background preloader

Security

Facebook Twitter

HPVAC. Why the Security of USB Is Fundamentally Broken. Josh Valcarcel/WIRED.

Why the Security of USB Is Fundamentally Broken

The Unpatchable Malware That Infects USBs Is Now on the Loose. It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware.

The Unpatchable Malware That Infects USBs Is Now on the Loose

Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer. In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

GNU hackers discover HACIENDA government surveillance and give us a way to fight back — Free Software Foundation — working together for free software. According to Heise newspaper, the intelligence agencies of the United States, Canada, United Kingdom, Australia, and New Zealand, have used HACIENDA to map every server in twenty-seven countries, employing a technique known as port scanning.

GNU hackers discover HACIENDA government surveillance and give us a way to fight back — Free Software Foundation — working together for free software

The agencies have shared this map and use it to plan intrusions into the servers. Anonymous Operating System. Mission Impossible: Hardening Android for Security and Privacy. Updates: See the Changes section for a list of changes since initial posting.

Mission Impossible: Hardening Android for Security and Privacy

The future is here, and ahead of schedule. Come join us, the weather's nice. This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support.

ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently. FlreFox #Prlvacy #Securlty #lnfosec. How did the NSA hack our emails? NSA Surveillance (an extra bit) - Numberphile. Internet Toolkit. Update Check An online service to help Windows users check installed programs are up to date and do not have known security vulnerabilities. more...

Internet Toolkit

Antivirus Malware in email und Internet pages are now everyday occurences. DNS Security Collaborative Post - Eric Helgeson. There was a ton of responses to my blog post about my ISP’s bad behavior with DNS and I wanted to consolidate the information here.

DNS Security Collaborative Post - Eric Helgeson

This post is on github so you can click here to add or edit any info in this post, just a pull request away (just follow the same formatting). I’ll be adding more as I parse through all the comments. Basics of DNS. Zero Knowledge Privacy Foundation. ZoneTransfer.me. When teaching, and when talking to clients, I sometimes have to explain the security problems related to DNS zone transfer. Opt out of global data surveillance programs like PRISM, XKeyscore, and Tempora - PRISM Break.

A List of Privacy-Focused Companies, Tools & Technologies. Why passwords have never been weaker—and crackers have never been stronger. Oh great: New attack makes some password cracking faster, easier than ever. A researcher has devised a method that reduces the time and resources required to crack passwords that are protected by the SHA1 cryptographic algorithm.

Oh great: New attack makes some password cracking faster, easier than ever

The optimization, presented on Tuesday at the Passwords^12 conference in Oslo, Norway, can speed up password cracking by 21 percent. The optimization works by reducing the number of steps required to calculate SHA1 hashes, which are used to cryptographically represent strings of text so passwords aren't stored as plain text. Such one-way hashes—for example 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 to represent "password" (minus the quotes) and e38ad214943daad1d64c102faec29de4afe9da3d for "password1"—can't be mathematically unscrambled, so the only way to reverse one is to run plaintext guesses through the same cryptographic function until an identical hash is generated. About The Honeynet Project. The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

About The Honeynet Project

With Chapters around the world, our volunteers have contributed to fight against malware (such as Confickr), discovering new attacks and creating security tools used by businesses and government agencies all over the world. The organization continues to be on the cutting edge of security research by working to analyze the latest attacks and educating the public about threats to information systems across the world. Founded in 1999, The Honeynet Project has contributed to fight against malware and malicious hacking attacks and has the leading security professional among members and alumni.

Our mission reads "to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" with three main pillars: Research Awareness Tools. HoneyMap. TEDxMidAtlantic 2011 - Avi Rubin - All Your Devices Can Be Hacked. Fix Ubuntu. The second operating system hiding in every mobile phone. I've always known this, and I'm sure most of you do too, but we never really talk about it.

The second operating system hiding in every mobile phone

Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Tools for a Safer PC. An important aspect of securing any system is the concept of “defense-in-depth,” or having multiple layers of security and not depending on any one approach or technology to block all attacks.

