Two chaps claim to have discovered how to trivially circumvent Microsoft's Enhanced Mitigation Experience Toolkit (EMET) using Redmond's own compatibility tools.
A report [PDF] by the duo at Duo Security describes how the Windows on Windows (WoW64) environment can be abused to bypass builtin security tools.
The Stagefright vulnerabilities are the gifts that keep on giving.
Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports.
Using a password manager is one of the biggest ways that average computer users can keep their online accounts secure, but their protection is pretty much meaningless when an end user's computer is compromised. Underscoring this often ignored truism is a recently released hacking tool that silently decrypts all user names, passwords, and notes stored by the KeePass password manager and writes them to a file.
Thousands of routers mandated for use by a major Singaporean telco and operated by 'top enterprises" around the world are open to a remote zero day exploit that allows routers to be completely hijacked and is indefensible by most users.
Vantage Point Security senior security consultant Lyon Yang does not wish to disclose the name of the affected internet provider but says the ZHONE routers are required for subscribers to be able to connect to the service.
With apologies to George R. R. Martin, the drama around legitimate security research is starting to rival anything the Starks, Lannisters and Targaryens could muster.
Hardly a month goes by without some white-hat bug hunter wedged between a vendor or government threatening legal or regulatory action against disclosures that would serve only to make something more secure. Clearly some points on this vendor-researcher-policymaker triangle just don’t get that subtlety.
Soon after Dutch newspaper Volkskrant reported [in Dutch] about the Android vulnerability on the 27th of June, some members of the (security) community raised concerns about our attack.
It would be "nothing new" and "overrated". Some people [in Dutch] suggested that having a strong password already helps a lot, while others doubt the possibility of uploading malicious code on the Google Play Store and/or maintain that your phone will display plenty of warnings if you were to try this attack. They all miss the point.
An upcoming talk covering security problems in Internet-connected cameras has been canceled after opposition from some manufacturers.
Gianni Gnesa was scheduled to give a presentation titled "Abusing Network Surveillance Cameras" on Oct. 14 at the Hack in the Box GSEC conference in Singapore.
In the wake of last week's cookie security warning, accomplished Polish penetration tester Dawid Czagan has dug up a separate issue with Apple's Safari.
The bug Czagan has reported to Apple relates to its handling of the HTTPOnly flag, again leaving cookies open to attack.
A whole lot of work rolling out HTTP security is being undermined by bad browser implementation that facilitates man-in-the-middle attacks.
CERT has warned that all of the major browser vendors have a basic implementation error that mean “cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information”.
Uber is attempting to squash the use of hacked customer accounts that have most likely been sold on the dark web and are currently being used in China.
Several Uber customers tweeted that their Uber app notified them that they had recently taken a Uber ride in China, when in fact they were nowhere near that country, according to Motherboard.
