By: - Independent Computer Security Analyst

@gcluley

Android users exposed to malware by installer hijacking vulnerability

March 27th, 2015

Security researchers have warned about a widespread vulnerability in Android devices, that could see attackers sneakily modify or entirely replace seemingly benign apps with malware, without users becoming aware. In other words, a user might attempt to install a legitimate version of “Angry Birds” but instead end up with a Flashlight app that’s harbouring malware. […]



By:

To Patch or Not To Patch, Which is Riskier?

March 16th, 2015

Patching systems in an enterprise is a complex and risky activity. It’s extremely time-consuming if you do it right. It’s even more time consuming if you don’t do it right. And in either case, there is fallout to deal with after patching. The patches don’t get applied to some systems, some systems stop working after […]



By: - Sr. Director Solutions and Strategy

@donleatham

Open Source Security – A Change In the Wind?

March 12th, 2015

As we approach the April anniversary of the Heartbleed security defect (CVE-2014-0160), it’s an understatement to say the last year has been rough sledding for OpenSSL. Since OpenSSL is a critical building block for the tools used to initiate and manage most secured transactions on the internet (e.g. SSL and TLS,) there’s a lot riding […]



By: - Independent Computer Security Analyst

@gcluley

Government report and US senator criticises Air Traffic Control network security

March 10th, 2015

New York Senator Charles Schumer held a press conference this weekend, demanding “immediate action” to improve the security of the Federal Aviation Administration’s computer systems. His concern? That terrorists could break into national air traffic control systems run by the FAA, and use them to wreak havoc in the skies above America. The Democratic senator […]



By:

You’re Still Using Clear Text Passwords!?

March 9th, 2015

This week I was doing some poking around in the hacking forums. Someone recently posted a huge password list. These get circulated around from time to time. It’s a long list of words and character sequences people commonly use for passwords. The intent is that you feed the list to a tool like John the […]



By:

Does Open Source Mean Open Season?

March 2nd, 2015

There has long been a debate over whether open source software is generally more secure or less secure than commercial software. Proponents of open source say it’s more secure because more people are looking at the code, increasing the chances that problems will be seen, documented, and corrected. Proponents of commercial software claim that vendors […]



By: - Independent Computer Security Analyst

@gcluley

What’s worse than Superfish? Meet PrivDog, leaving users wide open to attacks

February 24th, 2015

Last week, a storm erupted on the net after it became widely known that Superfish – software that was being pre-installed on Lenovo PCs – could compromise users’ security and privacy. The problem with Superfish was not just that it injected money-making ads into websites, but that it used a self-signed root certificate to intercept […]



By:

Hacking (Protecting) Your POS System

February 23rd, 2015

In the House of Cards series of posts, I walked you through gaining access to a company’s network through an online portal in order to exfiltrate credit card data. It was a lengthy process, but the target company had enough data to make the time investment worthwhile. Most credit card data thefts come from POS […]



By:

Is Your Organization a House of Cards – Part 6

February 17th, 2015

This is the last in a series of posts describing how a typical credit card data theft occurs, from the hacker’s point of view. If you haven’t read the prior posts, check out parts 1, 2, 3, 4, and 5 to see how we got here. At this point, I have credentials for an online invoicing portal […]



By: - Independent Computer Security Analyst

@gcluley

Android and Windows battle for top position on the malware front, claims report

February 16th, 2015

We all know that malware is a huge problem on the Windows platform. Every day, something like 400,000 new Windows malware variants are dissected by security labs, and most people’s anti-virus software is set to download updates on a pretty much continual basis in an attempt to keep up. It sounds bad because it *is* […]


By:

Is Your Organization a House of Cards – Part 5

February 9th, 2015

This is another in a series of posts (parts 1, 2, 3, 4 ) discussing how I’m infiltrating an airline’s network to gain access to credit card data. I’ve identified a vendor for the airline and am in the process of retrieving saved passwords from the vendor’s Chief Accountant’s browsers. My goal is to find credentials […]


By:

Is Your Organization a House of Cards – Part 4

February 2nd, 2015

In previous posts (part 1, part 2, part 3) I have been taking you through the steps to steal credit card information from Lychee Air, an airline in China. So far I have managed to break into the network of a catering company who works with Lychee Air. I have downloaded account info for their […]


By: - Independent Computer Security Analyst

@gcluley

Dirty sex website xHamster exploited in malvertising campaign

January 29th, 2015

For anyone thinks that they can get their sexual kicks surfing the seedier parts of the internet, rather than lurking about your city’s red light district, I’ve got some bad news for you. You can catch an infection in real life, and you can catch one on your computer too. xHamster, one of the world’s […]


By:

Is Your Organization a House of Cards – Part 3

January 26th, 2015

In my last 2 posts (part 1, part 2) I explained I will be walking you through the attack of an airline company in order to obtain credit card data I can sell. I’ve identified an airline, Lychee Air, flying out of Hangzhou Airport. I was able to use a not-so-public IP camera to watch […]


By:

Is Your Organization a House of Cards – Part 2

January 19th, 2015

In my last post, I explained I will be walking you through the attack of an airline company in order to obtain credit card data I can sell. Now I have my project defined. The first step is to identify a target. Because I’m looking specifically for an airline, I can’t just start scanning ports […]



IT Secured. Success Optimized.™

Contact Lumension | Privacy Policy

Connect & Follow Us

blog.lumension.com