Vulnerabilities

03/14/2011

Open-Source Vulnerabilities Paint A Target On Android

In 2009, Red Hat, SuSE, and other Linux distributors fixed a major flaw that could have allowed any user to escalate his privileges and fully compromise a Linux system. The vulnerability, in theudev process, occurred because the device-resource-handling component did not verify that a certain type of message, known as a netlink message, came from the kernel.

A variant of the udev flaw, or CVE-2009-1185, is one component of the DroidDream attack identified earlier this month. That exploit, called exploid.c, uses a netlink message to create a user-controlled copy of the init process, which handles boot up, thus gaining root access. The init process reuses much of the code from the previously vulnerable udev process, according to Zach Lanier, a security consultant with mobile-security provider Intrepidus Group.

DarkReading

Posted at 10:50 AM in Articles, Mobile Devices, Published on DarkReading, Research, Security, Vulnerabilities | | Comments (0) | TrackBack (0)

|

09/14/2010

'App Store For Exploits' Could Reduce Enterprise Vulnerabilities

The Exploit Hub -- a proposed free market for the buying and selling of attacks that exploit specific software vulnerabilities -- sounds more like a threat than a security aid. Yet the brainchild of security testing firm NSS Labs could just be what the doctor ordered to help enterprises eliminate their vulnerabilities, security experts say.

The "app store for exploits" will allow security researchers and developers to sell validated exploits to known security professionals. NSS Labs plans to test every exploit in the marketplace to make sure each one works and does not carry malicious code. In addition, the company will check every buyer to prevent criminals from using the marketplace to fuel their own activities.

...

For enterprise security teams, this new, darker analog to Apple's App Store could help immensely, says one security specialist at a Fortune 100 firm, who spoke on condition of anonymity.

DarkReading

Posted at 04:53 PM in Articles, Enterprise Technology, Published on DarkReading, Research, Security, Vulnerabilities | | Comments (0) | TrackBack (0)

|

09/08/2010

Fraud At Sprint Offers Lessons For Enterprises, Experts Say

The recently revealed abuse of insiders' system privileges to commit fraud at Sprint could be a wake-up call for other enterprises to implement more stringent security practices, experts said this week.

Last week, nine Sprint employees were charged with misusing their access to the telecommunications giant's systems to redirect phone charges to other customers by "cloning" their cell phones -- to the tune of more than $15 million in fraudulent charges in the first six months of this year.

DarkReading

Posted at 12:12 PM in Consumer Technology, Enterprise Technology, Mobile Devices, Published on DarkReading, Security, Vulnerabilities | | Comments (0) | TrackBack (0)

|

08/31/2010

Could USB Flash Drives Be Your Enterprise's Weakest Link?

On any particular day, a horde of devices with flash memory are carried behind corporate firewalls and connected to business networks. It's a threat that many companies are not equipped to handle.

Last week, the U.S. military highlighted this fact when it confirmed that an attack on its systems in 2008 originated with a flash drive plugged into a military computer located in the Middle East. The infection "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," U.S. Deputy Secretary of Defense William J. Lynn III wrote in an Aug. 25 essay.

DarkReading

Posted at 07:07 PM in Articles, Enterprise Technology, Hardware, Mobile Devices, Published on DarkReading, Small and Medium Business, Vulnerabilities | | Comments (0) | TrackBack (0)

|

08/19/2010

InfoWorld Tech Watch Blog - Week of August 16, 2010

Published this week: Got Adobe ColdFusion? Start patchingNetwork Solutions versus the wily widgetIntel + McAfee = Desperate mobile move

Continue reading "InfoWorld Tech Watch Blog - Week of August 16, 2010" »

Posted at 01:47 PM in Antivirus, Blog, Consumer Technology, Enterprise Technology, Mobile Devices, Published on InfoWorld Tech Watch, Security, Software, Vulnerabilities | | Comments (0) | TrackBack (0)

|

08/09/2010

Flawed Deployments Undermine Kerberos Security

Significant weaknesses in the common configuration of Kerberos-based authentication servers could allow attackers to more easily circumvent security measures in networks that rely on the open authentication standard, according to recent research presented by consultants at the recent Black Hat USA 2010 conference.

The researchers found several common configuration problems that may allow attackers to significantly weaken the security that Kerberos provides.

DarkReading

Posted at 11:34 AM in Articles, Encryption, Enterprise Technology, Published on DarkReading, Research, Security, Vulnerabilities | | Comments (0) | TrackBack (0)

|

07/28/2010

ATMs At Risk, Researcher Warns At Black Hat

A security researcher today gave notice to companies that make automated teller machines (ATMs).

Here on the first day of the Black Hat conference, Barnaby Jack, director of research at IOActive, demonstrated attacks that would allow a criminal to compromise ATMs, allowing hypothetical thieves to steal cash, copy customers' ATM card data, or learn the master passwords of the machines. While one of the attacks required a few seconds to open the ATM and insert a USB drive with code to overwrite the system, the other attack used a remote management feature commonly found on standalone ATMs.

DarkReading

Posted at 09:08 AM in Articles, Consumer Technology, Cybercrime, Hacking, Published on DarkReading, Research, Security, Vulnerabilities | | Comments (0) | TrackBack (0)

|

06/07/2010

Open-Source Could Mean an Open Door for Hackers

The ability to access the code of open-source applications may give attackers an edge in developing exploits for the software, according to a paper analyzing two years' worth of attack data.

The paper, to be presented this week at the Workshop on the Economics of Information Security, correlated 400 million alerts from intrusion detection systems with known attributes of the targeted software and vulnerabilities. The data supports the assertion that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software, says Sam Ransbotham, assistant professor at Boston College's Carroll School of Management and the author of the paper.

Technology Review

Posted at 09:20 AM in Articles, Published on Technology Review, Research, Security, Vulnerabilities | | Comments (0) | TrackBack (0)

|

04/05/2010

Hacking the Smart Grid

Components of the next-generation smart-energy grid could be hacked in order to change household power settings or to spoof communications with a utility's network, according to a study of three pilot implementations.

The problems were highlighted in a presentation given last week by security researcher Joshua Wright of InGuardians, a consulting firm with many infrastructure companies among its clients. Vulnerabilities discovered by Wright could let attackers remotely connect to a device or to intercept communications with the managing power company.

The report caused a kerfuffle, and InGuardians has refused to disclose further details. However, one expert familiar with the content of Wright's presentation says that it highlights security problems with many devices.

Technology Review

Posted at 08:45 AM in Articles, Consumer Technology, Critical Infrastructure, Security, Software, Vulnerabilities | | Comments (0) | TrackBack (0)

|

03/30/2010

Soft Spots in Hardened Software

Over the past decade, Microsoft, the target of choice for many online attackers, has hardened its operating system, adopting technologies designed to make it harder for attackers to find and exploit vulnerabilities. Apple and many other software makers have followed suit, introducing similar additional security measures to their operating systems.

Yet last week, during the "Pwn2Own contest" at CanSecWest, a security conference in Vancouver, Canada, security researchers demonstrated that software makers need to do more to protect their programs. Using previously unknown vulnerabilities, the researchers were able to compromise Apple's Safari, Microsoft's Internet Explorer 8, and Mozilla's Firefox Web browsers by circumventing the latest security technologies in place in the operating system underneath.

Technology Review

Posted at 01:47 PM in Articles, Consumer Technology, Hacking, Research, Security, Software, Vulnerabilities | | Comments (0) | TrackBack (0)

|