News & Updates

“No Gods or Kings, Only Man.” No higher authority than that of reason and rationality. A place where “the artist would not fear the censor, where the scientist would not be bound by petty morality, where the great would not be constrained by the small.” As videogame intros go, few are as ambitious, or as forthright, as the protagonist’s descent into the murky depths that envelop Bioshock’s underwater city of Rapture. Fewer still are as effective nearly a decade on. Whether players realise it or not, those words—No Gods or Kings, Only Man—plastered above the golden visage of the game’s big bad, Andrew Ryan (an interesting contradiction in itself), set a tone that’s carried through the entirety of the game.

It’s a mighty ambitious tone too. Objectivism—a controversial political philosophy created by the Russian-American philosopher Ayn Rand in the mid-20th century—is what stands between Bioshock having a hokey sci-fi plot, and one that gives it worth well beyond its now-waning technical offerings. What is objectivism? In short, it’s the idea that society flourishes if each of its members focuses on their own self-interests over the interests of others, and without heavy-handed intervention from the state. In doing so, the theory runs that each person creates a personal situation where they feel accomplished and happy. Ultimately, society rules itself, “without Gods or Kings.”

Objectivism in Bioshock is seemingly presented as a failure. When you arrive in Rapture, the city has already fallen into chaos and decay, the vast majority of its surviving inhabitants having been consumed by the gene-altering “plasmids” that instil both superpowers and insanity on its users. But the real message of the game goes deeper than this simple warning. Rapture’s founder and ruler, Andrew Ryan, is Bioshock’s less-than-subtle embodiment of Ayn Rand. Both Rand and Ryan grew up in the Soviet Union under strict communist governments, experiencing the kind of poverty and injustice that sometimes results from a system where individual liberty is side-lined in favour of helping the whole.



Last year, Chrome made Flash ads click-to-play; now, Google is trying to kill off Flash completely.

Starting with Chrome 53, due out early next month, the browser will automatically block tiny and non-visible Flash content, such as tracking and fingerprint cookies that are notoriously hard to shake off. Then, with Chrome 55 in December, Flash will be deprecated entirely, with exceptions for “sites which only support Flash.” In both cases HTML5 is expected to take up the reins.

The changes in Chrome 53 are mostly targeted at behind-the-scenes Flash widgets that many sites use for tracking and analytics purposes. Best-case these non-visible elements can slow down your browsing experience, worst-case they might cause stability issues or reduce battery life on mobile devices. Google says that publishers are in the process of moving these widgets over to HTML5.



Today I have interviewed Claudio Caracciolo (@holesec), one of the most renowned security professionals, who works as Chief Security Ambassador for ElevenPaths.

Claudio Caracciolo (@holesec) wrote a book and is known for his effective interpersonal skills and his ability as an international speaker.

Enjoy the Interview.


You are one of the world’s most talented cyber security experts. Could you tell me what your technical background is and when you started hacking?

First of all, thank you Pierluigi for the interview and for the compliment.

I studied Electronic Engineering and Telecommunications, but the real story is that I love to break things, learn how they work and try to fix them or expand their functionality. So, I live my entire life that way, breaking everything I find. I break things that sometimes I can fix, that sometimes I can expand the functionality of, and that sometimes I have to put in the trash…

I started hacking some time ago but I didn’t know it… I started doing some electronic experiments with cameras and mixers, then I worked in a garage trying to modify computer boards on different cars, and finally I discovered communication systems, so I started to study outside of the University everything that I needed (programming languages, network concepts, hardware concepts, etc.) with the intention of learning how it was possible… But one day, I discovered Social Engineering and all my life made sense XD.

What was your greatest hacking challenge?

Well, there are a lot of stories that I remember from my own work, some of them about one of my passions: “Social Engineering” (you can read some of them in my blog in Spanish), but I have to tell you that the greatest hacking challenge for me is the one that I still have to find… I have a lot of funny stories or good ones, but I always look for more training for my mind.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

In my opinion, you have to use the tool that you need… Nowadays there are a lot of tools that do the same thing in a different way, or even in the same way but with a different interface… If you know what you have to do and how your tool works, you can use it whenever you want…

In my case, I usually have Python with Scapy, Nmap, Wireshark, FruityWiFi and SEToolkit. I know there are 5 tools and not 4.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why?

Everyone. I don’t think there is one which is more exposed than others. There are some particularities in some types of industries, but everyone is a target for criminals, hacktivists, students, etc., for example:

  • Telecommunications are always attacked because they are a direct target or just because they are in the middle between the attacker and the victim.
  • The energy industry is a target for terrorism, for governments, etc.
  • Banking industry doesn’t need explanations.
  • And so on…

Most companies have technical problems and human problems, so we have a lot of work for a long, long time.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

Yes, I’m sure about that.

The older technology, the lack of real education in cybersecurity, the long amortization time of these special devices, the unpatched applications or unsupported operating systems exist more commonly in this industry…

Fortunately, people and industrial vendors are starting to understand these types of threats and work around them.

What scares you more on the internet and why? 

Scared? I’m not scared, I think that no one should be scared.

I am worried that many companies and governments are not yet ready to protect us from basic attacks.

Thanks a lot!


Pierluigi Paganini

(Security Affairs – hackers, Claudio Caracciolo)

The post Hacker Interviews – Claudio Caracciolo appeared first on Security Affairs.

Source: Security affairs

Sony’s upcoming 4K-capable PlayStation 4 Neo console looks set for a September reveal. The company has begun sending out invites to a “PlayStation” meeting taking place in The PlayStation Theatre, New York on September 7 at 3pm (8pm UK time). It has also confirmed that updates on the PS4 and the PlayStation business are part of the event.

The invite follows several reports that Sony would unveil Neo in September, with French gaming website Gameblog even nailing down the exact date earlier this week. While Sony’s Andrew House confirmed the existence of the console to the Financial Times in June, it has yet to detail any of its specifications, or what sort of performance players can expect from its upgraded hardware.

That said, an earlier report from gaming website GiantBomb—which was corroborated by several other publications—detailed the specifications of the console, which included a boost in CPU clock speed, more and faster GPU cores, and increased memory bandwidth. All is said to be based on AMD’s technology, which is used in the current PS4.




A copyright dispute between Oracle and Google was resolved in May by a federal jury, which found that Google’s Android operating system didn’t infringe copyrighted code owned by Oracle. A post-trial skirmish over once-confidential Google information is heating up, though, with Google asking for sanctions against one of Oracle’s lead attorneys.

Now, Google says (PDF) it should get additional fees because Oracle attorney Annette Hurst disclosed Android revenue and profit figures in open court. She also revealed that Google paid $1 billion to be the default search bar on Apple’s iPhone. Those figures should have stayed confidential, say Google lawyers, but once a Bloomberg reporter got hold of a transcript of the hearing, they became headline news.

Yesterday, Oracle filed court papers (PDF) responding to the accusations. Oracle points out that Hurst’s statements were made “in response to probing questions from Magistrate Judge Ryu,” and were an “on-the-fly rebuttal of mischaracterizations made by Google’s counsel.” The statements didn’t violate the protective order, Oracle argues, and they fall short of the legal requirements for contempt.




OAKLAND, Calif.—At a Monday hearing in federal court, US Magistrate Judge Donna Ryu had strong words for prosecutors in an attempted murder and gang case that has dragged on for nearly three years.

“It is stunning to me that at this point in the case, the government cannot tell me very clearly what search has been done and what exists or does not exist, relevant to a stingray,” she said with exasperation.

As Ars reported over a year ago, the case of United States v. Ellis et al involves four men who are charged with the 2013 attempted murder of local police officer Eric Karsseboom. The men are also charged with running an alleged East Oakland gang centered around Seminary Avenue (known as “SemCity”).




Name a home appliance or product, and there’s probably a smart version of it today. But for the renters among us, it can be tricky to navigate the aisles of smart light bulbs, thermostats, air conditioners, and vacuums to pick out devices that won’t jeopardize your security deposit. When you don’t own your home, there’s a different set of rules dictating modifications, and some smart home products don’t take that into account.

Luckily these days, an increasing number of smart home devices can cater to apartment dwellers that want to avoid ripping open walls and trussing up wires. And as a NYC-based Ars staffer, I had a particularly perfect rental laboratory to recently test and explore what kinds of smart home devices fit renters’ needs.



In Brief
Microsoft’s August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows.

A security bulletin, MS16-102, patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by


Russian antivirus company Doctor Web discovered a new Linux Trojan dubbed Linux.Lady that is used by crooks to mine cryptocurrency.

According to a new report published by the antivirus company Doctor Web, a Go-based Linux Trojan, dubbed Linux.Lady.1, is used by cyber criminals for cryptocurrency mining.

“Doctor Web analysts have detected and examined a new Linux Trojan which is able to run a cryptocurrency mining program on an infected computer. Its key feature lies in the fact that it is written in Go, a language developed by Google.” states the report published by Doctor Web.

The Linux.Lady Trojan is written in Google’s Go programming language and uses various libraries that are available on GitHub. Go was introduced by Google in 2009. Using Go to develop malicious code is not new: it was first used with the intent of creating malware in 2012, although it isn’t very popular in the vxer community.

When Linux.Lady infects a system, it gathers information on the system, including the Linux operating system version, the number of CPUs and processes.

Once it has collected information on the infected host, the malware sends it back to a command and control (C&C) server, which in turn provides a configuration file for downloading a cryptocurrency mining application.

The sample of Linux.Lady analyzed by Doctor Web was mining a cryptocurrency named Monero.

Another interesting feature implemented in Linux.Lady allows the malware to spread to other Linux computers on the infected network.

“The Trojan receives a configuration file containing information necessary for the Trojan’s operation. Then it downloads and launches a cryptocurrency mining program. The malware determines an external IP address of the infected computer using special websites specified in the configuration file.” states the report on the threat. “The Trojan then calculates the mask of the subnet External_ip (mask is and tries to connect to the remote hosts via port 6379 (redis) without entering a password. If the connection is established, Linux.Lady.1 opens the URL specified in the configuration file, downloads a script detected as Linux.DownLoader.196, and adds it to the cron scheduler of the infected computer:”


In the past, other Linux malware was discovered by the experts at Doctor Web, including the Encoder ransomware and the Ekoms malware.

Mining activities are a profitable business for cyber criminals, who exploit victims’ computational resources to make money.
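The spreading step described in the report depends on Redis instances that accept connections on port 6379 from other hosts without a password. The following is an added example, not code from Doctor Web or from this post, that audits a redis.conf for that condition; `bind`, `protected-mode`, `requirepass` and `port` are Redis's own directives, while the function names and the sample file are constructed for illustration.

```javascript
// Added example: audit a redis.conf for the exposure Linux.Lady.1 relies on
// (Redis reachable from other hosts with no password set).
// bind, protected-mode, requirepass and port are Redis's own directives;
// every function name and the sample file below are constructed.
const SAMPLE_CONF = `
# constructed sample, not taken from a real host
port 6379
bind 0.0.0.0
protected-mode no
# requirepass "set-a-long-random-secret"
`;

const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1|localhost)$/;

// Parse "directive arg1 arg2 ..." lines; comments and blank lines are skipped.
function parseRedisConf(text) {
  const conf = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const [key, ...args] = line.split(/\s+/);
    conf[key.toLowerCase()] = args.map((a) => a.replace(/^"(.*)"$/, '$1'));
  }
  return conf;
}

function auditRedisConf(text) {
  const conf = parseRedisConf(text);
  const findings = [];
  const password = (conf['requirepass'] || [''])[0];
  const bind = conf['bind']; // undefined when the file has no bind directive
  // Assumption: a missing protected-mode line is treated as "no", which is
  // the conservative reading for Redis versions that predate the setting.
  const protectedMode = (conf['protected-mode'] || ['no'])[0].toLowerCase() === 'yes';

  if (password === '') findings.push('no-password');
  // A leading "-" on a bind address only means "ignore if unavailable".
  if (bind && bind.some((a) => !LOOPBACK.test(a.replace(/^-/, '')))) {
    findings.push('non-loopback-bind');
  }
  if (!bind && !protectedMode) findings.push('all-interfaces');

  const reachable = findings.some((f) => f !== 'no-password');
  return {
    port: (conf['port'] || ['6379'])[0],
    findings,
    exposed: password === '' && reachable, // the condition the report describes
  };
}

console.log(auditRedisConf(SAMPLE_CONF));
```

An `exposed: true` result means the instance needs a password and a loopback or internal-only bind address before it is reachable from other hosts.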


Pierluigi Paganini

(Security Affairs – Linux.Lady, Linux)

The post Linux.Lady, a Go-based Linux Trojan that mines cryptocurrency appeared first on Security Affairs.

Source: Security affairs

The security expert Rafael Fontes Souza has discovered vulnerabilities in the website of HP (Hewlett Packard) and decided to explain concepts of code review to mitigate the risk of this failure and prevent future attacks.

“I would like to make it clear, I am writing this report for educational purposes; I contacted the HP Security Team, which has already fixed the flaw.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’).

Cross-site scripting is a type of coding vulnerability. XSS enables attackers to inject malicious scripts into web pages viewed by other users. XSS may allow attackers to bypass access controls (such as the same-origin policy).

How does this attack work?

Cross-site scripting (XSS) vulnerabilities occur when:

  1. Untrusted data enters a web application, typically from a web request.
  2. The web application dynamically generates a web page that contains this untrusted data.
  3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
  4. A victim visits the generated web page through a web browser, which contains a malicious script that was injected using the untrusted data.
  5. Since the script comes from a web page that was sent by the web server, the victim’s web browser executes the malicious script in the context of the web server’s domain.
  6. This effectively violates the intention of the web browser’s same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.


What to Review

Cross-site scripting flaws can be difficult to identify and remove from a web application. The best practice to search for flaws is to perform an intense code review and search for all places where user input through an HTTP request could possibly make its way into the HTML output.

The code reviewer needs to closely review:

  1. That untrusted data is not transmitted in the same HTTP responses as HTML or JavaScript.
  2. When data is transmitted from the server to the client, untrusted data must be properly encoded in JSON format and the HTTP response MUST have a Content-Type of application/json. Do not assume data from the server is safe. Best practice is to always check data.
  3. When introduced into the DOM, untrusted data MUST be introduced using one of the following APIs:
  • Node.textContent
  • document.createTextNode
  • Element.setAttribute (second parameter only)

The code reviewer should also be aware of the HTML tags (such as <img src…>, <iframe…>, <bgsound src…> etc.) that can be used to transmit malicious JavaScript.

Web application vulnerability automated tools/scanners can help to find cross-site scripting flaws. They cannot find all of them, which is why manual code reviews are important. Manual code reviews won’t catch all either, but a defense-in-depth approach is always the best approach based on your level of risk.

Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these types of attacks, as these can damage you more than you expect.
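A review aid for the checklist above, as an added example that is not part of the original report: it scans client-side JavaScript for DOM writes other than Node.textContent, document.createTextNode and the value argument of Element.setAttribute. The sink list, `reviewSource` and the sample source are assumptions made for illustration; a line-based pass like this narrows where to look and does not replace the manual review.

```javascript
// Added example: flag DOM writes that bypass the safe APIs listed above.
// The sink list, function name and sample source are constructed here.
const HTML_SINKS = [
  { sink: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/ },
  { sink: 'outerHTML', re: /\.outerHTML\s*\+?=(?!=)/ },
  { sink: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { sink: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
];
// setAttribute is acceptable for untrusted data in its second parameter only,
// and not for attributes whose value the browser treats as script or a URL.
const SET_ATTRIBUTE = /\.setAttribute\s*\(\s*([^,]+?)\s*,/;
const STRING_LITERAL = /^(['"])([\w-]+)\1$/;
const SCRIPT_BEARING = /^(on\w+|href|src|srcdoc)$/i;

function reviewSource(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const code = text.trim();
    if (code === '' || code.startsWith('//')) return;
    const line = index + 1;
    for (const { sink, re } of HTML_SINKS) {
      if (re.test(code)) findings.push({ line, sink });
    }
    const call = SET_ATTRIBUTE.exec(code);
    if (call) {
      const name = STRING_LITERAL.exec(call[1]);
      if (!name) findings.push({ line, sink: 'setAttribute:dynamic-name' });
      else if (SCRIPT_BEARING.test(name[2])) {
        findings.push({ line, sink: 'setAttribute:' + name[2] });
      }
    }
  });
  return findings;
}

// Constructed client-side code; q stands for untrusted request data.
const SAMPLE = [
  "const q = new URLSearchParams(location.search).get('q');",
  "results.innerHTML = 'You searched for ' + q;",
  "label.textContent = q;",
  "box.appendChild(document.createTextNode(q));",
  "input.setAttribute('value', q);",
  "link.setAttribute('href', q);",
  "btn.setAttribute(attrName, q);",
  "document.write('<p>' + q + '</p>');",
  "if (el.innerHTML === '') el.textContent = q;",
].join('\n');

console.log(reviewSource(SAMPLE));
```

Each finding is a place where untrusted data could reach the HTML parser or a script-bearing attribute, so the reviewer traces the value back to its source and replaces the write with one of the listed safe APIs.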

All of the information mentioned here is for educational purposes and based on OWASP and MITRE, we aren’t responsible for what you do afterwards.

About the author Rafael Fontes Souza

Rafael Fontes Souza is an Information Security Professional at Cipher Intelligence Labs with a focus on Penetration Testing, Vulnerability Assessment, Analysis and Mitigation.




Pierluigi Paganini

(Security Affairs – Cross-site scripting, HP)

The post Security Researcher found vulnerabilities on the HP Website appeared first on Security Affairs.

Source: Security affairs