Information Security News
Developers of the vBulletin software package for website forums released a security patch Monday night, just hours after reports surfaced that a hack on the developers' site leaked password data and other sensitive information belonging to almost 480,000 subscribers.
vBulletin officials have put in place a mandatory password reset for all users after discovering it was subjected to a hack attack. They went on to warn that the attacker "may have accessed customer IDs and encrypted passwords on our system." A separate post on the vBulletin site makes reference to a security patch for versions 5.1.4 through 5.1.9 of the vBulletin Connect software package.
Noticeably missing from either link is an explicit warning that there is a critical vulnerability in vBulletin that has already been actively exploited and puts thousands of sites at risk until they install the patch. Ars asked vBulletin officials to clarify the reports and to confirm or disconfirm the speculation they have generated, but so far the request has gone unanswered. This post contains inferences and information from alternative sources that has yet to be explicitly confirmed.
Genome researchers hit back at infosec bods' 'network vuln' claims
The Global Alliance for Genomics & Health has downplayed vulnerabilities found in its genome-sharing network by two Stanford researchers. Carlos Bustamante and Suyash Shringarpure, postdoctoral scholars in genetics at Stanford, had raised concerns ...
You might have used nmap several times for recon using the conventional port scan functionality (Connect scan, SYN scan, FIN scan, UDP scan, ...), but for gathering extra info like HTTP directories, DNS host enumeration without performing a zone transfer, Microsoft SQL Server enumeration and SMB device info, people usually use additional tools. I will show you how nmap can provide that information without the use of extra tools:
1. HTTP Directories
The http-enum script is able to test for the existence of some directories that are common to many webservers and could have potentially interesting information and vulnerabilities. This is an alternative to tools like nikto:
2. DNS Host Enumeration
ike about nmap recon scripts is they are fast, reliable and they minimize the number of tools you need to carry around. They will save you tons of time gathering valuable info so you can focus on compromising the assets. If you want to know more about the nmap scripts, please check https://nmap.org/nsedoc.
As hacks become a regular occurrence, infosec careers surge
It is now not enough to just look for a career in infosec, you need to choose an area of expertise, and requirements for each differ. Relevant IT security certifications such as CEH, CISSP, CISA or CISM, though, are either essential or, at a minimum ...
As part of Ars UNITE last week, Ars IT Editor Sean Gallagher outlined what many already know—the Internet of Things (IoT) is inevitable. However, this being Ars, he also documented that future's dirty little secret. At the moment, companies seem to be overlooking the security of the Internet of Things in favor of its promise.
That revelation may not be new to Ars readers, who give a resounding "LOL, NO" to this movement. The past year includes dozens of IoT security horror stories, from hacked baby monitors and eavesdropping laser printers to classics like commandeered smartlights or an army of remote-controlled routers. But the growing concern over IoT's dark side caught the eye of NPR's All Things Considered this week, and yesterday Gallagher joined host Robert Siegel to tell him all about it.
We particularly felt some parental pride when Gallagher took the opportunity to chat IoT and turned it into a security lesson. Siegel asked him if Ars readers are excited about the possibilities of IoT (again, "LOL, NO"), and Gallagher went on to explain how something as innocuous as smartlights can be damning.