
General


Boiled passports leave a bad taste in the mouth of authorities. According to a recent issue of re:ID magazine, a Frankfurt man ran afoul of German authorities when they discovered that he attempted to damage the RFID chip in his government-issued identification card.


Are iPhones or Androids More of a Security Risk?

Trojanized PuTTY Software. This post was authored by Cisco CSIRT’s Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.


In late 2013–early 2014, a compromised FTP client dubbed “StealZilla,” based off the open source FileZilla FTP client, was discovered. The attackers modified a few lines of code, recompiled the program, and disbursed the trojanized version on compromised web servers. This new attack appears to involve the same actors who reused the same techniques to alter the source code of the widely used open source Telnet/SSH client, PuTTY, and used their network of compromised web servers to serve up similar fake PuTTY download pages. I2P. The software is free and open source and is published under multiple licenses. The name I2P is derived from Invisible Internet Project, which, in pseudo-mathematical notation, is represented as I²P.

Technical design. I2P has been beta software since 2003.[3] Developers emphasize that there are likely to be bugs in the software and that there has been insufficient peer review to date.[4] However, they believe the code is now reasonably stable and well-developed, and more exposure can help development of I2P. Many developers of I2P are known only under pseudonyms. While the previous main developer, jrandom, is currently on hiatus, others, such as zzz and Complication, have continued to lead development efforts, and are assisted by numerous contributors.[6] Software. How Was Your Credit Card Stolen? Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible.


I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised.

This post is an effort to remedy that. The card associations (Visa, MasterCard, et al.) very often know which merchant was compromised before even the banks or the merchant itself does. Op AURORAGOLD - NSA hacks cellphone networks worldwide. The Intercept has uncovered details of the operation AURORAGOLD, another massive surveillance program operated by the US Intelligence.


The new program is ambitious: the NSA has developed AURORAGOLD with the intent to spy on every cellphone network in the world. The AURORAGOLD operation is mentioned in one of the archives disclosed by Edward Snowden, which revealed that the NSA intercepted thousands of emails sent between companies in a bid to identify security weaknesses in cellphone technology. Operation AURORAGOLD allowed the NSA to monitor the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators. With this tactic, the government agency has intercepted confidential company planning papers that help it hack into phone networks. Further documents reveal that the US Intelligence plans to secretly introduce new flaws in communication systems so that they can monitor communications. Cowards Attack Sony PlayStation, Microsoft xBox Networks.

A gaggle of young misfits that has long tried to silence this Web site now is taking credit for preventing millions of users from playing Sony Playstation and Microsoft Xbox Live games this holiday season.


Launching in 2015: A Certificate Authority to Encrypt the Entire Web. Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.


Although the HTTP protocol has been hugely successful, it is inherently insecure. Face It, You Are A Poor Judge Of Risk. “The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.”


HP Lovecraft

We have a pop quiz today. Are you more likely to die from an alligator attack or a shark attack? Four-Year Old Flaw Exploited by Stuxnet Still Targeted. It was 2010 when the Stuxnet malware first appeared in the public consciousness.


Though the years have passed, however, there is no shortage of machines still vulnerable to attacks on one of the vulnerabilities the malware exploited as it trotted across the globe. According to a paper released by Kaspersky Lab, CVE-2010-2568 remains a widely exploited security hole. Despite the age of the vulnerability, Kaspersky Lab detected tens of millions of exploits targeting the bug between November 2013 and June 2014, though not all may correlate to individual attacks due to the way the bug is exploited. The vulnerability is a shortcut handling error in Microsoft Windows that affects XP, Vista, Windows 7 and Windows Server 2003 and 2008.

What You Think You Know About SaaS Security Is Wrong. Over the last year or so, the “Cloud Access Security Broker” market, as defined by Gartner, has exploded (451 Research calls it the “Cloud Application Control” market).


Cloud Access Security Brokers sit between users and cloud service providers to interject enterprise security policies as cloud applications are being accessed. There is no question that the problem of securing data in the cloud is a real one. Cloud adoption brings operational benefits and efficiencies, but if cloud adoption enables any corporate data to be stored or shared, then it is the enterprise’s responsibility to provide security for that data. Yes, cloud service providers play a key role in delivering security, but as part of the shared responsibility model, they are not liable for access to and usage of the cloud application. In other words, IT has ceded control of the day-to-day application maintenance, but not security. VXer fighters get new stealth weapon in war of the (mal)wares. A bare-metal analysis tool developed by University of California researchers promises to help tip the battle between virus writers and black hats by cloaking malware investigation efforts.

The tool is the latest weapon in the war between the diaspora of independent and vendor malware researchers and their VXer foes. Their rolling brawl has given rise to advanced cloak and dagger tactics employed by both belligerents. Black hats have developed impressive methods to find technical artifacts that help them to distinguish between infected computers belonging to victims and those malware researchers create to detect and foil attacks.

Once known, the means to detect such artifacts is coded into the next generation of malware, allowing it to appear harmless in the eyes of security researchers and anti-virus vendors. PGP Email Encryption Fundamentally Broken: Cryptography Expert. Pretty Good Privacy (PGP), the popular email privacy and authentication software, is fundamentally broken and it's time for it to "die," says Matthew Green, a respected cryptographer and research professor at Johns Hopkins University. Green, who has been involved in the recent TrueCrypt audit, published a blog post after Yahoo announced its intention to follow in Google's footsteps and implement end-to-end email encryption. Is EMET Dead? By: Craig Young. Exploit mitigation techniques have come a long way. Getting in Our Own Way. The security community has this widely-understood reputation for self-destruction.

