vulnerabilities (872)


KRACK Attacks: Breaking WPA2
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs).
security  vulnerabilities  krack  wifi  work 
yesterday by ahall
Falling through the KRACKs
I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?
krack  security  wpa  wifi  ieee  crypto  vulnerabilities 
yesterday by jm
Pentagon Turns to High-Speed Traders to Fortify Markets Against Cyberattack
Oct. 15, 2017 | WSJ | By Alexander Osipovich.

"What would it be like if a malicious actor wanted to cause havoc on U.S. financial markets?" ... Dozens of high-speed traders and others from Wall Street are helping the Pentagon study how hackers could unleash chaos in the U.S. financial system. The Department of Defense’s research arm, DARPA, over the past year and a half has consulted executives at high-frequency trading firms and quantitative hedge funds, and people from exchanges and other financial companies, participants in the discussions said. Officials described the effort, the Financial Markets Vulnerabilities Project, as an early-stage pilot project aimed at identifying market vulnerabilities.

Among the potential scenarios: Hackers could cripple a widely used payroll system; they could inject false information into stock-data feeds, sending trading algorithms out of whack; or they could flood the stock market with fake sell orders and trigger a market crash. ... Among potential targets that could appeal to hackers given their broad reach are credit-card companies, payment processors and payroll companies such as ADP, which handles the paychecks for one in six U.S. workers, participants said. ... The goal of Darpa’s project is to develop a simulation of U.S. markets, which could be used to test scenarios. Such software would need to model complex, interrelated markets—not just stocks but also markets such as futures—as well as the behavior of automated trading systems operating within them. ... Many quantitative trading firms already do something similar. ...

In 2009, military experts took part in a two-day war game exploring a “global financial war” involving China and Russia, according to “Currency Wars: The Making of the Next Global Crisis,” a 2011 book by James Rickards. ... “Our charge at Darpa is to think far out,” he said. “It’s not ‘What is the attack today?’ but ‘What are the vectors of attack 20 years from now?’”
Pentagon  financial_markets  financial_system  vulnerabilities  high-frequency_trading  DARPA  traders  hedge_funds  Wall_Street  hackers  books  rogue_actors  scenario-planning  scenario  cyber_security  cyber_warfare  cyberattacks 
2 days ago by jerryking
Security Advisories for Firefox — Mozilla
Advisories from Firefox Browser with CVE and Issues Linkage
firefox  vulnerabilities  advisories 
19 days ago by carlosviansi
CLKSCREW: Exposing the perils of security-oblivious energy management | the morning paper
> In this work, we present the CLKSCREW attack, a new class of fault attacks that exploit the security-obliviousness of energy management systems to break security. A novel benefit for the attackers is that these fault attacks become more accessible since they can now be conducted without the need for physical access to the devices or fault injection equipment.

Demonstrating the potency of the attack on commodity ARM devices (a Nexus 6 phone), the authors show how it can be used to extract secret keys from ARM TrustZone, and can escalate privileges to load self-signed code into TrustZone.

You thought Rowhammer was bad!
security  hardware  vulnerabilities  power-management 
26 days ago by absfac
Tornado-Ravaged Hospital Took Storm-Smart Approach During Rebuild - Risk & Compliance Journal.
Aug 30, 2017 | WSJ | By Ben DiPietro.

... “Preparation for what these events can be–and belief they can actually happen–is important so you make sure you are preparing for them,” ... trying to undertake whatever is your organizational mission in the midst of a tornado or other devastating event is much harder, given the high emotions and stress that manifest themselves at such moments.

“Understand the possibilities and pre-planning will make that go a lot better,”

As Hurricane Harvey has shown, extreme weather events can devastate a region’s infrastructure. Hospital operator Mercy had its own experience of this in 2011 when a tornado ripped through Joplin, Mo., killing 161 people and destroying its hospital.

Hospital operator Mercy took the lessons it learned from that tornado experience and incorporated them into the design of the new hospital–and also changed the way it plans and prepares for disasters. The new facility reflects a careful risk assessment, as Mercy took into account not only the physical risk of tornadoes but the risks to power supplies and medical supplies.

“We always prepare, always have drills for emergencies, but you never quite can prepare for losing an entire campus,” ... “Now we are preparing for that ... it definitely changed the way we look at emergency management.”

** Protecting What Matters Most **
Mercy took the lessons it learned from that devastating weather event and applied them when it was time to build its latest hospital, which was constructed in a way to better withstand tornadoes while providing more secure systems infrastructure and adding backup systems to ensure operations continued unimpeded. ... Even the way medical supplies were stored was changed; instead of storing supplies in the basement, where they were inaccessible in the immediate aftermath of the tornado, they now are kept on each floor so staff don’t need to go hunting around for things they need during an emergency. ... “The first priority is to save lives, the second is to minimize damage to the facility,”

** Focus on the Worst **
... many companies worry about low-severity, high-frequency events–those things that happen a lot. They instead need to focus more on high-severity events that can cause a company to impair its resilience. “... identify and work on a worst-case scenario and make sure it is understood and the company is financially prepared for it,”

... work with its key vendors and suppliers to know what each will do in the face of a disaster or unexpected disruption. “... large companies [should] know their key vendors prior to any major incidents,” ... “Vendors become partners at that time and you need to know people will do what you need them to do.”

A company needs to assess what is most important to its operations, map who its vendors are in those areas and engage them in various loss scenarios. ... It should review its insurance policy language against possible weather events, identify any gaps and either revise policies to fill those holes or at least make sure executives understand what the risks are of leaving those gaps unattended.
See also :
What to Do Before Disaster Strikes - ☑
September 27, 2005 | WSJ | By GEORGE ANDERS.
... start by cataloging what could go wrong. GM, for example, has created "vulnerability maps" that identify more than 100 hazards, ranging from wind damage to embezzlement. Such maps make it easier for managers to focus on areas of greatest risk or gravest peril.
disasters  disaster_preparation  Hurricane_Harvey  improbables  extreme_weather_events  hospitals  tornadoes  design  rebuilding  preparation  emergencies  lessons_learned  worst-case  natural_calamities  anticipating  insurance  vulnerabilities  large_companies  redundancies  business-continuity  thinking_tragically  high-risk  risk-management  isolation  compounded  network_risk  black_swan  beforemath  frequency_and_severity  resilience 
6 weeks ago by jerryking
The DETER Project
Research project and operator of DETERLab, an advanced testbed facility where leading researchers and academics conduct critical cybersecurity experimentation and educational exercises.
security  projects  research  testing  testbed  vulnerabilities  hacking 
6 weeks ago by mdelatorre
Security vulnerability detection scan for CI/CD pipeline with JFrog Xray
Scan and detect vulnerabilities in your builds, as early on in the CI/CD process as possible, without interfering in development time.
xray  git  ci  vulnerabilities  article 
6 weeks ago by vonc