Search results for: zero trust

Researcher releases exploit for OS X 0-day that gives root access

Italian security researcher Luca Todesco has published PoC exploit code for a newly discovered zero-day privilege escalation flaw affecting OS X Yosemite (v10.10) and Mavericks (v10.9). Symantec experts have analysed the exploit and say it works as described.“The exploit uses two different vulnerabilities to create a memory corruption in the OS X kernel. This is then used to bypass security features that block exploit code from running, providing the attacker with root access,” they explained.“While … More

Week in review: New OS X threats, and how to protect your privacy on Windows 10

Here’s an overview of some of last week’s most interesting news and articles:What’s the state of your software?In the face of the repeated high profile breaches of US Office of Personnel Management (OPM), Target and Sony, it may be tempting to throw up one’s hands and give up on building secure applications or fixing vulnerabilities in the applications that have already been deployed. The truth is that most organisations are yet to seriously address this … More

Rowhammer.js: The first remote software-induced hardware-fault attack

A group of Austrian and French researchers have devised a relatively simple way to remotely exploit the Rowhammer bug present in some computer chips. Their version of the attack is JavaScript-based, doesn’t require physical access to the machine or the execution of native code or access to special instructions, and can be performed on millions of users simultaneously.The existence of the Rowhammer (or Row Hammer) bug is not news: since 2012, chip makers have been … More

Week in review: Tools for detecting Hacking Team spyware, vulnerable Smart Home Hubs, and the most sophisticated Android malware ever exposed

Week in review: Tools for detecting Hacking Team spyware, vulnerable Smart Home Hubs, and the most sophisticated Android malware ever exposedHere’s an overview of some of last week’s most interesting news and articles:The NYSE system crash was an infosec incidentAs security professionals, we often spend most of our time thinking about the “C” and “I” in the CIA triad. After all, these are the “sexy” aspects of infosec. Who doesn’t want to protect their organization … More

Microsoft plugs another Windows zero-day with emergency patch

Microsoft has released an emergency update that plugs a critical zero-day vulnerability (CVE-2015-2426) that affects all supported versions of Windows and could allow attackers to remotely execute code on the victims’ computer.The bug is found in the Microsoft OpenType Font Driver, and can be exploited by tricking users into opening a specially crafted document or visiting an untrusted webpage that contains embedded OpenType fonts.“When this security bulletin was issued, Microsoft had information to indicate that … More

Week in review: HackingTeam breach and consequences, and Android games unmasked as phishing tools

Here’s an overview of some of last week’s most interesting news and articles:Hacking Team hacked, 400GB+ of company documents and emails leakedHacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world, has been hacked. Let’s Encrypt CA releases transparency report before its first certificateThe non-profit CA launched by the EFF, Mozilla and several other businesses and organizations is determined to gain and … More

Sensitive info of over 21.5M people, including SSNs and fingerprints, stolen in OPM hack

The US Office of Personnel Management (OPM) has revealed on Thursday the full extent of the information stolen in the two data breaches it suffered in 2014.In the first breach, personnel data (name, birth date, address, SSNs) of 4.2 million current and former Federal government employees had been stolen. In the second one, the number of affected individuals is a staggering 21.5 million.“While investigating this incident, in early June 2015, OPM discovered that additional information … More

Week in review: Popular VPNs leaking data, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news and articles:5 ways to stop the Internet of Things from becoming the Internet of ThievesThis is the Internet universalized, embedded more deeply into every aspect of our lives, using volumes of data to automate what we humans don’t always get right. But it won’t be possible to take human nature completely out of the mix. (IN)SECURE Magazine issue 46 released(IN)SECURE Magazine is a free … More

You’ve been breached, now what?

Everybody tends to think that hackers will never ever target them or their company/organization until a breach occurs. This article concentrate on post-incident actions and provide some advice on what to do after you have been hacked. Step 1: Avoid panic and focusMany companies aggravate the consequences of a data breach and disrupt legal investigation through enormous internal panic. Keep in mind that you are not the first victim of hacking, nor the last one. … More

Week in review: TLS security, malicious Tor exit nodes, how to find a free, secure proxy service

Here’s an overview of some of last week’s most interesting news, podcasts, reviews and articles:Penetration Testing With Raspberry PiRaspberry Pi is a small and portable single board computer that can be transformed into a penetration testing system. This book will show you how.How to evaluate the efficiency of a Data Loss Prevention solutionHow do you measure the Return of Investment on Data Loss Prevention (DLP) technologies? How do you know that your DLP solution is … More

Week in review: Rethinking security, LastPass breach, and stronger data protection rules for Europe

Here’s an overview of some of last week’s most interesting news, podcasts and articles:How data-centric security worksIn this podcast recorded at Infosecurity Europe 2015, Rui Melo Biscaia, Product Management Director at Watchful Software, talks about the importance of having another layer in place on top of your IDS, IPS, firewalls, etc. This is where data-centric security comes into the picture.Trojan uses steganography to hide itself in image filesThe Dell SecureWorks CTU research team has recently … More

Zero Trust approach to network security

Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.With Zero Trust there is no default trust for any entity—including users, devices, applications, and packets—regardless of what it is and its location on or relative to the corporate network.This paper discusses the need for a Zero Trust approach to network security, how the Palo Alto Networks next-generation security platform delivers on these requirements, and … More