Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

Proof(s) →

May 26, 2018 by Marc Handelman in Attacks, Attack Analysis, Attack Kill Chain, Attack-Proof Code, Code

Kevin Hartnett, Senior Writer at Quanta Magazine, expounds on formal verification as a means of providing assurance of attack-proof code... Is that like the unsinkable ocean liner, with a successful attack only a matter of time? Or can attack-proof code really be proved, as in a mathematical proof? One caveat worth keeping in mind: a verified system is proved correct only with respect to its specification and the assumptions the proof rests on (the hardware model, the compiler, whatever components were left unverified), so an attack that steps outside those assumptions is not ruled out by the proof. You be the judge.

“They were not able to break out and disrupt the operation in any way,” said Kathleen Fisher, a professor of computer science at Tufts University and the founding program manager of the High-Assurance Cyber Military Systems (HACMS) project. “That result made all of DARPA stand up and say, oh my goodness, we can actually use this technology in systems we care about.” - via Kevin Hartnett, Senior Writer at Quanta Magazine


Node Package Manager, Tribulátio, In Paradiso

August 23, 2017 by Marc Handelman in Attacks, Attack Analysis, Security Development, Security Failure, Security Flaws, Information Security, Infosec Competence

Well, it looks like there is a bit of bother at npm, what with the recent run of security failures. Read Adam Shostack's well-crafted piece detailing what's broken and what to do about it (the remedy being fairly obvious once you read his thoughtful post). Enjoy.

"In June, security researcher ChALkeR explained how he 'obtained direct publish access to 14% of npm packages (including popular ones). The estimated number of packages potentially reachable through dependency chains is 54%.' Then, there was a typo-squatting attack that went undetected for two weeks. And just a few days ago, Ivan Akulov reported on malicious packages in npm." - via Adam Shostack, writing at IANS
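The typo-squatting attack the quoted passage mentions works because a dependency name one keystroke away from a popular package (or the same name with a hyphen dropped) installs without complaint. The following is an added example, not code from the original post, from Adam Shostack or from the npm project, of a pre-install check that flags such look-alike names. The list of "popular" packages and the package.json contents are constructed for the demonstration; a real check would take the popular list from registry download counts.

```javascript
// Added example: flag dependencies whose names are one edit away from a
// well-known package name. Not part of the original post or of npm itself.

// Constructed list of "well-known" names. In practice, pull the top-N packages
// by download count from the registry and refresh it regularly.
const POPULAR = ['lodash', 'express', 'cross-env', 'react', 'babel-cli', 'mongoose'];

// Constructed package.json contents, including two look-alike names:
// 'crossenv' (hyphen dropped) and 'expresss' (extra letter).
const PACKAGE_JSON = {
  dependencies: { lodash: '^4.17.4', crossenv: '^6.1.1', expresss: '^4.15.0' },
  devDependencies: { 'babel-cli': '^6.26.0' },
};

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
// insertions, deletions, substitutions and adjacent transpositions cost 1 each,
// so a swapped pair of letters counts as a single typo.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Drop separators and case so 'cross-env' and 'crossenv' compare as identical.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Return one {name, lookalike, distance} record for every dependency that is
// not itself on the popular list but lies within maxDistance edits of one.
// Distance 0 means "identical once separators are removed".
function findTyposquats(pkg, popular = POPULAR, maxDistance = 1) {
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const known = new Set(popular);
  const hits = [];
  for (const name of deps) {
    if (known.has(name)) continue; // the real package, not a look-alike
    for (const p of popular) {
      const dist = Math.min(editDistance(name, p), editDistance(normalize(name), normalize(p)));
      if (dist <= maxDistance) {
        hits.push({ name, lookalike: p, distance: dist });
        break;
      }
    }
  }
  return hits;
}

// Stand-alone run over the constructed manifest; wire this into a preinstall
// hook or CI step and fail the build when the result is non-empty.
console.log(findTyposquats(PACKAGE_JSON));
```

A hit is not proof of malice, so treat the output as a review queue rather than an automatic block list, and keep the distance threshold at 1 for anything but very short names, where a larger threshold produces mostly noise.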


DNSChanger, Redux →

December 19, 2016 by Marc Handelman in All is Information, Attacks, Steganography, Information Security, Web Security

Apparently, DNSChanger has reared its pernicious head again, infecting large numbers of unwary users through malicious banner ads served on major news sites, with the attack code hidden steganographically inside the ads... This time the bad news, covering both the delivery vector and the attack itself, comes via The Hacker News reporter Swati Khandelwal.


FossHub, The Hack →

August 08, 2016 by Marc Handelman in All is Information, Information Security, Attacks

Meanwhile, in Open Source Software nonsense-hacks-perpetrated-by-children-with-heads-full-of-mush, comes word of a FossHub hack by a group monikered Cult of Peggle, according to Ionut Arghire, writing at InfosecIsland.

Apparently, as a result of the attack, the Audacity and Classic Shell installers distributed via FossHub were replaced with malware-laden versions... In this case, a ridiculous attack targeting the highly-regarded sound editor and the shell throwback product, with a payload that overwrites the victim's Master Boot Record (MBR). The practitioner's takeaway: an installer pulled from a download mirror is only as trustworthy as the mirror, so check it against a hash or signature obtained from the project itself, through a channel the mirror does not control, before running it.
