Tag: security

MITM attacks on routing

We have observed Man-In-the-Middle hijacks on more than 60 days so far this year. ~1500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries. It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fiberoptic taps?

if you liked it, should have put encryption on it.

IE zeroday

i wonder if this could be used to install a real browser.

Researchers have uncovered new, currently unpatched vulnerabilities in multiple versions of Internet Explorer that criminals are actively exploiting to surreptitiously install unusually advanced malware on computers that visit booby-trapped websites.

Encryption push

this is huge. a lot of the core internet infrastructure was designed in a time when cleartext was the way to go and there were no adversaries. just like the NIST got 0wned and is now fully pushing towards a secure future, the same is happening to the IETF. it is refreshing to see all this and i hope they succeed. as a side effect, this will also put all the clowns out of business that mess with your http traffic.

Bulletproof suit

paging John Hawkins

At Garrison, we take pride in building relationships and trust with each and every one of our clients. That’s why, this year, it was crucial that we offer our clients a true bespoke suit. We created the bulletproof suits to keep our clients safe during their travels to dangerous places for work. We wanted to create a lightweight garment that not only looks professional but can also act as reliable body armor.

Reversible encryption

Adobe engineers used reversible encryption to scramble the passwords contained in a 9.3-gigabyte file that’s now available online. Surprisingly, they flouted almost universally recognized best practices that call for stored passwords to be protected by bcrypt or another one-way cryptographic hashing algorithm.

other than microsoft, there is no company that has screwed security up more than adobe. holes galore in pdf and flash and now this. also the entire source code of their products got stolen recently.
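The difference between the two storage schemes named in the quote, as an added example that is not from the quoted article or from Adobe. The accounts, the key and the toy XOR cipher are constructed stand-ins (the page does not say which cipher was used), and scrypt from the Python standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob picked the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
SITE_KEY = b"constructed-demo-key"  # one secret protecting the whole table

def _keystream(n):
    """Toy keystream (HMAC-SHA256 over a counter); stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(SITE_KEY, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def reversible_store(password):
    # Deterministic and keyed: the same password always gives the same blob.
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))

def reversible_recover(blob):
    # Anyone who obtains SITE_KEY gets every plaintext password back.
    return bytes(a ^ b for a, b in zip(blob, _keystream(len(blob)))).decode()

def oneway_store(password):
    # Per-user random salt plus a slow, memory-hard one-way function.
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def oneway_verify(password, record):
    # Login recomputes the hash; the stored record is never decrypted.
    salt, digest = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)

def audit():
    rev = {u: reversible_store(p) for u, p in USERS.items()}
    one = {u: oneway_store(p) for u, p in USERS.items()}
    return {
        "reversible_same_blob_for_same_password": rev["alice"] == rev["bob"],
        "reversible_all_recovered_with_key":
            {u: reversible_recover(b) for u, b in rev.items()} == USERS,
        "oneway_same_digest_for_same_password": one["alice"][1] == one["bob"][1],
        "oneway_correct_login": oneway_verify("hunter2", one["alice"]),
        "oneway_wrong_login": oneway_verify("hunter3", one["alice"]),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

With the reversible scheme a leaked table shows which accounts share a password, and a leaked key turns the whole table back into plaintext; the salted one-way records give neither.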