Exynos Vulnerability on Samsung Devices
I recently purchased a Samsung Galaxy Note II and have been thoroughly enjoying it. The number of diverse applications is pretty amazing.
Unfortunately, a few days ago, a colleague passed an article along detailing an exploit associated with my brand of phone. The exploit is connected to the Exynos processor and the capability to obtain access to all physical memory.
Potential LogMeIn, DocuSign Email Leaks
On Friday, December 14, Brian Krebs posted an entry titled, “LogMeIn, DocuSign Investigate Breach Claims” to his blog, Krebs on Security.
Without completely repeating what he said, it appears several users of LogMeIn remote access software, as well as users of DocuSign electronic signatures, have reported an increase in malicious spam emails to the email addresses associated with the aforementioned products.
A Potential New Leash on the Data-Mining Monsters
Yesterday, the Senate Judiciary Committee gave approval to a privacy bill sponsored by Sen. Al Franken (D-Minn.), known as the Location Privacy Protection Act. This bill, a revamped version of one Franken attempted to push forth in 2011, is aimed at putting control over your location data into your own hands.
pgpass_creds – A new Metasploit Post Module
I recently contributed a module, pgpass_creds, to the Metasploit Framework. It is a post module that grabs cleartext PostgreSQL credentials when applications that utilize libpq, such as pgAdmin3, store their credentials. You can grab the module by updating to the latest version of Metasploit using msfupdate.
PostgreSQL is a popular, open source database. PostgreSQL offers a C programming interface, libpq, that allows clients to pass queries to the PostgreSQL backend server.
P2PE Challenges – Looking at Endpoint Devices
The Payment Card Industry Security Standards Council (PCI SSC) made several significant developments in their point-to-point encryption (P2PE) program this year, with assessor training, releasing the program guide, and opening up their report submission portal for P2PE assessment reports.
Somewhat interestingly, the market hasn’t shown much enthusiasm for this. I think we can attribute this to a few particular factors, most of which center around endpoint devices. This proves somewhat convenient, as I said in my last blog post that I’d discuss the first of the six domains in my subsequent post.
A Hacker’s Bucket List
As a technologist and security enthusiast, part of the “fun” we have at work is tossing around attack scenarios and challenging each other with situational risk. This time it started out with:
If I steal credit card track data, I can make HUGE purchases (and perhaps return for cash).
If I steal PIN data, I can get cash directly.
If I steal health-related data in bulk from a doctor’s office, the most profitable thing I can do with it is…
iPhone 5 Launch Day: An Identity Thief’s Dream
16 times (not nine). 16 TIMES! That’s how many times I needed to provide my Social Security number (SSN) to activate my new iPhone 5 today. With the congestion and havoc of iPhone launch day, the systems at the retailer where I picked up my phone were crashing continuously. Each attempt to activate my new phone required two entries of my Social Security number.
E-Discovery - Overlooked Sources for Early Case Assessment
Whether you are experienced with electronic discovery (e-discovery) or new to the process, the presentation of a new legal hold can be an intimidating situation. Knowing the magnitude of the hold, the repercussions and the work effort can make anyone wonder, “How big is this case going to be?”
Early case assessment (ECA) is done to bring clarity to the situation. ECA is the first step in determining the size of the project.
Secure Application Development and the OWASP Top 10 (Pt. 3 of 10)
This is part 3 of a 10-part series. Be sure to check out part 1 and part 2 if you haven’t already.
Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS):
6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes.
For those of you who are not familiar with OWASP and their Top 10, the OWASP Top 10 2010 was aimed at highlighting simple problems that can plague applications and ultimately undermine security.
If you missed it, be sure to check out the previous posts on A1: Injection and A2: Cross-Site Scripting (XSS). Here’s the third OWASP application security risk - Broken Authentication and Session Management.