Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software will Increase; Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV can.

2013 was a very hacked year: there were many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase, due to the fact that the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
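To make the Layer 3-4 versus Layer 7 distinction concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions). A volumetric attack is counted upstream in packets and bytes; an HTTP flood consists of complete, well-formed requests, so it has to be found in the web server’s access log from request behaviour per client: the rate in a sliding window and how concentrated the requests are on expensive dynamic endpoints. The log lines, the client addresses, the `/search` endpoint and the thresholds (a 10-second window, more than 8 requests) are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log entry, reduced to the fields the detector needs.
type Request struct {
	Client string
	Path   string
	At     time.Time
}

// ParseCommonLog parses Common Log Format lines such as
// 203.0.113.7 - - [10/Sep/2014:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043
// Lines that do not fit the format are skipped rather than aborting the run.
func ParseCommonLog(lines []string) []Request {
	var out []Request
	for _, ln := range lines {
		fields := strings.Fields(ln)
		lb, rb := strings.Index(ln, "["), strings.Index(ln, "]")
		if len(fields) == 0 || lb < 0 || rb < lb {
			continue
		}
		at, err := time.Parse("02/Jan/2006:15:04:05 -0700", ln[lb+1:rb])
		if err != nil {
			continue
		}
		q1 := strings.Index(ln, "\"")
		if q1 < 0 {
			continue
		}
		q2 := strings.Index(ln[q1+1:], "\"")
		if q2 < 0 {
			continue
		}
		reqLine := strings.Fields(ln[q1+1 : q1+1+q2]) // METHOD PATH PROTOCOL
		if len(reqLine) < 2 {
			continue
		}
		out = append(out, Request{Client: fields[0], Path: reqLine[1], At: at})
	}
	return out
}

// Verdict records why a client was flagged.
type Verdict struct {
	Client    string
	Peak      int // most requests seen from this client inside one window
	Expensive int // how many of those hit endpoints listed as costly
}

// isExpensive matches the path (query string stripped) against costly prefixes.
func isExpensive(path string, prefixes []string) bool {
	p := strings.SplitN(path, "?", 2)[0]
	for _, pre := range prefixes {
		if strings.HasPrefix(p, pre) {
			return true
		}
	}
	return false
}

// DetectL7Flood flags clients whose request count in any sliding window of the
// given length exceeds maxPerWindow. Requests are grouped per client and the
// window is slid over each client's sorted timestamps.
func DetectL7Flood(reqs []Request, window time.Duration, maxPerWindow int, expensive []string) []Verdict {
	byClient := map[string][]Request{}
	for _, r := range reqs {
		byClient[r.Client] = append(byClient[r.Client], r)
	}
	var verdicts []Verdict
	for client, rs := range byClient {
		sort.Slice(rs, func(i, j int) bool { return rs[i].At.Before(rs[j].At) })
		peak, peakExp, lo, exp := 0, 0, 0, 0
		for hi := range rs {
			if isExpensive(rs[hi].Path, expensive) {
				exp++
			}
			// Advance the left edge until the window is shorter than `window`.
			for rs[hi].At.Sub(rs[lo].At) >= window {
				if isExpensive(rs[lo].Path, expensive) {
					exp--
				}
				lo++
			}
			if n := hi - lo + 1; n > peak {
				peak, peakExp = n, exp
			}
		}
		if peak > maxPerWindow {
			verdicts = append(verdicts, Verdict{Client: client, Peak: peak, Expensive: peakExp})
		}
	}
	sort.Slice(verdicts, func(i, j int) bool { return verdicts[i].Client < verdicts[j].Client })
	return verdicts
}

// SampleLog returns constructed log lines: one client browsing normally and one
// client hammering the search endpoint (12 requests inside four seconds).
func SampleLog() []string {
	lines := []string{
		`203.0.113.7 - - [10/Sep/2014:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043`,
		`203.0.113.7 - - [10/Sep/2014:12:00:30 +0000] "GET /search?q=ipv6 HTTP/1.1" 200 5120`,
		`203.0.113.7 - - [10/Sep/2014:12:01:00 +0000] "GET /about HTTP/1.1" 200 812`,
	}
	for i := 0; i < 12; i++ {
		lines = append(lines, fmt.Sprintf(`198.51.100.9 - - [10/Sep/2014:12:00:%02d +0000] "GET /search?q=%d HTTP/1.1" 200 5120`, i/3, i))
	}
	return lines
}

func main() {
	reqs := ParseCommonLog(SampleLog())
	for _, v := range DetectL7Flood(reqs, 10*time.Second, 8, []string{"/search"}) {
		fmt.Printf("flagged %s: %d requests in one window, %d to expensive endpoints\n", v.Client, v.Peak, v.Expensive)
	}
}
```

The thresholds are illustrative and in practice are tuned per endpoint; the `Expensive` count is what separates a crawler fetching static files from a flood aimed at the costliest handlers, and a multi-vector attack is exactly one where the volumetric part is absorbed upstream while this lower-rate Layer 7 part would pass unnoticed without per-client analysis.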

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud filtering what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion, to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect the users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Analysis Of Kate Upton Photos Shows Hackers May Have A Backup Of Her Entire iPhone
    http://www.businessinsider.com/icloud-hackers-may-have-entire-iphone-backups-via-elcomsoft-phone-password-breaker-2014-9

    It just got even worse for the 101 celebrities whose naked photos were hacked from their iCloud accounts: An analysis of the metadata on Kate Upton’s photos showed that her account was hacked using a piece of software intended for law-enforcement agencies that downloads an entire backup copy of all the files on a target’s iPhone.

    The software is called EPPB, or Elcomsoft Phone Password Breaker. It is intended for police departments and government agencies that want to “rip” entire copies of iPhones for evidence.

    If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder.

    If a full device backup was accessed, he believes the rest of the backup’s data may still be possessed by the hacker and could be used for blackmail or finding other targets.

    Reply
  2. Tomi Engdahl says:

    New software ported from Windows to Mac! You’ll never guess what. Yes, it’s spyware
    XSLCmd coming your way, whether you like it or not
    http://www.theregister.co.uk/2014/09/05/cyber_spy_tool_mac_attack/

    Miscreants have ported five-year-old spyware XSLCmd to OS X.

    The Windows version of the malware has been around since 2009, and the Apple Mac edition of XSLCmd shares significant portions of the same code. It can open a reverse shell to its masters, automatically transfer your documents to a remote system, install executables, and is configurable.

    Reply
  3. Tomi Engdahl says:

    iCloud-opening weakness was announced in the spring of 2013 – Apple has not fixed it

    A Russian hacker announced weaknesses in Apple’s cloud service in May 2013. The program he has been developing since last summer had access to cloud data.

    The vulnerability in Apple’s iCloud cloud services is not new information, since the matter became public last year. Russian hacker Vladimir Katalov gave a presentation titled Cracking and Analyzing Apple’s iCloud Protocols at the Hack in the Box security event held in Kuala Lumpur in October 2013.

    Katalov had already written about the iCloud weaknesses on the blog of the company ElcomSoft before that, in May 2013.

    The hacker’s observation was that iCloud backups of phone data, the Find my iPhone information, and documents stored in the cloud were behind only an e-mail address and password.

    Source: http://www.digitoday.fi/tietoturva/2014/09/05/icloud-aukko-julkistettiin-jo-kevaalla-2013–apple-ei-paikannut/201412391/66?rss=6

    Apple Two-Factor Authentication and the iCloud
    May 30th, 2013 by Vladimir Katalov
    http://blog.crackpassword.com/2013/05/apple-two-factor-authentication-and-the-icloud/

    Apple’s iCloud cracked: Lack of two-factor authentication allows remote data download
    October 21, 2013 -
    http://www.zdnet.com/apples-icloud-cracked-lack-of-two-factor-authentication-allows-remote-download-7000022196/

    Summary: Notorious Russian hacker Vladimir Katalov released findings showing Apple’s iCloud vulnerable to unauthorized download access, with iCloud data stored on Microsoft and Amazon servers.

    Reply
  4. Tomi Engdahl says:

    Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams
    http://techcrunch.com/2014/09/02/apples-two-factor-authentication-doesnt-protect-icloud-backups-or-photo-streams/

    One of the common bits of advice you’ll see people giving you around this celebrity picture hack is to enable two-factor authentication on your accounts — including Apple’s. That’s good advice, but it wouldn’t have protected any of these celebrities and it doesn’t protect the other accounts that are compromised by hackers that are able to obtain an Apple ID email and password.

    While Apple has offered two-factor authentication on accounts for some time now, there is an omission in that system that hackers are taking advantage of. iCloud backups are not protected by two-factor authentication, and can be installed on new devices with only an Apple ID and password.

    Reply
  5. Tomi Engdahl says:

    Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted
    http://it.slashdot.org/story/14/09/05/2120246/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted

    Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla.

    Comment:
    It sounds from the writeup like most of the sites in question are defunct and that’s why they’re using out of date crypto. Few sites that people actually visit would appear to be affected.

    Reply
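An added example of the check behind this deprecation (my own code, not Mozilla’s or the article’s): walk a certificate chain and reject any RSA modulus below a policy minimum, since a chain is only as strong as its weakest key and a 4096-bit leaf signed by a 1024-bit CA is still a 1024-bit problem. It uses Go’s standard crypto/x509 and builds two throwaway self-signed certificates in memory, a 2048-bit leaf and a 1024-bit CA, to have something to inspect; the subject names and the 2048-bit floor are assumptions for the example, and the certificates are not actually chained to each other (the check inspects each key independently and does no path validation).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the smallest RSA modulus this policy accepts. Mozilla's move
// described above pulled 1024-bit CA roots; 2048 is the floor assumed here.
const MinRSABits = 2048

// Finding describes one certificate in a chain and whether it passes policy.
type Finding struct {
	Subject string
	Bits    int
	OK      bool
}

// CheckChainKeySizes reports every RSA key in the chain (leaf first) that is
// smaller than MinRSABits. Non-RSA keys are outside this check and pass.
func CheckChainKeySizes(chain []*x509.Certificate) ([]Finding, bool) {
	findings := make([]Finding, 0, len(chain))
	allOK := true
	for _, c := range chain {
		f := Finding{Subject: c.Subject.CommonName, OK: true}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
			f.Bits = pub.N.BitLen()
			f.OK = f.Bits >= MinRSABits
		}
		if !f.OK {
			allOK = false
		}
		findings = append(findings, f)
	}
	return findings, allOK
}

// selfSigned builds a throwaway self-signed certificate with an RSA key of the
// requested size, purely to give the policy check something to inspect.
func selfSigned(cn string, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoChain returns a constructed chain shaped like the sites the article says
// lost trust: a modern 2048-bit leaf issued under a legacy 1024-bit root.
func DemoChain() ([]*x509.Certificate, error) {
	leaf, err := selfSigned("www.example.test", 2048)
	if err != nil {
		return nil, err
	}
	ca, err := selfSigned("Example Legacy Root CA", 1024)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

func main() {
	chain, err := DemoChain()
	if err != nil {
		panic(err)
	}
	findings, ok := CheckChainKeySizes(chain)
	for _, f := range findings {
		fmt.Printf("%-24s %4d bits  policy ok: %v\n", f.Subject, f.Bits, f.OK)
	}
	fmt.Println("chain accepted:", ok)
}
```

Run against a real server, the same function would take the chain from a TLS connection’s peer certificates; the point of the article is that the failing entry is usually not the site’s own leaf but an old root or intermediate above it, which the site operator fixes by re-issuing under a 2048-bit CA rather than by touching its own key.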
  6. Tomi Engdahl says:

    Hitachi and Barclays announce a vein scanner for online banking security
    Claims to be more secure than fingerprint scanning
    http://www.theinquirer.net/inquirer/news/2363671/hitachi-and-barclays-announce-a-vein-scanner-for-online-banking-security

    BARCLAYS BANK AND HITACHI have unveiled a biometric security device that scans the unique vein patterns in fingers to prevent fraud.

    The Barclays Biometric Reader consists of a SIM card that holds the unique vein structure information of a single user and a small infra-red scanner. Using Hitachi’s VeinID technology, the reader captures the image of the vein pattern in a user’s finger, which, like a fingerprint, is unique to each individual.

    Unlike fingerprints, the internal structures of veins are very difficult to reproduce artificially and the scanner only operates if there is a constant blood flow to the finger, meaning the severed finger of a finance officer could not be used to bypass the device’s authentication.

    In 2015, the reader will be offered to corporate banking clients who will be able to access their bank accounts and authorise payments without the need for PINs, passwords or other authentication.

    Both companies believe there is a wider potential to use the biometrics scanner in the consumer sector and integrate it with mobile devices.

    Reply
  7. Tomi Engdahl says:

    Reddit Bans Celebrity Photo Forums After a Week of “Whack-a-Mole”
    http://recode.net/2014/09/06/reddit-bans-celebrity-photo-forums-after-a-week-of-whack-a-mole/

    Six days after stolen naked photos of celebrities including Jennifer Lawrence and Kate Upton were posted online, Reddit has now banned the forums that help spread images on its site.

    The company was careful to say that, even after some delay, it was not changing its policies but rather enforcing existing ones.

    At the same time, the company has now banned forums including “The Fappening” that had been created to post and repost the images, which were collected through celebrities’ Apple iCloud backups through unknown means.

    Reply
  8. Tomi Engdahl says:

    For Sale Soon: The World’s First Google Glass Detector
    http://www.wired.com/2014/09/for-sale-soon-the-worlds-first-google-glass-detector/

    Earlier this summer, Berlin-based artist and coder Julian Oliver released Glasshole.sh, a simple and free piece of software designed to detect Google Glass and boot it from any local Wi-Fi network. That DIY idea, says Oliver, was so popular among Glass’s critics that he’s now offering his cyborg-foiling hack to the masses in a much more polished form: an easy-to-use commercial product selling for less than $100.

    Later this month, Oliver says he’ll start taking pre-orders for Cyborg Unplug, a gadget no bigger than a laptop charger that plugs into a wall and patrols the local Wi-Fi network for connected Google Glass devices, along with other potential surveillance gadgets like Google Dropcams, Wi-Fi-enabled drone copters, and certain wireless microphones.

    When it detects one of those devices, it can be programmed to flash an alert with an LED light, play a sound through connected speakers, and even ping the Cyborg Unplug owner’s smartphone through an Android app, as well as silently booting those potential spy devices from the network.

    “Basically it’s a wireless defense shield for your home or place of work,” says Oliver. “The intent is to counter a growing and tangibly troubling emergence of wirelessly capable devices that are used and abused for surveillance and voyeurism.”

    In addition to a default state called “Territory Mode” designed to defend the user’s own network, Oliver says Cyborg Unplug will also offer an “All Out Mode.”

    Cutting the Wi-Fi uplink of Google Glass or most other surveillance gadgets doesn’t necessarily do much to prevent that sort of snooping, as long as it’s stored locally on the device. In fact, Cyborg Unplug wouldn’t even detect any Glass user who doesn’t attempt to connect to Wi-Fi. But Oliver argues that it would at least make it more difficult to surreptitiously stream video or images to a remote location without leaving evidence on the snoop’s local device.

    Reply
  9. Tomi Engdahl says:

    The fat cat, the cloud, and the little old lady
    Column An allegory for the virtual data age
    http://www.theinquirer.net/inquirer/opinion/2363729/the-fat-cat-the-cloud-and-the-little-old-lady

    KIM KARDASHIAN put it best, and that’s a sentence I never thought I’d write. After the iCloud ‘issues’ this week – call it a hack, a leak, or a publicity stunt – Mrs West told the world, “I don’t even know where this cloud is.” And she’s right.

    Do you know where your cloud data goes? Do you even begin to understand it? Some readers will be paid to know the answer, but many more will take it on faith that it’s safe. So here’s my attempt to explain why you need to take responsibility for your cloud data, in a way that even Kim Kardashian can understand.

    Today Apple responded by promising to beef up its security. Tim Cook told the Wall Street Journal, “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece, I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

    So where does that leave poor Claudia? More cat lovers are finding that the only way to be sure to keep their cats safe from the evils of the world is to keep them in a cat carrier in the corner of the room and access them manually.

    Reply
  10. Tomi Engdahl says:

    Home Depot Hit By Same Malware as Target
    http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

    The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the same malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation

    A source close to the investigation told this author that an analysis revealed at least some of Home Depot’s store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.

    The information on the malware adds another indicator that those responsible for the as-yet unconfirmed breach at Home Depot also were involved in the December 2013 attack on Target that exposed 40 million customer debit and credit card accounts. BlackPOS also was found on point-of-sale systems at Target last year. What’s more, cards apparently stolen from Home Depot shoppers first turned up for sale on Rescator[dot]cc, the same underground cybercrime shop that sold millions of cards stolen in the Target attack.

    Other clues in the new BlackPOS malware variant further suggest a link between the cybercrooks behind the apparent breach at Home Depot and the hackers who hit Target.

    Reply
  11. Tomi Engdahl says:

    Analyzing the FBI’s Explanation of How They Located Silk Road
    https://www.nikcub.com/posts/analyzing-fbi-explanation-silk-road/

    The first incarnation of online drug marketplace Silk Road was shut down in October 2013, resulting in the arrest of Ross Ulbricht.

    The marketplace was hosted as a hidden service on Tor

    One of the big outstanding issues was how the FBI managed to uncover the real IP address of the server hosting the Silk Road.

    If the evidence is found to have been obtained unlawfully, then much of the case against Ulbricht would collapse as all subsequent evidence discovered

    there are many, many ways that a Tor configuration can leak and reveal details about a user that could lead to them being identified.

    Anybody with knowledge of Tor and hidden services would not be able to read that description and have a complete understanding of the process that the agents followed to do what they claim to have done. Were the Silk Road site still live today, and in the same state it was as in back in June 2013 when the agents probed the server, you wouldn’t be able to reproduce or recreate what the agents describe in the affidavit.

    This is why there are so many different theories now on how they achieved what they claim to have achieved.

    Reply
  12. Tomi Engdahl says:

    ‘Anti-router’ stops drones, cameras, and Google Glass from connecting to Wi-Fi networks
    http://www.theverge.com/2014/9/6/6115249/anti-router-stops-drones-cameras-and-google-glass-from-connecting-to

    Are you paranoid that strangers are using drones, security cameras, hidden microphones, or even Google Glass to spy on you? If so, you might be interested in a little device called Cyborg Unplug. Just stick it into a power outlet and watch as it sounds an alarm whenever such a surveillance device enters the vicinity of your home. Even better, you can lock those devices from connecting to your Wi-Fi network. If you’re really looking to make a statement, you can even show those “Glassholes” who’s boss by preventing all surveillance devices near your Cyborg Unplug from connecting to any Wi-Fi network.

    The device is really just a tiny router the size of an old Apple Airport Express that’s had its firmware customized to sniff out and block devices based on their MAC addresses.

    Reply
  13. Tomi Engdahl says:

    Cyborg Unplug – Plug to Unplug
    http://plugunplug.net/

    Cyborg Unplug comes hot on the heels of glasshole.sh, a script written by Julian Oliver to detect and disconnect Google’s Glass device from a locally owned and administered network. Following broad coverage in the press, the script struck a chord with countless people all over the world that felt either frustrated or threatened by the growing use and abuse of covert, camera-enabled computer technology.

    Every wireless (WiFi) device has a unique hardware signature assigned to it by the manufacturer. These signatures are broadcasted by wireless devices as they probe for, connect to and use wireless networks.

    Cyborg Unplug sniffs the air for these signatures, looking for devices its owner has selected to ban. If a banned device is discovered an alarm is triggered (LED, audio or message*). Further, if that device is found to be connected to a network that Cyborg Unplug is trained to guard, a stream of special ‘de-authentication’ signals (packets) are sent to disconnect it. It does this automatically, without any interaction required from its owner.

    CAN IT BE USED TO DISCONNECT DEVICES FROM ANY NETWORK?
    In short yes. But be sure to read on to understand the implications…

    Cyborg Unplug can be operated in two modes. The recommended mode is Territory Mode, disconnecting target devices from selected network(s) owned and operated by the user. The other mode is All Out Mode, which disconnects all detected target devices from any network they are associated with, including paired connections with smartphones. Please note that this latter mode may not be legal within your jurisdiction.

    Reply
  14. Tomi Engdahl says:

    Celeb nudie iCloud pervs hatched photo-slurping Flappy Bird plot
    July plan would have seen Flappy fappening
    http://www.theregister.co.uk/2014/09/08/icloud_hackers_mull_malware_follow_up/

    The hacker ring behind last week’s celebrity nude self iCloud privacy flap also planned to use malware to obtain private photographs from compromised Android phones.

    The hackers swapped snaps on the /stol/ (short for “stolen”) forum on image board AnonIB, a spinoff of the notorious 4chan

    Writing in late July, a denizen of the forum proposed what he described as the “genius” idea of using malware. Specifically, the miscreant claimed to have developed a fake Flappy Bird app that steals people’s photos from Android phones before uploading the data to a server under his control.

    It’s unclear whether or not the scheme was carried out, but what it does show is that snoopy hackers were looking into multiple ways to obtain indecent pictures before the hacking of celeb iCloud accounts made worldwide news last week.

    Reply
  15. Tomi Engdahl says:

    UK data watchdog broke data law, says UK data watchdog
    ICO probes self in ‘non-trivial security incident’
    http://www.theregister.co.uk/2014/07/16/uk_data_watchdog_breached_data_law_says_uk_data_watchdog/

    Britain’s data cops have coughed to a serious security screw-up at the Information Commissioner’s Office, and concluded that the ICO – only mildly – violated the Data Protection Act that it is supposed to police.

    Reply
  16. Tomi Engdahl says:

    Comcast Wi-Fi serving self-promotional ads via JavaScript injection
    The practice raises security, net neutrality issues as FCC mulls Internet reforms.
    http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

    Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.

    A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

    The advertisements may appear about every seven minutes or so

    “When a user requests to view a page, Comcast injects its JavaScript into the packets being returned by the real server,” Singel said during an instant-message chat.

    A Comcast served house ad.
    Ryan Singel
    Singel’s suspicions were correct that Mediagazer didn’t place the ad there, and Mediagazer is none too happy about it. “Indeed, they were not ours,” Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, “someone else is inserting them in a sneaky way.”

    Unwanted injections

    Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted.

    Comcast’s Douglas says Comcast has nothing nefarious up its sleeve. What’s more, Comcast has multiple layers of security “based on industry best practices” to keep out hackers wanting to exploit the Xfinity network, he said.

    Seth Schoen, the senior staff technologist for the Electronic Frontier Foundation, reviewed the data pulled by Singel and said that “there ended up being JavaScript in the page that was not intended by the server.”

    Even if Comcast doesn’t have any malicious intent, and even if hackers don’t access the JavaScript, the interaction of the JavaScript with websites could “create” security vulnerabilities in websites, Schoen said. “Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn’t have them,” Schoen said in a telephone interview.

    What Comcast is doing isn’t without precedent. Airports have deployed so-called branded promotional hotspots, and there are plenty of companies that help businesses set up Wi-Fi hotspots that append ads via JavaScript injection.

    If the FCC decided to regulate broadband like a telephone utility, Comcast’s JavaScript practice could come under scrutiny

    “It’s the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider,”

    Reply
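As an added illustration (my own code, not Singel’s capture tooling or anything from the EFF or Comcast), the following compares a page as the origin serves it with the copy received through a suspect network path and reports every script element the origin did not send. External scripts are identified by their src, inline ones by a SHA-256 of their body, the same digest form a Content-Security-Policy hash-source uses. Both HTML documents, the hotspot hostname and the injected snippet are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// scriptRe matches each <script ...>...</script> element: group 1 is the
// attribute string, group 2 the inline body. (?is) = case-insensitive, dot
// matches newlines; the lazy .*? stops at the first closing tag.
var scriptRe = regexp.MustCompile(`(?is)<script\b([^>]*)>(.*?)</script>`)

// srcRe pulls the src attribute value out of the attribute string.
var srcRe = regexp.MustCompile(`(?i)\bsrc\s*=\s*["']([^"']+)["']`)

// ScriptFingerprint identifies one script element: external scripts by src,
// inline scripts by a SHA-256 over their (trimmed) body.
func ScriptFingerprint(attrs, body string) string {
	if m := srcRe.FindStringSubmatch(attrs); m != nil {
		return "src:" + m[1]
	}
	sum := sha256.Sum256([]byte(strings.TrimSpace(body)))
	return "inline:sha256-" + hex.EncodeToString(sum[:])
}

// Scripts returns the fingerprints of every script element in an HTML document,
// in document order.
func Scripts(html string) []string {
	var out []string
	for _, m := range scriptRe.FindAllStringSubmatch(html, -1) {
		out = append(out, ScriptFingerprint(m[1], m[2]))
	}
	return out
}

// ForeignScripts returns the scripts present in the received copy but absent
// from the reference copy, i.e. code that arrived from somewhere other than the
// origin server.
func ForeignScripts(reference, received string) []string {
	known := map[string]bool{}
	for _, s := range Scripts(reference) {
		known[s] = true
	}
	var foreign []string
	for _, s := range Scripts(received) {
		if !known[s] {
			foreign = append(foreign, s)
		}
	}
	return foreign
}

// ReferencePage is a constructed copy of a page as its origin serves it.
const ReferencePage = `<html><head>
<script src="/static/app.js"></script>
<script>var page = "home";</script>
</head><body><h1>News</h1></body></html>`

// ReceivedPage is the same page as seen through a network path that rewrote
// it: the origin's two scripts are untouched, but an external loader and an
// inline snippet were added on the way.
const ReceivedPage = `<html><head>
<script src="/static/app.js"></script>
<script>var page = "home";</script>
<script src="http://ads.hotspot.example/notice.js"></script>
</head><body><h1>News</h1>
<script>document.body.insertAdjacentHTML("beforeend", "<div id=hotspot-notice></div>");</script>
</body></html>`

func main() {
	for _, s := range ForeignScripts(ReferencePage, ReceivedPage) {
		fmt.Println("not served by origin:", s)
	}
}
```

The durable fix is the one the article circles around: a hotspot can only rewrite pages it can read, so serving the site over HTTPS removes its ability to inject at all, and a Content-Security-Policy whose script-src lists the origin’s scripts by hash or nonce makes the browser refuse any script the origin did not declare, whoever inserted it.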
  17. Tomi Engdahl says:

    Home Depot Finally Confirms Its Payment System Was Hacked For Months
    http://techcrunch.com/2014/09/08/home-depot-finally-confirms-its-payment-system-was-hacked-for-months/

    Remember that “suspicious activity” that Home Depot was looking into last week?

    Six days later, the company has at last publicly confirmed that the “suspicious activity” was a breach of its payments system. Credit card data was exposed, though Home Depot is quick to note that PINs were not. If you used a credit card at Home Depot in the past 4-5 months, you should consider it stolen.

    The breach only affected its U.S. and Canadian stores…

    Home Depot has confirmed earlier reports that the breach was in place going back as far as April.

    Reply
  18. Tomi Engdahl says:

    BBC: ISPs Should Assume VPN Users Are Pirates
    http://tech.slashdot.org/story/14/09/08/2348240/bbc-isps-should-assume-vpn-users-are-pirates

    BBC is now getting involved in the copyright debates of other countries, notably Australia, where it operates four subscription channels.

    “Since the evolution of peer-to-peer software protocols to incorporate decentralized architectures, which has allowed users to download content from numerous host computers, the detection and prosecution of copyright violations has become a complex task. This situation is further amplified by the adoption of virtual private networks (VPNs) and proxy servers by some users, allowing them to circumvent geo-blocking technologies and further evade detection,” the BBC explains.

    Reply
  19. Tomi Engdahl says:

    Enigmail PGP plugin forgets to encrypt mail sent as blind copies
    User now ‘waiting for the bad guys come and get me with their water-boards’
    http://www.theregister.co.uk/2014/09/09/enigmail_encryption_error_prompts_plaintext_panic/

    Enigmail has patched a hole in the world’s most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked.

    The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month.

    Reply
  20. Tomi Engdahl says:

    Back-to-school Patch Tuesday: Critical updates for Internet Explorer, Adobe Reader
    Sysadmins, brace yourselves
    http://www.theregister.co.uk/2014/09/05/september_patch_tuesday_pre_alert/

    Reply
  21. Tomi Engdahl says:

    Everyone taking part in Patch Tuesday step forward. NOT SO FAST, Adobe!
    Critical fix will have to wait a few days
    http://www.theregister.co.uk/2014/09/09/everyone_taking_part_in_patch_tuesday_step_forward_not_so_fast_adobe/

    Adobe has pushed back the release date for a planned security fix in Acrobat and Reader.

    Adobe says the update, when it finally arrives, is a top deployment priority for both Windows and OS X users. The company said that the flaws, which have not yet been detailed for obvious reasons, included ‘critical’ vulnerabilities, a designation usually reserved for flaws which allow an attacker to remotely execute code without notification.

    Reply
  22. Tomi Engdahl says:

    Ultimate hardware hack: Home Depot nailed by vice merchants
    BlackPOS ‘Target’ malware implicated
    http://www.theregister.co.uk/2014/09/09/home_depot_fesses_up_indicates_april_hack/

    Do-it-yourself kingpin Home Depot has confirmed a report it was breached indicating the compromise occurred in April this year.

    The US retail chain was working with law enforcement over compromise of payment terminals across stores in the country.

    The statement says there is no evidence that debit card PINs were compromised and that the investigation was “focused on April forward”.

    Sources close to the investigation told the reporter an upgraded variant of the BlackPOS malware was behind the breach.

    The malware also known as Kaptoxa was responsible for the December breach of retail mega chain Target in which 40 million credit and debit cards were stolen.

    Reply
  23. Tomi Engdahl says:

    Hacker Hijacks Satoshi Nakamoto’s Email, Threatens to Reveal All
    http://www.coindesk.com/hacker-hijacks-satoshi-nakamoto-email/

    The bitcoin world is abuzz with speculation that some of Satoshi Nakamoto’s online accounts have been compromised, concerned a hacker could potentially access information concerning the bitcoin creator’s true identity or use the accounts to defraud key members of the bitcoin community.

    “Everyone knows that Bitcoin runs on drama, so this should do wonders for the recent price slump!”

    Many suggested the gmx.com address Nakamoto used had simply expired after a period of time and had been claimed by someone else.

    Satoshi Nakamoto’s true identity is bitcoin’s core enigma, not just because the creator of the world’s most successful cryptocurrency experiment remains anonymous after nearly six years, but because bitcoin’s rising price would make that person extremely wealthy.

    Some analysts say Satoshi Nakamoto’s bitcoin fortune could be as much as 1 million BTC, spread over a series of wallet address and the result of mining from bitcoin’s earliest days.

    Reply
  24. Tomi Engdahl says:

    Authy Raises $3M to End Nude-Photo Theft, Other Fraudulent Hacks
    http://blogs.wsj.com/venturecapital/2014/09/08/authy-raises-3m-to-end-nude-photo-theft-other-fraudulent-hacks/

    Seed investors have put $3 million into Authy Inc., a San Francisco startup that is bringing safer-than-password protection to an array of apps and services.

    This type of security is on the minds of many following the recent theft and unauthorized publication by hackers of celebrities’ nude photos from their personal Apple iCloud accounts.

    According to Authy’s newly appointed chief operating officer and president, Marc Boroditsky, here’s how the technology works:

    Developers add Authy’s “advanced authentication capability” to their Web or mobile apps by dropping a few lines of code into their system. Users of their Web and mobile apps install Authy on a device of choice, usually a mobile phone, tablet or laptop.

    When a user visits a site or uses an app or service that’s Authy-enabled, they are prompted for their user name and password, as usual, but then a box pops up asking for a one-time code that they get through an alert on their device-of-choice and input into the box.

    The code expires in about twenty seconds, making it nearly impossible for a hacker to divine what it is.

    The idea behind Authy is to give users of consumer technologies a simple way to log in to their favorite apps and sites securely, in a way that feels the same everywhere they go online. Today, various apps ask them to figure out ad hoc security features, and download various “two-factor authentication” apps—like those provided by Facebook or Google separately today.

    Reply
  25. Tomi Engdahl says:

    SoftLayer hardens up its hybrid cloud with TXT
    That’s Chipzilla’s Trusted Execution Tech, not a mere thumb’s up message
    http://www.theregister.co.uk/2014/09/09/softlayer_hardens_up_its_hybrid_cloud_with_txt/

    IBM’s SoftLayer public cloud branch has flicked the switch on Intel’s Trusted Execution (TXT) Technology, allowing users of its service to guarantee their code runs on identifiable servers.

    TXT allows users to validate a machine’s BIOS and hardware state, handy tricks because it means software can be tuned so it will only run on machines with known good states as verified by Intel’s software. That’s an especially useful trick in the cloud, because those considering cloud sometimes shy away due to compliance requirements. By making it possible to verify the state of a server on which a workload runs, SoftLayer removes one objection to vaporising workloads.

    TXT can also enable geo-fencing of workloads

    Reply
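The mechanism behind "only run on machines with known good states" is a measurement chain: each boot component is hashed and the hash is folded into a register that can only be extended, never written, and a verifier compares the final value with a golden one. The block below is an added, simplified illustration of that idea in Python; it is not Intel's TXT or SoftLayer's code, the component images and the "asset-tag" used for the geo-fencing check are constructed stand-ins, and a real deployment gets the register value from a TPM quote rather than from local computation.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # a freshly reset SHA-256 register


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be advanced, never set.
    new_pcr = SHA-256(old_pcr || digest)"""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Hash each boot component in order, extend the register, keep an event log.
    Returns (final_pcr, log) with log as a list of (name, digest_hex)."""
    pcr = PCR_INIT
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the register from the event log alone, as a remote verifier does."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(reported_pcr: bytes, log, golden: dict):
    """Return the policy whose known-good register value matches, or None."""
    if not hmac.compare_digest(replay_log(log), reported_pcr):
        return None  # log and register disagree: tampered or truncated log
    for policy, expected in golden.items():
        if hmac.compare_digest(reported_pcr, expected):
            return policy
    return None


# constructed sample components (stand-ins for real firmware images)
KNOWN_GOOD_EU = [
    ("bios", b"constructed BIOS image v1.02"),
    ("bootloader", b"constructed bootloader 3.1"),
    ("kernel", b"constructed kernel 3.16"),
    ("asset-tag", b"region=eu-west"),  # provisioned tag: the geo-fencing hook
]
KNOWN_GOOD_US = KNOWN_GOOD_EU[:-1] + [("asset-tag", b"region=us-east")]

# golden values the verifier keeps for each approved configuration
GOLDEN = {
    "eu-west-known-good": measure_boot(KNOWN_GOOD_EU)[0],
    "us-east-known-good": measure_boot(KNOWN_GOOD_US)[0],
}


def check_host(components):
    """Measure a host's boot chain and report which policy (if any) it satisfies."""
    pcr, log = measure_boot(components)
    return attest(pcr, log, GOLDEN)


if __name__ == "__main__":
    print(check_host(KNOWN_GOOD_EU))  # eu-west-known-good
    print(check_host([("bios", b"modified")] + KNOWN_GOOD_EU[1:]))  # None
```

Two properties carry the weight here: a changed or reordered component changes every later register value, so the final value cannot be steered back to the golden one, and the event log is only trusted after it replays to the same value the hardware reports.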
  26. Tomi Engdahl says:

    China is now 99.8% sure you’re you, thanks to world’s-best facial recognition wares
    Travelling to Beijing? Better grow a mo, horns, pack on some pounds and pray
    http://www.theregister.co.uk/2014/09/09/china_builds_998_accurate_facial_recog_system/

    Chinese researchers have developed a facial recognition system that can pick faces from a crowd with 99.8 percent accuracy from 91 angles.

    The platform can distinguish between identical twins, unravel layers of makeup and still identify an individual if they’ve packed on or shed kilos.

    Researcher Zhou Xi of the Chinese Academy of Science told local reporters the system would be built into a fondleslab app next year.

    Reply
  27. Tomi Engdahl says:

    6 tips for smartphone privacy and security
    http://www.csoonline.com/article/2134333/social-networking-security-tips-for-smartphone-pri/social-networking-security/6-tips-for-smartphone-privacy-and-security.html

    Computer forensic expert Ronald Kaplan thinks you should stop using your smartphone if you want any semblance of privacy in today’s digital world. But, if you insist on keeping yourself electronically tethered, here are some ways to minimize the privacy and security risks

    Reply
  28. Tomi Engdahl says:

    11 sure signs you’ve been hacked
    http://www.csoonline.com/article/2134125/data-protection1-sure-signs-you-39-ve-been-hacked/data-protection/11-sure-signs-you-39-ve-been-hacked.html

    In today’s threatscape, antivirus software provides little peace of mind. In fact, antimalware scanners on the whole are horrifically inaccurate, especially with exploits less than 24 hours old. After all, malicious hackers and malware can change their tactics at will. Swap a few bytes around, and a previously recognized malware program becomes unrecognizable.

    To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Other programs use virtualized environments, system monitoring, network traffic detection, and all of the above at once in order to be more accurate. And still they fail us on a regular basis.

    Here are 11 sure signs you’ve been hacked and what to do in the event of compromise. Note that in all cases, the No. 1 recommendation is to completely restore your system to a known good state before proceeding. In the early days, this meant formatting the computer and restoring all programs and data. Today, depending on your operating system, it might simply mean clicking on a Restore button. Either way, a compromised computer can never be fully trusted again.

    Reply
  29. Tomi Engdahl says:

    Use home networking kit? DDoS bot is BACK… and it has EVOLVED
    OMG, it reconfigures your firewall… SAVE yourselves, Linux lords
    http://www.theregister.co.uk/2014/09/09/linux_modem_bot/

    A router-to-router bot first detected two years ago has evolved – and now has the capability to reconfigure the firewalls of its victims.

    The Lightaidra malware captured by security researcher TimelessP (@TimelessP) is an IRC-based mass router scanner/exploiter that’s rare because it spreads through consumer network devices instead of vulnerable Windows PCs. TimelessP detected the router-to-router bot using a honeypot.

    Variants of the malware cropped up in DDoS attack tools that run on Linux spotted by security researchers from Malware Must Die back in May. The ELF DDoS tool, for example, was based on Lightaidra and capable of running on Linux-based workstations, servers and routers.

    “I’ve watched the attacks evolve over time… [This] was the first one I saw that reconfigures the firewall in the downloader,”

    “Antivirus software would have been of little use here.”

    Reply
  30. Tomi Engdahl says:

    Google recommends pronounceable passwords
    Super Chrome goes into battle with Mr Mxyzptlk
    http://www.theregister.co.uk/2014/09/07/google_recommends_pronounceable_passwords/

    Google has updated its password manager to recommend pronounceable passwords within its flagship Chrome browser.

    “As soon as you focus the password field, a nice overlay will suggest you a strong and pronounceable password that will be saved in your Chrome passwords,” Beaufort said.

    “… Chromium uses a C library that provides an implementation of FIPS 181 Automated Password Generator.”

    The update is Google’s latest encroachment into the territory of online password management dominated by LastPass and 1Password, who could well feel threatened as Chrome builds in functionality they once offered as third-party value adds.

    Reply
  31. Tomi Engdahl says:

    PayPal Finally Embraces Bitcoin
    This integration will allow Braintree customers to accept bitcoin as a payment method.
    http://www.fastcompany.com/3035430/fast-feed/paypal-finally-embraces-bitcoin

    For PayPal, it was a question of when. The payments company has long hedged on its stance on bitcoin

    On Monday, PayPal finally came to embrace bitcoin, with its subsidiary Braintree integrating the cryptocurrency into its vzero.sdk tool released in July. Braintree is using Coinbase to process bitcoin payments.

    “This will be PayPal’s first foray into bitcoin,” said Braintree CEO Bill Ready, who sold his startup to the payments giant last fall for $800 million. “We think both the One Touch mobile payments that we announced as well as bitcoin will be high interest to merchants.”

    This update will allow its customers–including Uber, Airbnb, TaskRabbit, and HotelTonight–to easily accept bitcoin as a payment method.

    Reply
  32. Tomi Engdahl says:

    YouTube, Amazon and Yahoo! caught in malvertising mess
    Cisco says ‘Kyle and Stan’ attack is spreading through compromised ad networks
    http://www.theregister.co.uk/2014/09/10/big_names_caught_in_kyle_and_stan_malicious_ad_attack/

    Cisco has spotted some big names serving up malicious advertising: YouTube, Amazon and Yahoo! among them.

    A Borg blogger, Armin Pelkmann, with fellow-authors Shaun Hurley and David McDaniel, writes that what the company calls the “Kyle and Stan” malware campaign began in May, and uses redirects to try and trick users into downloading a new media player that ships malware in its payload.

    The high-profile serving domains – along with many others – are, of course, receiving the “malvertising” from ad networks that have been tricked into hosting the attack content.

    The aim is to get punters to download and install a file that’s a “bundle of legitimate software, like a media-player”, with a “unique-to-every-user configuration” that gets compiled into the downloaded file.

    There’s no “drive-by” component to the attack, however: so far, the post notes, the attackers are relying on social engineering to trick users into the install.

    Reply
  33. Tomi Engdahl says:

    OpenSSL promises devs advance notice of future bugs, slaps if they blab
    Future Heartbleeds without the heartache
    http://www.theregister.co.uk/2014/09/10/openssl_to_open_up_about_bugs/

    In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes.

    The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the openssl-announce list but not details of specific issues.

    “OpenSSL embargoes should be measured in days and weeks, not months or years”,

    Reply
  34. Tomi Engdahl says:

    We lift the lid on Intel’s Pro 2500 SSD. Shock, horror: It doesn’t use its own NAND chips
    Encryption and toolkit tinkering for all
    http://www.theregister.co.uk/2014/09/10/review_storage_intel_ssd_pro_2500_240gb/

    Intel has been busy of late launching SSDs for both the consumer market and for the data centre/enterprise segments

    Intel offers the Pro 2500 in three formats and has a broad range of capacities. The 2.5-inch form factor has 120, 180, 240, 360 and 480GB storage options.

    As befitting the market at which they are aimed, the Pro 2500 drives come loaded to the gills with data protection. For a start, these are self-encrypting drives (SED) using 256-bit encryption that is hardware based. The drives have support for TCG Opal 2.0 (the Pro 1500 only supported v1.0) and IEEE-1667 for Microsoft’s eDrive, although this is turned off by default.

    If you want to use IEEE-1667, it can be turned on by using the new Intel SSD Pro Administrator Tool, a command line utility that also allows IT administrators to perform a complete PSID revert, should the drive’s encryption key get lost.

    Reply
  35. Tomi Engdahl says:

    Salesforce Warns of Potential Malware Attack
    http://www.entrepreneur.com/article/237259

    Cloud-based business software company Salesforce said Tuesday that a particular type of malware that usually goes after information at large financial companies could be taking aim at its users.

    The destructive software, called Dyre malware or Dyreza, steals user log-in data, according to the statement released by Salesforce today.

    Bank of America, Natwest, Citibank, RBS, Ulsterbank have all been targets of the Dyre malware previously, according to a statement from Danish security company CSIS released earlier this summer.

    The malware shows up in a user’s email account as spam and asks a customer to download a file with information regarding a financial account, CSIS says.

    Reply
  36. Tomi Engdahl says:

    we recommend you leverage the following security capabilities of the Salesforce Platform:

    Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN

    Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source

    Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.

    Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

    Source: https://help.salesforce.com/apex/HTViewSolution?urlname=Security-Alert-Dyre-Malware&language=en_US

    Reply
  37. Tomi Engdahl says:

    Show us your Five-Eyes SECRETS says Privacy International
    Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
    http://www.theregister.co.uk/2014/09/10/show_us_your_fiveeyes_secrets_says_privacy_international/

    Privacy International has taken the “Five-Eyes” spying issue to court, filing a demand that the agreements between participant countries – the US, the (currently) UK, Canada, Australia and New Zealand – be made public.

    As the group explains, “Privacy International has asked the European Court of Human Rights to rule that intelligence agencies should not be entitled to keep the details of such arrangements hidden from the public.”

    Reply
  38. Tomi Engdahl says:

    Payment security bods: Nice pay-by-bonk (which NO ONE uses) on iPhone 6, Apple
    Retailers won’t lose sales ‘cos they can’t take mobe payments
    http://www.theregister.co.uk/2014/09/10/apple_pay_reaction/

    Apple’s confirmation that the iPhone 6 will enable contactless payments via NFC has received a broadly positive reaction from security firms and payment processing vendors.

    Apple said it wouldn’t access any payment data, so the transaction would take place between a user, bank and retailer. This privacy, along with ease of use, are among the main selling points for the Apple Pay technology.

    More than 220k merchants that accept contactless payments will accept Apple Pay. Visa and Mastercard will also support the technology, which is due to be rolled out initially in the US. The technology is compatible with the upcoming Apple Watch as well as the iPhone 6 and iPhone 6 Plus.

    “If the iPhone 6 lives up to the hype, it could take a whole swathe of consumers one step closer to ditching their wallets, but things won’t change overnight,” Hobday commented. “Retailers should be looking to boost investment in new payment readers when it’s clear customers are ready to use them en masse. We’ve seen a 248 per cent increase in contactless payments since 2012, but it has taken eight years to get to a point where consumers are comfortable enough to really start using the technology.”

    Payment card data breaches at retailers are at the top of the news thanks to the recently disclosed breach at Home Depot, which comes months after a similar breach at US retail giant Target.

    Payments expert Avivah Litan of Gartner has a thoughtful article on whether Apple Pay will save merchants from data breaches. She’s positive about the technology, particularly in the US where “Chip (EMV) cards will take at least five to seven years to become more or less ubiquitous… and merchants can’t wait that long to protect themselves and their card data.”

    “This is very exciting news and has the potential to change the payment landscape, at least in the US, where merchants are being breached every other day and are up to their eyeballs in security issues and expenses,” Litan writes. “Apple can certainly ride the security wave and offer merchants and consumers more secure payments.”

    “At a time when many in the market are moving towards biometric for payments, Apple’s decision to go for NFC – a technology that up until now has struggled to clearly stamp its mark on the payments industry – is a bold one.”

    Reply
  39. Tomi Engdahl says:

    It’s a pain in the ASCII, so what can be done to make patching easier?
    Give us the tools
    http://www.theregister.co.uk/2014/09/10/software_patching/

    Like most of you reading this article, I neglect good patching hygiene.

    There are very good reasons why we should all of us obsessively test every patch and patch our systems immediately, but patching is a pain in the ASCII.

    The tools suck, rebooting sucks, and most damning of all, something usually breaks.

    Each PC, and most servers, have more applications installed today than they did back when I were a lad. Everything is also far more interconnected and interdependent. In today’s world, patches cascade, and there are ever so many of them.

    Multiple authentication and identity sources are baked into virtually everything – each a separate API, client application or server of its own to worry about.

    Server applications are often a database, a web server of some variety and a set of binaries running on one or more operating systems spread across who knows how many hosts.

    Rebooting is a huge part of the problem with patching. All operating systems have the issue to some degree, but Microsoft’s Windows causes the vast bulk of the frustration.

    When you are patching a server you require one of two things. You can have an expensive high-availability infrastructure that ensures you can take down individual copies of whatever server application you are using without a loss in service; or you can schedule maintenance windows.

    Companies, employees and customers expect 24/7 access to everything. For many of us, scheduling downtime takes almost as much time as the patching itself.

    It is even worse on the end-user side. Rebooting desktops is a right royal pain.

    Far too many of us simply don’t test patches. In some cases this is due to limited lab space, but often doing the update dance takes so long that it is worth taking a risk.

    Rolling back changes because of a patch issue is something we have to do only every year or two. Patch testing can take days out of every month.

    None of us is going to like patching, but if we get the proper tools involved, at least we can make it bearable.

    Reply
  40. Tomi Engdahl says:

    How to Protect Yourself From Big Bank-Card Hacks
    http://www.wired.com/2014/09/avoid-bank-card-breach-hassle/

    With hackers stealing millions of credit and debit card numbers with seeming impunity from Target, Home Depot, and other retailers lately, it might seem as if there’s nothing the average consumer can do to protect themselves.

    But you don’t have to rely on the security of Big Box retailers to shield you. With a couple of precautions, you can dramatically reduce the hassle and expense of a bank card breach if you are hit. Though you can’t guard against every scenario, a little op sec goes a long way.

    Use Prepaid or Single-Use Cards for Ecommerce

    If you have automatic card payments set up for Netflix or your gym membership, you’ll have to cancel the card data for each account and update it when the bank issues you new digits.

    Single-use, or disposable, credit card numbers are tied to your real card number, but can prevent that number from being exposed if a site is hacked. Citibank, Bank of America and Discover all offer disposable card numbers.

    Never Use Debit Cards Except to Withdraw Funds at Bank ATM

    With a credit card, you can always dispute fraudulent charges before you pay them. That’s not the case with a debit card, which is tied directly to your bank account.
    You can still get reimbursement for fraud on a debit card, but it will probably be well after the fact: hackers can drain your funds before you know the card number has been stolen.
    So treat your debit card with extra security. Don’t use it at gas pumps or other spots prone to skimming.

    Reply
  41. Tomi Engdahl says:

    The Satoshi Nakamoto Email Hacker Says He’s Negotiating with the Bitcoin Founder
    http://motherboard.vice.com/read/the-satoshi-nakamoto-email-hacker-says-hes-negotiating-with-the-bitcoin-founder

    Motherboard was able to communicate with two individuals who have access to Nakamoto’s old email address. The first said he was only browsing Nakamoto’s for fun. The second not only claimed to be the real hacker of the account, but also said the first person we spoke with was Nakamoto himself.

    Reply
  42. Tomi Engdahl says:

    Is the Future of Digital Security in Our Veins?
    http://motherboard.vice.com/read/future-digital-security-is-in-our-veins?trk_source=popular

    Biometrics is the supposed future of security, but the actual biology likely to wind up providing that protection is less assured than it may appear. Sure, fingerprint scanners are well on their way to proper ubiquity, but at the same time that technology is hardly airtight or even close.

    Passwords by now should be as archaic as vacuum tubes, but here we are, dependent on awkward two-step verification systems for any semblance of proper security. One relatively recent suggestion involves the replacement of passwords with good old fashioned blood.

    You may have already heard about Hitachi’s VeinID system, in which “near-infrared light is transmitted through the finger and partially absorbed by hemoglobin in the veins to capture a unique finger vein pattern profile, which is then matched with a pre-registered profile to verify individual identity,” according to the Hitachi sales pitch. While vein ID technology shares some of the failings of fingerprint recognition—a user is stuck with their veins and fingerprints for life, after all—unlike prints, one doesn’t leave copies of their vein structures all over the place. Also unlike prints, vein recognition only works if the user is alive, as the signature disappears just as soon as blood-flow disappears.

    Reply
  43. Tomi Engdahl says:

    FBI Lied About How it Obtained Silk Road Server Location Says Security Expert
    http://www.ibtimes.co.uk/fbi-lied-about-how-it-obtained-silk-road-server-location-says-security-expert-1464552

    A security expert claims the FBI is lying about how it located the Icelandic server hosting the Silk Road underground drugs bazaar.

    FBI said that it had used a misconfiguration in the Silk Road login page to reveal the internet protocol (IP) address of the server.

    “No matter how much I intentionally misconfigured the server, or included scripts from clearnet hosts, I never observed traffic from a non-Tor node or a ‘real’ IP address.”

    So, does this mean the FBI did get its information from the NSA illegally and that Tor’s encryption has been broken?

    Cubrilovic doesn’t think so.

    “The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were. What we do know is that their description of ‘packet sniffing’ for the IP through a ‘leak’ is impossible,” Cubrilovic said.

    Reply
  44. Tomi Engdahl says:

    4.93 million Gmail usernames and passwords published, Google says ‘no evidence’ its systems were compromised
    http://thenextweb.com/google/2014/09/10/4-93-million-gmail-usernames-passwords-published-google-says-evidence-systems-compromised/

    Approximately 4.93 million Gmail usernames and passwords were published to a Russian Bitcoin forum on Tuesday, as first reported by Russian website CNews. That’s the bad news. The good news is that this leak doesn’t seem as massive upon further inspection.

    First off, we got in touch with Google regarding the issue. The company does not believe this is the result of any sort of security breach on its end.

    Next, since the posting, the forum administrators have purged the passwords from the text file in question, leaving only the logins.

    A quick analysis of the text file shows it includes mainly English, Spanish, and Russian accounts, but also that it seems to combine older lists accumulated over a longer period of time.

    As a result, this leak likely affects significantly fewer than 5 million users.

    If you want to check whether your account is included in the leak, you can head to isleaked.com and input your email address

    Google has taken steps to help them secure their accounts and given them usual recommendations to protect their devices from malware. The company also recommended enabling 2-step verification.

    Reply
  45. Tomi Engdahl says:

    Stronger security for your Google Account
    http://www.google.com/intl/en/landing/2step/

    With 2-Step Verification, you’ll protect your account with both your password and your phone

    Reply
  46. Tomi Engdahl says:

    Why Google is Hurrying the Web to Kill SHA-1
    https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

    Most of the secure web is using an insecure algorithm, and Google’s just declared it to be a slow-motion emergency.

    Something like 90% of websites that use SSL encryption — [green lock] — use an algorithm called SHA-1 to protect themselves from being impersonated.

    Unfortunately, SHA-1 is dangerously weak, and has been for a long time. It gets weaker every year, but remains widely used on the internet. Its replacement, SHA-2, is strong and supported just about everywhere.

    By rolling out a staged set of warnings, Google is declaring a slow-motion emergency, and hurrying people to update their websites before things get worse. That’s a good thing, because SHA-1 has got to go, and no one else is taking it as seriously as it deserves.

    As importantly, the security community needs to make changing certificates a lot less painful, because security upgrades to the web shouldn’t have to feel like an emergency

    An attack on SHA-1 feels plenty viable to me

    In 2005, cryptographers proved that SHA-1 could be cracked 2,000 times faster than predicted. It would still be hard and expensive — but since computers always get faster and cheaper, it was time for the internet to stop using SHA-1.

    Then the internet just kept using SHA-1. In 2012, Jesse Walker wrote an estimate, reprinted by Bruce Schneier, of the cost to forge a SHA-1 certificate. The estimate uses Amazon Web Services pricing and Moore’s Law as a baseline.

    Walker’s estimate suggested then that a SHA-1 collision would cost $2M in 2012, $700K in 2015, $173K in 2018, and $43K in 2021. Based on these numbers, Schneier suggested that an “organized crime syndicate” would be able to forge a certificate in 2018, and that a university could do it in 2021.

    In 2012, researchers uncovered a malware known as Flame.

    Flame relied on an SSL certificate forged by engineering a collision with SHA-1’s predecessor, MD5.

    And it’s a funny story about MD5, because, like SHA-1, it was discovered to be breakably weak a very long time ago, and then, like SHA-1, it took a horrifying number of years to rid the internet of it.

    What browsers are doing

    Microsoft was the first to announce a deprecation plan for SHA-1, where Windows and Internet Explorer will distrust SHA-1 certificates after 2016. Mozilla has decided on the same thing. Neither Microsoft nor Mozilla have indicated they plan to change their user interface in the interim to suggest to the user that there’s a problem.

    Google, on the other hand, recently dropped a truth bomb by announcing that Chrome would show warnings to the user right away, because SHA-1 is just too weak

    To help with the transition, I’ve built a small website at shaaaaaaaaaaaaa.com that checks whether your site is using SHA-1 and needs to be updated

    Requesting a new certificate is usually very simple. You’ll need to generate a new certificate request that asks your CA to use SHA-2, using the -sha256 flag.

    openssl req -new -sha256 -key your-private.key -out your-domain.csr

    SHA-1 roots: You don’t need to worry about SHA-1 root certificates that ship with browsers, because their integrity is verified without using a digital signature.

    Reply
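Whether a certificate "uses SHA-1" is decided by the signature algorithm OID the CA put in it, and that is a few bytes of DER you can read without a TLS library. The following is an added example, not the konklone.com author's shaaaaaaaaaaaaa.com checker nor OpenSSL code: a minimal DER walker in Python that pulls the outer signatureAlgorithm out of an X.509 certificate and flags the SHA-1 variants. It works on a real DER or PEM certificate because the X.509 outer structure is fixed; the sample certificates built by `sample_certificate` are constructed, unsigned, Certificate-shaped blobs so the example runs offline.

```python
import base64

# Signature-algorithm OIDs (RFC 3279, 4055, 5758) and the digest each one uses
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """OID contents octets -> dotted string (first byte packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:  # base-128 digits, high bit set means "more follows"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The second element is the AlgorithmIdentifier the CA actually signed with."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)  # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def check_certificate(cert_der: bytes):
    """Returns (algorithm name, digest, needs_replacing)."""
    oid = signature_oid(cert_der)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown (%s)" % oid, "unknown"))
    return name, digest, digest == "sha1"


def load_pem(text: str) -> bytes:
    """Strip the -----BEGIN/END----- lines and base64-decode the body."""
    lines = [ln for ln in text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


# --- helpers that build a constructed, unsigned Certificate-shaped sample ---
def der(tag: int, body: bytes) -> bytes:
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid: str) -> bytes:
    """Constructed stand-in: right outer shape, placeholder body, no real signature."""
    tbs = der(0x30, der(0x02, b"\x02"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # OID + NULL params
    sig = der(0x03, b"\x00" + b"\x00" * 64)
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_certificate(sample_certificate(oid)))
```

Run `check_certificate` over every certificate a server sends, leaf and intermediates alike, since a SHA-1 intermediate trips the same browser warnings as a SHA-1 leaf; the root is the one exception, for the reason the comment gives.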
  47. Tomi Engdahl says:

    SHA-2: Very cryptographic. So secure. Such growth. Wow.
    http://news.netcraft.com/archives/2014/05/05/sha-2-very-cryptographic-so-secure-such-growth-wow.html

    Use of the SHA-2 cryptographic signature algorithm has received a significant boost in the wake of the Heartbleed Bug.

    Practical attacks against the SHA-1 algorithm are now within reach of government agencies, giving them the opportunity to construct a pair of different SSL certificates with the same SHA-1 digest. Ultimately, this could enable an attacker to impersonate secure websites using a variant of the attack that worked against MD5 in 2008.

    Reply
  48. Tomi Engdahl says:

    Clever trick will safeguard Apple Watch from thieves
    http://www.cultofmac.com/295024/apple-watch-anti-theft/

    One of the big questions about the Apple Watch is how Apple will prevent thieves from ripping it off your wrist and using it to clear your bank account.

    Because the Apple Watch is connected to Apple Pay — making purchases as easy as a quick swipe — what’s to stop miscreants from abusing it?

    Thanks to sensors on the Apple Watch’s back, the device can tell when it’s being worn and when it has been taken off.

    Reply
  49. Tomi Engdahl says:

    Cleaning up after password dumps
    http://googleonlinesecurity.blogspot.fi/2014/09/cleaning-up-after-password-dumps.html

    One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials.

    We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.

    A few final tips: Make sure you’re using a strong password unique to Google. Update your recovery options so we can reach you by phone or email if you get locked out of your account. And consider 2-step verification, which adds an extra layer of security to your account.

    Reply
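The "less than 2% might have worked" figure comes from doing what any site holding accounts should do when a dump appears: parse the list, look up each entry against your own user store, and check the dumped password against the stored salted hash so the affected accounts can be forced through a reset. The block below is an added example of that triage in Python, not Google's tooling; the user store, the PBKDF2 iteration count and the dump lines are constructed for the example and the plaintext passwords exist only to build the sample store.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 50_000  # assumption for the example; production stores use more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_store(plaintext_accounts):
    """Build {email: (salt, hash)} as a site would hold it.
    Plaintexts are used only to construct the sample; a real store never has them."""
    store = {}
    for email, password in plaintext_accounts:
        salt = secrets.token_bytes(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


def parse_dump(text: str):
    """Yield (email, password) from 'user:pass', 'user;pass' or tab-separated lines.
    Splits on the first separator found, which is a simplification for mixed lists."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for sep in (":", ";", "\t"):
            if sep in line:
                user, _, password = line.partition(sep)
                yield user.strip().lower(), password
                break


def find_working_credentials(dump_text: str, store: dict):
    """Sorted list of our accounts whose dumped password still matches the stored hash."""
    hits = set()
    for email, password in parse_dump(dump_text):
        record = store.get(email)
        if record is None:
            continue  # not one of our users; nothing to reset
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            hits.add(email)
    return sorted(hits)


# constructed sample data (not a real dump, not real accounts)
USER_STORE = make_user_store([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
])

SAMPLE_DUMP = """\
# constructed credential list for the example
alice@example.com:correct horse battery staple
bob@example.com:wrong-password
Carol@Example.com;Tr0ub4dor&3
nobody@example.org:password123
"""


def triage(dump_text: str = SAMPLE_DUMP, store: dict = USER_STORE):
    """Summarise a dump: how many entries, which of our accounts need a forced reset."""
    working = find_working_credentials(dump_text, store)
    entries = sum(1 for _ in parse_dump(dump_text))
    return {"entries": entries, "reset_required": working,
            "working_fraction": len(working) / entries if entries else 0.0}


if __name__ == "__main__":
    print(triage())
```

Keep the plaintexts out of logs and tickets while doing this: the output that matters is the list of account identifiers to reset, and the match rate, which is the number the Google post reports.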
  50. Tomi Engdahl says:

    Microsoft refuses to hand over foreign data, held in contempt of court
    http://www.zdnet.com/microsoft-refuses-to-hand-over-foreign-data-held-in-contempt-of-court-7000033508/

    Summary: Although the agreement with the U.S. government does not land the technology giant in any trouble for now, it could still face repercussions.

    Reply
