HackDig : Dig high-quality web security articles for hacker

University Networks

The Atlantic Monthly just published a piece about the computer security challenges facing universities. Those challenges are serious: “Universities are extremely attractive targets,” explained Richard Bejtlich, the Chief Security Strategist at FireEye, which acquired Mandiant, the firm that investigated the hacking incident at the [New York] Times. “The sor
Publish At:2015-10-19 16:15 | Read:2918 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security a

When departments work at cross-purposes

Back in August, we wrote about how self-discipline can be one of the hardest parts of security, as illustrated by Snowden and the NSA. Just recently, Salon published an article about similar issues that plagued the CIA during the Cold War: How to explain the KGB’s amazing success identifying CIA agents in the field? So many of their agents were being uncov
Publish At:2015-10-08 03:05 | Read:3934 | Comments:0 | Tags:Technical Insight Web Application Security CIA Cold War KGB

Pro-Palestinian Hackers Took over Radio Tel Aviv Website

A group of pro-Palestinian hackers took over the official website of Radio Tel Aviv (TLV) on Sunday and left a defacement page on the homepage showing anti-Israeli messages. A group of Palestinian-friendly hackers going by the handle AnonCoders hacked and defaced the official website of Radio Tel Aviv. The hackers left a defacement page along with messages both in
Publish At:2015-10-07 00:00 | Read:3945 | Comments:0 | Tags:Application Security Cyber Security Cyber Warfare Security U

WordPress Jetpack Plugin Patched Against Stored XSS Vulnerability

After a few critical bugs were recently discovered and patched in the core WordPress engine—a rarity with WordPress-related security issues—order has apparently been restored with the discovery of a critical vulnerability in a popular plugin. Insecure plugins have been at the heart of numerous attacks launched from compromised WordPress sites. One was patched
Publish At:2015-10-03 02:30 | Read:2068 | Comments:0 | Tags:Vulnerabilities Web Security cross-site scripting stored cro

Patreon was warned of serious website flaw 5 days before it was hacked

Five days before Patreon.com officials said their donations website was plundered by hackers, researchers at a third-party security firm notified them that a serious programming error could lead to disastrous results. The researchers now believe the vulnerability was the entry point for attackers who went on to publish almost 15 gigabytes' worth of source co
Publish At:2015-10-02 23:15 | Read:2996 | Comments:0 | Tags:Risk Assessment Technology Lab data breach debugging patreon

PGP: Still hard to use after 16 years

Earlier this month, SC magazine ran an article about this tweet from Joseph Bonneau at the Electronic Frontier Foundation: Email from Phil Zimmerman: “Sorry, but I cannot decrypt this message. I don’t have a version of PGP that runs on any of my devices” PGP, short for Pretty Good Privacy, is an email encryption system invented by Phil Zimm
Publish At:2015-09-24 17:25 | Read:2496 | Comments:0 | Tags:Uncategorized AES cryptographer encrypting email encryption

Serious Imgur bug exploited to execute worm-like attack on 8chan users

A recently discovered attack on visitors of the 8chan image website went well beyond the venue's usual script-kiddie fare by combining two weaknesses on that property with a potentially catastrophic vulnerability on the wildly popular photo-sharing site Imgur.com. The result: the browsers of people who viewed certain Imgur-hosted images linked on one or more
Publish At:2015-09-23 08:25 | Read:3285 | Comments:0 | Tags:Risk Assessment Technology Lab 8chan Adobe Flash cross-site

Complexity and Storage Slow Attackers Down

Back in 2013, WhiteHat founder Jeremiah Grossman forgot an important password, and Jeremi Gosney of Stricture Consulting Group helped him crack it. Gosney knows password cracking, and he’s up for a challenge, but he knew it’d be futile trying to crack the leaked Ashley Madison passwords. Dean Pierce gave it a shot, and Ars Technica provides some context. A
Publish At:2015-08-31 12:50 | Read:1731 | Comments:0 | Tags:Technical Insight Tools and Applications Vulnerabilities Web

The Death of the Full Stack Developer

When I got started in computer security, back in 1995, there wasn’t much to it — but there wasn’t much to web applications themselves. If you wanted to be a web application developer, you had to know a few basic skills. These are the kinds of things a developer would need to build a somewhat complex website back in the day: ISP/Service Provide
Publish At:2015-08-28 14:30 | Read:2908 | Comments:0 | Tags:Industry Observations Technical Insight Vulnerabilities Web

Developers and Security Tools

A recent study from NC State states that “the two things that were most strongly associated with using security tools were peer influence and corporate culture.” As a former developer, and as someone who has reviewed the source code of countless web applications, I can say these tools are almost impossible to use for the average developer. Security tools are
Publish At:2015-08-27 20:55 | Read:2035 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security a

It Can Happen to Anyone

Earlier this summer, The Intercept published some details about the NSA’s XKEYSCORE program. Those details included some security issues around logging and authorization: As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can
Publish At:2015-08-19 19:25 | Read:3153 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security A

Conspiracy Theory and the Internet of Things

I came across this article about smart devices on Alternet, which tells us that “we are far from a digital Orwellian nightmare.” We’re told that worrying about smart televisions, smart phones, and smart meters is for “conspiracy theorists.” It’s a great case study in not having a security mindset. This is what David Petraeus said about the Internet of Things
Publish At:2015-08-14 15:55 | Read:2230 | Comments:0 | Tags:Industry Observations Technical Insight Tools and Applicatio

Hammering at speed limits

Slate has a well-written article explaining an interesting new vulnerability called “Rowhammer.” The white paper is here, and the code repository is here. Here’s the abstract describing the basic idea: As DRAM has been scaling to increase in density, the cells are less isolated from each other. Recent studies have found that repeated accesses to DRAM rows
Publish At:2015-08-11 17:30 | Read:3021 | Comments:0 | Tags:Technical Insight Vulnerabilities Web Application Security A

Security Pictures

Security pictures are being used in a multitude of web applications to apply an extra step in securing the login process. However, are these security pictures being used properly? Could the use of security pictures actually aid hackers? Such questions passed through my mind when testing an application’s login process that relied on security pictures to provi
Publish At:2015-08-03 17:20 | Read:1823 | Comments:0 | Tags:Tools and Applications Vulnerabilities Web Application Secur

Why is Passive Mixed Content so serious?

One of the most important tools in web security is Transport Layer Security (TLS). It not only protects sensitive information during transit, but also verifies that the content has not been modified. The user can be confident that content delivered via HTTPS is exactly what the website sent. The user can exchange sensitive information with the website, secur
Publish At:2015-07-31 01:45 | Read:2772 | Comments:0 | Tags:Technical Insight Tools and Applications Vulnerabilities Web
