Who is this moron?
Respectable security researchers don't encourage the creation of malware by running contests for it!
Think you have a gift for writing compact code that replicates using one of the web's most vexing classes of security vulnerabilities? Then security researcher RSnake (aka Robert Hansen) would like to hear from you. He has set up a contest to see who can write a self-propagating cross-site scripting (XSS) worm using the fewest …
"Respectable security researchers don't encourage the creation of malware by running contests for it!" .... You can't fault the Speculative Phish though, Doc.
Although in the world of Ethical Crackers and Hackers Evolving Living Organic Networks, the bait would need to be irresistible and forever gratifying....... two elements which are singularly missing.
I thought the basic idea was that one remains "unknown" as a crack hack, so even the prize of bragging rights is an ego/super-ego trip wasted.
But with a Zero Day XSS Facility so easily XXXXPloitable, and with such Catastrophic Performance Potential to Critical InfraStructure Systems, one can fully understand the Panic. There is only one Practical Perfect Solution ....... Pay such a Potent Potential Attacker to Change the System which so easily Invites Attack..... for once released XSSXXXX Codes have AI Programmed and Program Led Hive Mind of their Own.
Not sure if developers care about your idea of respectable security research anymore, or to be honest if they ever did.
I must admit things like this do encourage me to get the latest books on website security though, so the industry does seem to be funding itself.
The amusing thing is the search for the signature premise; https is going to knobble that a bit, forcing the check to happen at the client, and even then obfuscation is getting well known in the web field, so not quite sure of the value. And I am fairly sure the browser makers are aware of the basic signatures already, as they keep plugging the holes.
I have seen some good ideas, to increase web security, but really we need an overhaul of the entire premise that the internet as it stands is ideal for secure transactions. I would suggest that the banks and payment gateway services all invest in diverse technologies, requiring the users to download software that is bullet proof to enable transactions. It is the lack of investment in IT that is causing this problem, along with dull diatribes about reinventing wheels and standards. If there is a panacea, then diversity is its mother.
From my research, it takes about a month for someone who is familiar with IT to create a setup where they can fuzz away for vulnerabilities in browsers, then perhaps a couple of hours a day to get an exploit. If the IT industry was proactive these people would be employed in jobs that helped the IT community, instead they are just creating market demand for their skillset in the future, at considerable risk to themselves, but hey at least they are living.
Security thru diversity is a useful mantra for the IT sector. As long as IT delivers productivity at an increase of one penny more on profit over a manual system, it is a viable solution for business. Diversity requires more people to operate, maintain and develop systems, and it increases security. Sure it is more expensive, but it does make the IT sector rich. In some ways these virus writers are doing us all a favour, but hey it remains illegal in most countries. Though this goes some way to explain why IT on the whole tends to give a degree of freedom to the writers, and the number of IT vigilantes is not great, in fact there is probably more of a dislike about animated gifs than there is viruses :)
Aren't there universities to be contacted, to let the students have a competition? Perhaps he could share his knowledge with some of the tutors? Actually use his skills to train students to become security experts? Oh, I forgot: he probably isn't part of the solution that _prevents_ these sorts of mayhem, he earns a living cleaning up.
"I would suggest that the banks and payment gateway services all invest in diverse technologies, requiring the users to download software that is bullet proof to enable transactions."
Interesting idea, it would probably improve security, but I think you would also lose most of the benefits of online banking. My first objection is that the software would probably only be available for one operating system (read microshaft windoze). Also, you'd probably only be able to access your online bank/payment service from your own computer -- even if you were allowed to install the software from your bank at work, chances are there'd be a firewall blocking your bank's protocol. Finally, any software more complex than "hello world" is extremely unlikely to be truly bullet proof.
In brief: Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.
In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.
Google keeps a log of its users' whereabouts via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.
China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.
In its announcement of the investigation, the China Cyberspace Administration (CAC) said:
Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms.
While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat.
Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident.
Never mind what enterprise programmers are trained to do, a self-defined set of hackers has its own programming language zeitgeist, one that apparently changes with the wind, at least according to the relatively small set surveyed.
Members of Europe's Chaos Computer Club, which calls itself "Europe's largest association of hackers" were part of a pool for German researchers to poll. The goal of the study was to discover what tools and languages hackers prefer, a mission that sparked some unexpected results.
The researchers were interested in understanding what languages self-described hackers use, and also asked about OS and IDE choice, whether or not an individual considered their choice important for hacking and how much experience they had as a programmer and hacker.
After at least six years of peddling pilfered personal information, the infamous stolen-data market RaidForums has been shut down following the arrest of suspected founder and admin Diogo Santos Coelho in the UK earlier this year.
Coelho, 21, who allegedly used the mistaken moniker "Omnipotent" among others, according to the US indictment unsealed on Monday in the Eastern District of Virginia, is currently awaiting the outcome of UK legal proceedings to extradite him to the United States.
The six-count US indictment [PDF] charges Coelho with conspiracy, access device fraud, and aggravated identity theft following from his alleged activities as the chief administrator of RaidForums, an online market for compromised or stolen databases containing personal and financial information.
Analysis: The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.
However, the gang is climbing up the ladder, swinging at larger targets in the tech industry. Over the past few weeks, those have included Nvidia, Samsung, and Argentine online marketplace operator Mercado Libre. Now, Lapsus$ is suspected of attacking game developer Ubisoft.
Lapsus$ in February compromised Nvidia, stealing a terabyte of data that included proprietary information and employee credentials, and dumping some of the data online. The crew also demanded the GPU giant remove limits on crypto-coin mining from its graphics cards, and open-source its drivers.
The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.
NSO Group in an email to The Register said it has blocked unnamed customers' access to its system upon receiving an inquiry about the incident, but has yet to confirm whether its software was involved.
"Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."
BadgerDAO, maker of a decentralized finance (DeFi) protocol, said on Wednesday that it is investigating reports that millions in user funds have been stolen.
"As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals," the company wrote in a Twitter post. "Our investigation is ongoing and we will release further information as soon as possible."
PeckShield, a blockchain security firm, put the losses at $120.3 million, if translated to fiat currency.
A Ubiquiti developer has been charged with stealing data from the company and extortion attempts totalling $2m in what prosecutors claim was a vicious campaign to harm the firm's share price – including allegedly planting fake press stories about the breaches.
US federal prosecutors claimed that 36-year-old Nickolas Sharp had used his "access as a trusted insider" to steal data from his employer's AWS and GitHub instances before "posing as an anonymous hacker" to send a ransom demand of 50 Bitcoins.
The DoJ statement does not mention Sharp's employer by name, but a LinkedIn account in Sharp's name says he worked for Ubiquiti as a cloud lead between August 2018 and March 2021, having previously worked for Amazon as a software development engineer.
A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed.
Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty was spawned sometime around 2014 from NSA exploit code that eventually leaked online in 2017.
The timeline basically seems to be, according to Check Point:
Biting the hand that feeds IT © 1998–2022