It's fairly esoteric, but if any of the security professionals out there have ever pen-tested a JavaScript application, you know just how vulnerable they can be. Node.js is the shiny new JavaScript runtime and the newest heir apparent to jQuery. The problem with Node.js is that in order to write anything… Continue reading Node.js Has Vulnerabilities
With the advent of the new BootHole flaw, it might be time to learn how to automate your patching and get onto a blue-green deployment path so you can patch and test quickly in response to these kinds of threats. For those who haven't seen it, BootHole is a flaw in the GRUB2 bootloader where attackers can gain control of… Continue reading Start Your Patching Engines
Enron started it, but the other power companies have all picked up the practice of playing the spot market for energy production and consumption. This works a lot like the Wall Street futures market, where there is a certain amount of financial speculation around both supply and demand. If demand is high,… Continue reading High Wattage IoT Devices Used to Manipulate Energy Market
Fancy Bear, or APT28, depending on how you name them, has been hacking US companies and the US Department of Energy. I'm guessing that, like Norway, Russia is hurting due to low oil prices. Here's a short lesson in how economics can impact target selection by an APT. In order to understand it, you… Continue reading What is Russia Up To Now?
In a recent release, FireEye identified a misinformation campaign, but this time it wasn't coming from Facebook, Twitter or any other social media. News agencies had their content management systems hacked, and the attackers were publishing fake news in a psy-ops bid to sway public opinion against NATO. The attack appears to have been running… Continue reading Fake News from Actual News Outlets
At least in the Netherlands, you can change a traffic light by spoofing a bicycle approaching it. The light changes to allow the (non-existent) bicycle to pass. At least in theory, this could be used to gridlock an entire city. IoT security strikes again.
Apparently CryptoCore has raked in about $200 million USD using low-tech techniques like spear phishing and whaling. The executives running cryptocurrency exchanges were targeted in order to steal wallet credentials. Worse yet, the group has been very effective at covering its trail. It's likely to be based in Eastern Europe,… Continue reading Spear Phishing and Cryptocurrency Hacking
There are a bunch of new exploits out that use Bluetooth to do a whole list of dirty deeds. They cover everything from simple data harvesting (collecting your emails, your text messages and your whole phone book) to actually being able to send messages as you to other people. These are basically replay attacks where… Continue reading Turn off Your Bluetooth ASAP
While explaining the difference between DevOps and DevSecOps to a colleague, I came across an interesting set of Google search results. When I google for 'misconfigured AWS S3 bucket data breach', I get 81,000+ results: 7 million Indian financial records exposed, 128 million US household records exposed, UK… Continue reading DevSecOps is Critical
More on the IoT "Revolution" we have going on. Your IoT devices and other service accounts probably account for the bulk of the entries in your Active Directory or LDAP directory. When was the last time any of them had their credentials updated? What do those accounts access? When did you last audit them to be… Continue reading Service Accounts Now More Numerous than Human Accounts
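As an added example (not code from the blog post or from any product it mentions), here is one way to start answering the first two questions above for Active Directory: list accounts that carry a Service Principal Name (the usual marker of a Kerberos service identity), report how old each password is and which privileged groups the account sits in, and separately dump every enabled user whose password is set to never expire. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access; the 365-day threshold and the group-name pattern are arbitrary choices, not anything the post specifies.

```powershell
# Added example: inventory AD service accounts by password age and group membership.
# Assumes the ActiveDirectory RSAT module; $MaxPasswordAgeDays is an arbitrary threshold.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Service accounts are typically user objects with an SPN registered.
$ServiceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, MemberOf, ServicePrincipalName

$Report = foreach ($Acct in $ServiceAccounts) {
    [PSCustomObject]@{
        SamAccountName       = $Acct.SamAccountName
        Enabled              = $Acct.Enabled
        PasswordLastSet      = $Acct.PasswordLastSet
        # Null PasswordLastSet means the password was never set or must change at next logon.
        PasswordAgeDays      = if ($Acct.PasswordLastSet) { [int]((Get-Date) - $Acct.PasswordLastSet).TotalDays } else { $null }
        PasswordNeverExpires = $Acct.PasswordNeverExpires
        LastLogonDate        = $Acct.LastLogonDate
        Stale                = (-not $Acct.PasswordLastSet) -or ($Acct.PasswordLastSet -lt $Cutoff)
        # MemberOf holds group DNs; the pattern below is a hypothetical list of groups you consider privileged.
        PrivilegedGroups     = ($Acct.MemberOf | Where-Object { $_ -match 'Domain Admins|Enterprise Admins|Administrators' }) -join ';'
        SPNs                 = ($Acct.ServicePrincipalName -join ';')
    }
}

# Stale or never-expiring accounts only, privileged ones first, then by password age.
$Report | Where-Object { $_.Stale -or $_.PasswordNeverExpires } |
    Sort-Object @{ Expression = { $_.PrivilegedGroups -ne '' }; Descending = $true }, PasswordAgeDays -Descending |
    Format-Table SamAccountName, Enabled, PasswordAgeDays, PasswordNeverExpires, LastLogonDate, PrivilegedGroups -AutoSize

# Integration and IoT accounts often have no SPN at all but are flagged never-expires; catch those too.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path .\never-expires.csv -NoTypeInformation
```

The SPN filter and the never-expires search deliberately overlap: an account that appears in both lists has a long-lived credential that is also exposed to Kerberoasting, so it belongs at the top of the rotation queue. Group membership answers "what do they access" only partially; ACLs on shares, databases and cloud roles still need their own audit.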