security

Another Window for Hackers: QR Codes

by Joshua L
The article I read for this week talks about how susceptible smartphone users who use QR code reader applications are. QR codes are a relatively new technology and they are apparently really easy to make and modify. This poses a problem for mobile phone users because if they scan a code that a hacker designed and stuck over an existing code on an item, they can easily be sent to a URL that is malicious. These codes are very useful but it seems as though they can create a serious issue if the design is not improved. If the technology becomes more universal and these issues are not handled now, they can really do mass amounts of damage in the future.

Security vs Privacy

by Miguel V
The article I chose for this week is labeled “Cybersecurity bill passes, Obama threatens veto.” This article talks about a controversial cybersecurity bill that was approved late Thursday, even though President Obama is threatening to veto the bill, citing concerns that the bill’s language doesn’t go far enough to protect citizens’ privacy. This article mentions that “companies would be incentivized to voluntarily share information with the government, and the United States could share crucial attack information with companies.” It also mentions that the government’s top cybersecurity advisors widely agree that cyber criminals have the capability to take down the country’s critical financial, energy or communications infrastructure. Cyber attacks are now leveling the playing field, recently attacking Iran in the Stuxnet incident. A worm ordered the centrifuges in an Iranian nuclear facility to spin out of control, ultimately destroying it.

Malware in JavaScript?

by Quoc L
In this age of mobile connectivity, hackers and exploiters are always looking for new techniques to hide their malicious programs. ESET senior researchers have found a new malware exploit using JavaScript. This malware is hidden within the JavaScript OnMouseMove event code. When a guest visits the compromised site and uses their mouse, the malware will instantly activate. The malware avoids detection by security web crawlers by remaining deactivated whenever there is no mouse movement. Another technique that hackers use is to place a snippet of code within an applet, which will later decode the applet and install the malicious software onto your computer.

Static Analysis for JavaScript Security

by Daniel S
As discussed in class, JavaScript is a client-side scripting language for Web-application clients. The article presents ACTARUS, which is used for detecting security issues in JavaScript programs. ACTARUS is a novel taint-analysis algorithm. The article also discusses different types of security vulnerabilities in today’s Web applications, such as injection. Injection occurs when an attacker successfully sends untrusted data to an interpreter, causing the interpreter to execute unintended commands. Another security vulnerability is cross-site scripting (XSS), which is where an attacker injects a malicious script into people’s web browsers, which will cause an execution of some sort. Document Object Model (or DOM)-based XSS is an exploit with JavaScript code. Lastly, the article discusses unvalidated redirects and forwards as a form of security breach. This exploit causes the user to be redirected to unintended Web sites, perform unauthorized AJAX requests, and connect to servers using ports or protocols.

How Cyber Criminals Make Money And What Tricks They Use To Get Info!

by Jamal A
The article I read talks about how cyber criminals make a profit and how they hack into computer systems. We hear pretty much every week that there is a big security breach where tons of personal information is stolen. We have been hearing that for years, but what we don’t know is that behind these attacks there are some really highly organized criminal enterprises. Personal information is the currency for the cyber criminals. It’s literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money. In reality, some attacks are targeted towards a particular business or organization for the purpose of stealing some sensitive information or a large amount of money. But most victims are chosen randomly. Smaller businesses, for instance, might not feel the need to spend time and money fully securing their network since they’re small and not vulnerable, because they think, “Who would want to target us?”

Face recognition to decide who drives

by Ricardo C
In this article the author talks about a system that would recognize someone’s face and determine if he or she is able to drive a vehicle. A Waterloo company paired up with the University of Windsor and developed an algorithm for a face recognition system and a blood-alcohol level sensor on a steering wheel. According to the article, the facial recognition system has a database that the owner of the car can control and that determines who drives the car.
This system will also help to reduce auto thefts since the car will not start if the person is not in the database. The article also mentions that the technology will be packed with sensors built into a steering wheel that would detect a driver’s blood alcohol level when his or her hands are placed on the wheel. The system will determine if there is an exceeded limit of alcohol in the individual and would halt the car.

IPv6 Is Not Ready For DDoS Attacks

by Toan T
This article talks about how internet users that are on IPv6 are more susceptible to DDoS attacks than people that are on IPv4. Studies have shown that hackers have set their sights on IPv6 after the first incident that has happened on the new network. However, there is really no defense against these attacks because the technology is quite new, and if an attack is executed, network administrators will have their hands tied together without knowing what to do. About 21% of users that are on IPv6 reported that they didn’t even know that they were possible victims of such an attack. The best solution to combat DDoS at this moment is to have the networks not exist at all, which certainly will not happen since there is money on the line. With more IPv6 networks being deployed down the road, it is unknown whether there is any solution to prevent such types of incidents from happening in the near future.

Lacking security for databases

by Edwin T
Hackers attacking a network are usually trying to go after the database. The article I read discussed the measures some companies take in order to protect their databases. Unfortunately, they are not good enough. Companies such as Epsilon and Sony have suffered attacks where information gets stolen; this is because they believe protecting their perimeter is sufficient to protect the database. Firewalls and security protocols are essential but organizations should be thinking about implementing new security measures. “The closer we get to the data, we see fewer preventive controls and more detection measures,” said Josh Shaul, CTO of Application Security. Having continuous real-time monitoring that detects suspicious or unauthorized activity allows security administrators to stop anyone from accessing information they shouldn’t be accessing. SQL injection remains a very popular way to trick the database into returning results. Continuous monitoring is new technology that is catching on quickly and many companies are implementing it to have something to rely on if the perimeter security measures are breached.

Rising Data Breaches in Hospitals

by Jim J
Figures in data breaches from hospitals continue to go up this year. Compared with 8% in 2008, compromises in data security have gone up to a staggering 31%. Few of these problems are caused by hand made errors; instead, the reason for the rise in the breach of data security is the growing use of portable devices, which include both laptops and handheld devices, in the medical industry. With the plethora of devices and applications available nowadays, regulation is simply too slow to keep up with technology and update policies to control handling data the proper way. And last, more companies outsource work to third parties, which further complicates the policies they follow in protecting user data.

HTML E-Mail Security Concerns

by Daniel S
Carl Both had discovered a flaw within Microsoft and Netscape programs that allows forwarded e-mails to be traced and read. After dabbling around with JavaScript, he had discovered that by adding a certain line of code into any e-mail, he would be able to have access to it once someone forwards that e-mail, as long as they too were using HTML/Java-enabled readers. In disbelief, he had tested out this discovery amongst a handful of friends, and sure enough, every forwarded e-mail, along with the comments, was being copied and sent to Carl. After contacting Microsoft, he received a reply back that they too acknowledged the known problem; however, they were not going to do anything about it due to customer convenience.