Similar Posts
Hack Me If You Can
ByKayne
A hacker can say that an institution has 90 days to fix a vulnerability before publicly divulging the secret, and for the vulnerable bank or credit union, that might come off as extortion or a threat. However, it is well within the boundaries of normal security research to do that, according to Kayne McGladrey, Field CISO for the security and compliance company Hyperproof.
“If the company doesn’t respond in a timely manner, that’s where you can get vulnerability disclosures after a reasonable period of time, like 90 or 120 days, or 180 days, depending on which philosophy the researcher subscribes to,” McGladrey said. “That’s all well within the ethical boundaries of a normal security researcher.”
The key difference between an ethical and unethical hacker — between extortion and responsible disclosure — is what the hacker does with the vulnerability.
“I think it’s very possible to say you can prove you can use this vulnerability — maybe it’s to steal a whole bunch of credit card information — without actually doing it,” McGladrey said. “You just show that you can.
How Awareness, Attention Can Improve Cyber Security
ByKayne
Besides working nights, I learned in my fifteen-minute conversation that Rosa volunteers at an elementary school. She’d met no one who worked in cyber security, and the kids she worked with hadn’t considered it as a career option. They wanted to be rappers, they wanted to be marine biologists; they didn’t know there was a high-paying position called “security operations center analyst.”
Cross-Site Scripting Attacks: How to Prevent XSS Vulnerabilities
ByKayne
“If an attacker can steal the user’s cookies, that attacker can impersonate that end user,” says Kayne McGladrey, a senior member and impact creator of the Institute of Electrical and Electronics Engineers. “In an XSS exploit, if I can steal your cookies, I can become you or impersonate you. I can change your password. I can change your backup email account. I can take over that entire account.”
‘A staggering problem’: Working from home could lead to massive data leaks
ByKayne
“I think we’re going to have an unprecedented number of breaches being announced following the pandemic,” said Kayne McGladrey, member of the Institute of Electrical and Electronics Engineers.
VERIFY: No, scammers can’t access your SIM card by dialing a few numbers
ByKayne
“McGladrey told us there is a grain of truth to the claim made in the Facebook post. He says on certain office landline phones, like corporate PBX systems, pressing a variation of those digits allows a call transfer to happen. But this does not affect cell phones or residential landlines.”
Is there an expiry date for connected vehicle software support?
ByKayne
Another issue associated with connected vehicles is around the data they collect and transmit. ”We have seen nation states that want to conduct surveillance, whether on their own domestic population or on foreign populations, use telemetry from hotels, airports, and rental car carriers to determine where individuals are moving,” notes McGladrey. “If it is possible for a dedicated adversary to subvert that communications channel—either directly with a vehicle or by gaining a foothold inside of some telemetry aggregator service, probably the manufacturer—all of a sudden they can know where people are going within in a few feet. If you can associate a user’s identity with their vehicle or location, you have a high degree of fidelity to conduct attacks.”