, a student at Stanford University in California.
Via Skype, Feross told FOX 8 about his online discovery last year that criminals were able to “clickjack” – or trick – computer users into handing over control of their webcams via Adobe Flash Player. The move enabled hackers to turn on cameras and watch people without permission.
The above comment might seem incredibly harsh, but really, there's no good excuse for a site this prominent to not have a salted, secure password hashing system. Even if they started with an unsalted password system, users can be migrated to the newer, more secure system on next login.
The only way I could regain respect for LinkedIn is if we find that these unsalted hashes were from users who never logged in to LinkedIn after the security upgrade. From the replies of other HN users who have found their password hashes in the leaked list, this doesn't seem to be the case though.
I can understand database leaks. Bad things happen.
A SQL injection is a virus or bug that affects an application that is not properly coded or secured. There are many different configurations of various software used to build and run a website. An
A federal judge rejected a Pennsylvania woman's argument that her employer violated a federal anti-hacking statute when it took control of her LinkedIn account after firing her. The court ruled the harms cited by the plaintiff were too speculative to pass muster under the Computer Fraud and Abuse Act (CFAA). Linda Eagle was the head of a company called Edcomm when it was acquired in 2010. But relations soured and Eagle was fired the following year. Eagle had shared her LinkedIn password with another Edcomm employee so that she could help Eagle manage the account. When Eagle was shown the door, her former assistant changed the password on her account,
The general in charge of the National Security Agency on Monday said the lack of national cybersecurity legislation is costing us big and amounting to what he believes is "the greatest transfer of wealth in history."
U.S. Army Gen. Keith B. Alexander urged politicians to stop stalling on approving a much-needed cybersecurity law - of which various versions currently are circulating in Congress. At the same time, he implored private companies to better cooperate with government agencies, many of whom remain mum because of privacy concerns.
"We can do the protection of civil liberties and privacy and cybersecurity as a nation.
Hackers dumped another huge cache of stolen passwords, this time exposing what they said are as many as 35,000 plaintext passcodes from the website of clothing maker Billabong International.
A post on CodePaste.net claimed 20,000 to 35,000 user names and corresponding passwords were retrieved in the hack of billabong.com. But the post included only 1,435 plaintext user credentials and didn't explain the discrepancy. Australia-based Billabong provides the accounts to customers to make frequent online purchasing easier. The post also included what it claimed were user names and hashed passwords