Tools for a Safer PC

Here are some links to tools and approaches that I have found useful in stopping malware from invading a PC. Your mileage may vary. Learn, Memorize, Practice the 3 Rules Follow Krebs’s 3 Basic Rules for online safety, and you will drastically reduce the chances of handing control over your computer to the bad guys. The Scrap Value of a Hacked PC, Revisited. The Value of a Hacked Email Account. Data Broker Giants Hacked by ID Theft Service. An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity. The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident.

Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney. MIT Students Release Program To 3D-Print High Security Keys. Google Chrome to alert on malware downloads. Sniffer hijacks secure traffic from unpatched iPhones. Almost anyone can snoop the secure data traffic of unpatched iPhones and iPads using a recently-revised tool, a researcher said today as he urged owners to apply Apple's latest iOS fix. The nine-year-old bug was quashed Monday when Apple issued a patch for the iPhone 4, iPhone 3GS and third- and fourth-generation iPod Touch. Fragmenting the Internet Is Not a Security Solution. In light of the recent spate of high-profile hacking campaigns, and the overall poor state of security on the internet, NextGov.com reports that parts of the US government are advocating for a separate, “secure” internet.

The idea calls for segmenting “critical” networks (not yet fully defined, but presumably including infrastructure and financial systems) and applying two security mechanisms to these networks: (1) increased deep packet inspection (DPI) to detect and prevent intrusions and malicious data; and (2) strong authentication, at least for clients. The trouble is that this “.secure” internet doesn’t make much technical or economic sense: the security mechanisms are simply not powerful or cost-effective enough to warrant re-engineering an internet. Whether the idea is to apply different security policies to sites using a special domain name like “.secure” (and possibly the existing .edu and .gov domains), or to create a parallel internet infrastructure, is not yet clear. An Open Letter From Internet Engineers to the U.S. Congress. How to secure your data with Truecrypt in 11 easy steps! TrueCrypt, the final release, archive  

DrWhax/truecrypt-archive. Open Crypto Audit Project. Is TrueCrypt Audited Yet? Insecure.Org - Nmap Free Security Scanner, Tools & Hacking resources. Phil Zimmermann's Silent Circle Builds A Secure, Seductive Fortress Around Your Smartphone. In the 1990s, cryptography pioneer and Pretty Good Privacy (PGP) creator Phil Zimmermann faced federal criminal investigation. His encryption software was so strong, it was charged, there was fear it violated arms trafficking export controls. Now Zimmermann has launched a new startup that provides industrial strength encryption for smartphone users. LEAP Encryption Project. Tahoe-lafs.org. In surveillance era, clever trick enhances secrecy of iPhone text messages. A security researcher has developed a technique that could significantly improve the secrecy of text messages sent in near real time on iPhones.

The technique, which will debut in September in an iOS app called TextSecure, will also be folded into a currently available Android app by the same name. The cryptographic property known as perfect forward secrecy has always been considered important by privacy advocates, but it has taken on new urgency following the recent revelations of widespread surveillance of Americans by the National Security Agency.

Tails. Same Origin Policy - Protecting Browser State from Web Privacy Attacks. d0z.me: The Evil URL Shortener « Spare Clock Cycles. Tipwire · thedod/whatmail Wiki. Request a TipWire chat. SecurityXploded.com. HitmanPro.Kickstart - SurfRight. Allegations regarding OpenBSD IPSEC. Useful Cryptography Resources. It-sec-catalog - Project Hosting on Google Code - code.google.com. iSECPartners/LibTech-Auditing-Cheatsheet.

SecurityFocus. Network security articles and hacking prevention resources for the government and general public. Covering all aspects of Computer Hacking, including tutorials and exploit downloads. A (relatively easy to understand) primer on elliptic curve cryptography. Government Standards Agency “Strongly” Suggests Dropping its Own Encryption Standard.

Ssl/https

PGP. p2p.