
IT Security


Drupal sites had “hours” to patch before attacks started

Nearly a million websites running the popular Drupal content management system had only hours to update their software before attacks likely compromised the systems, thanks to a widespread vulnerability, the Drupal security team warned this week. On October 15, the Drupal security team announced the discovery of a critical security flaw that could allow attackers to steal data or compromise vulnerable sites. Within seven hours of the announcement, attackers had begun broadly scanning for and attacking Drupal sites, according to the project’s security team, which provided the details in an October 29 public service announcement. “Systematic attacks were launched against a wide variety of Drupal websites in an attempt to exploit this vulnerability,” the group stated in its update.

Phishing scam that penetrated Wall Street just might work against you, too

Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information. FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday by security firm FireEye. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses the compromised account of one employee, customer, or partner to send spearphishing e-mails to other company insiders. The FIN4 campaigns were ongoing at the time Monday's report was being written.

Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet

Why does the government disallow dynamic languages?

This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites.

Patrick asks: I know some people who are currently working on a project for the US military (low security level, non-combat, human resources type data). An initial state of the project code was submitted to the military for review, and they ran the program through some sort of security analyzer tool.

Aircrack-ng

FOCA: Informática 64

DEFCON 18: FOCA2: The FOCA Strikes Back 1/3

'FOCA' And The Power Of Metadata Analysis

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat. I've written about it before because its impact is often misunderstood from both the publicity and the security standpoint. On one hand, metadata provides the necessary data to help organize documents in enterprise document management systems.

How easy is it to hack JavaScript in a browser?

Jesus Rodriguez asks: My question has to do with JavaScript security. Imagine an auth system where you're using a JavaScript framework like Backbone or AngularJS, and you need secure endpoints. That's not a problem, as the server always has the last word and will check if you're authorized to do what you want.

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do. Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail, Iron Chef style.
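Results like the ones described above are possible when the stored hashes are fast and unsalted: a wordlist plus a handful of mangling rules generates candidates, and each candidate is hashed once and checked against every target at the same time. The following Python is an added example, not code from the article or from the crackers it describes. It assumes the hashes are unsalted MD5 (an assumption for the demo), and the four-word wordlist, the rule set and the five target hashes are all constructed here.

```python
"""Dictionary attack with mangling rules against unsalted, fast hashes.

Added example, not code from the article or from the crackers it describes.
Assumptions: targets are unsalted MD5 hex digests; the wordlist, the rule
set and the "leaked" hashes are constructed for this demo.
"""
import hashlib


def md5_hex(text):
    """Hex MD5 of a UTF-8 string (the assumed storage format of the targets)."""
    return hashlib.md5(text.encode()).hexdigest()


def mangle(word):
    """Yield candidate passwords derived from one base word.

    Rules (a small, assumed subset of what real tools apply): three case
    variants, a leetspeak substitution, and five common suffixes."""
    leet = str.maketrans("aeio", "4310")
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(leet) for b in list(bases)}
    for base in sorted(bases):
        for suffix in ("", "1", "123", "!", "2013"):
            yield base + suffix


def all_candidates(wordlist):
    """Every distinct candidate the rules produce for a wordlist."""
    return {c for w in wordlist for c in mangle(w)}


def crack(target_hashes, wordlist, algo="md5"):
    """Return {hash: plaintext} for every target that was recovered.

    Because the hashes are unsalted, each candidate is hashed once and then
    compared with every target through an O(1) set lookup, so attacking
    16,000 hashes costs the same as attacking one. A per-user salt would
    force one hash computation per (candidate, target) pair instead."""
    remaining = set(target_hashes)
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            if digest in remaining:
                recovered[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return recovered
    return recovered


# Constructed sample "leak": four hashes the rules can reach, plus the
# keyboard walk from the headline, which no rule here derives from a word.
WORDLIST = ["password", "letmein", "dragon", "monkey"]
LEAKED_HASHES = [md5_hex(p) for p in
                 ("Password1", "l3tm31n!", "DRAGON2013", "m0nk3y123",
                  "qeadzcwrsfxv1331")]


def run_demo():
    """Run the attack on the constructed leak; returns the recovered map."""
    return crack(LEAKED_HASHES, WORDLIST)


if __name__ == "__main__":
    hits = run_demo()
    for digest in LEAKED_HASHES:
        print(digest, "->", hits.get(digest, "<not recovered>"))
```

Four base words fan out into 100 candidates here; production rule sets multiply a wordlist by thousands, which is why a stored hash needs both a unique salt and a deliberately slow algorithm to survive a leak.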

Shamir's Secret Sharing

Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing in which a secret is divided into parts, each participant receiving its own unique part, and some or all of the parts are needed to reconstruct the secret. Relying on all participants to combine their parts may be impractical, so a threshold scheme is often used instead, in which any subset of the parts that meets the threshold is sufficient to reconstruct the original secret.

Philips Smart TVs wide open to Gmail cookie theft, other serious hacks

Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned.

The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set. The vulnerability is the result of a recent firmware update that allows anyone within range to connect to the TV, as long as they know the hard-coded authentication password "Miracast." Once someone has connected to the Miracast-enabled Wi-Fi network, they can use publicly available software to download any personal files that may be contained on USB drives plugged in to the Philips Smart TV.