Moore is the creator of the open source penetration testing framework Metasploit, which Rapid7 acquired in 2009. Moore says he will continue to work on Metasploit and will remain active in the community even after he leaves Rapid7 on January 29.
wiredmikey writes: According to a Pentagon memo due out today, the US military will create a new way to recognize drone operators and other service members who contribute to America's fighting efforts from afar. The military is set to introduce a new "R" designation — known as a "device" — that can be attached to medals given to drone operators and other non-combat troops, such as cyber warriors who hack enemy networks.
Former defense secretary Chuck Hagel nixed a proposed new combat medal for US troops who launch drone strikes or cyber attacks, after a torrent of criticism from veterans and lawmakers. Drone pilots have complained of low morale, long hours and of the psychological impacts stemming from killing people remotely.
He uses an example of the Amazon Echo which is “always listening” and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent.
"How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn’t be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who’s addressing all the other gadgetry?"
wiredmikey writes: A researcher claims he was threatened by Facebook after he responsibly disclosed a series of vulnerabilities and configuration weaknesses that allowed him to gain access to sensitive information stored on Instagram servers, including source code and the details of users and employees.
Wesley Wineberg says he discovered a remote code execution (RCE) vulnerability that allowed him to read a configuration file containing credentials needed to access database, which revealed roughly 60 accounts belonging to Facebook and Instagram employees. Wineberg also discovered that the server had been running on Amazon’s EC2 service and a list of more than 1,400 systems had been hardcoded into the/etc/hosts file.
While Facebook confirmed the existence of the RCE vulnerability and promised a $2500 reward, Facebook later agued that he violated user privacy when he accessed the data. Furthermore, Wineberg claims Facebook’s CSO, Alex Stamos, contacted him via the CEO of Synack, the vulnerability research firm he works for.
“Alex informed my employer (as far as I am aware) that I had found a vulnerability, and had used it to access sensitive data. He then explained that the vulnerability I found was trivial and of little value, and at the same time said that my reporting and handling of the vulnerability submission had caused huge concern at Facebook,” Wineberg said. “Alex then stated that he did not want to have to get Facebook's legal team involved, but that he wasn't sure if this was something he needed to go to law enforcement over.”
Stamos allegedly attempted to convince the researcher and his employer to keep the existence of the security holes private and delete all data obtained from Instagram systems.
“In my opinion, the best course of action was to simply be transparent with all of my findings and interactions. I am not looking to shame any individuals or companies, but I do believe that my treatment in this situation was completely inappropriate,” Wineberg said.
wiredmikey writes: In an attempt to come back from the dead, BlackBerry announced plans to sell an Android-powered smartphone. The struggling Canadian smartphone maker said it would begin selling "Priv," described as "a flagship handheld device that will run on the Android operating system with BlackBerry security," expected to be available later this year.
The company isn't giving up on its own operating system, and will continue to develop and enhance its BlackBerry 10 platform, which currently represents less than one percent of smartphone users.
wiredmikey writes: Hackers the Def Con gathering in Las Vegas on Friday got schooled in how to be online killers. A rush to go digital with the process of registering deaths has made it simple for maliciously minded folks to have someone who is alive declared dead by the authorities.
"This is a global problem," Australian computer security specialist Chris Rock said as he launched a presentation titled "I Will Kill You."
wiredmikey writes: Smartphone maker Samsung said on Wednesday that it soon will implement a new Android security update process that fast tracks mobile security patches over the air when security vulnerabilities are uncovered. The South Korea-based maker of popular Android smartphones said that it recently fast tracked security updates to its Galaxy devices in response to the recent Android “Stagefright” vulnerabilities uncovered late last month by security firm Zimperium.
News of the initiative is great for Android users. For years, wireless carriers and phone manufacturers have been accused of putting profits over protection and dragging their feet on regular operating system updates, making Android users vulnerable to malware and other attacks.
wiredmikey writes: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team.
Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.” In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched.
Adobe told SecurityWeek that it’s aware of the reports and expects to release a patch on Wednesday.
wiredmikey writes: Yahoo! Chief Information Security Officer (CISO) Alex Stamos said on Wednesday night that he will be leaving the iconic Internet company to take on the role of Chief Security Officer (CSO) at Facebook. Stamos took to Twitter and Facebook to announce the move, which comes just over a year after accepting his role of VP of Information Security and CISO at Yahoo in March 2014.
Stamos, who will officially join Facebook as CSO on Monday, June 29. He replaces former CSO Joe Sullivan who left the social media giant in April to take the role of CSO at Uber.
Stamos is a strong advocate of Internet privacy and security, and was a driving force behind TrustyCon, a rival event organized alongside the 2014 RSA Conference in protest of allegations that RSA accepted a $10 million payment from the NSA several years ago to use a weak number generating algorithm by default in its BSAFE toolkits.
wiredmikey writes: The mastermind behind criminal website Silk Road, which sold $200 million worth of drugs to customers worldwide, was sentenced to life in prison by a federal judge in New York Friday.
Judge Katherine Forrest imposed two life sentences against Ross Ulbricht, 31, for narcotics distribution and criminal enterprise.
Forrest told Ulbricht that he will never be eligible for parole. "What you did in Silk Road was terribly destructive to our social fabric," said the judge, calling him a criminal whose graduate school education made his actions less explicable than a common drug dealer.
wiredmikey writes: The White House on Saturday said that an ISIL senior leader known as Abu Sayyaf was killed in an operation in eastern Syria conducted by U.S. forces. Sayyaf, who was ordered to be captured, along with his wife Umm Sayyaf, was killed when he engaged U.S. forces, Secretary of Defense Ash Carter said in a statement.
According to the White House, Abu Sayyaf was a senior ISIL leader who, among other things, had a senior role in overseeing ISIL’s illicit oil and gas operations – a key source of revenue that enables the terrorist organization to carry out their brutal tactics and oppress thousands of innocent civilians. He was also involved with the group’s military operations.
wiredmikey writes: Uber on Thursday said that it has hired former Facebook security chief Joe Sullivan as its first ever Chief Security Officer. Sullivan, who will take the position as CSO at Uber in late April, joins the company after 5 years at Facebook in a similar role, and nearly 7 years at eBay and PayPal prior to that.
The appointment of Sullivan as CSO comes just weeks after the company disclosed that a data breach may have allowed malicious actors to gain access to the driver’s license numbers of roughly 50,000 of its drivers.
wiredmikey writes: A massive power outage caused chaos and shut down public transport across Turkey on Tuesday, with the government refusing to rule out that the electricity system had been the victim of an attack. The nationwide power cut, the worst in 15 years, began shortly after 10:30 am (0730 GMT) in Istanbul, the state-run Anatolia news agency quoted the Turkey Electricity Transmission Company (TEIAS) as saying.