Domain: infosecinstitute.com
Stories and comments across the archive that link to infosecinstitute.com.
Comments · 14
-
HUGE number of vulnerabilities in Flash
There are so many vulnerabilities in Flash that it has seemed possible that Adobe is selling vulnerabilities, as the 2nd story linked below says. The only other theory is that Adobe Systems programmers have been getting no testing or other management.
Articles keep criticizing Flash, Flash, Flash. They should criticize "Adobe Systems Management".
It seems possible that Microsoft and other companies learned from Adobe Systems how much users were weak to abuse.
Stories:
Adobe Flash Player: List of security vulnerabilities. "Total number of vulnerabilities: 1,006".
Huge Adobe Flash security vulnerability revealed after hacking group's documents leaked. (July 8, 2015) "The huge weakness was revealed as part of documents leaked after a cyberattack on Hacking Team, a government-sponsored spying group, that seems to have been using it to break into computers."
Adobe Flash vulnerabilities -- a never-ending string of security risks (June 29, 2015)
Kill Flash now. Or patch these 36 vulnerabilities. "One bug being exploited right now in the wild." (June 16, 2016)
Adobe deploys security update to fix 52 vulnerabilities in Flash. (July 13, 2016) "Some of the critical flaws could lead to remote code execution on your PC."
Most Exploited Vulnerabilities: by Whom, When, and How. (Dec. 29, 2016) "The Adobe Flash Player comprised six of the top 10 vulnerabilities triggered by the exploit kits in a period from November 16, 2015, to November 15, 2016." -
This isn't about government surveillance
It's about how ridiculously easy it is for hackers to pwn your laptop and watch you over your webcam. The "community" that does that sort of thing has become pretty sophisticated in their tools.
Yeah the government could be watching me too. But while I oppose that on philosophical grounds, I don't personally do anything that might interest the government. Hackers OTOH are less discriminating, and it's easier to just eliminate the possibility of compromising pictures or even blackmail by covering the camera with some tape. The 1 cent it'll cost you is the cheapest insurance you can buy. -
Re:How long will it be
You mean like a dictionary? https://crackstation.net/buy-c... Or just simple tools? http://resources.infosecinstit...
-
Re:I'll go the other way here, spearphishing
real-world big-business, hand-crafted, artisan spamming
Yes, more or less. The "big-business" stuff, I can handle. There's a profit motive and when they discover that there's no money to be made, they'll move on.
The stuff I worry about is based on other motives which people may not recognize as quickly. Our neighborhood has been the occasional target of several spear phishing attacks. Purportedly about security, police activity and local crime, we have received some carefully crafted personalized e-mail that turns out to originate from phony domains, set up with false local identification but from out-of-state origins. There are no obvious services being sold or evil links to click.
In my case, I am fortunate to have occasional contact with federal law enforcement (due to security clearances). When I mentioned the oddball e-mail at a recent review, I was told that there was an ongoing investigation into some domestic groups related to it. And not to click the links or in any way reply to the messages. That's fine in my case, but what about my poor neighbors who think that, because they are not being sold something, it must be OK?
-
Re:Link to source
The link is right next to the title, like is has been for all Slashdot articles for a while.
-
Link to source
I know that no one reads TFA, but at least link to the source. I'm assuming it's the following article: http://resources.infosecinstitute.com/doesnt-any-presidential-candidate-know-how-to-secure-wordpress/
However, that data points to Democratic candidate Jim Webb as having the highest rating with an A- and doesn't include Ben Carson at all. -
Read the paper. Disagree with "symbols"
>> Symbols appear to be less predictable and placed in different locations of the password
I disagree with the paper's conclusion based on the passwords I've seen, which FREQUENTLY just end in a "!" or other common character. Here's a different paper that goes into symbol frequency; I pulled out the relevant bit.
In almost all cases (90%), only a single special character was used. The most popular special character sequences were all single characters: exclamation point (“!” – 29%), period (“.” – 19%), “at” symbol (“@” – 15%) and hash (“#” – 14%). These were followed by the single dash (“-“), dollar sign (“$”), space (” “), asterisk (“*”), and plus sign (“+”), each making up between 3% and 6% of the single-character special character population. Passwords containing multiple special characters mainly (68%) just repeated the same special character, such as “##” or “???.” - http://resources.infosecinstit...
-
One can know how to conquer...
...without being able to achieve it.
http://resources.infosecinstit...Invincibility lies in defense, only victory is found in attack.
http://orbilu.uni.lu/handle/10... -
eDiscovery Retention Policy
>> anyone who has handled email admin for a big business knows they have email "retention polices" where they explicitly delete all email older than X days...to preemptively destroy evidence that might be used against them...
He's right. Here's a typical article relaying that point from last month:
http://resources.infosecinstit... -
Thar be whales!
My favorite term that explains everything that's wrong with having a CEO who is technologically clueless: whaling
-
Re:The rootkit would just infect the kernel
But unless the bootloader is designed to require a signed kernel, the bootloader can be configured to load a Linux kernel that chain-loads a compromised Windows kernel. And at that point, Microsoft will add the bootloader to the blacklist in a Windows update.
True, but with TPM enabled Windows Update should be able to download code that checks the boot path status and then alerts the user that their Windows has been compromised. Chapter 8 – UEFI and the TPM: Building a foundation for platform trust. TPM is not a requirement for Secure Boot, but I don't really see how it can be that effective without it. I wouldn't be surprised if some pressure is brought to bear on vendors to enable TPM by default.
-
SCADA Security Course
You can actually learn how to do this yourself at this course I took:
http://infosecinstitute.com/courses/scada_security_training.html -
Re:Gotta wonder...
That's the great part about Free Software -- no advertisement or marketing is necessary! You either use it and get something out of it...or use it, don't get anything out of it, and move on to the next candidate.
I love it when ACs make suspiciously laudatory comments about a particular piece of commercial software. Makes the developer look bad, even if they aren't the ones posting.
PS, Helix is good enough for...
NW3C: Linux Forensics
SANS Track 508: System Forensics, Investigation and Response
InfoSec Institute: Computer Forensics Training
SEARCH: Basic Investigators Training -
Advanced Ethical Hacking at InfoSec Institute
If you are looking for VOIP hacking and security, I attended the Advanced Ethical Hacking course at InfoSec Institute. It was pretty good.