Sunday, March 16, 2014

Pwn2Own: All browsers fall!


 
This week Hewlett-Packard continued its annual Zero Day Initiative (ZDI) Pwn2Own event. Pwn2Own is a hacking contest where HP awards security research teams cash prizes for responsibly exposing security flaws in popular operating systems, applications, and browsers. The vendors then collaborate with each other to find solutions for the newly exposed threats.

This week, on March 12th, the first day of the competition, Adobe Flash and Reader, IE 11 (Internet Explorer), and Firefox 27 had security holes exposed. On March 13th, the second day of the competition, all browsers had security exploits exposed, including Google Chrome, which had patched 7 security flaws a few days prior to the event.

When the dust had settled at the end of the Pwn2Own event, all the major browsers had had security flaws exposed, and the security teams had taken away $850,000 out of the $1,085,000 possible prize money. Team VUPEN won the highest gross of $400,000 in the competition, having exposed 5 security flaws. In the end only one prize was left unawarded, which was for IE 11 w/EMET*. So even though IE has a bad rap concerning security, it is funny that it was the only unclaimed prize this year.

*EMET (Enhanced Mitigation Experience Toolkit) is a utility by Microsoft that helps prevent vulnerabilities in software from being exploited. EMET works by performing input validation against code in the program to prevent exploits of possible security holes. EMET can be downloaded directly from Microsoft and requires IE 10 or higher.

 



 

Friday, March 7, 2014

Villain attack our comiXs



As an avid comic book reader, which I’ve been my whole life, ever since I can remember, the Comixology breach has hit close to home. You see, I’ve recently adopted digital format comic books. I love collecting the physical comics, but I have begun using digital comics to complement the physical copies of my comics. I enjoy the freedom of digital format and being able to read my comics on the go, so for that reason I am a member of Comixology.

Earlier this week I received an email from Comixology informing me that someone had broken into their system. The individual had gotten away with information like email, usernames, and passwords. Comixology, in their letter, assures that the passwords stolen were encrypted, but the truth is a hacker with enough skills and time could be able to decrypt them. They urge everyone to change their password as soon as possible. This breach makes me wonder if having multi-tier authentication could help alleviate these types of threats, because even if a password did get compromised, they would need to be able to bypass the next level of authentication in order to successfully log on to the user’s account.
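The second-factor idea raised above, as an added example (not from the original post or from comiXology): a login check that requires both a salted PBKDF2 password match and an RFC 6238 time-based one-time code. The account record, function names, password and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; what a breached database would expose."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login(account: dict, password: str, code: str, now: int) -> bool:
    """Succeed only when BOTH the password and the one-time code are valid."""
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    # Accept the current and the previous time step to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(
            totp(account["totp_secret"], now - drift * STEP).encode(),
            code.encode())
        for drift in (0, 1))
    # Evaluate both factors before answering so the reply does not reveal
    # which one failed.
    return pw_ok and code_ok

# Constructed sample account. The TOTP secret is the RFC 6238 test key; in a
# real system it must be stored apart from (or encrypted separately from)
# the password table, or one database theft exposes both factors.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = 59
    print("password only :", login(ACCOUNT, "correct horse", "000000", now))
    print("both factors  :", login(ACCOUNT, "correct horse", totp(ACCOUNT["totp_secret"], now), now))
```
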

Email from Comixology

Dear Comics Reader,

In the course of a recent review and upgrade of our security infrastructure, we determined that an unauthorized individual accessed a database of ours that contained usernames, email addresses, and cryptographically protected passwords.

Payment account information is not stored on our servers.

Even though we store our passwords in protected form, as a precautionary measure we are requiring all users to change their passwords on the comiXology platform and recommend that you promptly change your password on any other website where you use the same or a similar password. You can reset your comiXology.com password here.

We have taken additional steps to strengthen our security procedures and systems, and we will continue to implement improvements on an ongoing basis.

Please note that we will never ask you for personal or account information in an e-mail, so exercise caution if you receive emails that ask for personal information or direct you to a site where you are asked to provide personal information.

We apologize for the inconvenience. If you have any questions, please contact us by sending an email to support@comixology.com

Sincerely,

ComiXology

Sunday, March 2, 2014

Wi-Fi Pandemic in our future?


British researchers from the University of Liverpool have created the first computer virus that spreads like the common cold, meaning it spreads like an airborne virus.

The new virus, called “Chameleon”, spreads by completing seven steps. First it identifies wireless access points with weak security. The virus then bypasses the encryption security on the access point. Next it bypasses the administrative interface of the access point and stores the settings and configuration. Once the settings have been saved, the virus replaces the AP’s firmware with the virus-loaded firmware and reloads the stored AP settings. Once these steps are completed, the virus repeats the process by identifying more weak wireless access points.

The researchers said, “It was assumed that it wasn’t possible to develop a virus to attack Wi-Fi networks,” so they set out to prove that it could be done and that it could spread rather quickly in the public. With proper security configurations a user can protect themselves from infection through this type of attack, but I just have to ask: WHY? Why help develop a new form of attack for hackers to exploit?