Disclosing a flaw in a widely used system without making someone at least a little angry requires a delicate touch. But Andrew Auernheimer, a.k.a. “Weev,” a 26-year-old finder of security vulnerabilities, is anything but delicate. Two years ago, Auernheimer and a friend made a surprising discovery about the way AT&T was protecting its web database of iPad cellular data accounts: That is, AT&T wasn’t protecting it at all. Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer
WASHINGTON—Asserting that cyberattacks against the U.S. don't come only from China, the U.S. and Chinese defense ministers said they agreed Monday to work together on cyber issues to avoid miscalculations that could lead to future crises.
Defense Secretary Leon Panetta said that since China and the United States have advanced cyber capabilities, it is important to develop better cooperation.
"It's true, as the general pointed out, that obviously there are other countries, actors, others involved in some of the attacks that both of our countries receive," Mr. Panetta told reporters after an afternoon meeting in the Pentagon
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned. On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting
Like a lot of hackers, I have always found Neal Stephenson‘s works (especially Snow Crash, Diamond Age, Cryptonomicon, and REAMDE) particularly resonant. So when Black Hat announced that Stephenson would attend as a keynote speaker / interviewee, that provided half the reason I originally wanted to attend the conference. In my excitement, I didn’t even realize that they’d asked Brian Krebs to lead the conversation with him, so for me
Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said. The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab Expert Fabio Assolini, citing statistics provided by Brazil's Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple
After clicking on "Visit Google Drive on the web", users are automatically logged into their Google account without having to enter a password. The Windows and Mac OS X desktop clients for Google's Drive file storage and synchronisation service open a backdoor to users' Google accounts which could allow the curious to access a Drive user's email, contacts and calendar entries. The sync tool includes a "Visit Google Drive on the web" link which opens Drive's web interface in the default browser and automatically logs the user in. Somewhat problematic is the fact that this session can then be used to switch to
Brian Krebs was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and made
Last week, security firm RSA detailed a new cybercriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets. RSA wasn’t specific about where it got its intelligence, but the report’s
May 21, 2012 — CSO — Named late last week to replace Howard Schmidt as the top White House cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office of Management and Budget (OMB) and has been its intelligence branch chief for the past 11 years. But he has stayed largely under the radar, even in the cybersecurity community.
Brian Krebs, a well-connected former Washington Post reporter and author of the respected blog KrebsonSecurity, said he did not know Daniel or what his politics are.
The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits