Hard-coded creds, flaws galore, plague pricey peepers
Hack in the Box: Swiss researcher Gianni Gnesa says the most popular network surveillance cameras currently sold on Amazon contain easily exploitable remote vulnerabilities that allow hackers to gain admin access and quietly peer through lenses.
Matthew Keys' case proves yet again that the CFAA hacking laws are inappropriate and open up the possibility of excessive sentences, activists argue. Keys himself tells FORBES CFAA is being used to target journalists.
12 hours ago: Top tips to stay safe on public Wi-Fi networks (ZDNet)
There are a number of quick and easy ways to improve your personal privacy and safety when using public Internet services.
10 hours ago: 5 Lessons From the Summer of Epic Car Hacks (WIRED)
For the last three months, car hackers' terrifying abilities have been on full display. Now we filter out the fear and focus on what we've learned.
The post 5 Lessons From the Summer of Epic Car Hacks appeared first on WIRED.
9 hours ago: Appetites for more: Government actions (SC Magazine)
Cybersecurity is a technical challenge. But it also usually has a legal and regulatory aspect as well.
A team of researchers has demonstrated that the cost of breaking the SHA1 cryptographic hash function is lower than previously estimated, which is why they believe the industry should accelerate migration to more secure standards.
Computer hackers in China, South Korea and Germany tried to attack Democratic presidential candidate Hillary Clinton's private email server after she left the U.S. State Department in February 2013, the Associated Press reported on Thursday. "It was not immediately clear whether the attempted intrusions into Clinton's server were serious espionage threats or the sort of nuisance attacks that hit computer servers the world over," the AP said, citing a congressional document. In a letter to Secnap Network Security Corp, which provided the threat monitoring product connected to the server, U.S. Senate Homeland Security and Government Affairs Committee Chairman Ron Johnson, a Wisconsin Republican, asked the Florida-based cyber security company for documents related to its work with Clinton's server.
Read this before you throw away another boarding pass! What's in a Boarding Pass Barcode? A Lot
1 day ago: Angler Ransomware Campaign Disrupted (InfoRiskToday)
Cybercriminals Earned Millions Annually, Cisco Says
A cybercrime ring that employed the Angler Exploit Kit to earn an estimated $34 million per year - from ransomware infections alone - has been disrupted by security researchers at Cisco's Talos security intelligence and research group.
1 day ago: Passing the Sniff (Snort) Test (SANS Reading Room)
They go by several names: Bloatware. Trialware. Pre-installation-ware. Some of them are completely innocuous. Many are designed to automate harvesting of information from the user. The line between these "unwantedware" and malware is thinning. Whether they arrive in our networks from a less-than-perfect supply chain, or as a natural result from Bring-Your-Own-Device (BYOD) policies, or even as an aggressive customer support "service" from the manufacturer, unwantedware shall exist. On the best of days, network defenders will identify, mitigate, and remove said software from their organization in the hopes that it cannot come back. Unfortunately, these herculean efforts are not enough. Users will ignore warnings from the security administrators. Users will pay lip service to the security training their organization provides. Users will rationalize intrusions into their devices through a myriad of worthless excuses: "I'm really boring", or "Anyone who wants to spy on me will have a lot of nothing to do", or "I'm really ugly, turning on my webcam would hurt THEM." Time and again users have shown that they are incapable of understanding the risks involved, they must be trained to dislike being spied on. In this paper we will examine unwanted data exfiltrations initiated by software we are told to trust, be it prepackaged software, chatty smartphone apps, or smart television applications. We will also present methods for detecting said exfiltrations, determining what data is being sent, and alerting the user in a meaningful way.
Researchers warn widely used algorithm should be retired sooner.
Security-conscious iOS 9 changes let you secure your devices even more. Cory Bohon shows you how it's done.
The company has already been served a contempt of court order for refusing to hand over the foreign data to the US government.
Twin brothers Muneeb and Sohaib Akhter were sentenced to prison by the Eastern District of Virginia for an array of offenses, including conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, conspiracy to access a government computer without authorization, and obstruction of justice.
Nabbed in operation targeting 'low-skilled' crooks
A UK voyeur who hacked webcams to spy on victims has avoided going to prison for his crimes.
IT security company High-Tech Bridge issued a security advisory on Wednesday for two reflected cross-site scripting (XSS) vulnerabilities in the Calls to Action WordPress plugin.
Webmail security sucks. But at least researchers can make big money by making a mockery of it, thanks to Microsoft's generous bug bounty program.
5 hours ago: SHA-1 Freestart Collision (Schneier blog)
There's a new cryptanalysis result against the hash function SHA-1:
Abstract: We present in this article a freestart collision example for SHA-1, i.e., a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days of computation on a 64 GPU cluster were necessary to perform the attack. This work builds on a continuous series of cryptanalytic advancements on SHA-1 since the theoretical collision attack breakthrough in 2005. In particular, we extend the recent freestart collision work on reduced-round SHA-1 from CRYPTO 2015 that leverages the computational power of graphic cards and adapt it to allow the use of boomerang speed-up techniques. We also leverage the cryptanalytic techniques by Stevens from EUROCRYPT 2013 to obtain optimal attack conditions, which required further refinements for this work. Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1.
