Tell us how to infect an iPhone remotely, and we’ll give you $1,000,000 USD

If there’s something which is in high demand from both the common internet criminals and intelligence agencies around the world, it’s a way of easily infecting the iPhones and iPads of individuals.

The proof that there is high demand for a way to remotely and reliably exploit iOS devices, in order to install malware that can spy upon communications and snoop upon a user’s whereabouts,

Sysadmins who fail to change default configurations leave petabytes of data at risk

Here’s a very important lesson for system administrators and developers who don’t want data to fall into the wrong hands: change the default settings, or risk leaving your organisation’s servers open to access by unauthorised, external parties.

A study by researchers at Swiss security firm BinaryEdge has scanned the internet on various ports,

How to Own an Oil Well in 30 Minutes

Industrial Programmable Logic Controllers (PLCs) are devices used to control key manufacturing and infrastructure systems around the world. A PLC is a fully customizable device which can take just about any data in, perform any combination of logical operations on it, and create an almost unlimited number of output scenarios. They’re common on manufacturing lines to control production machinery.

Five years after Stuxnet, your USB drive is still being patched

Yesterday was Patch Tuesday, and – as Optimal Security’s Russ Ernst described – Microsoft released fixes for a smorgasbord of vulnerabilities.

Obviously, it’s important that you roll out the patches as soon as possible, and ensure that your computers and networks are protected against threats which malicious hackers could use to target your systems,

Infosec Haiku

Your information security haiku for this week

Mac Users Beware –
Thunderstrike and Zero-Day
Are Lookin’ For You!

Notes
* Thanks to Ms. Etsuko vdH for the translation.
* Thanks to everyone who has contributed their haikus …

LinkedIn trumpets the success of its private bug bounty

It’s all very well having a bug bounty program, argues LinkedIn, but how is your organisation going to cope if it is bombarded with hundreds of meaningless and useless reports, that your security team cannot act upon?

You May Already Know Your Next Hacker

Over the last couple of weeks I’ve seen a pattern of companies frustrating an individual to the point where the person gives up trying to communicate with the company and hacks them in a major way instead. I guess you could call it Revenge Hacking. In each case, the company was communicating with the person in an above-board manner.

How Does Your Organization Handle Vulnerability Disclosures?

You’ve probably heard the idiom “No good deed goes unpunished.” It looks like that phrase will survive even the cyber age. There have been a few news stories about how vulnerability disclosures were handled, or mishandled. Some made me laugh, some made me cringe.

When IT Security professionals find a vulnerability, they know what to do next.

Buying Exploits for Zero-Day Vulnerabilities

A few weeks ago a story appeared on Slashdot about a new marketplace on the Dark Web called The Real Deal. Since it’s already in the press, hopefully there’s no harm in describing it here. I do risk being banned from the site for discussing it, but I’m optimistic they’ll see it as free publicity rather than doxxing.