Malware is threatening virtual machines. Symantec recently issued the “Threats to virtual environments” report to analyze the principal menace for virtualized environments. Double-Down on Security Intrusions with Snort Plus IPS. Time to ditch HTTP – govt malware injection kit thrust into spotlight. A new report from the Toronto-based internet watchdog Citizen Lab has shown cases of governments running network injection attacks that can deliver malware via any HTTP web connection. Thousands of computers open to eavesdropping and hijacking. Average Peak Size of DDoS Attacks Spiked in Q2: VeriSign. The average peak size of distributed denial-of-service (DDoS) attacks in the second quarter of 2014 increased by 216% compared to the first quarter, according to the latest trends report from VeriSign.

Why So Many Card Breaches? A Q&A. It's time for PGP to die, says ... no, not the NSA – a US crypto prof. A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption. Brit infosec firm lets hackers think they've stolen something. Most people think public Wi-Fi is safe. Seriously? Most people who use public Wi-Fi couldn't care less about security, according to the recent 2014 Communications Market Report from Ofcom - the UK's Office of Communications/regulatory authority for telecommunications.

Why Your Enterprise Most Likely Doesn't Have a Zero-Day Problem. Your Password May Not Be as Safe as You Think. Hackers Demand Automakers Get Serious About Security. Why hackers won't be able to hijack your next flight - the facts. Passwords Protection Steps to Take According to Symantec. Oxford and Cambridge in the race to eliminate passwords. Your fitness tracker is a SNITCH says Symantec. Over 90% of Enterprises Exposed to Man-in-the-Browser Attacks: Cisco. Hacking satellite communications equipment on passenger jets. The Science Behind DDoS Extortion. Al-Qaeda usage of encryption after Snowden leaks. How hackers could slam on your car's brakes - Aug. 1, 2014. Inside Citizen Lab, the “Hacker Hothouse” protecting you from Big Brother. Elliptic Curve DSA. Anatomy of a brute force attack – how important is password complexity? Python Gets High Marks for Open Source Software Security: Report. Traffic Correlation Attacks against Anonymity on Tor.

PRISM repercussion on the Tor network accesses. The Hacker Academy - Password Cracking 101: Meet John the Ripper. RSA Abandons Suspect NIST Encryption Algorithm. PHP SuperGlobal variables gaining popularity within hacking community. Lawyers came in like wrecking ball when boffins tried to break Tor. 2014: The Year Extortion Went Mainstream. Privacy Lessons from Snapchat. Lessons from 3 Organizations That Made 3 Privacy Mistakes. New Insights into Email Spam Operations. Preparing for the Internet of Things: Integrating Strong Authentication in Daily Life. New Changes to PCI Data Security Standard Published. Security Execs Say Next-Generation Security Teams Need More Than Tech Skills. Cybercrime: Africa need a defense system. Invest in Employees vs. Pay for a Data Breach?

Enterprise Social Risk Needs a C-Suite Champion. SQL Injection Most Common Vector for Data Breaches in First Half of 2013: IBM. How the Bible and YouTube are fueling the next frontier of password cracking. The Rogue Internet: The Evolution of the Cyber Threat. What Is Your Browser Doing Behind Your Back? ASLR Bypass Techniques Appearing More Frequently in Attacks. Security Gurus Reveal Their Mentors: The Influencers. Business Intelligence - Intro to reconnaissance. Cyberbullying Infograph - know to fight it. Antivirus bods grilled: Do YOU turn a blind eye to government spyware? Massive Spike in Reconnaissance Using Source Port Zero Traffic: Cisco. Group-IB Threat Intelligence Report 2012–2013 H1, a must read.

Russia Cybercrime Market Reached $1.9 Billion in 2012, Group-IB Estimates. Faces, gestures, heartbeats – how will the passwords of the future work? The Ethics of Monitoring Your Employees. Finance watchdog: Big fingers + tiny mobe screen + banking = doesn't end well. Information Warfare, Russia, New Zeland ... it is arms race. Why Elliptic Curve Cryptography is Necessary for Secure Remote Access. Next version of the web will have resistance to surveillance at its core. ENISA Report Outlines Incidents Causing Major Outages at Telcos. If you Knew you Were Going to be Attacked, What Would you do Differently? XSS: Researcher found critical vulnerabilities in major websites. IPv6 and cybercrime – what’s the story? Londoners Tracked By Advertising Firm's Trash Cans. How Politics Influences Security. Cracking Wifi Passwords With Kali Linux. Dr Anton Chuvakin Blog PERSONAL Blog: Complete PCI DSS Log Review Procedures, Part 9.

Mana Tutorial: The Intelligent Rogue Wi-Fi Router. How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last. 90% of SSL VPNs are ‘hopelessly insecure’, say researchers. Will POODLE's Bite Kill SSL 3.0? Five Anti-Analysis Tricks That Sometimes Fool Analysts. How to Steal Data From an Airgapped Computer Using FM Radio Waves. Tor Project Mulls How Feds Took Down Hidden Websites. Five Best VPN Service Providers. When Encryption Isn't Enough. SSL Is Officially Declared Dead. How to Block Tumblr at Your Router.

Critical Flaw Found in AVG, McAfee, Kaspersky Products. OpenSSL fixes high-severity key recovery hole - Security - iTnews. My Identity Was Stolen. Here’s How They Did It — NOVA Next. Krebs on Security. FBI, GCHQ Get Foreign Hacking Authority. Destroying ransomware business models is not your job, so just pay up. DDoS mitigation - Wikipedia.