Last month, Michal Nemcok blogged about the lack of security in the Progressive Insurance diagnostic monitoring dongle. By hacking the monitoring device, someone may be able to gain access to and change the behavior of the car, itself. Now, this is serious stuff – vulnerabilities that might impact the operation of the thing that carries your body...

Anyone who has ever visited blog posts on the Forbes website has properly been irritated from time-to-time by its practice of displaying a "Thought of the Day" for a few seconds before it passes you onto the article that you actually wish to read. We all understand that Forbes has to make money like any other web publisher, but the "thought" (which...

Attackers can use gaps in the X-Frame Options (XFO) support on Google’s Play Store web application to remotely install malware onto users’ Android devices. “A malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected...

In the face of the current wave of cyber threats, the U.S. government announced this week in Washington DC that as part of the Homeland Security initiative the current administration is creating a new agency called the Cyber Threat Intelligence Integration Centre (CTIIP) to monitor cybersecurity threats by acquiring, pooling and analysing any...

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-601 on Wednesday, February 11.MS15-009Multiple Memory Corruption Vulnerabilities in Internet ExplorerMULTIPLEMultiple Elevation of Privilege Vulnerabilities in Internet...

In February’s Patch Tuesday, Microsoft issued an update to fix a privately reported critical vulnerability in Group Policy that could allow potential attackers to achieve remote code execution (RCE) in domain networks. If successfully exploited, an attacker could gain complete control of a vulnerable system, install programs, view data and even...

With cybercrime and major hacking incidents reaching epidemic proportions, the importance of locating application-layer vulnerabilities is rising. Developers and companies are constantly striving to scan their code and improve code integrity in the early development stages, but no application is completely vulnerability-free and external scrutiny...

Major cyber security incidents continue to hit the headlines. Security and privacy are top concerns for IT and security professionals, especially after 2014’s highly publicized data breaches. Companies around the globe were victim to malware, stolen data and exploited vulnerabilities. Big companies weren’t immune to this, with Target, JPMogan Chase,...

It seems only fitting that 2014 should have ended with the much publicized hacking of Sony as the American public was inundated all year with one sensational account after another of damaging data security breaches. Those surrounding Target, UPS, K-Mart, Staples, Dairy Queen and Home Depot have certainly received the full attention of the media, as...

Patch Tuesday, the unofficial day on which Microsoft regularly releases security updates for its software products, has long been a staple of the information security community. On the second (and sometimes fourth) Tuesday of every month, Microsoft releases a unique set of security bulletins that provide patches for a range of new Common...

Cross-Site Scripting (XSS) vulnerabilities can, unfortunately, be found in all types of web-based applications. Indeed, they appear to be rather ubiquitous across the web. XSS falls into the category of code injection vulnerabilities and is a result of web-based applications consuming user-supplied input without proper filtering and sanitization....

Last week, the information security community was saddened to learn of Joseph Edwards, a 17-year-old secondary school student who committed suicide after his computer became infected with ransomware. Edwards’ computer was corrupted by Reveton (or Police Ransomware), a common type of malware that locks a victim’s computer, claims that the victim is...

If you’re following threat feeds, you’ve probably heard about GHOST (CVE 2015-0235), the new critical vulnerability that Qualys disclosed yesterday. This vulnerability has been found in glibc, the GNU C library, and it affects all Linux systems dating back to 2000. Redhat listed it on their CVE database as ‘critical’ with a CVSS v2 score of 6.8....

There’s a lot of chatter going on right now related to the GHOST vulnerability that was announced yesterday. Lots of folks are talking about the vulnerability, particularly focused on the threat advisory published by Qualys. However, I thought I would spend a little time looking at the history of this vulnerability and how its underlying bug was...

Researchers have discovered a critical vulnerability (CVE-2015-0235) in the Linux GNU C Library (glibc) that could potentially allow attackers to execute code on servers and gain remote control of Linux machines, without the necessary system credentials. This flaw is found in most versions of Linux, in which a buffer overflow can be exploited by...

Here's a piece of advice for anyone responsible for securing a corporation's data: If you discover security researcher Randy Westergren is using your app, you had best take a long hard look at whether you are protecting your users' information properly. Because, if you're not, there's a good chance that he might be about to tell you what you're...

We’ve looked at the Tripwire IP360 Scoring System and how risk is commonly used in two different scenarios, so I figured it was worthwhile to dive into the other complex element of Tripwire’s scoring: skill. Skill is a term that, even within the IP360 Scoring System, has evolved over the years and it’s worth looking at the evolution of the word in...

The ever-controversial hacker-turned-millionaire-entrepreneur Kim Dotcom has announced the public beta launch of an end-to-end encrypted audio and video chat service, which he calls MegaChat. Anyone with an account on Mega's file-sharing file-syncing service can now access what is claimed to be a more secure alternative to Skype, boasting end-to-end...

Cross-site scripting, commonly referred to as XSS, is listed third in the OWASP Top 10 for 2013 Web Application Security risks. Unlike SQL injection attacks, which target data on the server, XSS provides a vector for attacking the users of a vulnerable web site. At a general level, XSS is when an attacker can cause a web site to render with...

Hacker Halted is an IT security conference with the intention of educating the attendees in security and ethics. Last year, the conference was held in Atlanta on October 16-17. What VERT Presented at Hacker Halted VERT presented an implementation of a protocol independent fuzzer, which was built using python. We developed a fuzzer because we...