security   461240

« earlier    

Checklist-Driven Security Considered Harmful - Paragon Initiative Enterprises Blog
Application security has a checklist problem; we propose a better way forward.
security 
12 hours ago by geetarista
How To Add A Security Key To Your Gmail (Tech Solidarity)
Once you've verified a phone number, you'll see this 2-step verification screen:
security  mail 
13 hours ago by Spigot
VM escape - QEMU Case Study (2017-04-28) - .:: Phrack Magazine ::.
Virtual machines are nowadays heavily deployed for personal use or within the enterprise segment. Network security vendors use for instance different VMs to analyze malwares in a controlled and confined environment. A natural question arises: can the malware escapes from the VM and execute code on the host machine? Last year, Jason Geffner from CrowdStrike, has reported a serious bug in QEMU affecting the virtual floppy drive code that could allow an attacker to escape from the VM [1] to the host. Even if this vulnerability has received considerable attention in the netsec community - probably because it has a dedicated name (VENOM) - it wasn't the first of it's kind. In 2011, Nelson Elhage [2] has reported and successfully exploited a vulnerability in QEMU's emulation of PCI device hotplugging. The exploit is available at [3]. Recently, Xu Liu and Shengping Wang, from Qihoo 360, have showcased at HITB 2016 a successful exploit on KVM/QEMU. They exploited two vulnerabilities (CVE-2015-5165 and CVE-2015-7504) present in two different network card device emulator models, namely, RTL8139 and PCNET. During their presentation, they outlined the main steps towards code execution on the host machine but didn't provide any exploit nor the technical details to reproduce it. In this paper, we provide a in-depth analysis of CVE-2015-5165 (a memory-leak vulnerability) and CVE-2015-7504 (a heap-based overflow vulnerability), along with working exploits. The combination of these two exploits allows to break out from a VM and execute code on the target host. We discuss the technical details to exploit the vulnerabilities on QEMU's network card device emulation, and provide generic techniques that could be re-used to exploit future bugs in QEMU. For instance an interactive bindshell that leverages on shared memory areas and shared code.
security  vm  networking 
14 hours ago by Chirael
Cryptographic Storage Cheat Sheet - OWASP
Algorithms, key size and parameters report – 2014
architecture  crypto  data  security 
15 hours ago by cwensel

« earlier    

related tags

#tw  00000  1stia  2017  2fa  account  alexa  amazon  analysis  anbar  android  anonym  anonymous  app  appliance  apps  architecture  automotive  aws-security-viz  aws  backscatter  badtech  bas  bgp  bigbrother  blockchain  blogs  book  browser  browsers  cars  chrome  container  crime  crm  crypto  cyberwar  darkweb  data  debugging  deepweb  delete  design  development  digitalrights  disposable  diyala  ec2  ecs  email  encryption  extension  facebook  facepalm  fail2ban  filetype:pdf  finance  firefox  firewall  fortify  free  freeware  funny  garbage  geo-location  go  go_tr  golang  google  googlechrome  groups  gwt  gwtrpc  hardware  hif  hijack  home  http  https  humor  important  informatiebeveiliging  infosec  internet  iot  java  key-management  keys  kubernetes  lasc  leak  legal  letsencrypt  linux  macron  mail  military  network  networking  nist  nsa  oauth  ohforfuckssake  openssl  owasp  paper  parameter.store  password  phishing  phones  php  pki  plugin  plugins  podcast  politics  privacy  programming  radio  rails  raspberrypi  read  reference  replyall  review  rpi  russia  rutbah  safetynet  salahaddin  salahaddinopscommand  samarra  samarraops  scary  search  securitystupidity  server  service  software  ssh  ssl  standards  surveillance  sysadmin  technology  temp  theft  tls  toc  tools  troyhunt  trusted  tutorial  vim  visualization  visualize  visualizing  vm  vpn  web  windows  windows10  wired  wireless  wordpress  wow  zoomeye 

Copy this bookmark:



description:


tags: