Tenable Network Security Podcast 203 - "Ebay Got Hacked"
- We're hiring! - Visit the Tenable website for more information about open positions.
- Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
- You can find links to subscribe to Tenable's Podcast feed, YouTube Channel, Twitter and Facebook accounts at http://www.tenable.com/podcast!
- Ebay Got Hacked - This is the same story I feel like I've read 1,000 times. It boils down to "big web site was breached, they stole the password database, everyone needs to change their passwords". A few things:
- While there are issues with two-factor authentication in corporations for authenticating users to applications, if your business is a web site (Ebay, Google, LinkedIn) at some point you have to make two-factor authentication available and make it easy for people to use.
- People always shout about the passwords, but tend to gloss over the fact that someone exploited something to gain access in the first place. In this case it sounds like (nothing official here) Ebay employees were socially engineered and lost their passwords. Training, user awareness, etc. all apply here.
- So, on the password soap box again: store your passwords securely. It's well documented.
- Make it easy for the user to change their passwords!
- Finally, can we solve this problem of passwords already? I guess not.
- The Internet Is A Horrible Place - Yea, I said it. The problem is what do we do about it? I tell you what we should not do is create browsers and web browser technology that has lots of vulnerabilities. Darn, too late. All too often we cover vulnerabilities in web browsers, Flash, Java and the like. Securing this technology leads to user unhappiness: for example, what if I were to reset a virtual system hosting a web browser each time you used it? Your bookmarks, cookies and saved passwords would all go away. There has to be a better way, but in the meantime, have a strong patch and vulnerability management system.
- nginx 1.5.10 SPDY Memory Corruption
- ESXi 5.5 < Build 1746974 / 5.5 Update 1 < Build 1746018 OpenSSL Library Multiple Vulnerabilities (including Heartbleed) (remote check)
- ISC BIND 9 Recursive Server prefetch DoS
- iTunes < 11.2.1 User Directory Insecure Permissions Vulnerability (Mac OS X)
- iTunes < 11.2.1 User Directory Insecure Permissions Vulnerability (uncredentialed check)
- Multiple Vendor SNMP public Community String Information Disclosure
- Mac OS X : OS X Server < 3.1.2 Heap-Based Buffer Overflow
- Google Chrome < 35.0.1916.114 Multiple Vulnerabilities (Mac OS X)
- Google Chrome < 35.0.1916.114 Multiple Vulnerabilities
- EZPZ One Click Backup Plugin for WordPress cmd Parameter Remote Command Execution
- Bugzilla 2.0 < 4.4.3 / 4.5.3 Login Form XSRF
- Bugzilla 2.0 < 4.0.12 / 4.2.8 / 4.4.3 / 4.5.3 Character Spoofing
- FortiWeb < 5.2.0 Multiple XSRF Vulnerabilities
- BlackBerry < 10.2.0.1443 Multiple Vulnerabilities
- Google Chrome < 34.0.1847.131 (Mac) Multiple Vulnerabilities
- Google Chrome < 34.0.1847.131 (Windows) Multiple Vulnerabilities
- Google Chrome < 34.0.1847.132 (Linux) Multiple Vulnerabilities
- Xerox Supernode Discovery Client Detection
- Mozilla Firefox for Android < 24.0 Shared Library Loading Vulnerability
- Mozilla Firefox for Android < 29.0 Addressbar/Phishing Vulnerability
- Opera < 21.0 Multiple Vulnerabilities
- Microsoft Internet Explorer 6 through 11 Arbitrary Code Execution
- ISC BIND 9.10.0 Recursive Nameserver Denial of Service Vulnerability
- Google Chrome < 34.0.1847.137 (Mac) Multiple Vulnerabilities
- IWARP Server Detection
- Twitch TV Client Detection
- Mac iCal Client Detection
- IWARP Client Detection
- mDNS Query Response
- AppleTV Detected
- iTunes < 11.2.1 Insecure Permissions Local Privilege Escalation
- InduSoft Web Studio < v7.1 + SP2 + P2 Security System Vulnerability
- Schneider Electric SCADA Expert ClearSCADA 2013 R1 < 2013 R1.2 Remote Denial of Service Vulnerability
Passive Vulnerability Scanner
Security News Stories
- Good Ol’ SQLi Used to Hack Naval Database from Nuclear Carrier
- How to wiretap a country
- Bitly Installs Two-Factor Security After Insider Account Compromise
- Why Your Router Is A Security Risk & How To Fix It
- Schneider Electric asks users to patch Heartbleed again
- Another Internet Explorer Zero Day Surfaces
- Why is eBay burying news of its security breach from its users?
- Hacking the D-Link DSP-W215 Smart Plug
- eBay Urges Password Changes After Breach — Krebs on Security