However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational/financial cost required by a SHA-1 collision computation. These projections are significantly lower than previously anticipated by the industry, due to the use of the more cost efficient graphics cards compared to regular CPUs. We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 soon. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before example signature forgeries appear in the near future. With our new cost projections in mind, we strongly and urgently recommend against a recent proposal to extend the issuance of SHA-1 certificates by a year in the CAB/forum (the vote closes on October 16 2015 after a discussion period ending on October 9).
Especially note this bit: "Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks." In other words: don't panic, but prepare for a future panic.
This is not that unexpected. We've long known that SHA-1 is broken, at least theoretically. All the major browsers are planning to stop accepting SHA-1 signatures by 2017. Microsoft is retiring it on that same schedule. What's news is that our previous estimates may be too conservative.
There's a saying inside the NSA: "Attacks always get better; they never get worse." This is obviously true, but it's worth explaining why. Attacks get better for three reasons. One, Moore's Law means that computers are always getting faster, which means that any cryptanalytic attack gets faster. Two, we're forever making tweaks in existing attacks, which make them faster. (Note above: "...due to the use of the more cost efficient graphics cards compared to regular CPUs.") And three, we regularly invent new cryptanalytic attacks. The first of those is generally predictable, the second is somewhat predictable, and the third is not at all predictable.
Way back in 2004, I wrote: "It's time for us all to migrate away from SHA-1." Since then, we have developed an excellent replacement: SHA-3 has been agreed on since 2012, and just became a standard.
This new result is important right now:
Thursday's research showing SHA1 is weaker than previously thought comes as browser developers and certificate authorities are considering a proposal that would extend the permitted issuance of the SHA1-based HTTPS certificates by 12 months, that is through the end of 2016 rather than no later than January of that year. The proposal argued that some large organizations currently find it hard to move to a more secure hashing algorithm for their digital certificates and need the additional year to make the transition.
As the paper's authors note, approving this proposal is a bad idea.
More on the paper here.
5 hours ago: DHS cybersecurity mandates get push in House (SC Magazine)
The Department of Homeland Security (DHS) will be required to put in place a formal cybersecurity strategy, following passage earlier this week of a House bill.
Tin foil VXer wraps new Trojan in cloak and evasion tricks
Malware man Yotam Gottesman has found a somewhat mysterious remote access Trojan on a corporate network that sports highly capable evasion techniques.
Hackers known to use Zeus malware to hack critical infrastructure targets have developed an elaborate network of fake recruiter profiles for phishing on LinkedIn.
10 hours ago: More start menu tricks for Windows 10 (IT Toolbox Blogs)
Some more tips on customizing and using Windows 10
10 hours ago: Windows 10 Resources from Toymaster (IT Toolbox Blogs)
Toymaster has published a handy compilation of resources for Windows 10. Hope it helps: Windows 10 Resources.
Anyone ever heard of encryption?
UK doctors and nurses routinely share sensitive patient information via their smartphones, we're told.
38 minutes ago: Analyzing ONC's Interoperability Roadmap (InfoRiskToday)
10-Year Plan Shines Spotlight on Privacy, Security Challenges
The protection of patients' health data is a fundamental principle deeply woven throughout federal regulators' new 10-year roadmap for interoperable health data exchange. While some experts say the plan is on the right track, others say more work is needed.
The shift to the EMV standard in the U.S. has drawn incredible media attention for more than a year as everyone witnesses the approach of the looming liability shift deadline. But what does it really mean for merchants, consumers, and hackers? I say the answer is actually very little, and in as few words as possible, I will tell you why.
1 hour ago: Cloud Security: Job Opportunities (InfoRiskToday)
With organizations increasingly moving to the cloud, more security professionals are needed to help secure those environments as well as manage incident response. Cloud forensics expert Neha Thethi outlines must-have skills, qualifications and certifications.
The secret-spilling group is ramping up its leak bounty program.
The post WikiLeaks Wants to Pay $50K for Video of the Kunduz Hospital Bombing appeared first on WIRED.
2 hours ago: How to Assess Voice Quality on a VOIP Network (IT Toolbox Blogs)
When using a landline telephone, most people don't really think about quality unless they are on their cellphone and notice a drop in service.
Dozens of successful attacks detected that install malicious code on company portals.
4 hours ago: Attackers Target Organizations via Cisco WebVPN (SecurityWeek)
A Cisco VPN product has been targeted by malicious actors looking to steal sensitive credentials and maintain access to compromised networks, according to incident response and threat intelligence company Volexity.
6 hours ago: Threat Intelligence is Not Intellectual Property (SecurityWeek)
That the breadth and depth of threat intelligence is a primary differentiating factor for security vendors is a widely held assumption in the security industry, one we collectively need to disprove and change our perspective on.
WASHINGTON (AP) - Hillary Rodham Clinton's private email server, containing an electronic inventory of some 55,000 pages of emails from her stint as secretary of state, was repeatedly hit by attempted cyberattacks originating in China, South Korea and Germany in 2014, according to a congressional document obtained by The Associated Press.
I sit in the C-Suite. (Not now, but I used to.) I am not the CIO or CTO. (Not now, but I used to be.) I am a retailer (for my purposes here). I was just asked three questions at an investor conference: "What's your technology plan?" "What new technologies are you tracking?" "How will these [...]
The European concept of "privacy" has a lot more to do with controlling one's image than with keeping the government from snooping on your affairs.
CyanogenMod has squished both Stagefright bugs in its latest stable release of the custom ROM.