Skip to main content

Posts

Showing posts from June 1, 2011

WebGL - A New Dimension for Browser Exploitation

WebGL flaws puts Chrome and Firefox users at serious risk WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape, especially when it could have a significant impact on our clients. We found that:  A number of serious security issues have been identified with the specification and implementations of WebGL(Graphics Library). These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable. Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk. These issues are inherent to the WebGL specification and would require significant arc...

IronBee: Creating an open source web application firewall

IronBee: Creating an open source web application firewall Qualys announced IronBee , a new open source project to provide the next-generation of web application firewall (WAF) technology. Led by the team who designed and built ModSecurity, the new project aims to produce a web application firewall sensor that is secure, high-performing, portable, and freely available – even for commercial use. A WAF is typically an appliance, server plug-in, or software-based filter that applies a set of rules to an HTTP conversation in order to monitor and control the movement of data, thus keeping it secure from possible attacks. By customizing the rules of a WAF, many attacks can be identified and blocked. The increasing use of web applications and the transition to cloud computing makes it necessary to deploy WAF technology to protect data and meet regulations such as payment card industry (PCI) compliance. With the launch of IronBee, Qualys is creating a sustainable c...

RSA hacked, SecurID users possibly affected

  RSA hacked,users affected   In an open letter, Art Coviello, the executive chairman of RSA (the security division of EMC), made public the fact that the company has suffered a breach and data loss following an "extremely sophisticated cyber attack."     Categorizing the attack as an Advanced Persistent Threat - a term that is often associated with corporate espionage and state sponsored attacks - he said that their investigation revealed that the information extracted from the company systems is related to its SecurID two-factor authentication products, which are widely used by government agencies, private companies and other large organizations to add an additional layer of security for when employees log into their companies' networks. "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effe...