SHA-1 collision can break SVN code repositories

Credit to Author: Lucian Constantin | Date: Mon, 27 Feb 2017 10:41:00 -0800

A recently announced SHA-1 collision attack has the potential to break code repositories that use the Subversion (SVN) revision control system. The first victim was the repository for the WebKit browser engine that was corrupted after someone committed two different PDF files with the same SHA-1 hash to it.

The incident happened hours after researchers from Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands announced the first practical collision attack against the SHA-1 hash function on Thursday. Their demonstration consisted of creating two PDF files with different contents that had the same SHA-1 digest.

8 steps to regaining control over shadow IT

Credit to Author: Ryan Francis | Date: Thu, 23 Feb 2017 12:17:00 -0800

A dangerous practice on the rise

“Shadow IT” refers to the too-common practice whereby managers select and deploy cloud services without the consent or even the knowledge of the IT department. These services act as extensions of the corporation but are steered entirely by groups that lack the knowledge or process to ensure they follow necessary guidelines, introducing security, compliance, and brand risk throughout the enterprise. Gartner predicts that by 2020, one-third of security breaches will come in through shadow IT services.

Java and Python FTP attacks can punch holes through firewalls

Credit to Author: Lucian Constantin | Date: Tue, 21 Feb 2017 10:11:00 -0800

The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.

On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails.

XXE vulnerabilities can be exploited by tricking applications to parse specially crafted XML files that would force the XML parser to disclose sensitive information such as files, directory listings, or even information about processes running on the server.

Klink showed that the same type of vulnerabilities can be used to trick the Java runtime to initiate FTP connections to remote servers by feeding it FTP URLs in the form of ftp://user:password@host:port/file.ext.

JavaScript-based attack simplifies browser exploits

Credit to Author: Lucian Constantin | Date: Wed, 15 Feb 2017 10:13:00 -0800

Researchers have devised a new attack that can bypass one of the main exploit mitigations in browsers: Address space layout randomization (ASLR). The attack takes advantage of how modern processors cache memory and, because it doesn’t rely on a software bug, fixing the problem is not easy.

Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) unveiled the attack, dubbed AnC, Wednesday after having coordinated its disclosure with processor, browser and OS vendors since October.

ASLR is a feature present in all major operating systems. Applications, including browsers, take advantage of it to make the exploitation of memory corruption vulnerabilities like buffer overflows more difficult.

Accenture wants to help businesses secure their blockchains

Accenture wants to help businesses use blockchain technologies more securely by locking away the encryption keys they use to sign transactions.

It’s built a system that blockchain developers can use to store credentials in specialized cryptoprocessors called hardware security modules (HSMs).

Banks typically use HSMs to store the PINs associated with payment cards or the credentials used to make interbank payments over the SWIFT network. Keeping credentials inside an HSM is much more secure than storing them, even in encrypted form, on network-connected servers from which attackers could steal them.

The PINs or credentials never leave the HSMs, and their use within them is strictly controlled.

5 things DevOps must do to secure containers

Can’t we all get along

Do deepening adoption and broader deployment of container technologies (from the likes of Docker, CoreOS and others) threaten to escalate into the latest skirmish between operations, developers and information security? Certainly, the potential exists to widen the rift, but in fact there is far more common ground than it might initially seem. Containerization introduces new infrastructure that operates dynamically and is open in nature, with more potential for cross-container activity. It also presents an almost unprecedented opportunity to embed security into the software delivery pipeline – rather than grafting on security checks, container monitoring and access-control policy as an afterthought.
