Security blogs

Some security blogs I follow (2013-07-01T21:55:27Z)
Updated: 4 years 7 weeks ago

More Talks For You!

Sun, 06/23/2013 - 18:44

We have broken off a new hunk of talks for you to chew on, check them out!

Made Open: Hacking Capitalism
Todd Bonnewell

Panel Ask the EFF: The Year in Digital Civil Liberties
Kurt Opsahl, Marcia Hofmann, Dan Auerbach, Eva Galperin, and EFF Staffer(s) to be named later

Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)
Justin Engler

Adventures in Automotive Networks and Control Units
Charlie Miller and Chris Valasek

A Password is Not Enough: Why Disk Encryption Is Broken And How We Might Fix It
Daniel Selifonov

Do-It-Yourself Cellular IDS
Sherri Davidoff, Scott Fretheim, David Harrison, and Tom Connell

Prowling Peer-to-Peer Botnets After Dark
Tillmann Werner

HTTP Time Bandit
Vaagn Toukharian and Tigran Gevorgyan

Torturing Open Government Systems for Fun, Profit and Time Travel
Tom Keenan

Examining the Bitsquatting Attack Surface
Jaeson Schultz

Please Insert Inject More Coins
Nicolas Oberli

Legal Aspects of Full Spectrum Computer Network (Active) Defense
Robert Clark

Decapping Chips The Easy Hard Way
Adam "Major Malfunction" Laurie and Zac Franken

Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Dan Griffin

So You Think Your Domain Controller is Secure?
Justin Hendricks

(author unknown)
Categories: Bundle Security blogs

Federal Mobile Computing Summit

Sun, 06/23/2013 - 12:27
07/09/2013 - The 4th installment of the Federal Mobile Computing Summit and Technology Showcase will examine the post-Digital Government Strategy landscape, and... (author unknown)
Categories: Bundle Security blogs

La Nuit du Hack 2013 Wrap-Up

Sun, 06/23/2013 - 03:50

My clock tower is completed! I left home yesterday at 6AM to Disneyland Resort Paris and I’m just back at 6AM. It’s too late to go to bed so I finished writing my Nuit du Hack wrap-up. This was the first time I attended this event. During the last years, I always attended Hack in Paris which is organised at the same place the week before. The Nuit du Hack is first of all the biggest CTF contest organised in France. For this edition, more than 1300 people attended the event. It’s an impressive organisation! But before the CTF, talks are also organised during the day. Here is my quick review of them.

The keynote was presented by Jérémie Zimmermann: “Freedom or control?”. Jérémie is the co-founder of La Quadrature du Net and fights for online privacy and freedom. The keynote started later due to issues with the public transport and was limited in time. Jérémie started with one question: “Who’s still using Facebook or Gmail?”. Of course, most of the audience is! It’s difficult to get rid of services that we use on a daily basis. Everybody agrees on the fact that those services are monitored (you know: PRISM, NSA, etc.) but we need solid evidence (not only provided by hackers and geeks) to prove that we are monitored. A few years ago, computers were our best friends. It was easy to understand how they worked from A to Z. It’s not the case anymore and computers became our enemies! When you are in front of a technological choice, it’s important to verify the infrastructure, think about free software and end-to-end encryption. Conclusion of the keynote: we need to educate users. They must realise that everything they type on Gmail can be re-used to track or score them.

The first talk was “Thinking outside the box” by Dave Kennedy, the founder of TrustedSec. Dave is also well-known as the developer of SET (“Social Engineering Toolkit”). SET is a wonderful tool that you must use if you are doing pen tests. New versions are regularly distributed with updates, bug fixes but also new attacks. Dave’s talk was based on scenarios. The first one was about a health care company. The first phase is to learn about the target and think about what you want. He provided a good example of spear-phishing (think about all the details: headers, body, signature, links). To be successful the mail must:

  • Fear the people (you won’t receive money, we will cancel your account)
  • Ask for a quick action (it will require only 2 mins of your time)
  • Feel secure (use HTTPS)
Due to a planning mismatch, Dave was interrupted during his demo and had to free the space for the next speaker. Sad! But the organisers apologised and Dave came back later with other demos. One of them was evading a Next-Generation firewall (which is signature based). He successfully encapsulated SSH into HTTP traffic. Cool!

Next one: “Behind the scene of web attacks” by Davide Canali. He explained the project he is working on at the university. The goal was to deploy multiple websites (CMS, known applications, etc.) acting as honeypots. Live websites were proxies redirecting traffic to real web apps installed on VMs. They collected huge amounts of data over 100 days: created/changed pages, logs, DB snapshots and egress traffic. Interesting statistic: the first malicious activity is generally automated after 2h10 and manual activity after 4h30. During attacks, Perl (libwww/perl) is detected in 75% of sessions. Davide showed a lot of interesting stats to map web attacks:
  • Discovery
  • Reconnaissance
  • Exploitation (46% of successful attacks upload a web shell) and this shell is visited in 3h30 after the exploit.

This was an interesting research.

The next talk was presented by Sébastien Andrivet who spoke about the e-voting system used in Genève/Switzerland for a few years. In Switzerland, citizens have three ways to vote: via a polling station, snail mail or via Internet (still experimental). When Sébastien used the system for the first time, I was curious to learn how it is working and how to be sure that votes are correctly handled. Official servers are not always online (only during polling periods) and could not be attacked, so he decided to build his own voting system based on the public one. A huge project! But he succeeded and found interesting stuff:

  • Developer’s names were present in the code
  • Some comments in Java class files were “inappropriate” for a software developed by a government
  • Why does the system allow the citizen to modify his vote?
This last bullet was exploited by a “virus” developed by Sébastien. It uses the same principle as e-banking trojans and hides the manipulation from the user. Question from Sébastien: the voting system was audited (and conclusions published), so why was this issue not detected? Simply due to the audit scope, which was very restricted as seen on the picture below:

This was my preferred presentation today! Great job!

The next talk: “Cracking and analysing Apple iCloud protocols: iCloud backups, Find My iPhone, document storage” by Vladimir Katalov. Vladimir explained how iCloud works and what are the protocols/requests used to put/get files. Simply interesting. Just remember that iCloud backups can’t be fine-tuned. Apple has the key and can access your data!

The two next talks were presented during lunch time and were funnier or based on demos. First, how journalism and social engineering can be mixed. Yes, journalists also use SE techniques to gain people’s confidence. They have to check their language and keep an eye on the body language. In fact, SE is used every time you need to get some info from somebody (journalists, vendors, politicians, etc.). Nothing new… Then a very nice live lock picking demo was organised. Always funny!

Then came Rosario Valotta to speak about “Abusing browser user interfaces for fun & profit”. The amount of malware is increasing and attacks mainly originate from user-initiated downloads. Users have requirements (more security) and vendors try to provide responses. Let’s focus on Chrome: browser security notifications are a crucial part of the browser trust model. Notify the user before making important choices. Notifications need to be recognisable and trusted. How? There are two modes used by browsers:

  • Modal: Popup window: accept/deny/ok/yes/now - Workflow blocking / visual contrast / default answer?
  • Modeless notifications: file download, plugging activated, HTML5 apis, etc (work flow is not stopped) (more informative)
Rosario performed nice demonstrations of browser abuse. The first one was using notifications in a background window (using a pop-under). He showed how users can be asked to type a certain list of keys which are in fact interpreted by the hidden window and allow the download/execution of the malicious code. The other example was a “one-click” attack. By asking a user to click on a link, the focus moves to another window and triggers the user to click on an acceptance button to execute the code. Finally, he explained how modern browsers can detect malicious code using signatures. This feature is called SmartScreen Filter for Microsoft or SafeBrowsing for Chrome & Firefox. Here again, it is possible to bypass the check. Note that signed apps will not be checked (only the reputation will be).

Then, Jaime Sanchez came to talk about “From kernel space to user heaven…”. Used in the reconnaissance & scanning phases: if we can fool all network tools, we’ll be able to prevent some attack attempts. Jaime explained how packets are processed from the hardware to applications. Then he presented a very interesting extension for iptables called NFQUEUE. It queues packets for user space monitoring:

  # iptables -A INPUT -j NFQUEUE --queue-num 0

The first demo was a Perl script reading the queue and processing the packets (also the payload). Then, he faked the SSH source by applying packet alteration. It’s also possible to fake a traceroute, you just need cool ideas! Finally, he explained how Nmap performs OS fingerprinting and explained how to generate answers with correct data to fake an OS.

And we continue with Thibaut Scherrer who talked about CCTV cameras deployed by authorities. They are presented by politicians as the key weapon to prevent crime. Is it true? After a presentation of the different models of cameras used in France (wired/wireless, fixed, pan, tilt, zoom, etc.), he gave some pros & cons and, more interesting, how to abuse them to prevent a recording. Some techniques are a wifi jammer or a laser. Thibaut also explained the algorithm developed with other students to detect which camera must be blocked to safely cross from a point A to a point B in Paris. There are open maps with all the information required. Thibaut explained how to protect himself from being recorded with some infrared lights placed on a helmet!

Jayson Street came on stage to talk about email attacks to abuse companies. What’s new with email attacks? Nothing new and it still works. Today, 91% of attacks involved spear phishing!

Jayson came on stage with new stories to abuse people with emails. What’s new with email attacks? It still works but nothing new. 91% of attacks involved spear phishing! Jayson explained how to perform a good phishing attack. A good introduction email must contain:

  • Danger
  • Intrigue
  • Politics
  • Reward

After explaining how to write a good email with a real contact, correct information, etc., he explained the new type of attack he used to enter a company. Why bypass your firewall if I can bypass your receptionist? Jayson’s idea was to use Gmail emails but displayed on a tablet and show this to the receptionist… Lots of funny examples!

Next, Florent Batard & Nicolas Oberli presented “Modern frameworks, modern vulnerabilities”. Based on several demos, they showed how to exploit modern frameworks used to build web applications. Example with the “known secret” attack against a Python framework. Those frameworks are good at protecting themselves against attacks but the weakest link is often the developer who by mistake discloses the secret key on public websites like GitHub or Pastebin or does not change the default secret key implemented in the source code. If you know this key, you can perform a lot of nice attacks like privilege escalation or code execution. The demo displayed a classic file (/etc/passwd) but also started a remote shell using netcat. But generating cookies manually is a pain. The speaker developed a tool called pppp.py that will help you to generate cookies for multiple frameworks. A must-have if you are doing pen tests. The tool will be released soon, check out balda.ch.

The last talk was about e-banking applications: “Practical exploitation of rounding vulnerabilities in internet banking applications” by Adrian Furtuna. According to some tweets, it wasn’t a brand new topic but it was the first time that I learned about this type of exploitation. In this case, no XSS, CSRF or funny attacks but some kind of abuse of how banks process our payments. Think about this: when you buy stuff for 1.99 EUR, do you pay the exact cent? How much do sellers win from rounding? Based on this question, does the same work with banks? Usually, amounts are specified with two decimals. Here are two examples:

  • Transfer of 8.3436 EUR, the bank will transfer 8.34 EUR and wins 0.0036 EUR
  • Transfer of 8.3578 EUR, the bank will transfer 8.35 EUR and loses 0.0022 EUR

Note that banks put a limit and the maximum win/loss is fixed to 0.005 EUR. Based on this, how to win some money? By doing foreign exchange transactions or transferring money between two accounts with different currencies. The speaker explained with lots of tables how we can win money. Of course, banks have protections: they perform behaviour monitoring, apply costs (a few cents) per operation or limit the amount of exchange. Note that some techniques presented by the speaker were not tested / difficult to implement. The funniest part was the “robots” built to generate tokens automatically:

After the regular talks, we went out for a dinner to the Planet Hollywood like last year. Great conversations with friends as usual! The rest of the event was reserved for CTF challenges and a set of workshops. Unfortunately, the planning changed at the last minute and some workshops were postponed or cancelled. One remark to the organisers: next year organise them in a separate room to avoid the noise, the music and allow people to really follow and learn new stuff (thanks to the drunk guys who disturbed Tris Acatrinei’s workshop about OSINT!). Apart from this small glitch, great organisation! It’s not easy to manage so many people! Oh yes, one last remark about some complaints I read on Twitter. I understand that France promotes the French language but when internationally renowned speakers are invited and attendees come from abroad, it sounds logical to me to have talks in English… Open your mind!
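The “known secret” issue from the Batard & Oberli talk above, as an added example that is not code from the talk, from pppp.py or from any framework: a minimal HMAC-signed session cookie verified in constant time, and the startup guard a deployment needs so that a default or placeholder secret key (the list of weak values here is constructed) is refused before any cookie is ever signed.

```python
"""Added example (not from the talk or any framework): HMAC-signed session
cookies, verified in constant time, plus a startup guard against running with
a default or placeholder secret key, which is what a "known secret" attack
relies on."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed list of placeholder values for illustration; a real deployment
# would add the framework's shipped default and any key that has been leaked.
KNOWN_WEAK_SECRETS = {"", "changeme", "secret", "development key", "CHANGE ME"}


def check_secret_key(key: str) -> None:
    """Refuse to start when the secret is a known placeholder or too short."""
    if key in KNOWN_WEAK_SECRETS or len(key) < 32:
        raise RuntimeError("SECRET_KEY is a default or too weak; set a random one")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: str, payload: str) -> bytes:
    return hmac.new(key.encode(), payload.encode(), hashlib.sha256).digest()


def sign_session(key: str, session: dict) -> str:
    """Serialise the session and append an HMAC-SHA256 tag: payload.tag"""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    return f"{payload}.{_b64(_mac(key, payload))}"


def load_session(key: str, cookie: str) -> Optional[dict]:
    """Return the session dict only if the tag verifies under `key`; any
    malformed or tampered cookie yields None. Only the key holder can mint a
    valid tag, which is why a guessable key hands out arbitrary sessions."""
    try:
        payload, tag = cookie.split(".", 1)
        if not hmac.compare_digest(_mac(key, payload), _unb64(tag)):
            return None
        return json.loads(_unb64(payload))
    except ValueError:  # bad split, bad base64, bad JSON
        return None


if __name__ == "__main__":
    check_secret_key("changeme")  # raises: this is the case the talk warns about
```

The startup guard only catches placeholders it knows about; a key that was committed to a public repository is just as fatal and must be rotated, after which cookies signed with the old key fail verification by construction.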
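An added example, not code from the talk or from any bank, that reproduces the cent rounding in the two bullets above with exact Decimal arithmetic (rounded half-up, which is what the stated 0.0022 loss implies), shows why a per-operation fee of one cent removes the incentive, and sketches the behaviour monitoring the speaker mentioned; the exchange rate, amounts and thresholds are constructed.

```python
"""Added example (not from the talk or any bank): cent rounding as a ledger
does it, the effect of a per-operation fee, and a per-account monitor for the
only pattern in which half-cent gains add up: many tiny exchanges."""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def settle(amount):
    """Round a computed amount to cents (half-up), as a ledger does.
    Returns (settled, bank_delta): bank_delta > 0 means the bank keeps the
    fraction, < 0 means it pays out more than the exact amount. The delta
    can never exceed half a cent in either direction."""
    amount = Decimal(str(amount))
    settled = amount.quantize(CENT, rounding=ROUND_HALF_UP)
    return settled, amount - settled


def exchange(amount_src, rate, fee="0"):
    """Convert `amount_src` at `rate`, settle to cents, then charge a
    per-operation `fee` in the destination currency.
    Returns (received, customer_gain): the gain is what the customer got
    beyond the exact converted value, net of the fee."""
    exact = Decimal(str(amount_src)) * Decimal(str(rate))
    received, bank_delta = settle(exact)
    fee = Decimal(str(fee))
    return received - fee, -bank_delta - fee


class RoundingMonitor:
    """Constructed control: flag an account that runs more than
    `max_small_ops` exchanges below `min_amount` within `window_s` seconds."""

    def __init__(self, min_amount="1.00", max_small_ops=10, window_s=3600):
        self.min_amount = Decimal(str(min_amount))
        self.max_small_ops = max_small_ops
        self.window_s = window_s
        self.small_ops = defaultdict(list)      # account -> timestamps of tiny ops
        self.cumulative_gain = defaultdict(Decimal)

    def record(self, account, amount_src, gain, ts):
        """Return True if this exchange should be held for review."""
        self.cumulative_gain[account] += gain
        if Decimal(str(amount_src)) >= self.min_amount:
            return False
        recent = [t for t in self.small_ops[account] if ts - t < self.window_s]
        recent.append(ts)
        self.small_ops[account] = recent
        return len(recent) > self.max_small_ops


def demo():
    """Constructed scenario: 0.05 EUR -> USD at 1.30 is exactly 0.065 USD,
    which settles to 0.07 USD, a half-cent gain per operation. A one-cent
    fee turns that into a half-cent loss, and the monitor flags the eleventh
    tiny exchange within the window."""
    _, gain_free = exchange("0.05", "1.30")
    _, gain_fee = exchange("0.05", "1.30", fee="0.01")
    mon = RoundingMonitor()
    flagged = [mon.record("acct-1", "0.05", gain_free, ts) for ts in range(0, 120, 10)]
    return gain_free, gain_fee, flagged


if __name__ == "__main__":
    print(settle("8.3436"), settle("8.3578"))
    print(demo())
```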
Categories: Bundle Security blogs

CfP for DeepSec 2013 is still open! Send us (your?) security nightmares!

Sat, 06/22/2013 - 11:08
Hello to all you late birds! The Call for Papers for DeepSec 2013 is still open! We are eagerly waiting for your workshops and talks! Don’t tell us that the world has become a safe place and there’s nothing out there that can’t be broken or is broken by design. We won’t believe you in [...]
lynx
Categories: Bundle Security blogs

Facebook squashes bug that exposed e-mail addresses for 6 million users

Fri, 06/21/2013 - 21:55

Facebook engineers have fixed a privacy bug that disclosed e-mail addresses and phone numbers of about 6 million account holders to other users, company officials said Friday.

The inadvertent disclosure was included in archives generated when people used the Facebook Download Your Information tool. The service allows users to acquire the entire contents of their accounts. In some cases, the archives contained private e-mail addresses and phone numbers belonging to people the account holder had searched for on Facebook. In a blog post published Friday, company representatives wrote:

We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again. Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.

Company officials have already notified regulators in the US and Canada of the disclosure and are in the process of notifying affected users through e-mail.

Categories: Bundle Security blogs

Friday Squid Blogging: How the Acidification of the Oceans Affects Squid

Fri, 06/21/2013 - 19:28

It's not good.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

schneier
Categories: Bundle Security blogs

Device-disabling Fake AV migrates to Android phones, demands ransom

Fri, 06/21/2013 - 18:15

Device-disabling malware that masquerades as legitimate antivirus protection is migrating to smartphones running Google's Android operating system, according to researchers who got their hands on what appears to be an early test version of one such malicious program.

So-called Fake AV software, which is often bundled with screensavers or other innocuous-appearing apps, has long been a nuisance in the malware landscape for both the Microsoft Windows and Mac OS X platforms. Some operators have managed to rake in millions of dollars by reporting non-existent infections on machines and then tricking owners into paying for fraudulent disinfection services.

Enter Android Fakedefender, which researchers from antivirus provider Symantec recently discovered in several third-party Android app markets. The malicious app is still buggy and crude to say the least, but it nonetheless has the ability to create major headaches for smartphone users who install it. On many handsets, for instance, Fakedefender cannot be uninstalled at all and will prevent users from performing factory resets. Borrowing a page from so-called ransomware malware, the app also prevents many users from opening other apps or accessing data stored on the device until users buy a premium version of the Fake AV program.

Categories: Bundle Security blogs

Me on the Lou Dobbs Show

Fri, 06/21/2013 - 17:32

I was on the Lou Dobbs Show earlier this week.

schneier
Categories: Bundle Security blogs

US Offensive Cyberwar Policy

Fri, 06/21/2013 - 14:43

Today, the United States is conducting offensive cyberwar actions around the world.

More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pretargeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice.

This is much worse than what we're accusing China of doing to us. We're pursuing policies that are both expensive and destabilizing and aren't making the Internet any safer. We're reacting from fear, and causing other countries to counter-react from fear. We're ignoring resilience in favor of offense.

Welcome to the cyberwar arms race, an arms race that will define the Internet in the 21st century.

Presidential Policy Directive 20, issued last October and released by Edward Snowden, outlines US cyberwar policy. Most of it isn't very interesting, but there are two paragraphs about "Offensive Cyber Effect Operations," or OCEO, that are intriguing:

OCEO can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist.

The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other US offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive.

These two paragraphs, and another paragraph about OCEO, are the only parts of the document classified "top secret." And that's because what they're saying is very dangerous.

Cyberattacks have the potential to be both immediate and devastating. They can disrupt communications systems, disable national infrastructure, or, as in the case of Stuxnet, destroy nuclear reactors; but only if they've been created and targeted beforehand. Before launching cyberattacks against another country, we have to go through several steps.

We have to study the details of the computer systems they're running and determine the vulnerabilities of those systems. If we can't find exploitable vulnerabilities, we need to create them: leaving "back doors," in hacker speak. Then we have to build new cyberweapons designed specifically to attack those systems.

Sometimes we have to embed the hostile code in those networks -- these are called "logic bombs" -- to be unleashed in the future. And we have to keep penetrating those foreign networks, because computer systems always change and we need to ensure that the cyberweapons are still effective.

Like our nuclear arsenal during the Cold War, our cyberweapons arsenal must be pretargeted and ready to launch.

That's what Obama directed the US Cyber Command to do. We can see glimpses of how effective we are in Snowden's allegations that the NSA is currently penetrating foreign networks around the world: "We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one."

The NSA and the US Cyber Command are basically the same thing. They're both at Fort Meade in Maryland, and they're both led by Gen. Keith Alexander. The same people who hack network backbones are also building weapons to destroy those backbones. At a March Senate briefing, Alexander boasted of creating more than a dozen offensive cyber units.

Longtime NSA watcher James Bamford reached the same conclusion in his recent profile of Alexander and the US Cyber Command (written before the Snowden revelations). He discussed some of the many cyberweapons the US purchases:

According to Defense News' C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients -- agencies like Cyber Command, the NSA, the CIA, and British intelligence -- a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what's called network situational awareness. The client locates a region on the password-protected web-based map, then picks a country and city -- say, Beijing, China. Next the client types in the name of the target organization, such as the Ministry of Public Security's No. 3 Research Institute, which is responsible for computer security -- or simply enters its address, 6 Zhengyi Road. The map will then display what software is running on the computers inside the facility, what types of malware some may contain, and a menu of custom-designed exploits that can be used to secretly gain entry. It can also pinpoint those devices infected with malware, such as the Conficker worm, as well as networks turned into botnets and zombies -- the equivalent of a back door left open...

The buying and using of such a subscription by nation-states could be seen as an act of war. 'If you are engaged in reconnaissance on an adversary's systems, you are laying the electronic battlefield and preparing to use it' wrote Mike Jacobs, a former NSA director for information assurance, in a McAfee report on cyberwarfare. 'In my opinion, these activities constitute acts of war, or at least a prelude to future acts of war.' The question is, who else is on the secretive company's client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish. "It should be illegal," said the former senior intelligence official involved in cyberwarfare. "I knew about Endgame when I was in intelligence. The intelligence community didn't like it, but they're the largest consumer of that business."

That's the key question: How much of what the United States is currently doing is an act of war by international definitions? Already we're accusing China of penetrating our systems in order to map "military capabilities that could be exploited during a crisis." What PPD-20 and Snowden describe is much worse, and certainly China, and other countries, are doing the same.

All of this mapping of vulnerabilities and keeping them secret for offensive use makes the Internet less secure, and these pretargeted, ready-to-unleash cyberweapons are destabilizing forces on international relationships. Rooting around other countries' networks, analyzing vulnerabilities, creating back doors, and leaving logic bombs could easily be construed as acts of war. And all it takes is one overachieving national leader for this all to tumble into actual war.

It's time to stop the madness. Yes, our military needs to invest in cyberwar capabilities, but we also need international rules of cyberwar, more transparency from our own government on what we are and are not doing, international cooperation between governments, and viable cyberweapons treaties. Yes, these are difficult. Yes, it's a long, slow process. Yes, there won't be international consensus, certainly not in the beginning. But even with all of those problems, it's a better path to go down than the one we're on now.

We can start by taking most of the money we're investing in offensive cyberwar capabilities and spend them on national cyberspace resilience. MAD, mutually assured destruction, made sense because there were two superpowers opposing each other. On the Internet there are all sorts of different powers, from nation-states to much less organized groups. An arsenal of cyberweapons begs to be used, and, as we learned from Stuxnet, there's always collateral damage to innocents when they are. We're much safer with a strong defense than with a counterbalancing offense.

This essay originally appeared on CNN.com. It had the title "Has U.S. Started an Internet War?" -- which I had nothing to do with. Almost always, editors choose titles for my essay without asking my opinion -- or telling me beforehand.

EDITED TO ADD: Here's an essay on the NSA's -- or Cyber Command's -- TAO: the Office of Tailored Access Operations. This is the group in charge of hacking China.

According to former NSA officials interviewed for this article, TAO's mission is simple. It collects intelligence information on foreign targets by surreptitiously hacking into their computers and telecommunications systems, cracking passwords, compromising the computer security systems protecting the targeted computer, stealing the data stored on computer hard drives, and then copying all the messages and data traffic passing within the targeted email and text-messaging systems. The technical term of art used by NSA to describe these operations is computer network exploitation (CNE).

TAO is also responsible for developing the information that would allow the United States to destroy or damage foreign computer and telecommunications systems with a cyberattack if so directed by the president. The organization responsible for conducting such a cyberattack is US Cyber Command (Cybercom), whose headquarters is located at Fort Meade and whose chief is the director of the NSA, Gen. Keith Alexander.

None of this is new. Read this Seymour Hersh article on this subject from 2010.

schneier
Categories: Bundle Security blogs

BYOD & Mobility – Effects on Network Security

Fri, 06/21/2013 - 11:34

Gary Sockrider, Arbor Networks’ Solutions Architect for the Americas, took some time to discuss the topics of BYOD (bring your own device) and mobile technology’s effects on network security at HostingCon 2013.

BYOD has become more popular than ever, meaning workers are bringing their own laptops, tablets, and smartphones to and from public areas, opening these devices up to security threats. That’s not to mention all the software that this technology is running that could open up the system to other forms of security threats. On top of that, if a device becomes infected out in public and is then brought back onto your private network, that network is now at risk.

This makes network visibility very important. IT professionals need to be able to see what’s happening on their network and what devices are connected. IT managers can then provide controlled access or limited access based on the hardware and the user.

Arbor Networks, Inc., a leading provider of network security and management solutions for enterprise and service provider networks, is participating in HostingCon 2013 as both an exhibiting company and a presenter during the technical presentations taking place throughout the week.

On Wednesday, June 19, Gary Sockrider, Arbor Networks’ solutions architect for the Americas, will participate in a panel discussion on “Identifying DDoS Trends and Limiting Attacks.” He will be joined by fellow network security experts Jeffrey Lyon, Curtis R. Curtis, and Neustar’s Rodney Joffe focusing on best practices for defending against the increasingly complex and ever-evolving threats facing network operators today.

Categories: Bundle Security blogs

The Japanese Response to Terrorism

Fri, 06/21/2013 - 09:25

Lessons from Japan's response to Aum Shinrikyo:

Yet what's as remarkable as Aum's potential for mayhem is how little of it, on balance, they actually caused. Don't misunderstand me: Aum's crimes were horrific, not merely the terrible subway gassing but their long history of murder, intimidation, extortion, fraud, and exploitation. What they did was unforgivable, and the human cost, devastating. But at no point did Aum Shinrikyo represent an existential threat to Japan or its people. The death toll of Aum was several dozen; again, a terrible human cost, but not an existential threat. At no time was the territorial integrity of Japan threatened. At no time was the operational integrity of the Japanese government threatened. At no time was the day-to-day operation of the Japanese economy meaningfully threatened. The threat to the average Japanese citizen was effectively nil.

Just as important was what the Japanese government and people did not do. They didn't panic. They didn't make sweeping changes to their way of life. They didn't implement a vast system of domestic surveillance. They didn't suspend basic civil rights. They didn't begin to capture, torture, and kill without due process. They didn't, in other words, allow themselves to be terrorized. Instead, they addressed the threat. They investigated and arrested the cult's leadership. They tried them in civilian courts and earned convictions through due process. They buried their dead. They mourned. And they moved on. In every sense, it was a rational, adult, mature response to a terrible terrorist act, one that remained largely in keeping with liberal democratic ideals.

schneier
Categories: Bundle Security blogs

Yahoo tells security critics to chillax regarding its email recycling program

Fri, 06/21/2013 - 05:08

So much for trying to be nice. Yahoo's latest bid to lift itself from the tech also-ran swamp with an email recycling initiative has been criticized for the security risk it poses to dormant users. To try to calm the pitchfork-wielding crowd, the company has released a statement describing the security measures it will take to protect past users' data and accounts, but they may not cover all the bases.

Tags: Yahoo, Industry News, l33tdawg
Categories: Bundle Security blogs

iOS default hotspot passwords cracked in 50 seconds

Fri, 06/21/2013 - 05:07

iOS users may be far more susceptible to being hacked when using Wi-Fi hotspot connections than they imagined.

According to researchers at Friedrich-Alexander University in Germany, Apple's default passwords for mobile hotspots, which serve as the WPA2 pre-shared keys (PSKs), are built from a predictable mix of letters and digits and are therefore easily guessable.
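The reason a structured default PSK matters: an attacker who captures a single WPA2 four-way handshake can test candidate passphrases offline, and the cost of each test is fixed by the standard (PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the SSID), so the only thing protecting the network is the size of the space the default is drawn from. The example below is added here and is not code from the FAU researchers or from Apple; it assumes, purely for illustration, that defaults follow a "dictionary word plus four digits" pattern drawn from a tiny constructed word list, and it compares a candidate's derived PMK against a known PMK as a stand-in for checking it against the handshake MIC. The guessing rate used for the time estimate is a placeholder, not a measured figure.

```python
import hashlib
import math
import secrets
import string

# Constructed for this example: a tiny stand-in for whatever word list a vendor might use.
WORDLIST = ["apple", "coral", "head", "suave", "tidal"]


def derive_pmk(ssid: str, psk: str) -> bytes:
    """WPA2-Personal PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def candidate_psks(words, digits=4):
    """Enumerate the assumed default pattern: a word followed by a zero-padded number."""
    for word in words:
        for n in range(10 ** digits):
            yield f"{word}{n:0{digits}d}"


def keyspace_size(words, digits=4) -> int:
    """Number of distinct passphrases the pattern can produce."""
    return len(words) * 10 ** digits


def worst_case_seconds(words, digits=4, pmk_per_second=50_000) -> float:
    """Time to exhaust the pattern at an assumed offline rate (pmk_per_second is a
    placeholder; real throughput depends entirely on the attacker's hardware)."""
    return keyspace_size(words, digits) / pmk_per_second


def recover_psk(ssid: str, target_pmk: bytes, words, digits=4):
    """Offline search over the pattern. Matching a known PMK stands in for the
    real check, which verifies each candidate against a captured handshake's MIC."""
    for cand in candidate_psks(words, digits):
        if derive_pmk(ssid, cand) == target_pmk:
            return cand
    return None


def random_psk(length: int = 16) -> str:
    """What a default should look like instead: uniformly random letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits_pattern(words, digits=4) -> float:
    """Guessing entropy of the patterned default, in bits."""
    return math.log2(keyspace_size(words, digits))


def entropy_bits_random(length: int = 16) -> float:
    """Guessing entropy of a random alphanumeric PSK of the given length, in bits."""
    return length * math.log2(len(string.ascii_letters + string.digits))


if __name__ == "__main__":
    ssid = "iPhone"
    # Constructed: a hotspot whose default PSK happens to fit the assumed pattern.
    captured_pmk = derive_pmk(ssid, "apple0042")
    print("keyspace:", keyspace_size(WORDLIST), "candidates,",
          f"{entropy_bits_pattern(WORDLIST):.1f} bits")
    print("worst case at placeholder rate:", worst_case_seconds(WORDLIST), "s")
    print("recovered:", recover_psk(ssid, captured_pmk, WORDLIST))
    print("random 16-char PSK:", random_psk(), f"({entropy_bits_random():.1f} bits)")
```

The contrast is the whole point: a five-word list with four digits gives about 15.6 bits, and even a list of a few thousand words only adds a dozen bits, while a 16-character random alphanumeric key is around 95 bits and cannot be exhausted offline at any rate.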

Tags: iOS, Wireless, Apple, l33tdawg
Categories: Bundle Security blogs

Linux continues to rule supercomputers

Fri, 06/21/2013 - 05:04

While Linux fans and critics obsess about Linux's failure to sweep Windows off the desktop, they're ignoring that Linux is winning everywhere else, and that when it comes to the highest of high-end computing, Linux rules.

Driving the point home, the top 10 fastest supercomputers all run Linux of one sort or another. You have to go all the way down to the 44th fastest computer, the European Centre for Medium-Range Weather Forecasts box, which runs IBM's AIX Unix variant, to find one that doesn't run Linux.

Tags: Linux, l33tdawg
Categories: Bundle Security blogs

FAA will soon ease in-flight restrictions for some electronic devices

Fri, 06/21/2013 - 05:03

We've been hearing rumblings that the FAA wants to start letting you use certain gadgets on airplanes through the "terrible 10,000 feet," and according to the WSJ, it's about to do just that.

A 28-member industry and government panel's draft report strongly recommended relaxing blanket rules against electronics that have been in place since 1966 due to massive changes in technology since then.

Tags: FAA, Industry News, l33tdawg
Categories: Bundle Security blogs

5 Fun Facts From the Latest NSA Leak

Fri, 06/21/2013 - 05:01

After a brief respite, the Guardian newspaper has resumed its publication of leaked NSA documents. The latest round provides a look at the secret rules the government follows for collecting data on U.S. persons.

We found a number of interesting disclosures in two documents released by the newspaper. Among them:

Tags: NSA, PRISM, l33tdawg
Categories: Bundle Security blogs

Use of Tor and e-mail crypto could increase chances that NSA keeps your data

Fri, 06/21/2013 - 04:59

Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they're collected inadvertently, according to a secret government document published Thursday.

Tags: Tor, Encryption, NSA, PRISM, l33tdawg
Categories: Bundle Security blogs

Things are Heating Up!

Fri, 06/21/2013 - 00:42

Tomorrow is the first official day of summer and, if you really think about it, DEF CON is the main reason summer exists. There are probably some other things going on, like shark attacks and whatnot. There are probably people who prioritize car trips and county fairs over hacker conventions. But you're HERE, so you are probably not one of those people. You are one of US, and you want to know what kind of action we have bubbling for you this year.

Well, the short answer is 'plenty'. Here are some of the current highlights:

The Most Significant Bit

Do you wish there was a contest that would develop your cyber-macho the way TV contests develop back-stabbing and bug-eating? We got you, OK? We got you.

The Most Significant Bit is a new contest that aims to take 16 noobs with a compubox and a dream from "zero to hero" by filling their spare cycles at DEF CON with various challenges to their hacking and making skills. They will fight to avoid elimination! They will fight to avoid humiliation! They will fight because apparently the winner gets a REAL CROWN*!

To enter, just submit a short (1-2 minute) video to YouTube explaining why this contest needs you. Include the search term dc8bits. (Test number one - following instructions.) 16 players will be chosen to compete, and in the end one contestant's victorious buttocks will feel the incomparable comfort of the 'Throne of Leetness'. If this sounds like something you need in your life, you can find out more at dc8bits.org.

*Street value of the 'Crown of Shiny Bits' is unknown at this time.

Hacker Jeopardy Sign-up

Do you and your pals know everything? Can you remember all the everything you know even under extreme alcohol conditions? Do you yearn to be immortalized in DEF CON lore?

Quite possibly the fastest route to glory for people like you is Hacker Jeopardy, the mighty and eternal drunken orgy of geek knowledge. To enter, it is advisable to check out the forum thread and get the lowdown. Host G. Mark Hardy has posted the steps you must take to begin your journey, and they are fairly specific. The first line is in ALL CAPS, PEOPLE. That's how you know it's business time. If you have a team with the goods, it's time to get enterin'.

Recruiting agents for the DEF CON DarkNet

Another new game in town this year is the DEF CON DarkNet Project, an Alternate Reality Game set in the world of Daemon and Freedom by Daniel Suarez. If the idea of a real-life, real-time MMO appeals to you, you should really check out the forum thread about the game. It looks very cool.

The team behind the game is also looking for some help if you've got some skills and some time. They need some web design, some design of the hammer and nails variety and people to design additional quests. Check out the forum thread and lend a hand if you can.

Now that the summer is upon us, you'll want to keep an eye on this space. There will be much, much more to come.

(author unknown)
Categories: Bundle Security blogs

Stanford, Mozilla, Opera team up to tackle cookie privacy issues

Thu, 06/20/2013 - 19:10

For the past few months, Firefox betas have been heuristically blocking certain cookies in a bid to protect user privacy and reduce the amount of online tracking by advertisers. Mozilla has not moved this blocking into the stable builds of its browser, however, because of problems with its effectiveness. The heuristics aren't perfect, so sometimes it blocks cookies it shouldn't block and other times lets cookies through that it should block.

A new project from Stanford University could provide the solution. The Cookie Clearinghouse intends to provide lists of cookies that should be blocked or accepted. Still in the planning stages, it will be designed to work in concert with the heuristics found in Firefox in order to correct the errors that the algorithmic approach makes.

Firefox's algorithm is simple. Essentially, if you visit a domain directly, that domain is allowed to set cookies (first-party cookies), and it then continues to be allowed to set cookies even when it is reached indirectly (third-party cookies). For example, if you visit facebook.com, Facebook is allowed to set cookies both on explicit visits and whenever other sites embed Facebook content such as Like buttons; a domain you have never visited directly is blocked from setting cookies in a third-party context.
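The heuristic and the proposed correction fit in a few lines of policy. What follows is an added illustration, not Mozilla's or Stanford's code: it models Firefox's "visited directly" rule and layers a clearinghouse block list and allow list on top as overrides, which is the division of labour the paragraphs above describe. Cookie domains are collapsed to their last two labels as a simplification; a real browser consults the Public Suffix List so that, for example, `co.uk` is not treated as a site.

```python
from dataclasses import dataclass, field


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (www.example.com -> example.com).
    Simplification for this example: a real implementation uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class CookiePolicy:
    visited: set = field(default_factory=set)     # sites the user has loaded as a top-level page
    block_list: set = field(default_factory=set)  # clearinghouse: never accept, even if visited
    allow_list: set = field(default_factory=set)  # clearinghouse: accept, even if never visited

    def record_visit(self, top_level_host: str) -> None:
        """A direct navigation makes the site eligible to set cookies later as a third party."""
        self.visited.add(registrable_domain(top_level_host))

    def accept(self, top_level_host: str, cookie_host: str) -> bool:
        """Decide whether cookie_host may set a cookie while top_level_host is the page."""
        site = registrable_domain(top_level_host)
        setter = registrable_domain(cookie_host)
        if setter in self.block_list:      # clearinghouse correction: heuristic let it through
            return False
        if setter in self.allow_list:      # clearinghouse correction: heuristic blocked it wrongly
            return True
        if setter == site:                 # first-party cookie: always allowed
            return True
        return setter in self.visited      # third-party: only if previously visited directly


def simulate(events, block_list=(), allow_list=()):
    """Replay a browsing session. Each event is ("visit", host) or
    ("cookie", top_level_host, cookie_host); returns the accept/reject decisions in order."""
    policy = CookiePolicy(block_list=set(block_list), allow_list=set(allow_list))
    decisions = []
    for event in events:
        if event[0] == "visit":
            policy.record_visit(event[1])
        else:
            _, top, setter = event
            decisions.append((top, setter, policy.accept(top, setter)))
    return decisions


if __name__ == "__main__":
    # Constructed session: a news site embedding a social widget and an ad tracker.
    session = [
        ("cookie", "news.example.org", "www.facebook.com"),  # never visited: blocked
        ("visit", "www.facebook.com"),
        ("cookie", "news.example.org", "www.facebook.com"),  # visited directly: allowed
        ("cookie", "news.example.org", "ads.tracker.example"),
        ("cookie", "news.example.org", "cdn.example.org"),   # same site: first-party
    ]
    for top, setter, ok in simulate(session, block_list={"tracker.example"}):
        print(f"{setter:>22} on {top}: {'accept' if ok else 'block'}")
```

The two list hooks are where the clearinghouse earns its keep: the heuristic alone will keep accepting cookies from a tracker the user once landed on directly, and will keep rejecting a legitimate third-party service the user has never visited, and neither mistake can be fixed without an external source of truth.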

Categories: Bundle Security blogs

‘Hijacking’ of DNS Records from Network Solutions

Thu, 06/20/2013 - 17:45

Multiple domain names registered with Network Solutions had problems today, as their DNS nameservers were replaced [...]

Jaeson Schultz
Categories: Bundle Security blogs