security

I was right about the Myspace.com data: it is indeed old

You may have heard reports recently about a security incident involving Myspace. We would like to make sure you have the facts about what happened, what information was involved and the steps we are taking to protect your information. WHAT HAPPENED? Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform. Source: https://myspace.com/pages/blog   But there is more: WHAT INFORMATION WAS…


Quoted in SecurityWeek.com on the Myspace.com leak

Ionut Arghire of SecurityWeek wrote a very good article about the potential breach of Myspace.com: 427 Million MySpace Passwords Appear For Sale and I was quoted a lot! Thanks, Ionut! I wrote more extensively about what I think of this leak: Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details There are many things that aren’t right with this breach. Read the article above… Another question, after reading the above article: how come that Troy Hunt didn’t get it? Maybe because it is only available for money? The data hasn’t been tested at all and according to Troy’s article it…


Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details

“Myspace was hacked” writes LeakedSource on their dedicated page for MySpace.com. They do not add any kind of details about this hack except that they received a copy of the data from an email address (not from the hacker). As a matter of fact, there is nowhere on the web any kind of details, not to even say proof, that this has indeed happened. This includes Myspace’s site as well. Leakedsource appears to be the only entity that knows something about these over 427 Mil passwords (for 360 Mil users). But then, Leakedsource only retweets on their wall what two…


To Pentest or not to Pentest: is this really the question?

I wrote before about Pentesting in the article “What is Pentesting, Vulnerability Scanning, which one do you need?” . If you’re a company having web services of any kind or a kind of backend, you are asking yourself if you should only do pentesting or make things right and do the entire risk assessment and threat modeling exercise. Pentesting is like an insurance showing to the external world that your product will not be hacked easily once it is live. The common understanding these days, is that pentesting identifies such errors and helps the company to fix them. It might find…


Microsoft EMET has a problem with Java – but who doesn’t ?

EMET stands for Enhanced Mitigation Experience Toolkit – and it is a tool that you MUST have installed on your Windows PC. EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited.EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform. For more information about EMET, click the following article number to view the article…


A new type of fraud: News Scareware

After posting the article with the ads, I thought that I covered all stupid things that online publications do to force their readers to pay, subscribe or to disable ad blockers. Well, this was not correct… The stupidity goes on… with Washington Post.   They request your email address in order to allow you to read any article. I tried first to add some bogus email address so that I move on. But, these guys take things really serious. They connect to the SMTP server and try to authenticate if the user exists. If it doesn’t work, you get an…


What’s the issue with the mobile apps permissions?

If an App requires some permissions like Access Camera, Access Microphone, does it mean that they can do with these devices of a smartphone whatever they want, whenever they want? Short answer Yes, but it is not so simple Long answer There are rumours, that apps like WhatsApp, Facebook, G+, etc., are using the camera and microphone to spy on users, even when the device is in idle mode or when the app is not running in the foreground. It was also stated that exactly this was part of their EULAs and hence a legal procedure. This is Google’s permission for “android.permission.CAMERA” / “android.hardware.camera2” and…


What is Pentesting, Vulnerability Scanning, which one do you need?

I get very often asked about these two concepts and I noticed that there is a lot of unclarity around these topics. At the end, I will tell you my own opinion and give you some advices.   Vulnerability scan Also known as Vulnerability Assessment, looks for known vulnerabilities in your systems and reports potential exposures. Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVas to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or missing Apache web server patches…


About ransomware, Google malvertising and Fraud

I am sick and tired to see so many people affected by this wave of ransomware attacks. I don’t want to go into details about Ransomware like Locky because it has been written quite a lot about it. The most common way that Locky arrives is as follows: You receive an email containing an attached document. The document advises you to enable macros “if the data encoding is incorrect.” If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it. The…


Nissan’s connected car app offline after trivial to exploit vulnerability revealed

On Wednesday Nissan disabled an app that allowed owners of its electric Leaf car to control their cars’ heating and cooling from their phones, after the Australian researcher Troy Hunt showed he could use it to control others’ cars as well. The NissanConnect EV app, formerly called CarWings, enabled a remote hacker to access the Leaf’s temperature controls and review its driving record, merely by knowing the car’s VIN (vehicle identification number). The app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that…


By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close