Security_Guy

Advanced Techniques to Bypass & Defeat XSS Filters, Part 1

November 30, 2018 by drd_

drd_

There is no shortage of defenses against cross-site scripting (XSS) since it is so prevalent on the web today. Filters are one of the most common implementations used to prevent this type of attack, usually configured as a blacklist of known bad expressions or based on regex evaluation. But there…

Continue Reading

Marriott breach leaves 500 million exposed with passport, card numbers stolen

November 30, 2018 by Megan Geuss

Megan Geuss

Enlarge / Marriott Hotel brands like the W hotel were breached between 2014 and 2018. (credit: Craig Warga/Bloomberg via Getty Images) On Friday, Marriott International announced a system breach that has affected approximately 500 million customers, with stolen information including names, credit card numbers, mailing addresses, email addresses, and passport…

Continue Reading

Announcing the Google Security and Privacy Research Awards

November 29, 2018November 30, 2018 by Google Security PR

Google Security PR

Posted by Elie Bursztein and Oxana Comanescu, Google Security and Privacy GroupWe believe that cutting-edge research plays a key role in advancing the security and privacy of users across the Internet. While we do significant in-house research and engineering to protect users’ data, we maintain strong ties with academic institutions…

Continue Reading

Discover XSS Security Flaws by Fuzzing with Burp Suite, Wfuzz & XSStrike

November 27, 2018 by drd_

drd_

Cross-site scripting is one of the most common vulnerabilities found on the web today, with repercussions of this type of flaw ranging from harmless defacement to sensitive data exposure. Probing for XSS can be tedious and time-consuming for an attacker, but luckily there are tools available to make things a…

Continue Reading

How to Listen to Radio Conversations on Android with an RTL-SDR Dongle & OTG Adapter

November 27, 2018 by Kody

Kody

Everyone from first responders to hotel cleaning staff use radios operating in the sub-megahertz range to communicate, often without even encoding the transmission. While encoding and encryption are increasingly used in radio communication, an RTL-SDR adapter and smartphone are all it takes to start listening in on radio conversations happening…

Continue Reading

Industry collaboration leads to takedown of the “3ve” ad fraud operation

November 27, 2018November 27, 2018 by Google Security PR

Google Security PR

Posted by Per Bjorke, Product Manager, Ad Traffic QualityFor years, Google has been waging a comprehensive, global fight against invalid traffic through a combination of technology, policy, and operations teams to protect advertisers and publishers and increase transparency throughout the advertising industry.Last year, we identified one of the most complex…

Continue Reading

How to extract HTTPS websites subdomains from Certificate Transparency logs

November 26, 2018 by Andrea Fortuna

Andrea Fortuna

…using a small python script! SSL certificate system suffer of several structural flaws that weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, such us domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. Certificate Transparency is a Google‘s…

Continue Reading

VirtualBox NAT DHCP/BOOTP server vulnerabilities

November 21, 2018November 21, 2018 by Reno Robert

Reno Robert

Continuing from my previous blog posts, this is another old set of VirtualBox bugs which can lead to VM escape. VirtualBox guest in NAT mode (default networking configuration) enables a per VM DHCP server which assigns IP address to guest. [email protected]:~$ ifconfig enp0s3enp0s3 Link encap:Ethernet HWaddr 08:00:27:b8:b7:4c inet addr:10.0.2.15 Bcast:10.0.2.255…

Continue Reading

Buyer’s Guide: Top 20 Hacker Holiday Gifts of 2018

November 20, 2018 by Hoid

Hoid

For the uninitiated, it can be difficult to buy that special hacker in your life a perfect holiday gift. That's why we've taken out the guesswork and curated a list of the top 20 most popular items our readers are buying. Whether you're buying a gift for a friend or…

Continue Reading

Now it’s Office’s turn to have a load of patches pulled

November 20, 2018 by Peter Bright

Peter Bright

Enlarge (credit: Benjamin) After endless difficulties with the Windows 10 October 2018 update—finally re-released this month with the data-loss bug fixed—it seems that now it's the Office team's turn to release some updates that need to be un-released. On November's Patch Tuesday two weeks ago, Microsoft released a bunch of…

Continue Reading

XSS Injection Campaign Exploits WordPress AMP Plugin

November 20, 2018 by Mikey Veenstra

Mikey Veenstra

News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites. WordPress contributor Sybre Waaijer identified the security issue and confidentially disclosed it to the WordPress plugins team. To exploit the flaw, an attacker needs to have a minimum of subscriber-level access…

Continue Reading

Hacking Gear: 10 Essential Gadgets Every Hacker Should Try

November 20, 2018 by distortion

distortion

If you've grown bored of day-to-day hacking and need a new toy to experiment with, we've compiled a list of gadgets to help you take password cracking and wireless hacking to the next level. If you're not a white hat or pentester yourself but have one to shop for, whether…

Continue Reading

Combating Potentially Harmful Applications with Machine Learning at Google: Datasets and Models

November 15, 2018November 30, 2018 by Aaron Stein

Aaron Stein

Posted by Mo Yu, Damien Octeau, and Chuangang Ren, Android Security & Privacy Team[Cross-posted from the Android Developers Blog]In a previous blog post, we talked about using machine learning to combat Potentially Harmful Applications (PHAs). This blog post covers how Google uses machine learning techniques to detect and classify PHAs.…

Continue Reading

Spectre, Meltdown researchers unveil 7 more speculative execution attacks

November 14, 2018 by Peter Bright

Peter Bright

Enlarge (credit: Aurich Lawson / Getty Images) Back at the start of the year, a set of attacks that leveraged the speculative execution capabilities of modern high-performance processors was revealed. The attacks were named Meltdown and Spectre. Since then, numerous variants of these attacks have been devised. In tandem, a…

Continue Reading

Windows 10 October 2018 Update is back, this time without deleting your data

November 13, 2018 by Peter Bright

Peter Bright

Enlarge / This message, shown during Windows upgrades, is going to be salt in the wound. Just over a month since its initial release, Microsoft is making the Windows 10 October 2018 Update widely available today. The update was withdrawn shortly after its initial release due to the discovery of…

Continue Reading