Episode 2 of our big bug podcast series explores recently popularized and widespread vulnerability ImageTragick. Learn about the incredible breadth of this vulnerability and the potential for it to be exploited, and how Bugcrowd was able to proactively enlist the crowd to search all public programs for this vulnerability before any scanner could.
Episode devoted to the ImageTragick vulnerability. Episode recorded on 10/05/2016. The post ImageTragick appeared first on NoLimitSecu.
In this episode:

ImageTragick - major flaw in open source image processing toolkit
- ImageTragick is CVE-2016-3714
- Logo & Website: https://imagetragick.com
- Has a logo, so it must be yuge
- Is this really that big of a deal? How many are potentially impacted?
- https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html
- Remote code execution, with minor caveats - likely darn near everywhere

Detroit company loses $495k to wire fraud
- Source was a faked email requesting a wire transfer
- Why didn't someone verify this?!
- http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/
- Will insurance pay out? Is the policy change too little too late? How can other companies learn from this?

The Ransomware Epidemic (Optiv blog)
- Is there an epidemic at play here?
- Why the switch to ransoming people's data?
- Is this a viable business model for cyber criminals?
- https://www.optiv.com/blog/ransomware-part-1-is-this-an-epidemic

Undetectable flaw in Qualcomm-powered Android phones is a huge deal
- Input sanitization flaw (again?!)
- At risk: the 34% of users running Android 4.3 and earlier
- Text messages and call histories accessible in plain text
- An "undetectable" software flaw in Qualcomm Snapdragon-powered Android smartphones could lay bare users' text messages and call histories to hackers
- http://www.computing.co.uk/ctg/news/2457217/undetectable-qualcomm-code-vulnerability-lays-bare-android-users-text-messages-and-call-histori

White Hat hacker sent to the clink for going too far
- Found (accidentally?) a SQL Injection flaw, then used a tool to pull data out
- Obviously went too far, right?
- Where was the 'responsible' or 'reasonable' notification to the victim?
- This headline is deceptive and misrepresents the story: http://www.infosecurity-magazine.com/news/white-hat-researcher-jailed
- Hat-tip to Troy Hunt for a sane evaluation: http://windowsitpro.com/troy-hunts-security-sense/security-sense-when-security-researcher-arrested-there-s-usually-good-reas
A critical flaw in that bit of software tucked far, far away that you never think about... until now. We explain why ImageTragick is a pain. More OpenSSL flaws, and fraudsters stealing tax data from the motherlode. Plus great questions, our answers, a packed Round-up & more!