HTML5 Top 10 Attacks
Last week at Blackhat, our team member Shreeraj Shah presented on threats against HTML5. The talk discussed the Top 10 Threats and Security. If you missed unfortunately it, you can read the brief. His whitepaper and presentation can be found here -
5 Takeaways From Vegas
Mr. Diaz from Kaspersky labs highlights 5 interesting talks from his Blackhat 2012 trip. I have to agree that these were talks that with important security concerns for the future. He did miss to point out Shreeraj Shah’s presentation, see above.
Dropbox confirms it was hacked, offers users help
I don’t think it is clear to say that Dropbox was hacked. What is clear from the Dropbox investigation is that users use the same credentials across internet sites. They reported that some 300 Dropbox accounts were compromised because credentials stolen from other website cracks were active on Dropbox. Although this is a small number of accounts it does shed light on the problem of users with bad habits. Correlation engines are becoming better all the time, look at Google, or Spokeo, for example. Feeding cracked account information into correlation engines to find other patterns of account holders is key to exploiting an individual. I give Dropbox two thumbs up for the mitigation strategies they are putting into place; two-factor authentication, active login history, and forced password changes.
Temenos T24 R07.03 Authentication Bypass
Temenos is one of the world’s leading banking software vendors. An authentication bypass vulnerability was discovered in the password reset functionality because the application failed to properly enforce access control on the password reset functionality. Evidentially, Temenos knew of this vulnerability and released a patch, T24 R8.x. NTOSpider could help software vendors to discover this type and other types of web app vulnerabilities.
Media hype over security tools. Not everything you read is true.
This is a great article about media over hyping security products/solutions. We’re all too familiar with those free subscriptions to industry magazines. In some, we read really amazing reviews about solutions we might have tried before and which have completely failed in our environments. Then you scratch your head and ask if it’s possible for the vendor to have paid for the review which funded your subscription. The next article looks at media hype from a different perspective and how one media expert feeds other media experts to start a solution revolution. Notice I didn’t say media and technology experts.