Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article “Security Professionals: Top Cyber Threat Predictions for 2014” lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and how on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article “More Than Half of Internet Traffic Is Just Bots” says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to do that. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clear-up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mails, web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to enhance its operation (for example updating in real time, verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value can easily drop considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of Bitcoins have been stolen lately (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    How an FBI Informant Led the Hack of British Tabloid “The Sun”
    http://yro.slashdot.org/story/14/10/16/0230254/how-an-fbi-informant-led-the-hack-of-british-tabloid-the-sun

    Hector Xavier Monsegur, also known online as “Sabu,” was caught by the FBI in June of 2011 for a litany of hacking-related offenses and, within hours, began cooperating with authorities in hopes of receiving a lenient sentence.

    How an FBI Informant Ordered the Hack of British Tabloid ‘The Sun’
    http://motherboard.vice.com/read/how-an-fbi-informant-ordered-the-hack-of-british-tabloid-the-sun-1

    Now, never-before-published FBI records and exclusive interviews detail how the informant rallied other hackers to attack various News Corp. interests, including The Sun, at a time that the FBI has said it was tracking all of Monsegur’s online activity.

    Software placed on Monsegur’s computer gave the FBI real-time access to chat rooms where the attack against The Sun and others were hatched. It’s unclear if the plot was a sting gone too far, or if the FBI was even aware that one of its informants had organized an attack on a foreign newspaper.

    In an Internet Relay Chat channel aptly named #!sunnydays, logs saved by Monsegur’s FBI-provided computer show the informant intended to maximize the impact of the hack: Not only did he express his intentions to embarrass Murdoch, but to peripherally sabotage the credibility of various outlets by spreading misinformation to a handful of eager journalists.

    Hacktivists first began plotting in #!sunnydays on July 12, 2011, and were in and out of The Sun’s server for nearly a week before the operation pinnacled with the group publishing Murdoch’s fake obituary on July 18.

    Reply
  2. Tomi Engdahl says:

    Chat logs reveal FBI informant Sabu’s role in hacking of Sun newspaper
    http://www.theguardian.com/us-news/2014/oct/14/fbi-informants-role-hacking-sun-newspaper-lulzsec-chat-logs

    US agency faces questions after records show Lulzsec leader Hector Monsegur, who was informant at time, helped attack that closed UK sites

    Reply
  3. Tomi Engdahl says:

    Twitter, Cloudflare kill SSL 3.0 … and here’s how YOU CAN TOO
    Flawed HTTPS protocol axed amid attack fears
    http://www.theregister.co.uk/2014/10/15/poodle_ssl3_twitter_cloudflare/

    Websites and web browser makers are moving quickly to ditch the outdated SSL 3.0 encryption protocol for HTTPS following the discovery of a worrying design flaw.

    On Tuesday, Google researchers published details about the shortcoming, dubbed POODLE, which allows eavesdroppers to crack encrypted web traffic.

    More specifically, it allows hackers to intercept and decrypt sensitive information – such as secret session cookies – in transit, and ultimately hijack victims’ online accounts.

    Ideally, websites and browsers should use TLS 1.2 for protecting data on-the-fly, but POODLE attacks use a loophole to force software to drop down to SSL 3.0, an 18-year-old protocol that was superseded by TLS.

    “On its own, POODLE merely makes certain cipher choices no longer as trustworthy,” the company said.

    “Unfortunately, these were the last ciphers that were even moderately trustworthy – the other ciphers available in SSLv3 having fallen into untrustworthiness due to insufficient key size (RC2, DES, Export ciphers); cryptanalytic attacks (RC4); or a lack of browser support (RC2, SEED, Camellia). The POODLE attack takes out the remaining two (3DES and AES) as trustworthy (and covers SEED and Camellia as well, so we can’t advocate for those).”

    Reply
  4. Tomi Engdahl says:

    Man bites dog: HTTPS-menacing POODLE is ‘hard to exploit’ – unless you’re on public Wi-Fi
    Avoid sketchy pub wireless, warn infosec bods
    http://www.theregister.co.uk/2014/10/16/poodle_analysis/

    Analysis Mozilla will ditch support for the insecure SSL 3.0 from Firefox next month, following the discovery of a design flaw in the protocol that allows hackers to hijack victims’ online accounts.

    SSL v3 will be disabled by default in Firefox 34, due to be released on 25 November. Security experts are unanimous that sysadmins and programmers should drop support for the obsolete encryption tech from servers and applications, but split on the seriousness of the bug.

    Like Heartbleed, POODLE is an information-disclosure bug rather than a code-injection hole. Put simply, the shortcoming leaves encrypted data open to snooping by determined miscreants.

    SSL 3.0 was introduced in 1996, and superseded by TLS in January 1999 – so it’s high time to ditch the technology. However, to maintain backwards compatibility with older browsers (cough, Internet Explorer 6), SSL v3 is still widely supported by servers, hence why it’s still lurking as a danger today.

    This is really bad news because it means hackers can force servers to use the unsafe SSL 3.0 protocol rather than TLS, and then exploit the POODLE flaw

    Attacks are likely to be already in development, Whitehouse warned.

    “We expect tooling to exploit POODLE to be released shortly. Exploitation will be most likely in a malicious Wi-Fi hotspot scenario, or when travelling to a country where there is a risk of active state-driven attacks.”

    Even after vulnerable computers and servers are patched, the risk from POODLE will still be there thanks to vulnerable networking gear and Internet-of-Things devices that cannot be easily patched to drop SSL v3 support, if at all.

    “The long tail of POODLE will be all of the non-browser applications using SSL for transport encryption and hardcoded for SSLv3,” noted Metasploit founder HD Moore in an update to his personal Twitter account.

    Gavin Millard, EMEA technical director at Tenable Network Security, explained: “Whilst POODLE could be seen as an important vulnerability, affecting an encryption standard that still remains in common browsers for backwards compatibility, the reality is it’s difficult to exploit and requires same network access to systems that are vulnerable to the downgrade. Whilst it’s true that if successfully used, a malicious attacker could expose private data leading to further exploitation, POODLE is far from the severity of recent bugs like Heartbleed or Shellshock.”

    “POODLE could be a welcome death blow to an ancient standard, forcing the move towards better encryption for the few that still use it to benefit the many that don’t,”

    Reply
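The server-side change these POODLE reports call for, dropping SSL 3.0 from the protocol list, can be checked mechanically. The following is an added example, not part of the original comments or the quoted articles: a small Python auditor for Apache `SSLProtocol` and nginx `ssl_protocols` lines. The sample configurations and file paths are constructed, and three things are assumptions: Apache's `all` is expanded to SSLv3 through TLSv1.2, bare Apache protocol names are treated as additive (which can only over-report), and an nginx TLS server without an `ssl_protocols` line is assumed to fall back to a default that still included SSLv3 at the time.

```python
import re

# Assumption: protocols Apache's "all" shortcut stood for on 2014-era builds.
APACHE_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BROKEN = {"SSLv2", "SSLv3"}  # protocols that must no longer be offered
CANON = {p.lower(): p for p in ("SSLv2",) + APACHE_ALL}

# An active (uncommented) protocol directive and its arguments.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.IGNORECASE)


def apache_protocols(args):
    """Effective protocol set for an Apache SSLProtocol argument string.

    Tokens are applied left to right; "-X" removes X, "+X" and bare "X" add it.
    Treating bare names as additive is a conservative assumption of this example.
    """
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(APACHE_ALL)
        else:
            names = {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_protocols(args):
    """nginx lists the enabled protocols explicitly, with no +/- syntax."""
    return {CANON.get(tok.lower(), tok) for tok in args.split()}


def audit(text):
    """Return (line number, directive, broken protocols) for each weak line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, args = match.group(1), match.group(2).strip()
        if directive.lower() == "sslprotocol":
            enabled = apache_protocols(args)
        else:
            enabled = nginx_protocols(args)
        weak = sorted(enabled & BROKEN)
        if weak:
            findings.append((lineno, directive, weak))
    return findings


def nginx_relies_on_default(text):
    """Heuristic: TLS is configured but no ssl_protocols line overrides the default."""
    has_tls = re.search(r"^\s*ssl_certificate\s", text, re.MULTILINE) is not None
    has_list = re.search(r"^\s*ssl_protocols\s", text, re.MULTILINE) is not None
    return has_tls and not has_list


# Constructed sample configurations (not taken from any real server).
APACHE_BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
NGINX_BEFORE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_AFTER = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_DEFAULT = (
    "server {\n"
    "    listen 443 ssl;\n"
    "    ssl_certificate /etc/nginx/example.crt;\n"
    "    ssl_certificate_key /etc/nginx/example.key;\n"
    "}\n"
)

if __name__ == "__main__":
    samples = [("apache before", APACHE_BEFORE), ("apache after", APACHE_AFTER),
               ("nginx before", NGINX_BEFORE), ("nginx after", NGINX_AFTER)]
    for label, cfg in samples:
        print(label, audit(cfg) or "no SSLv2/SSLv3 enabled")
    print("nginx without ssl_protocols relies on default:",
          nginx_relies_on_default(NGINX_DEFAULT))
```

A clean result only covers the file that was read; protocol settings inherited from other included files or virtual hosts need the same check.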
  5. Tomi Engdahl says:

    ISIS– Largest, Richest $2Billion Terror-Based Enterprise: Financial Sophistication Rivaling Wall Street
    http://bizshifts-trends.com/2014/09/28/isis-largest-riches-terror-organization-ever-high-growth-enterprise-2-billion-terror-based-economy/

    ISIS (Islamic State of Iraq and the Levant) is the world’s largest, richest terrorist organization, ever. It’s a self-sustaining enterprise that runs mainly on extortion and crime networks, hostages, oil, donations… According to Martin Chulov; ISIS has grown from a ragtag band of extremists to perhaps the most cash-rich and capable terror group in the world with a $2 billion jihadist network. The scale of ISIS resources is unprecedented: A terrorist organization while ruthless, but still able to occupy large areas of territory, quickly…

    Reply
  6. Tomi Engdahl says:

    Securobods rage over $600k Kickstarter Tor box components
    Devs insist: It’s NOT just an off-the-shelf circuit board
    http://www.theregister.co.uk/2014/10/16/rage_as_kickstarters_600k_anonabox_built_on_borrowed_kit/

    The Californian developer told Vulture South Anonabox was an original build and was designed by an engineer friend who sourced materials based on his requirements.

    “The engineer who designed the board for us didn’t start with an empty canvas [because] it would take too much time. He used files he had from other customers and projects and modified them to meet our specs.”

    “This is pretty normal, and it’s partially why devices such as cellphones all look the same.”

    Press outlets which covered the Anonabox Kickstarter campaign were not told of the hardware OEM sourcing, nor of underlying code reliance on the PORTAL project.

    Reply
  7. Tomi Engdahl says:

    Revenge porn Bill upsets British nudists
    http://www.telegraph.co.uk/news/politics/11165064/Revenge-porn-Bill-upsets-British-nudists.html

    Nudists have written to Chris Grayling asking him to differentiate in the Bill between full-frontal nudity and pornography

    Last week Mr Grayling announced a new criminal offence of posting so-called ‘revenge pornography’ on the internet, which will carry a maximum sentence of two years.

    Cruel individuals who publish intimate pictures or videos to retaliate against their former partners will be targeted with the new law, which will also catch those sending explicit photographs in text messages between mobile phones.

    However naturists claim that the Bill does not distinguish between pornography and nudity.

    The Bill states that it will be an offence to post online, or publish in hard copy, images showing “genitals exposed”.

    However, nudists claim that ‘Innocent full-frontal naturist photography’, showing family and friends naked on a legal nudist beach, at a sun club or in a private garden, might then be deemed, in law, as ‘pornographic’.

    “Most naturists would be horrified by such a thought,”

    Reply
  8. Tomi Engdahl says:

    Machine Safety: Safety and security combined
    http://www.controleng.com/single-article/machine-safety-safety-and-security-combined/3543982284450fb42c1e58f70d726e7a.html

    According to some recent reports, cyber attacks have grown by 600% since 2010, costing industry around $400 billion a year and impacting productivity, machine uptime and profitability. Machine safety automation also addresses productivity, uptime and profitability. Perhaps “safety” and “security” efforts should combine.

    Belden: Protect against yourself
    http://www.controleng.com/single-article/belden-protect-against-yourself/67c8d4bd25bb7efca7a9bd5f53d477c4.html

    If a manufacturer can protect itself against an inside attack, then that line of defense should be strong enough to withstand a chunk of outside attacks.

    “I will ask what are the top threats: Terrorists, hacktivists or control engineers?”

    “The control engineer is the greatest risk against the system,” Langill said. “The threat should not be running around with administrative privileges.”

    The concept of protecting against the inside attack is a little bit different because what grabs the most headlines are the outside attacks like Stuxnet or the more recent Havex/Dragonfly. What most companies rely upon is short term or reactionary defense compared to a thought out comprehensive security program. “Security right now is about short term tactical measures like patch management or installing antivirus,” Langill said. “Security has to get to thinking about strategic controls or long term planning.” One example he talked about along those lines is patch management.

    “I am not a big supporter of patch management. There are other things that can help solve the issues,”

    “Stuxnet was bad, but Havex is far, far worse,” he said. “Havex, or Dragonfly, is a lot more damaging for more people. In both cases basic security controls people are putting in today, the attacks would not be stopped. The problem is people are thinking tactically, but not strategically.”

    Stuxnet was an attack created by the U.S. and Israel that sought to damage an uranium enrichment facility in Natanz, Iran, according to an ISSSource report.

    Havex/Dragonfly is malware that targeted the pharmaceutical sector, not the energy sector as previously believed, according to a white paper written by Langill for Belden.

    The moral of the story is you can protect your company against inside and outside attacks, but if you have a target painted on your back, you better have a series of layers that can help slow down any kind of onslaught. “No matter what, a targeted attack will be successful,” Langill said. “What we have learned over the years is, if someone has a specific target, they will get in. If you are targeted, you will be compromised.”

    After an attack, it is just a matter of what kind of security program a user has and how vigilant they remain. While that may sound daunting and kind of scary, in today’s environment users need to look at and focus on creating a security program. Fear and uncertainty should not stop people from moving into a stronger security posture. “When you talk about security, people start to get that glazed over look in their eyes,” he said. “The reality of cyber security is we are constrained with time and money.”

    The end results, though, are when a security program ends up implemented, uptime and productivity can increase. “If you design a system to protect your system against the inside engineer,” Langill said, “you will protect yourself against most all attacks.”

    Reply
  9. Tomi Engdahl says:

    Industrial cyber security: An idea whose time has come?
    http://www.controleng.com/single-article/industrial-cyber-security-an-idea-whose-time-has-come/a76d341f6ac25b4eb9b2fce845c26f3f.html

    IHS believes there will be a shakeout in the market for industrial cyber security. Although the market will attract some new entrants, this will be largely offset by companies choosing to exit the business and by acquisition-driven consolidation.

    The market for industrial cyber security products remains extremely immature, with currently more than 160 vendors offering a wide variety of hardware, software and services. In contrast to other parts of industrial automation markets, no one vendor dominates; and those with the highest market share typically specialize in a particular region, industry sector or technology. IHS believes there will be a shakeout — although the market will attract some new entrants, this will be largely offset by companies choosing to exit the business and by acquisition-driven consolidation.

    Reply
  10. Tomi Engdahl says:

    NIST Smart Grid framework 3.0 aims for interoperability, updates cybersecurity
    http://www.controleng.com/single-article/nist-smart-grid-framework-30-aims-for-interoperability-updates-cybersecurity/ae648acfcbbf8ccbffadb7e40ddb41e1.html

    NIST’s 3.0 framework update aims to transform the aging U.S. electric power system into an interoperable Smart Grid—a network that will integrate information and communication technologies.

    The National Institute of Standards and Technology (NIST) has published its NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0, a document that reflects advances in Smart Grid technologies and developments from NIST’s collaborative work with industry stakeholders. Revisions to its guidelines for Smart Grid cybersecurity are available as well.

    NIST Guidelines for Smart Grid Cybersecurity
    http://www.nist.gov/manuscript-publication-search.cfm?pub_id=916068

    Reply
  11. Tomi Engdahl says:

    FBI Warns Industry of Chinese Cyber Campaign
    http://it.slashdot.org/story/14/10/16/1647206/fbi-warns-industry-of-chinese-cyber-campaign

    The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies.

    FBI warns industry of Chinese cyber campaign
    http://www.washingtonpost.com/world/national-security/fbi-warns-industry-of-chinese-cyber-campaign/2014/10/15/0349a00a-54b0-11e4-ba4b-f6333e2c0453_story.html

    The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies.

    “These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People’s Liberation Army Unit 61398 . . . whose activity was publicly disclosed and attributed by security researchers in February 2013,” said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.

    The U.S. government has publicly called on the Chinese government to halt its widespread cybertheft of corporate secrets, but Beijing has denied such activities.

    “It suggests a threat actor that is well-funded, organized, patient — all characteristics associated with a government organization,”

    The bureau’s nine-page alert contained some “indicators of compromise” that companies could use to determine if they have been hacked by the group.

    Reply
  12. Tomi Engdahl says:

    Disaster roster: OMG, are YOU SAFE? I dunno. Check Facebook
    Zuck me, I feel a whole lot more secure today
    http://www.theregister.co.uk/2014/10/16/facebook_disaster_alert/

    According to Zuck’s spin doctors, people don’t rely on the police, UN or even the Thunderbirds when disaster strikes. No, no, no. They flock to Facebook.

    “In times of disaster or crisis, people turn to Facebook to check on loved ones and get updates,” Facebook said in a statement.

    “It is in these moments that communication is most critical both for people in the affected areas and for their friends and families anxious for news.”

    The “helpful tool” allows you to declare yourself safe in the event of a major disaster, as well as declaring other people safe too. It will kick in after a major incident, such as an earthquake, flood or alien invasion, asking if you’re alive and well.

    A message is then sent to your family and “friends” (if you can call Facebook contacts that) reassuring them that you are not dead or in some sort of peril.

    “These events have taught us a lot about how people use Facebook during disasters and we were personally inspired to continue work on the Disaster Message Board to incorporate what we’ve learned. This project soon became Safety Check, which will be available globally on Android, iOS, feature phones and desktop.”

    Reply
  13. Tomi Engdahl says:

    Facebook doubles ad-hacking bounty
    Small security snafus snuffed, try the tiny and technical
    http://www.theregister.co.uk/2014/10/17/facebook_wants_you_to_save_its_ads/

    Facebook has doubled the cash it will pay out to folks who report holes in its advertising code.

    The bounty will rise in a bid to entice hackers to report bugs found in its ads code following an internal security audit that squashed an undisclosed number of vulnerabilities.

    Security engineer Collin Greene said the Zucker-empire will double bug pay-outs until year’s end.

    “Starting today and extending through the end of 2014, all whitehat bugs in our ads code will receive double bounties,” Greene wrote in a post.

    Reply
  14. Tomi Engdahl says:

    Link to test whether you have the SSL 3.0 vulnerability POODLE (Padding Oracle On Downgraded Legacy Encryption):

    Try to open https://sslv3only.kyber.fi:444/
    If the link opens, you have a security problem.
    If it does not open, you should be safe from this issue.

    “SSL 3.0 cannot be repaired. A safe encryption can only be accessed by avoiding it completely,” advises Google.

    Reply
  15. Tomi Engdahl says:

    The Guardian Reveals That Whisper App Tracks “Anonymous” Users
    http://yro.slashdot.org/story/14/10/17/0046214/the-guardian-reveals-that-whisper-app-tracks-anonymous-users

    “The company behind Whisper, the social media app that promises users anonymity and claims to be ‘the safest place on the internet’, is tracking the location of its users”

    Revealed: how Whisper app tracks ‘anonymous’ users
    http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app-tracking-users

    Some Whisper users monitored even after opting out of geolocation services
    Company shares some information with US Department of Defense
    User data collated and indefinitely stored in searchable database

    Whisper app rewrites terms of service and privacy policy

    How the ‘safest place on the internet’ tracks its users

    Reply
  16. Tomi Engdahl says:

    Your secrets may not be safe with anonymous sharing app Secret
    http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers

    App startup cracks down on cyberbullying, but faces renewed scrutiny over security loopholes exploited by hackers

    Reply
  17. Tomi Engdahl says:

    UK’s a very popular target for EMEA cyberspies – report
    Germany and Saudi Arabia fill out FireEye cyberpwn podium
    http://www.theregister.co.uk/2014/10/17/fireeye_apt_report/

    Malware attacks, especially in Europe, nearly doubled in the first half of 2014, according to a new report.

    Government, financial services, telecommunications and energy were the most targeted sectors – collectively making up more than half of attacks detected by security vendor FireEye.

    The UK (17 per cent) followed by Germany with (12 per cent) were the two European countries most commonly targeted by malware-flinging, spear-phishing cyberspies.

    Targets in Saudi Arabia (10 per cent), Turkey (9 per cent) and Switzerland (8 per cent) made up the remainder of the top five.

    “APTs most often start with advanced email attacks such as spear-phishing and longlining which con recipients into clicking a malicious link that gives the attacker control of the recipient’s PC or device,” said Mark Sparshott, EMEA director at Proofpoint.

    Reply
  18. Tomi Engdahl says:

    Anonabox: How To Fail Horribly at Kickstarter
    http://hackaday.com/2014/10/17/anonabox-how-to-fail-horribly-at-kickstarter/

    Late last week, Anonabox hit Kickstarter, glomming on to concerns over security, privacy, and censorship. The project was picked up on the usual tech blogs, lauding this project as the pinnacle of the Open Source, Open Hardware movement and a great investment for the privacy-minded technocrat in a post-Snowden world.

    Then, the creator of Anonabox did an AMA on reddit. It was quickly discovered that the entire project was an off the shelf router found on AliExpress with reflashed firmware. The router sells for $20 in quantity one, and the Anonabox Kickstarter is giving them away with a minimum $51 pledge. The new firmware is basically a standard OpenWrt installation with a few changes to the config files. The project claims to solve the problem of hardware backdoors, but ships with a backdoor root password (the password is ‘developer!’), open WiFi, and ssh open by default. The Anonabox also claims to be a plug and play solution to security and privacy on the Internet, meaning if this project ever ships, there will be a lot of people who won’t change the default configuration. That’s rather hilarious in its implications.

    As with most Kickstarters that have seen this much negative attention, the project was suspended just a few hours ago, but not before gathering more than $600,000 in pledges at its peak.

    Although the Anonabox failed, there is a market for a Tor-enabled router

    Reply
  19. Tomi Engdahl says:

    National Security
    FBI director: Tech companies should be required to make devices wiretap-friendly
    http://www.washingtonpost.com/world/national-security/fbi-director-tech-companies-should-be-required-to-make-devices-wire-tap-friendly/2014/10/16/93244408-555c-11e4-892e-602188e70e9c_story.html

    FBI Director James Comey speaks about the impact of technology on law enforcement at Brookings Institution in Washington. Comey gave a stark warning against smartphone data encryption, saying homicide cases could be stalled, suspects could go free and “justice may be denied because of a locked phone or an encrypted hard drive.”

    “We are not seeking to expand our authority to intercept communications,” Comey said, speaking at the Brookings Institution. “We are struggling to keep up with changing technology and to maintain our ability to actually collect the communications we are authorized to collect.”

    Reply
  20. Tomi Engdahl says:

    Exclusive: NSA reviewing deal between official, ex-spy agency head
    http://www.reuters.com/article/2014/10/17/us-usa-intelligence-nsa-idUSKCN0I624Y20141017

    The U.S. National Security Agency has launched an internal review of a senior official’s part-time work for a private venture started by former NSA director Keith Alexander that raises questions over the blurring of lines between government and business.

    Under the arrangement, which was confirmed by Alexander and current intelligence officials, NSA’s Chief Technical Officer, Patrick Dowd, is allowed to work up to 20 hours a week at IronNet Cybersecurity Inc, the private firm led by Alexander, a retired Army general and his former boss.

    The arrangement was approved by top NSA managers, current and former officials said. It does not appear to break any laws and it could not be determined whether Dowd has actually begun working for Alexander, who retired from the NSA in March.

    Reply
  21. Tomi Engdahl says:

    How Microsoft Appointed Itself Sheriff of the Internet
    http://www.wired.com/2014/10/microsoft-pinkerton/

    No-IP was in the crosshairs of Richard Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit.

    Reply
  22. Tomi Engdahl says:

    What happens to e-commerce after a cyber-attack? eBay is a cautionary tale

    eBay cuts sales forecast after data breach.
    eBay is the latest company to cut guidance on Wednesday.

    Customers are shopping on eBay even less after the company was forced last month to ask them to change their password information after a burglary last spring.

    eBay lowered its full year sales forecast as the ecommerce company continues a torrid year that has seen it plan to spin off its strong PayPal division as its marketplace grows slowly

    Sources:
    http://www.ft.com/intl/fastft/221292
    http://www.tivi.fi/kaikki_uutiset/miten+kay+verkkokaupan+kyberhyokkayksen+jalkeen+ebay+on+varoittava+esimerkki/a1020737

    Reply
  23. Tomi Engdahl says:

    Kickstarter Freezes Anonabox Privacy Router Project for Misleading Funders
    http://www.wired.com/2014/10/kickstarter-suspends-anonabox/

    All August Germar asked for was $7,500 to fund his privacy-focused router project. But as the attention and controversy around his Kickstarter crowdfunding campaign snowballed over the last five days, he found himself at one point with 82 times that amount—and now with nothing.

    On Friday afternoon Kickstarter suspended the crowdfunding campaign for Anonabox, an initiative to sell a tiny, $45 router that would run all a user’s online traffic over the anonymity network Tor. The idea tapped into an explosive demand for simple privacy technology, and earned more than 10 times its modest goal in hours. But as funders shoveled more than half a million dollars into the project, they also began to pick apart Anonabox’s claims of creating custom hardware, as well as the promised security of its software. Soon, many were calling for the project to be cancelled, and asked others to report its shortfalls to Kickstarter staff, who now say they’ll cancel all investors’ pledges.

    In an email to the project’s investors, Kickstarter told backers only that “a review of the project uncovered evidence that it broke Kickstarter’s rules.” Those rules, the email continued, prohibit “offering purchased items and claiming to have made them yourself,” “presenting someone else’s work as your own” and “misrepresenting or failing to disclose relevant facts about the project or its creator.”

    Reply
  24. Tomi Engdahl says:

    Media Alert: Check Point Researchers Uncover Potential Next Generation Android Attacks
    http://www.checkpoint.com/press/2014/media-alert-check-point-researchers-uncover-potential-next-generation-android-attacks.html

    San Carlos, CA — Thu, 16 Oct 2014

    Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today released new research entitled “Man in the Binder: He Who Controls the IPC, Controls the Droid.” The study of Android’s unique operating system (OS) architecture showed the potential capture of data and information being stored and communicated on Android devices through the Binder, the message passing mechanism in Inter-process Communication (IPC).

    Researchers in Check Point’s Malware and Vulnerability Research Group uncovered that as the single point of communication, the Binder is a natural target for Android malware.

    Check Point will present the Man in the Binder research findings at Black Hat Europe on Thursday, October 16, 2014 at 11:45AM CEST in The Amsterdam Rai, Netherlands. “Man in the Binder: He Who Controls IPC, Controls The Droid”

    Reply
  25. Tomi Engdahl says:

    In UK, Internet Trolls Could Face Two Years In Jail
    http://yro.slashdot.org/story/14/10/19/2313233/in-uk-internet-trolls-could-face-two-years-in-jail

    The Guardian about a proposed change in UK law that would greatly increase the penalties for online incivility:

    Internet trolls face four times longer in jail, Chris Grayling pledges
    http://www.theguardian.com/politics/2014/oct/19/justice-secretary-chris-grayling-pledges-stiffer-sentences-for-internet-trolls

    Justice secretary announces plan to change maximum prison sentence for online abuse from six months to two years

    Reply
  26. Tomi Engdahl says:

    If You’re Connected, Apple Collects Your Data
    http://apple.slashdot.org/story/14/10/20/003257/if-youre-connected-apple-collects-your-data

    It would seem that no matter how you configure Yosemite, Apple is listening.

    E.T. Phone Home?
    https://github.com/fix-macosx/yosemite-phone-home/

    This repository provides a corpus of network communications automatically sent to Apple by OS X Yosemite; we’re using this dataset to explore how Yosemite shares user data with Apple.

    The provided data was collected using our Net Monitor toolkit

    Reply
  27. Tomi Engdahl says:

    NSA approves Samsung Knox for use by TOP SECRET g-men
    Nine gadgets from chaebol green-lighted
    http://www.theregister.co.uk/2014/10/21/nsa_spooks_to_spy_on_the_galaxy/

    US spooks will be allowed to access sensitive government information on their KNOX-locked Samsung gadgets from now on.

    The South Korean company has been heavily pushing its new KNOX security product and it looks as though its efforts have paid off. The National Security Agency has now approved nine Samsung devices, including the Galaxy S4 and the Galaxy Note 4, for use by its operatives.

    Earlier this year, the US Department of Defense gave Samsung devices the thumbs-up, but only for unclassified data.

    The UK’s GCHQ spy agency gave Samsung KNOX the green light earlier this year, but only for the lowest level of classified material, OFFICIAL.

    Reply
  28. Tomi Engdahl says:

    Phone Hackers Dial and Redial to Steal Billions
    http://www.nytimes.com/2014/10/20/technology/dial-and-redial-phone-hackers-stealing-billions-.html?_r=1

    Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time.

    “I thought: ‘This is crazy. It must be a mistake,’ ” Mr. Foreman said.

    It wasn’t. Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives.

    The firm, in Norcross, Ga., was the victim of an age-old fraud that has found new life now that most corporate phone lines run over the Internet.

    The swindle, which on the web is easier to pull off and more profitable, affects mostly small businesses and cost victims $4.73 billion globally last year. That is up nearly $1 billion from 2011

    The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut.

    Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously

    In part because the plan is so profitable, premium rate number resellers are multiplying rapidly.

    Industry groups are trying to tackle the problem but say it is hard to keep up with.

    Reply
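A detection sketch for the pattern described in the comment above (many simultaneous calls to premium-rate destinations while the office is closed), added here as an example and not taken from the article. The call records, prefix watch list, business hours and threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample call detail records (CDRs); not data from the article.
# Columns: start time, duration in seconds, extension, dialed number
SAMPLE_CDR = """\
2014-03-14T10:02:00,180,101,+14045550123
2014-03-15T02:10:00,1500,104,+2205550001
2014-03-15T02:10:05,1500,104,+2525550002
2014-03-15T02:10:09,1500,105,+9605550003
2014-03-15T02:11:00,1200,105,+2205550004
2014-03-16T23:40:00,60,102,+14045550199
"""

# Assumption: country codes of the destinations named in the article
# (Gambia, Somalia, Maldives). A real deployment would load the carrier's
# own high-cost destination list instead.
WATCH_PREFIXES = ("+220", "+252", "+960")
OPEN_HOUR, CLOSE_HOUR = 8, 18   # assumed business hours, Monday to Friday
MAX_CONCURRENT = 2              # assumed threshold for a small office


def parse_cdr(text):
    """Turn CSV text into a list of call dicts with start and end times."""
    calls = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        start, secs, ext, dialed = row
        begin = datetime.fromisoformat(start)
        calls.append({
            "start": begin,
            "end": begin + timedelta(seconds=int(secs)),
            "ext": ext,
            "dialed": dialed,
        })
    return calls


def off_hours(ts):
    """True on Saturday/Sunday or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)


def suspicious(calls):
    """Calls placed off-hours to a watched high-cost prefix."""
    return [c for c in calls
            if off_hours(c["start"]) and c["dialed"].startswith(WATCH_PREFIXES)]


def peak_concurrency(calls):
    """Largest number of calls in progress at the same moment (sweep line)."""
    events = []
    for c in calls:
        events.append((c["start"], 1))
        events.append((c["end"], -1))
    # At equal timestamps process call ends first, so back-to-back calls
    # are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def toll_fraud_alert(text):
    """Summarise off-hours premium-rate activity and decide whether to alert."""
    hits = suspicious(parse_cdr(text))
    peak = peak_concurrency(hits)
    return {
        "alert": peak > MAX_CONCURRENT,
        "peak_concurrent": peak,
        "calls": len(hits),
        "extensions": sorted({c["ext"] for c in hits}),
    }


if __name__ == "__main__":
    print(toll_fraud_alert(SAMPLE_CDR))
```
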
  29. Tomi Engdahl says:

    Warning to those who covet the data of Internet of Precious Things
    There’s nothing for you here: it’s personal data – watchdogs
    http://www.theregister.co.uk/2014/10/22/internet_of_things_data_should_be_treated_as_personal_data/

    Data generated by devices in the “internet of things” age should be “regarded and treated as personal data”, data protection authorities from across the globe have agreed.

    The watchdogs said it is “more likely than not” that such data can be attributed to individuals.

    “Internet of things’ sensor data is high in quantity, quality and sensitivity,” a declaration (2-page/87KB PDF) published at the 36th International Privacy Conference last week read.

    “This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not. Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from internet of things devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data.”

    Reply
  30. Tomi Engdahl says:

    DHS Investigates 24 Potentially Lethal IoT Medical Devices
    http://science.slashdot.org/story/14/10/22/1313225/dhs-investigates-24-potentially-lethal-iot-medical-devices

    In the wake of the U.S. Food and Drug Administration’s recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices.

    U.S. government probes medical devices for possible cyber flaws
    http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022

    The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters.

    The products under review by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

    Reply
  31. Tomi Engdahl says:

    Internet-Exposed Energy Control Systems Abound
    http://spectrum.ieee.org/energywise/energy/the-smarter-grid/thousands-of-control-systems-connected-to-the-internet

    Infracritical remotely identified over 2.2 million unique IP addresses linked to industrial control systems at energy-related sites including electrical substations, wind farms, and water purification plants. And they were still logging an average of 2,000-3,000 new addresses per day when they closed the count in January 2014.

    It has long been known that many infrastructure control systems are connected to the Internet.

    They relied on a publicly-accessible search engine called Shodan that sniffs out and catalogues Internet-connected devices. Infracritical’s project SHINE (for SHodan INtelligence Extraction) built search queries for Shodan using the names of 182 SCADA suppliers and their leading products.

    RUGGEDTRAX project provides a honey-pot for hackers
    “In less than two hours the honeypot was subjected to an attack. By day three, they’d counted more than 4,000 attacks”

    Reply
  32. Tomi Engdahl says:

    Windows 0-Day Exploited In Ongoing Attacks
    http://tech.slashdot.org/story/14/10/22/1349229/windows-0-day-exploited-in-ongoing-attacks

    Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files.

    Windows 0-day exploited in ongoing attacks, offers temporary workarounds
    http://www.net-security.org/secworld.php?id=17521

    The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object.

    “This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.”

    “User interaction is required to exploit this vulnerability,”

    A successful exploitation could lead to the attacker gaining same user rights as the current user, and if that means administrative user rights, the attacker can install programs; access, modify, or delete data; or create new accounts with full user rights.

    Users can implement a specific Fix It solution; enable User Account Control (UAC) as it displays a prompt before a file containing the exploit is executed; and deploy the Enhanced Mitigation Experience Toolkit 5.0 and configure Attack Surface Reduction

    “Users should also always be mindful of emails containing links or files even from sources they trust. It’s better to delete and ask the sender to send again than to chance being infected and opening up your whole business network to malware attack,” Mark James, security expert at ESET, pointed out.

    “The race is on,” warns Sparshott. “Cybercriminals will use phishing and longlining emails containing URL links to websites hosting malicious files that exploit this vulnerability or attach the malicious file to the email itself.”

    Reply
  33. Tomi Engdahl says:

    In dot we trust: If you keep to this 124-page security rulebook, you can own yourname.trust
    Step 1: Don’t get owned. Step 2: Use HTTPS. Step 3: …
    http://www.theregister.co.uk/2014/10/22/dot_trust_security_policy/

    NCC Group has published a set of security standards that you’ll have to follow if you want to operate a .trust website.

    The company owns the rights to sell dot-trusts, and uploaded the 124-page policy document [PDF] earlier this month. It provides a technical rundown covering network security to secure DNS settings, and NCC Group says the rules will be used as a configuration standard for all new dot-trust websites.

    .trust Technical Policy
    https://www.nccgroupdomainservices.com/wp-content/uploads/2014/10/trust-technical-policy.pdf

    Reply
  34. Tomi Engdahl says:

    Android NFC hack allow users to have free rides in public transportation
    https://securelist.com/blog/virus-watch/67283/android-nfc-hack-allow-users-to-have-free-rides-in-public-transportation/

    “Tarjeta BIP!” is the electronic payment system used in Chile to pay for public transportation via NFC incorporated in the user’s smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have been already executed worldwide. This is a trend. It means that criminal minds should be interested in it. Moreover, they are.

    More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reversed the “Tarjeta BIP!” cards and found a means to re-charge them for free. So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum equal to approximately $17 USD.

    Immediately after appearing on the Internet, many users downloaded it and proved they were able to recharge their travel cards.

    Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.

    Reply
  35. Tomi Engdahl says:

    Avast Antivirus Was Spying On You with Adware (Until This Week)
    http://www.howtogeek.com/199829/avast-antivirus-was-spying-on-you-with-adware-until-this-week/

    We warned you at the beginning of the year that many of your browser extensions are spying on you, tracking what you are visiting, and even inserting ads into pages. These aren’t just no-name developers either: even Avast, one of the most trusted antivirus vendors was in on the game.

    Before we go even one step further, it’s important to note that they recently disabled the spying “shopping” feature in their browser extension. So if you are running the latest Chrome with extensions updated, you are fine. For now.

    So Avast has stopped integrating the spying extension, but this is about the principle: you should be able to trust your antivirus provider. Why are they adding a feature that spies on your browsing, inserts ads… and all without properly notifying you?

    And why, at the same time, are they claiming to stop spyware, even uninstalling other shopping extensions from other vendors, while they were doing the same thing they are supposed to stop?

    Reply
  36. Tomi Engdahl says:

    NIST to hypervisor admins: secure your systems
    Hypervisor security draft open for comment
    http://www.theregister.co.uk/2014/10/23/nist_to_hypervisor_admins_secure_your_systems/

    US standards body the National Institute of Standards and Technology (NIST) has laid out the basics of hypervisor security in a draft publication released for comment on 20 October.

    The sysadmin guide presents 22 security recommendations, under the key headings of isolating VMs from each other and the host hypervisor; controlling access and device emulation; preventing VMs from executing privileged operations; VM management; and managing settings for interactions with the hypervisor.

    The report notes that some threat types are well known, well understood, and common to any server-based software. For example, sysadmins should already be aware that they need to secure against network-based attacks, and likewise that Web-based management interfaces are a risk point.

    DRAFT NIST Special Publication 800-125-A
    Security Recommendations for Hypervisor Deployment
    http://csrc.nist.gov/publications/drafts/800-125a/sp800-125a_draft.pdf

    To design a hypervisor with the core functionality described above, there are architectural options with each option presenting a different size of Trusted Computing Base (TCB) and hence different degree of ease in providing the required security assurance.

    Hence in providing security recommendations for the hypervisor, two different approaches have been adopted in this document – one approach based on architectural options that provide ease of security assurance and the second approach based on configuration choices that form part of its core administrative functions such as management of VMs, hypervisor host, hypervisor software and virtual networks.

    Reply
  37. Tomi Engdahl says:

    Microsoft may be leading the charge against US data grabs
    But European companies can’t afford to get complacent if they have any ties to the US
    http://www.theregister.co.uk/2014/10/23/microsoft_may_be_leading_the_charge_against_us_data_grabs/

    Apple, Cisco, Verizon and AT&T are considering joining Microsoft’s battle against the US government to safeguard customers’ privacy – but European corps should also take note.

    Microsoft is embroiled in a legal case to resist US authorities’ efforts to seize emails stored on servers in Ireland. The warrant was issued last December, and despite the tech behemoth’s appeals, was upheld by a US district judge in July.

    Judge Loretta Preska said that the location of the data was immaterial since Microsoft had “control” over it. The case involves an alleged drug trafficker and such routine criminal investigations should fall under the Mutual Legal Assistance Treaty.

    However the US authorities have decided to bypass the Irish system and go straight for Microsoft.

    Reply
  38. Tomi Engdahl says:

    Is your home or office internet gateway one of ’1.2 MILLION’ wide open to hijacking?
    Doublecheck your NAT-PMP settings now
    http://www.theregister.co.uk/2014/10/22/home_router_security_threat_rapid7/

    Hundreds of thousands of routers, firewalls and gateways used by small offices and homes are said to be vulnerable to hijacking due to bungled NAT settings.

    The networking devices are, we’re told, commonly misconfigured to allow remote attackers to reprogram how network traffic flows to PCs, servers, tablets and other machines.

    The at-risk hardware acts as a gateway between a local network and the wider internet, and uses NAT-PMP (Network Address Translation Port Mapping Protocol) to configure how traffic from the outside world reaches machines on the LAN.

    But it turns out these gateways typically accept NAT-PMP commands from the public internet as well, without authentication, due to configuration blunders.

    These findings are according to security biz Rapid7, which says it’s found 1.2 million publicly accessible devices that have insecure NAT-PMP settings. There’s no solid evidence that these are being widely exploited.

    Anyone who has a NAT-PMP-capable device on their network should ensure that all NAT-PMP traffic is “prohibited on untrusted network interfaces.” ISPs also have a responsibility in supplying kit that is free from NAT-PMP flaws, added Rapid7 – which is best known for the Metasploit penetration testing tool.

    Reply
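The rule quoted in the comment above, that NAT-PMP traffic be prohibited on untrusted interfaces, written out as a gateway-side acceptance check with the weak setting beside the corrected one. This is an added example, not Rapid7's or any vendor's code; the request layout follows RFC 6886, while the interface names, LAN prefix, configuration dicts and function names are assumptions.

```python
import ipaddress
import struct

OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2   # RFC 6886 opcodes

# Assumed configurations for this example.
# HARDENED: answer only on the LAN bridge and only to LAN source addresses.
HARDENED = {
    "ifaces": {"br-lan"},
    "lan_net": ipaddress.ip_network("192.168.1.0/24"),
}
# WEAK: the daemon also listens on the WAN port and does not restrict sources,
# which is the kind of misconfiguration the article describes.
WEAK = {"ifaces": {"br-lan", "eth0.wan"}, "lan_net": None}

# Constructed request: map TCP, internal port 22, suggested external port 2222,
# lifetime 3600 seconds.
MAP_SSH = struct.pack("!BBHHHI", 0, OP_MAP_TCP, 0, 22, 2222, 3600)


def parse_request(payload):
    """Decode a NAT-PMP request; raise ValueError if it is not well formed."""
    if len(payload) < 2:
        raise ValueError("short packet")
    version, opcode = struct.unpack("!BB", payload[:2])
    if version != 0:
        raise ValueError("unsupported version")
    if opcode == OP_EXTERNAL_ADDR:
        if len(payload) != 2:
            raise ValueError("bad address request length")
        return {"op": opcode}
    if opcode in (OP_MAP_UDP, OP_MAP_TCP):
        if len(payload) != 12:
            raise ValueError("bad mapping request length")
        _reserved, internal, external, lifetime = struct.unpack("!HHHI", payload[2:])
        return {
            "op": opcode,
            "proto": "udp" if opcode == OP_MAP_UDP else "tcp",
            "internal_port": internal,
            "external_port": external,
            "lifetime": lifetime,
        }
    raise ValueError("unknown opcode")


def decide(payload, ingress_iface, src_ip, cfg=HARDENED):
    """Return (accepted, detail) for a request seen on ingress_iface."""
    if ingress_iface not in cfg["ifaces"]:
        return False, "untrusted interface"
    if cfg["lan_net"] is not None and ipaddress.ip_address(src_ip) not in cfg["lan_net"]:
        return False, "source address not on LAN"
    try:
        req = parse_request(payload)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if req["op"] == OP_EXTERNAL_ADDR:
        return True, "external address request"
    # Per RFC 6886 a mapping always points at the requester's own address.
    return True, (f"map {req['proto']} external {req['external_port']}"
                  f" -> {src_ip}:{req['internal_port']}")


if __name__ == "__main__":
    print(decide(MAP_SSH, "br-lan", "192.168.1.50"))
    print(decide(MAP_SSH, "eth0.wan", "203.0.113.9"))
    print(decide(MAP_SSH, "eth0.wan", "203.0.113.9", WEAK))
```
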
  39. Tomi Engdahl says:

    Microsoft promises Windows 10 will mean two-factor auth for all
    Sneak peek at security features Redmond’s baking into new OS
    http://www.theregister.co.uk/2014/10/22/microsoft_promises_windows_10_will_mean_twofactor_for_all/

    Windows doesn’t have the best reputation for security, but Microsoft has been outlining a series of improvements in the new operating system that it believes will stymie hackers and leave corporate data more secure.

    “We’re no longer facing an evolution in security threats but a revolution,” Chris Hallum, senior product manager for Windows told The Register. “The reality is that the systems currently in place don’t offer the fundamental immunity we need to deal with such threats.”

    Hallum outlined three key technologies Microsoft will be building into Windows 10 that will be used to add protection

    First, support for two-factor authentication is going to be built into the OS as standard and the preferred login setting. Full support for fingerprint recognition is being built into the stack, and there’ll also be support for other biometrics, but Microsoft sees the phone as the primary tool for adding two-factor auth to the system.

    Only launch users will be able to turn their iOS, Android or Windows Phone smartphone into an authentication token that clears access via Wi-Fi or Bluetooth.

    Once users have logged in, Microsoft wants to safeguard the data they are using, and so is adding containerisation technology for each file, ensuring it is sandboxed and encrypted.

    Finally, Microsoft is hoping to block whole classes of malware by instituting a code-signing system for software. All apps in the Windows Store will be checked for malware and signed off as safe for use (including 32-bit apps) and the company is also instituting a self-signing system for accredited ISVs to clear their apps, and for corporate IT departments to get home-grown code signed.

    Reply
  40. Tomi Engdahl says:

    New Exploit of Sandworm Zero-Day Could Bypass Official Patch
    http://blogs.mcafee.com/mcafee-labs/new-exploit-sandworm-zero-day-bypass-official-patch

    During the last few days researchers at McAfee Labs have been actively investigating Sandworm, the Windows packager zero-day attack (CVE-2014-4114). McAfee has already released various updates through our products to protect our customers, and we continue to analyze this attack.

    During our investigation, we found that the Microsoft’s official patch (MS14-060, KB3000869) is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.

    Microsoft Security Advisory 3010060
    Vulnerability in Microsoft OLE Could Allow Remote Code Execution
    https://technet.microsoft.com/library/security/3010060

    Reply
  41. Tomi Engdahl says:

    Quick PHP patch beats slow research reveal
    Simple solution to remote code execution
    http://www.theregister.co.uk/2014/10/23/quick_php_patch_beats_slow_research_reveal/

    Patches have been flung out to cover vulnerabilities in PHP that led to remote code execution and buffer overflows.

    The flaws were detailed this week by Swiss researchers High-Tech Bridge in versions 5.4.33, 5.5.17 and 5.6.1 on a machine running Ubuntu 14.04.1 LTS and the Radamsa fuzzer.

    A patch issued last month for CVE-2014-3669 closed an unserialised function which researcher Symeon Paraschoudis detailed in a technical walk through.

    Reply
  42. Tomi Engdahl says:

    Xen says its security policies might be buggier than its software
    Users didn’t know if they were allowed to patch bug behind world cloud reboot
    http://www.theregister.co.uk/2014/10/23/xen_says_its_security_policies_have_more_holes_than_its_software/

    The Xen project has asked for help to ensure future bugs aren’t as disruptive as the XSA-108 flaw that saw major cloud operators reboot an awful lot of servers.

    XSA-108 emerged in late September and saw the likes of AWS, SoftLayer and Rackspace patch and reboot many servers. Such reboots are just the kind of thing that cloud providers Just Aren’t Supposed To Do, hence Xen’s admission that “During the embargo period of XSA-108, the Xen Project Security Team was faced with some difficult questions of policy interpretation, as well as practical issues related to pre-disclosure list membership applications.”

    Presumably because XSA-108 was so disruptive, the organisation has now shouted out to all and sundry with a “community consultation to improve and better define the project’s Security Vulnerability Response Process.”

    Reply
  43. Tomi Engdahl says:

    Smartphone giant _____ puts citizens’ private data beyond reach of oppressive regime _____
    And into the hands of _______ that also spies on people
    http://www.theregister.co.uk/2014/10/22/xiaomi_global_data_centers/

    Chinese Apple wannabe Xiaomi says it’s spent much of the past year migrating its online services out of its Beijing data centers so that it can better serve customers in international markets.

    The Middle Kingdom’s smartphone upstart is virtually unknown in the West but is already outselling Samsung in China and has lately moved into Hong Kong, India, Indonesia, Malaysia, the Philippines, Singapore, and Taiwan.

    In a Facebook post on Wednesday, Hugo Barra – the ex-Google product manager who was, last year, tapped to become Xiaomi’s global VP – said the company is moving into overseas data centers both to speed up its services and to better manage customer data.

    Next, Xiaomi is moving its user accounts, messaging, and other cloud services to AWS data centers in Oregon and Singapore, which Barra said should further improve network speeds and latency, particularly in Malaysia and India.

    Reply
  44. Tomi Engdahl says:

    Microsoft Removes KB2949927 Botched Windows 7 Update
    http://news.softpedia.com/news/Microsoft-Removes-KB2949927-Botched-Windows-7-Update-462493.shtml

    Installing the monthly Patch Tuesday updates released by Microsoft slowly becomes a very risky job for every Windows user out there, as many of the fixes that are shipped to computers actually cause more harm than good.

    The same happened this month with KB2952664, an update that was only supposed to help Windows 7 users upgrade to a newer operating system, but it turns out that another patch was the source of even bigger issues.

    So big that Microsoft itself acknowledged the problems and even decided to pull the update completely.

    Reply
  45. Tomi Engdahl says:

    Fake cellphone towers hiding in plain sight, intercepting your phone calls
    http://www.engadget.com/2014/09/05/fake-cellphone-towers/?utm_source=Feed_Classic_Full&utm_medium=feed&utm_campaign=Engadget&?ncid=rss_full&cps=gravity

    In response to the loads of info leaked on government surveillance, a number of ultra-secure handsets have popped up to elude prying eyes. One such option is the CryptoPhone 500 from ESD that’s built on a regular Galaxy S III frame. In a recent report from Popular Science, that company says that its customers discovered 17 fake cell towers across the US — just in the month of July. It’s unclear who’s running the so-called “interceptors,” but back in June police departments in 15 states admitted to using similar devices known as “stingrays.”

    Reply
  46. Tomi Engdahl says:

    Cisco Fixes Three-Year-Old Telnet Flaw In Security Appliances
    http://it.slashdot.org/story/14/10/23/1345230/cisco-fixes-three-year-old-telnet-flaw-in-security-appliances

    “There is a severe remote code execution vulnerability in a number of Cisco’s security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco’s security boxes”

    Cisco Patches Three-Year-Old Telnet Remote Code Execution Bug in Security Appliances
    https://threatpost.com/cisco-patches-three-year-old-telnet-remote-code-execution-bug-in-security-appliances/108980

    Reply
  47. Tomi Engdahl says:

    Proposed Penalty For UK Hackers Who “Damage National Security”: Life
    http://yro.slashdot.org/story/14/10/23/1235205/proposed-penalty-for-uk-hackers-who-damage-national-security-life

    Government plans that mean computer users deemed to have damaged national security, the economy or the environment will face a life sentence have been criticised by experts

    Computer users who damage national security could face jail
    Human rights experts criticise proposed legislation saying new law could be used to target legitimate whistleblowers
    http://www.theguardian.com/law/2014/oct/23/computer-users-damage-national-security-face-jail

    Reply
  48. Tomi Engdahl says:

    DOUBLE BONK: Testy fanbois catch Apple Pay picking pockets
    Users wail as tapcash transactions are duplicated
    http://www.theregister.co.uk/2014/10/23/apple_pay_double_transaction_glitch/

    Tim Cook’s dream of bonking-to-pay global domination has taken a serious battering after customers using the new Apple Pay system were double charged.

    Apple said it was aware of “a Bank of America issue impacting a very small number of Apple Pay users”.

    The Bank of America apologised for the double trouble and claimed 1,000 transactions were duplicated.

    Reply
  49. Tomi Engdahl says:

    AWS comes to Germany as Amazon unveils second EU region, out of Frankfurt
    https://gigaom.com/2014/10/23/aws-comes-to-germany-as-amazon-unveils-second-eu-region-running-out-of-frankfurt/

    Amazon has launched its long-awaited German-based region – its second in Europe, after the one based in Ireland, and its eleventh worldwide.

    The move has big implications for latency and resilience, and of course data protection — a particular concern for German businesses.

    Reply
  50. Tomi Engdahl says:

    Facebook and Yahoo Find a New Way to Save the Web’s Lost Email Addresses
    http://www.wired.com/2014/10/fb-yahoo-email/

    When Yahoo proposed a plan to reuse mothballed email addresses, a lot of people didn’t like it. WIRED’s Mat Honan called it a “very bad idea,” and with good reason.

    The problem is that email addresses are used for password recovery on sites across the web. Let’s say that, a decade ago, I signed up for Facebook using [email protected] as my email address, and that became a way of recovering my Facebook password. If I then stopped using Yahoo, a scammer could wait until [email protected] became available and then simply take over my Facebook account.

    But Facebook and Yahoo are now offering a solution to this problem, making new use of the internet’s email protocol, known as Simple Mail Transfer Protocol, or SMTP. They’ve written software that lets Facebook timestamp its password recovery messages, showing the date they last confirmed that the Yahoo address was legit. If the account has changed hands since then, Facebook simply drops the message. That stops password resets from falling into the wrong hands.

    This could finally free up so many of the email addresses that have been left unused not only at Yahoo, but at other online email providers, including Google and Microsoft.

    Reply
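The timestamp check described in the comment above, as a receiving mail provider might apply it to an incoming password-reset message. This is an added example, not Facebook's or Yahoo's software: the header field name comes from RFC 7293 (which the article does not name), and the mailbox table, addresses, function name and the choice to drop on an unparseable date are assumptions.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RRVS_HEADER = "Require-Recipient-Valid-Since"   # header field from RFC 7293

# Constructed mailbox table: when the current owner took over each address.
OWNER_SINCE = {
    "alice@mail.example": datetime(2009, 5, 1, tzinfo=timezone.utc),
    # Recycled address: a new owner registered it in August 2014.
    "bob@mail.example": datetime(2014, 8, 15, tzinfo=timezone.utc),
}

# Constructed password-reset message. The sender last confirmed the
# recipient's ownership of the address on 1 June 2013.
RESET_MAIL = (
    "From: security@social.example\n"
    "To: bob@mail.example\n"
    "Subject: Password reset\n"
    "Require-Recipient-Valid-Since: bob@mail.example; "
    "Sat, 1 Jun 2013 09:23:01 -0700\n"
    "\n"
    "Your reset link follows.\n"
)


def rrvs_decision(raw_message, recipient):
    """Return 'deliver' or 'drop' for one recipient of one message."""
    recipient = recipient.lower()
    owner_since = OWNER_SINCE.get(recipient)
    if owner_since is None:
        return "drop"                      # no such mailbox
    msg = message_from_string(raw_message)
    for value in msg.get_all(RRVS_HEADER, []):
        addr, sep, stamp = value.partition(";")
        if not sep or addr.strip().lower() != recipient:
            continue                       # field is about another recipient
        try:
            valid_since = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            return "drop"                  # assumption: fail closed on bad dates
        if valid_since.tzinfo is None:
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        # The sender vouches only for whoever held the address at valid_since.
        # If the current owner arrived later, the mail is not meant for them.
        if owner_since > valid_since:
            return "drop"
    return "deliver"


if __name__ == "__main__":
    print(rrvs_decision(RESET_MAIL, "bob@mail.example"))
    print(rrvs_decision(RESET_MAIL.replace("bob@", "alice@"), "alice@mail.example"))
```
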
