There is an increasing level of noise in the enterprise about Bringing Your Own Device (BYOD). That you like it or not, it is most probably happening right now within your company unless your are “lucky enough” to be able to enforce strict controls as to what devices are allowed and able to access your data.
For a true BYOD concept, meaning with no restrictions on what that device might be, there are only 2 possible way to enable it:
1) To allow network access to your data/application directly from any devices
or
2) To make your data/application available from the Internet, and the easiest incarnation of that is through web applications.
With the first approach, focusing on the network access, the positives are that you can have more control over the environment from which the data/application is accessed from. Such as enforcing a minimum set of security controls and quarantine non compliant devices. The negatives, though, are the need for a ...
>>[READ MORE]
Smile, you are being recorded!
#62 - Posted on
13 February 2012 - Author: SM - Category: Hacking
The BBC has recently ran an article about a hacker who has published details on how to hack a certain type of webcam. This story is interesting for several reasons.
First, it further highlights how fragile our privacy has become since we live in a digital world with details of our life being kept on the internet: personal blogs, twitter feeds, Facebook or Government/Health records, etc. All this data is available online if you have the right access to the system it is held on. But it is not just still photos or lines of texts, it can also be live pictures through personal webcams or state surveillance cameras. Again, that data is available if you have the right credentials. In this case, hundreds of Trendnet webcam users thought/thinks their live video feed was protected through the use of a userid and password, but a bug in its firmware allows anyone to access it by...
>>[READ MORE]
Koobface, The dangerous game of naming and shaming
#61 - Posted on
24 January 2012 - Author: SM - Category: Security
There has been wide coverage of the naming and shaming of the supposedly perpetrators behind the Koobface botnet that has affected Facebook and other social sites for a few years.
The gang leader was first named on Dancho Danchev’s blog, then the Facebook’s security team threaten and did reveal the gang’s real identity, the New York times even ran an article on it and finally Sophos published another in-depth look at how they also discovered their identity. In between, many other sites jumped in to share that information.
I am slightly uncomfortable with this approach.
It appeared to have worked in this instance as the bonnet Command & Centre has been turned off, and it also appears they named the right perso...
>>[READ MORE]
Most websites are vulnerable to a hash collision DOS attack
#60 - Posted on
3 January 2012 - Author: SM - Category: Hacking, Security
By websites, I should really have said Web Applications, but the end result is the same: A server which is serving pages on the Internet could see its CPU usage increasing to a level making that server unusable for a few minutes or more. All that from a relatively small specially crafted malicious HTTP request.
This vulnerability exists in most languages used to develop web applications: PHP, ASP.Net, Java, Python, Ruby, etc. And it has been known to exist in theory since 2003!
Last week, Alexander Klink and Julian Wälde explained at the 28th Chaos Communication Congress in Germany how exactly the theory became reality and the impact on the different web application languages were affected.
The core of the issue is the way hash lists have been implemented in those languages. By “Hash” they both refer to a specific type of data structure and the cryptographic function. A >>[READ MORE]