Cloud Security is one of the buzzwords in the industry today. But, what does it mean? Are there new kinds of threats with the cloud?
Continue reading “Cloud Security – An Overview”
Cross Site Request Forgery – Explained in detail
What is so cross-site about Cross Site Request Forgery? What kinds of forgery can be committed using XSRF?
Continue reading “Cross Site Request Forgery – Explained in detail”
The Sony Hack – Whodunit?
For those closely tracking the Sony Pictures Entertainment hack this past month, any regret over not having read a detective novel lately was likely laid to rest.
Continue reading “The Sony Hack – Whodunit?”
Top Breaches of 2014
In no particular order:
Continue reading “Top Breaches of 2014”
“Clandestine Fox” eats Windows XP
A new zero-day vulnerability affecting nearly all versions of Internet Explorer has been discovered and publicly announced by FireEye, a security company.
Continue reading ““Clandestine Fox” eats Windows XP”
Heartbleed Bug – Don’t trust the “HTTPS”
You have always been told to look for the lock symbol on any website; the lock indicates that you can a) trust that the website is who it says it is, and b) trust that any data you exchange with the website is encrypted so that no one else can read it. For example, when you log in to your bank account, the lock gives you the assurance that no hacker on the internet can read your password and that you are indeed logging on to your bank’s website and not a bogus impostor site.
Though these things are normally true, a bug has recently been discovered in a software library called OpenSSL. For websites running the particular versions of OpenSSL that are affected, neither of the above assurances may hold. The bug enables a malicious hacker on the internet, with no knowledge of any password related to a site running a vulnerable OpenSSL, to a) possibly read any encrypted data flowing between the site and its users, and b) use what is recovered, specifically the site’s private keys, to impersonate the affected website.
The attacker can do all of the above because the so-called “Heartbleed Bug” allows anyone on the internet to read a portion of the web server’s memory. At various points in time that memory will contain private keys, passwords and other sensitive information, which the attacker can steal for further hacking.
It appears that the bug has been present for more than 2 years; a public announcement regarding the bug was made last week, sending security professionals into a tizzy.
According to Netcraft, over half a million websites continue to be affected by this vulnerability. A fairly recent list of affected websites is available on GitHub and includes popular websites like yahoo.com. Ironically, it appears that the website of openssl.org itself is vulnerable.
Websites that use a vulnerable version of OpenSSL would do well to upgrade to a patched version and, because private keys may already have been read from memory, to reissue their certificates and rotate any passwords or credentials that passed through the affected servers.
Secure your network – Pitfalls to be avoided
We have all seen lists upon lists of “How to secure your network”. We have grown immune to these well-meaning rants, just as a teenager blocks out his parents’ “lectures” (no parent would call it a “lecture”, while every kid will insist it is a “lecture, and a boring one at that”). So we decided to put on our thinking caps, after vigorously dusting them off, and tried to come up with a list of pitfalls to avoid; one that will, hopefully, not be relegated to the annals of lecture fiefdom.
Continue reading “Secure your network – Pitfalls to be avoided”
Updates on the Target breach
The ‘Certificate Transparency’ Initiative
Before we get into what is certificate transparency and why there is a Google initiative currently running to implement this, let’s understand a bit of the background.
Continue reading “The ‘Certificate Transparency’ Initiative”
Neiman Marcus Breach
Another breach in the retail industry – The Neiman Marcus Breach
Continue reading “Neiman Marcus Breach”