Twitter feeds have been abuzz with talk of the latest Twitter worm that lures victims into a “scareware” page telling them they have a virus, only to subsequently infect them with real malware. Twitter engineers have done a stellar job reducing the spread of the malware from thousands of results this morning to none this afternoon. The caveat here is that the worm seems to be adjusting from direct links to goo.gl (Google’s URL shortener) links. These may be harder … →
The IBM.com developer portal was defaced early Sunday morning by a group of Indonesian hackers calling themselves Hmei7. Although the vulnerability exploited by the hackers is still unknown, Hmei7 differentiates itself from other groups by releasing tools to the underground hacking community. The tools page listed in some of the very numerous group defacements includes a variety of web application security scanners as well as a custom rootkit for Hmei7 access. At the time of this writing, Hmei7 is credited with 30,928 defacements–and the … →
Today Apple launched the Mac App Store, a marketplace for small apps and widgets on Mac OSX. Until recently, the “app” marketplace has been dominated by smartphone based stores such as the iPhone App Store (which also services iPod and iPad users) and the Android Marketplace. Recently, however, Google launched the Chrome Web Store for browser extensions in an attempt to gain market share before the Mac App Store launched. In a lot of ways, the so-called “App War” is heating up as … →
Google launched the Chrome Web Store this week, much to the delight of Chrome users and Google shareholders alike. Branching off of the success of the Android Market (also owned by Google), the Chrome Web Store allows developers to easily sell Chrome browser extensions. The popularity of OSX “widgets” (and the announced Mac App Store), Windows “gadgets” and, of course, smart phone app stores proves that there is a consistent market for these small, easy to use and powerful applications. One of … →
Many claim that Stuxnet will usher in a new kind of ‘cyber war’. Stuxnet does introduce a previously unexplored area of attacking power facilities via USB stick, however, vulnerabilities in these systems–theoretically accessible to foreign hackers–are not new at all. SCADA systems that control the United States power grid have been widely declared as vulnerable to hackers for several years. These systems could theoretically be attacked at any time, but because these attempts are not packaged in an accessible piece … →
No self respecting security engineer will tell you that they rely on automated vulnerability scanners to do the bulk of their analysis. Juicy findings that demonstrate the severity of the threat they represent usually come from thorough manual analysis. As a security engineer, it is this manual analysis of software that I live for, and it is by far my favorite part of testing. However, this is not to say that vulnerability scanners do not play an important role: without … →
