Faraday: Collaborative pen test and vulnerability management platform

Faraday is an integrated multi-user penetration testing environment that maps and leverages all the knowledge you generate in real time. It gives CISOs a better overview of their team’s job, tools and results. You can run it on Windows, Linux and OS X. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multi-user way. Faraday supports more than 50 tools, including Burp Suite, …

Chrome vulnerability lets attackers steal movies from streaming services

A significant security vulnerability in Google technology that is supposed to protect videos streamed via Google Chrome has been discovered by researchers from the Ben-Gurion University of the Negev Cyber Security Research Center (CSRC) in collaboration with a security researcher from Telekom Innovation Laboratories in Berlin, Germany. The video below shows how easily content can be stolen from a protected video: The vulnerability in the encryption technology, Widevine EME/CDM, opens an easy way for attackers …

Week in review: Docker security, SWIFT warns of new attacks, SAP vulnerability exploited

Here’s an overview of some of last week’s most interesting news and articles:

SWIFT warns of new attacks, Bangladesh Bank heist linked to Sony hack
They believe that its customers are facing “a highly adaptive campaign targeting banks’ payment endpoints.”

Internet of Fail: How modern devices expose our lives
During the past few years we’ve seen examples of all sorts of IoT devices exhibiting glitches, getting hacked, manipulated, and the information they hold exfiltrated.

CryptXXX …

Vulnerability management trends in Asia Pacific

A new study conducted by Forrester Consulting evaluated perceived challenges, drivers and benefits of various vulnerability management strategies and investments based on responses from information security professionals in Australia, China, Japan, New Zealand and Singapore. According to survey results, one of the top security priorities of companies is protecting customer data, with a focus on application security, data security and protection of customers’ personal information. Despite their customer focus, only 22 percent of security decision …

SAP vulnerability exploited to compromise enterprises worldwide

An SAP vulnerability, patched over five years ago, is being leveraged to exploit SAP systems of many large-scale global enterprises, US-CERT warns. At least 36 organizations in the US, the UK, Germany, China, India, Japan, and South Korea, spanning a number of industries, have had their SAP business applications compromised via this flaw, says SAP security company Onapsis. The company’s researchers have discovered that the exploitation of this flaw and the compromises of those organizations …

Facebook vulnerability allowed access to personal and payment information

Bitdefender has discovered a significant vulnerability within Facebook which allowed access to any user account through simple social login manipulation. The attacker was able to gain access to personal user information, a contacts list for potential malware distribution and payment information – allowing purchases to be made in the user’s name.

Attack vector
The attack vector in this case – social logins – is an alternative to traditional authentication. This form of access offers users …

Microsoft plugs online services account hijacking vulnerability

London-based security researcher and bug hunter Jack Whitton has discovered a serious cross-site request forgery flaw affecting Microsoft’s authentication system for online services. A successful exploitation of the vulnerability could allow attackers to collect users’ login tokens and use them to impersonate users on Microsoft’s services, but the good news is that the Redmond giant took only two days to plug the security hole once they knew about it. “Microsoft, being a huge company, have …

SideStepper vulnerability can be used to install malicious apps on iOS

Check Point researchers have identified SideStepper, a vulnerability that can be used to install malicious apps on iPhones and iPads to steal login credentials and sensitive data. SideStepper allows an attacker to get around security enhancements in iOS 9 which are supposed to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, thereby making it harder to install a …

Phishing underground: Exploiting the human vulnerability

At the RSA Conference in San Francisco, PhishLabs exposed the murky evolution of a thriving, sophisticated phishing underworld. Their report is based on more than one million confirmed malicious phishing sites residing on more than 130,000 unique domains, and the movement of more than 90 threat actor groups and organizations actively deploying spear phishing.

Key findings
Spear phishing remains the primary initial attack vector used by APT actors. However, 22 percent of spear phishing attacks …

Severe and unpatched eBay vulnerability allows attackers to distribute malware

Check Point researchers have discovered a severe vulnerability in eBay’s online sales platform, which allows criminals to distribute malware and run phishing campaigns. This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely, to execute malicious JavaScript code against targeted eBay users. If this flaw is left unpatched, eBay users will continue to be exposed to potential phishing attacks and data theft.

Details
An attacker can target eBay users by …