Social Network For Security Executives: Network, Learn & Collaborate
Bangalore-based researcher Anand Prakash discovered a serious flaw on Facebook's beta sites beta.facebook.com and mbasic.beta.facebook.com. On the regular Facebook site the number of invalid attempts at a password reset code is capped at 10-12, but the beta sites enforced no limit at all, which meant an attacker could brute-force the code and gain entry to a user's account. The issue was reported to Facebook in late February through its regular bug bounty channel and fixed the next day; a $15,000 reward was paid out eight days later.
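The defect above is a missing attempt counter, so the fix is easiest to see side by side with the weakness. The following is an added example, not Facebook's code: it assumes a six-digit numeric reset code (an assumption; the page only says "the code") and a cap of 10 attempts, and it models the beta sites with `enforce_limit=False` and the production site with the default. The attacker's loop is the same in both cases; only the store's behaviour differs.

```python
import hmac
import secrets

MAX_ATTEMPTS = 10   # the page puts the production site's cap at 10-12 tries
CODE_DIGITS = 6     # assumption: a six-digit numeric reset code


class ResetCode:
    __slots__ = ("code", "attempts", "consumed")

    def __init__(self, code):
        self.code, self.attempts, self.consumed = code, 0, False


class ResetCodeStore:
    """Issues and verifies per-account reset codes.
    enforce_limit=False models the beta sites, which counted nothing."""

    def __init__(self, enforce_limit: bool = True):
        self.enforce_limit = enforce_limit
        self._codes = {}  # account -> ResetCode

    def issue(self, account: str, code: str = None) -> str:
        # `code` exists only so a caller (e.g. a test) can pin a value;
        # in normal use the code is drawn from the CSPRNG.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = ResetCode(code)
        return code

    def verify(self, account: str, guess: str) -> bool:
        rc = self._codes.get(account)
        if rc is None or rc.consumed:
            return False
        if self.enforce_limit and rc.attempts >= MAX_ATTEMPTS:
            return False  # locked: the only way forward is a freshly issued code
        rc.attempts += 1  # count before comparing, so a lucky last guess still counts
        ok = hmac.compare_digest(rc.code.encode(), guess.encode())
        if ok:
            rc.consumed = True  # one-time use
        return ok


def brute_force(store: ResetCodeStore, account: str, max_guesses: int = 10 ** CODE_DIGITS):
    """Attacker's view: walk the whole code space in order and return the
    code the server accepted, or None if it never says yes."""
    for n in range(max_guesses):
        guess = f"{n:0{CODE_DIGITS}d}"
        if store.verify(account, guess):
            return guess
    return None


if __name__ == "__main__":
    beta = ResetCodeStore(enforce_limit=False)
    print("beta site, attacker recovers:", brute_force(beta, "alice", 2000) if beta.issue("alice", "001337") else None)
    prod = ResetCodeStore()
    prod.issue("bob", "001337")
    print("production site, attacker recovers:", brute_force(prod, "bob", 2000))
```

Two design points matter beyond the counter itself: the attempt count is incremented before the comparison so the limit cannot be evaded by a request that errors out mid-way, and the comparison is constant-time so the server does not leak how many leading digits were right. In a real deployment the same limit should also be applied per source address, and a locked account should be issued a fresh code rather than having its counter reset.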
Intel announced in a company blog post that it has acquired the Israeli company Replay Technologies. Replay provides an unusual 3D video rendering capability it calls "free dimensional" or freeD™ video. The system can freeze action from any angle and then rotate around it, much like the bullet-time effect used in The Matrix. It is compute-intensive and needs a rack of servers running Intel chips to work: to make its 3D broadcasting happen for the NBA, Replay created a seamless 3D rendering of the court using 28 ultra-high-definition cameras positioned around the arena and connected to a large number of Intel-based servers.
Qualcomm is working with Red Hat to port Red Hat Enterprise Linux Server for ARM Development Preview to Qualcomm's server chips. Servers based on the ARM architecture are still almost nonexistent commercially, and a full port of the Red Hat OS will let developers write applications for Qualcomm's server silicon. The port will include drivers and firmware that comply with Qualcomm's server chip specifications as well as ARM's Server Base System Architecture (SBSA), a specification that standardizes hardware features across all ARM server chips.
Microsoft has released the next version of its Dynamics AX enterprise resource planning software, giving companies a path to running more of their business in the cloud. It is all run through a browser-based portal, so people can access it wherever they are and on any sort of device, whether a desktop PC, a smartphone or something in between. Dynamics AX also connects with Microsoft's Power BI for data visualization, so users get an easy, at-a-glance look at key business metrics and can build custom visualizations for understanding their data. Dynamics AX joins Microsoft's other cloud-based business applications, including Power BI, Office 365 and Dynamics CRM Online, all of which are aimed at letting businesses move away from running on-premises applications and onto Microsoft's cloud.
The Electronic Frontier Foundation (EFF) has announced that the Let's Encrypt certificate authority, which it co-founded with Mozilla and researchers from the University of Michigan, has issued its millionth free HTTPS certificate. Last year the project made public its aim of building a more secure future for the World Wide Web, beginning with issuing and managing free certificates for any website that needs them and so aiding the transition from HTTP to the more secure HTTPS protocol.
A piece of ransomware targeting OS X has been delivered to users through the official installer for the BitTorrent client Transmission. Two installers for Transmission 2.90 contained a new piece of OS X malware that researchers have dubbed KeRanger and which they believe is the first fully functional ransomware targeting OS X. The ransomware bypasses Apple's Gatekeeper protection because the malicious Transmission builds are signed with a valid developer certificate issued by Apple; Gatekeeper checks that an app is signed by a registered developer, not that the developer is trustworthy. Once it infects a system, KeRanger looks for 300 different file types, including documents, images, multimedia files, archives, source code, emails, certificates and databases, and encrypts them with AES.
Google announced on Monday that it has open-sourced its Vendor Security Assessment Questionnaire (VSAQ) framework to help companies improve their security programs. The release includes four questionnaire templates covering web application security, security and privacy programs, physical and data center security, and infrastructure security. These base templates can be extended with questions specific to the company using VSAQ. The decision to release VSAQ as open source came after some of the vendors who completed Google's questionnaires expressed interest in using them to assess their own suppliers.
Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components. This month's Nexus Security Bulletin carries 16 security patches for 19 vulnerabilities and is the eighth monthly update from the company since the Stagefright flaw, which affected nearly 1 billion devices, was discovered in July last year. Of these vulnerabilities, seven were rated Critical, ten High and two Moderate. While many of the flaws were EoP issues, Google also resolved information disclosure bugs in the mobile OS, a mitigation bypass vulnerability and a remote denial of service flaw.
The Identity Protection (IP) PIN tool hosted on irs.gov allows taxpayers to generate or recover a six-digit number that provides an extra layer of protection against fraudulent tax returns. On Monday, however, the Internal Revenue Service (IRS) announced that it has temporarily suspended the tool while it strengthens its security. The problem is that an IP PIN could be obtained by answering four knowledge-based authentication (KBA) questions supplied by Equifax, and the answers to such questions can often be found through free online services, which let fraudsters obtain the PINs they needed to file tax returns on behalf of victims.
Adobe released updates on Tuesday for its Acrobat, Reader and Digital Editions products to address several critical vulnerabilities that can lead to code execution. With the release of Acrobat and Reader versions 15.010.20060, 15.006.30121 and 11.0.15 for Windows and Mac, Adobe resolved three flaws: two memory corruption issues (CVE-2016-1007, CVE-2016-1009) and a directory search path bug (CVE-2016-1008), all of which can be exploited to execute arbitrary code. The company also updated the Windows, Mac, Android and iOS versions of Digital Editions to 4.5.1 to fix a critical memory corruption vulnerability that could lead to code execution.
Apple's iOS operating system for iPhones and iPads is no stranger to eerie bugs. The latest causes users to receive ghost emails dated 1969 and 1970 that cannot be deleted. The issue probably stems from the way iOS handles UNIX time, also called Epoch time, in which counting starts at midnight on January 1, 1970: a zero or missing timestamp therefore renders as the start of 1970, or as December 31, 1969 in time zones west of UTC. From the looks of it, this bug is an extension of the earlier infamous 'January 1, 1970' bug that can brick some devices. Apple has fixed the January 1, 1970 bug in the forthcoming iOS 9.3 update but has so far not commented on the email bug.
Project BLAID is a Toyota wearable device, worn around the shoulders, dedicated to helping blind and visually impaired people navigate. Users interact with the device by voice recognition and buttons. The device is equipped with cameras that detect the user's surroundings and communicate information to the wearer through speakers and vibration motors, and Toyota plans to eventually integrate mapping, object identification and facial recognition technologies.
Microsoft announced plans to port its SQL Server software to Linux. For Microsoft, the move aims to give it a competitive edge against database rivals such as Oracle and IBM's DB2 and to expand the market for SQL Server considerably. Analysts also noted that mainstream commercial distributions such as Red Hat Enterprise Linux and SUSE Linux Enterprise Server will likely be supported before the formal product release in mid-2017. The main goal of the strategy is to serve as an on-ramp that brings Linux shops onto Microsoft's Azure cloud: Azure can run both Linux and Windows servers, so a SQL Server stack that can sit on top of either may make it more attractive to customers shopping for cloud services.
The U.S. military is spending millions on an advanced implant that would allow a human brain to communicate directly with computers. The Defense Advanced Research Projects Agency (DARPA) hopes the implant will let humans interface directly with computers, which could benefit people with hearing and visual disabilities, such as veterans injured in combat. The implantable device aims to convert the activity of neurons in the brain into electronic signals and to provide unprecedented data-transfer bandwidth between the human brain and the digital world. In January, DARPA announced plans to spend up to $62 million on the project, which is part of its Neural Engineering System Design program.
Researchers with Dell SecureWorks this week released an open-source, homegrown tool that detects attempts to steal Windows Active Directory domain administrator credentials. DCEPT (Domain Controller Enticing Password Tripwire) takes a deception-style "honeytoken" approach to catching attackers in the act of scraping domain credentials: it places phony credentials on the network as a lure, so if an attacker pulls cached credentials from a server and tries to use them, DCEPT detects the activity and alerts a SIEM or other monitoring system. DCEPT ships its server component as a Docker container build. It also decrypts Kerberos pre-authentication packets and inspects them to see whether the fake passwords are being used on the network.
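The detection logic the paragraph describes, planting one fake password per endpoint and then checking Kerberos pre-authentication against each planted password, can be shown in a few dozen lines. What follows is an added illustration written for this page, not DCEPT's own code. Real Kerberos clients derive a key from the password (string-to-key) and encrypt a timestamp with it as PA-ENC-TIMESTAMP; here a keyed HMAC over the timestamp stands in for that so the example runs offline, and the account name, host names, IP addresses and AS-REQ records are all constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Bait:
    host: str      # endpoint where this bait was planted
    username: str  # account name the attacker will see in memory
    password: str  # fake password, unique per host, so a hit names the host


def plant_bait(host: str, username: str = "CORP\\da_admin") -> Bait:
    """One unique fake credential per endpoint (constructed account name)."""
    return Bait(host, username, secrets.token_urlsafe(12))


def toy_preauth_blob(password: str, timestamp: str) -> str:
    """Stand-in for Kerberos PA-ENC-TIMESTAMP. A real client derives a key
    from the password and encrypts its timestamp with it; here an HMAC keyed
    by the password plays that role so the example needs no KDC."""
    return hmac.new(password.encode(), timestamp.encode(), hashlib.sha256).hexdigest()


def match_bait(baits, username: str, timestamp: str, blob: str):
    """Try every planted password against the observed pre-auth blob.
    Only the bait whose password produced the blob verifies; a genuine
    logon with the real password never matches any bait."""
    for b in baits:
        if b.username.lower() != username.lower():
            continue
        if hmac.compare_digest(toy_preauth_blob(b.password, timestamp), blob):
            return b
    return None


def detect(baits, as_req_records):
    """as_req_records: one dict per AS-REQ observed at the domain controller.
    Returns alerts naming the host whose bait was harvested and the source
    address that used it; this is what would be forwarded to a SIEM."""
    alerts = []
    for rec in as_req_records:
        bait = match_bait(baits, rec["cname"], rec["pa_timestamp"], rec["pa_blob"])
        if bait is not None:
            alerts.append({
                "compromised_host": bait.host,
                "attacker_ip": rec["src_ip"],
                "account": rec["cname"],
                "timestamp": rec["pa_timestamp"],
            })
    return alerts


def sample_records(baits):
    """Constructed AS-REQ observations: one genuine admin logon (real
    password unknown to the detector) and one use of the bait planted on
    baits[0].host from a different machine."""
    real_password = "the-real-da-password"  # never known to the tripwire
    return [
        {"src_ip": "10.0.5.21", "cname": "CORP\\da_admin", "pa_timestamp": "20160307T101500Z",
         "pa_blob": toy_preauth_blob(real_password, "20160307T101500Z")},
        {"src_ip": "10.0.9.77", "cname": "CORP\\da_admin", "pa_timestamp": "20160307T101732Z",
         "pa_blob": toy_preauth_blob(baits[0].password, "20160307T101732Z")},
    ]


if __name__ == "__main__":
    baits = [plant_bait("WS-042"), plant_bait("WS-007")]
    for alert in detect(baits, sample_records(baits)):
        print(alert)
```

The point of a unique password per host is in `match_bait`: a hit does not just say "someone used the bait", it says which endpoint the credentials were scraped from, which is the first thing an incident responder needs. Because the bait password never authenticates successfully, the KDC's own logs show only a generic pre-authentication failure; the tripwire is what turns that failure into an attributable alert.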
The Windows Runtime (WinRT) PDF Renderer library, or WinRT PDF, is a component built into recent releases of Windows that lets developers integrate PDF viewing into their own apps. A security researcher with IBM's X-Force Advanced Research team has found that WinRT PDF, the default PDF reader for Windows 10, leaves Edge users susceptible to a series of attacks strikingly similar to the way Flash, Java and Acrobat exposed web users over the past few years. Because Microsoft Edge uses WinRT PDF as its default reader, any PDF embedded in a web page is opened within the library, which gives attackers a way to reach vulnerabilities in the library through a PDF file: a malicious PDF can be opened silently off-screen with the help of CSS, so its payload runs without the user ever seeing a document.
PlaNet is a convolutional neural network from Google that can identify where a photo was taken from the pixels in the image alone. PlaNet does not rely on image metadata, which often includes geolocation information; instead it infers likely locations from the massive set of geocoded images used to train it (490 million Google+ images) and to test it (126 million Google+ images). Emphasizing the company's focus on artificial intelligence, Google CEO Sundar Pichai said, "Machine learning is a core, transformative way by which we're rethinking everything we're doing."
Scientists have reported that feeding knowledge directly into the brain could be as easy as going to sleep. Researchers at HRL Laboratories in California claimed a 33 percent improvement in learning, suggesting that Matrix-like realities could one day be possible. The researchers say they have developed a simulator that feeds information directly into a person's brain; once fed, that information can be used to teach the person new skills in a shorter amount of time.
According to researchers at the Beijing-based threat intelligence start-up ThreatBook, the DarkHotel threat group is targeting executives at telecommunications companies in North Korea and China. The group is using spear-phishing messages with malicious documents attached: specifically, a crafted SWF file embedded in a Word document and presented as a downloadable link, which exploits the Adobe Flash vulnerability CVE-2015-8651. The payload, update.exe, is a Trojan downloader disguised as an OpenSSL component that employs a variety of anti-detection measures, including anti-sandbox and anti-anti-virus techniques and just-in-time decryption.
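A mail gateway or sandbox does not need to recognise this particular campaign to stop the delivery technique: an SWF object has no business inside a Word document sent to an executive. The scanner below is an added example written for this page, not ThreatBook's tooling and not a DarkHotel sample. It assumes the modern .docx container (a zip archive; the older binary .doc format would need an OLE parser such as olefile instead) and builds its own minimal, constructed document to scan, with a fake SWF header tucked inside an embedded-object blob the way an OLE-wrapped attachment would carry it.

```python
import io
import zipfile

# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Zip members where Word keeps embedded OLE objects and ActiveX controls.
EMBEDDED_PREFIXES = ("word/embeddings/", "word/activex/")


def looks_like_swf(data: bytes) -> bool:
    """SWF header: 3-byte signature, 1-byte version, 4-byte little-endian
    total length. Checking all three fields avoids matching random 'FWS'."""
    if len(data) < 8 or data[:3] not in SWF_MAGIC:
        return False
    version, length = data[3], int.from_bytes(data[4:8], "little")
    return 1 <= version <= 64 and length >= 8


def scan_docx(blob: bytes):
    """Return (member_name, reason) for every member that is, or wraps, an SWF."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            data = z.read(info.filename)
            name = info.filename.lower()
            if looks_like_swf(data):
                findings.append((info.filename, "SWF file embedded directly"))
            elif name.startswith(EMBEDDED_PREFIXES):
                # OLE-wrapped object: the SWF sits somewhere after the
                # compound-file header, so search for a valid header inside it.
                for magic in SWF_MAGIC:
                    idx = data.find(magic)
                    if idx != -1 and looks_like_swf(data[idx:idx + 8]):
                        findings.append((info.filename, "SWF header inside embedded object"))
                        break
    return findings


def build_sample_docx(embed_swf: bool) -> bytes:
    """Constructed minimal .docx for the example; not a real malicious file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if embed_swf:
            # Fake SWF: zlib signature, version 10, declared length 64 bytes.
            fake_swf = b"CWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
            # Wrapped in a stub that starts with the OLE compound-file magic.
            ole_stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
            z.writestr("word/embeddings/oleObject1.bin", ole_stub + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean document:", scan_docx(build_sample_docx(embed_swf=False)))
    print("document with SWF:", scan_docx(build_sample_docx(embed_swf=True)))
```

A production scanner would also flag the presence of any embedded object at all in mail from outside the organisation, since a benign reason for one is rare, and would apply the same header check to the SWF after decompression if it wants to go on and look at the ActionScript inside.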
Google's data loss prevention (DLP) system for Gmail can now recognize text in images to block sensitive information from leaving through corporate communication channels. Gmail DLP has been enhanced with optical character recognition (OCR), which can identify alphanumeric characters in image files, Google announced. OCR lets Google for Work administrators analyze common image file types attached to Gmail messages and extract any text pictured within for checking against content rules. Non-compliant content can be blocked before any damage is done, or held for review.
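Once OCR has turned an attached image into text, the content rules are the same ones a DLP engine applies to a message body, with one extra wrinkle: OCR confuses letters and digits, so "4lll 1111 ..." must still be recognised as a card number. The following is an added example, not Google's DLP implementation: it applies two common rules, a Luhn-validated payment card number and a structurally valid US Social Security number, to a constructed piece of OCR output. The confusable-character table and the sample text are assumptions made for the example.

```python
import re

# OCR commonly misreads these letters for digits; normalise before validating.
OCR_CONFUSABLES = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1", "S": "5", "B": "8"})

# 13-19 digit-like characters, optionally separated by spaces or dashes,
# not glued to other word characters (so it skips parts of longer tokens).
PAN_CANDIDATE = re.compile(r"(?<!\w)(?:[0-9OoIlSB][ -]?){13,19}(?!\w)")

# US SSN with the structurally impossible area/group/serial values excluded.
SSN_PATTERN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (rule, matched_text) pairs for every content-rule hit.
    A digit run is only reported as a PAN if it passes Luhn, which keeps
    phone numbers, order numbers and OCR noise out of the alerts."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        raw = m.group(0).strip()
        digits = re.sub(r"[ -]", "", raw.translate(OCR_CONFUSABLES))
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", raw))
    for m in SSN_PATTERN.finditer(text):
        findings.append(("SSN", m.group(0)))
    return findings


def policy_action(findings) -> str:
    """What the gateway does with the message: block on any hit, else allow."""
    return "BLOCK" if findings else "ALLOW"


# Constructed OCR output for the example; the first card number has the
# classic 'l'-for-'1' misread, the second fails Luhn and must not alert.
SAMPLE_OCR_TEXT = """Receipt scan (OCR output, constructed for this example)
Card number: 4lll 1111 1111 1111   exp 12/19
Ref: 4111 1111 1111 1112
Order 2016-03-07, phone +1 415 555 0100
Employee SSN 123-45-6789
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_OCR_TEXT)
    for rule, matched in hits:
        print(f"{rule}: {matched}")
    print(policy_action(hits))
```

The normalisation step is deliberately applied only inside a candidate run of digit-like characters; mapping every "O" to "0" across the whole text would mangle ordinary words and create new false positives. The trade-off to keep in mind is that a determined insider can defeat pattern rules by splitting a number across lines or images, so rules like these are a safety net against accidental leakage rather than a control against exfiltration.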