Search results for: zero trust
Italian security researcher Luca Todesco has published PoC exploit code for a newly discovered zero-day privilege escalation flaw affecting OS X Yosemite (v10.10) and Mavericks (v10.9). Symantec experts have analysed the exploit and say it works as described.“The exploit uses two different vulnerabilities to create a memory corruption in the OS X kernel. This is then used to bypass security features that block exploit code from running, providing the attacker with root access,” they explained.“While … More →
Here’s an overview of some of last week’s most interesting news and articles:What’s the state of your software?In the face of the repeated high profile breaches of US Office of Personnel Management (OPM), Target and Sony, it may be tempting to throw up one’s hands and give up on building secure applications or fixing vulnerabilities in the applications that have already been deployed. The truth is that most organisations are yet to seriously address this … More →
A group of Austrian and French researchers have devised a relatively simple way to remotely exploit the Rowhammer bug present in some computer chips. Their version of the attack is JavaScript-based, doesn’t require physical access to the machine or the execution of native code or access to special instructions, and can be performed on millions of users simultaneously.The existence of the Rowhammer (or Row Hammer) bug is not news: since 2012, chip makers have been … More →
Week in review: Tools for detecting Hacking Team spyware, vulnerable Smart Home Hubs, and the most sophisticated Android malware ever exposedHere’s an overview of some of last week’s most interesting news and articles:The NYSE system crash was an infosec incidentAs security professionals, we often spend most of our time thinking about the “C” and “I” in the CIA triad. After all, these are the “sexy” aspects of infosec. Who doesn’t want to protect their organization … More →
Microsoft has released an emergency update that plugs a critical zero-day vulnerability (CVE-2015-2426) that affects all supported versions of Windows and could allow attackers to remotely execute code on the victims’ computer.The bug is found in the Microsoft OpenType Font Driver, and can be exploited by tricking users into opening a specially crafted document or visiting an untrusted webpage that contains embedded OpenType fonts.“When this security bulletin was issued, Microsoft had information to indicate that … More →
Here’s an overview of some of last week’s most interesting news and articles:Hacking Team hacked, 400GB+ of company documents and emails leakedHacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world, has been hacked. Let’s Encrypt CA releases transparency report before its first certificateThe non-profit CA launched by the EFF, Mozilla and several other businesses and organizations is determined to gain and … More →
The US Office of Personnel Management (OPM) has revealed on Thursday the full extent of the information stolen in the two data breaches it suffered in 2014.In the first breach, personnel data (name, birth date, address, SSNs) of 4.2 million current and former Federal government employees had been stolen. In the second one, the number of affected individuals is a staggering 21.5 million.“While investigating this incident, in early June 2015, OPM discovered that additional information … More →
Here’s an overview of some of last week’s most interesting news and articles:5 ways to stop the Internet of Things from becoming the Internet of ThievesThis is the Internet universalized, embedded more deeply into every aspect of our lives, using volumes of data to automate what we humans don’t always get right. But it won’t be possible to take human nature completely out of the mix. (IN)SECURE Magazine issue 46 released(IN)SECURE Magazine is a free … More →
Everybody tends to think that hackers will never ever target them or their company/organization until a breach occurs. This article concentrate on post-incident actions and provide some advice on what to do after you have been hacked. Step 1: Avoid panic and focusMany companies aggravate the consequences of a data breach and disrupt legal investigation through enormous internal panic. Keep in mind that you are not the first victim of hacking, nor the last one. … More →
Here’s an overview of some of last week’s most interesting news, podcasts, reviews and articles:Penetration Testing With Raspberry PiRaspberry Pi is a small and portable single board computer that can be transformed into a penetration testing system. This book will show you how.How to evaluate the efficiency of a Data Loss Prevention solutionHow do you measure the Return of Investment on Data Loss Prevention (DLP) technologies? How do you know that your DLP solution is … More →
Here’s an overview of some of last week’s most interesting news, podcasts and articles:How data-centric security worksIn this podcast recorded at Infosecurity Europe 2015, Rui Melo Biscaia, Product Management Director at Watchful Software, talks about the importance of having another layer in place on top of your IDS, IPS, firewalls, etc. This is where data-centric security comes into the picture.Trojan uses steganography to hide itself in image filesThe Dell SecureWorks CTU research team has recently … More →
Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.With Zero Trust there is no default trust for any entity—including users, devices, applications, and packets—regardless of what it is and its location on or relative to the corporate network.This paper discusses the need for a Zero Trust approach to network security, how the Palo Alto Networks next-generation security platform delivers on these requirements, and … More →
