
Security


Thousands of visitors to yahoo.com hit with malware attack, researchers say.

The Yahoo logo is shown at the company's headquarters in Sunnyvale, Calif., in this April 16, 2013 file photo. (Robert Galbraith/Reuters)

Two Internet security firms have reported that Yahoo's advertising servers have been distributing malware to hundreds of thousands of users over the last few days. The attack appears to be the work of malicious parties who have hijacked Yahoo's advertising network for their own ends. Fox IT, a security firm based in the Netherlands, wrote a blog post on Friday describing the problem.

"Clients visiting yahoo.com received advertisements served by ads.yahoo.com." Ashkan Soltani, a security researcher and Washington Post contributor, alerted me to the issue. Fox IT says Yahoo users have been getting infected since at least Dec. 30. "It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated," the firm writes. Another security researcher based in the Netherlands, Mark Loman, has confirmed seeing the malware.

Skype blog, social accounts breached.

Tor User Identified by FBI.

Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It's just a coincidence that I was on the Harvard campus that day.)

Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed the Tor network, and went through them one by one to find the one who sent the threat. This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. Tor didn't break; Kim did.

Tags: anonymity, bombs, deniability, FBI, hoaxes, Tor.

The NSA has nearly complete backdoor access to Apple's iPhone.

The U.S. National Security Agency has the ability to snoop on nearly every communication sent from an Apple iPhone, according to leaked documents shared by security researcher Jacob Appelbaum and German news magazine Der Spiegel. An NSA program called DROPOUTJEEP allows the agency to intercept SMS messages, access contact lists, locate a phone using cell tower data, and even activate the device’s microphone and camera.

According to leaked documents, the NSA claims a 100 percent success rate when it comes to implanting iOS devices with spyware. The documents suggest that the NSA needs physical access to a device to install the spyware—something the agency has achieved by rerouting shipments of devices purchased online—but a remote version of the exploit is also in the works. Update: Apple denies it helped build the NSA's iPhone backdoor. Appelbaum says that presents one of two possibilities: “Do you think Apple helped them with that?”

Cash machines robbed with infected USB sticks.

30 December 2013, last updated at 08:48 ET. By Chris Vallance, BBC Radio 4.

The thieves focused on high value notes to minimise the time they were exposed.

Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.

The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs. Details of the attacks on an unnamed European bank's cash dispensers were presented at the hacker-themed Chaos Communication Congress in Hamburg. The crimes also appear to indicate the thieves mistrusted each other. The two researchers who detailed the attacks have asked for their names not to be published.

Access code

The thefts came to light in July after the lender involved noticed several of its ATMs were being emptied despite their use of safes to protect the cash inside. After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.

Exclusive: Secret contract tied NSA and security industry pioneer.

NSA surveillance and third-party trackers: How cookies help government spies.

Snooping on the Internet is tricky.

The network is diffuse, global, and packed with potential targets. There’s no central system for identifying or locating individuals, so it’s hard to keep track of who is online and what they’re up to. What’s a spy agency to do? One option is to plant a unique tag on every computer and smartphone, stamp every Internet message with the sender’s tag, and then capture the tagged traffic. Luckily (for the spies) there’s an easier way: free ride on the private sector, which does its own pervasive tagging and monitoring.

That’s precisely what the National Security Agency has been up to, as confirmed most recently by a front-page story in Wednesday’s Washington Post. Other countries’ spy agencies are probably doing the same thing. Companies track users for many reasons, such as to remember a login, to target ads, or to learn how users navigate. Which companies are keeping tabs on you? But technical security is not enough.

Google Removes Vital Privacy Feature From Android, Claiming Its Release Was Accidental.

Yesterday, we published a blog post lauding an extremely important app privacy feature that was added in Android 4.3. That feature allows users to install apps while preventing the app from collecting sensitive data like the user's location or address book.

The App Ops interface removed in Android 4.4.2.

After we published the post, several people contacted us to say that the feature had actually been removed in Android 4.4.2, which was released earlier this week. Today, we installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone. When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it.

The disappearance of App Ops is alarming news for Android users. A moment ago, it looked as though Google cared about this massive privacy problem. Google, the right thing to do here is obvious.

The NSA might know everything but it is not all powerful.

Given how similar they sound and how easy it is to imagine one leading to the other, confusing omniscience (having total knowledge) with omnipotence (having total power) is easy enough. It’s a reasonable supposition that, before the Snowden revelations hit, America’s spymasters had made just that mistake. If the drip-drip-drip of Snowden’s mother of all leaks — which began in May and clearly won’t stop for months to come — has taught us anything, however, it should be this: omniscience is not omnipotence. At least on the global political scene today, they may bear remarkably little relation to each other.

In fact, at the moment Washington seems to be operating in a world in which the more you know about the secret lives of others, the less powerful you turn out to be. Let’s begin by positing this: There’s never been anything quite like it. It’s visibly changed attitudes around the world toward the U.S. — strikingly for the worse, even if this hasn’t fully sunk in here yet.

Omniscience.

GCHQ Targets Engineers with Fake LinkedIn Pages.

The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn't take any longer than usual to load.

The victims didn't notice that what they were looking at wasn't the original site but a fake profile with one invisible added feature: a small piece of malware that turned their computers into tools for Britain's GCHQ intelligence service. The British intelligence workers had already thoroughly researched the engineers. According to a "top secret" GCHQ presentation disclosed by NSA whistleblower Edward Snowden, they began by identifying employees who worked in network maintenance and security for the partly government-owned Belgian telecommunications company Belgacom.

Then they determined which of the potential targets used LinkedIn or Slashdot.org, a popular news website in the IT community.

'Quantum Insert'

A Visit from Charles and Camilla

NSA Fact Sheet

CryptoLocker attacks that hold your computer to ransom | Money.

The email from the bank looked innocent enough. It was from paymentsadmin@lloydsplc.co.uk, and Sarah Flanders, a 35-year-old charity worker from north London, didn't think twice about opening it. But the email contained software that immediately began encrypting every file on her computer – from precious family photos to private correspondence and work documents.

In just a short time all her files were blocked, and then a frightening message flashed up on her screen: "Your personal files have been encrypted and you have 95 hours to pay us $300." Flanders is refusing to pay, but fears her personal files are now lost forever. She is one of the latest victims of a particularly malicious piece of "ransomware" called CryptoLocker, which is estimated to have targeted nearly 1m computers over the past month alone. What's more, while you will no longer be able to open, read or view your files, anyone with the decryption key could easily do so. Flanders says she feels violated.

Old MacDonald Had a CAPTCHA Farm: Inside the World of Human CAPTCHA Solvers | Are You a Human, the Fun, Free CAPTCHA Alternative.

At Are You a Human, when we talk about CAPTCHA cracking, we mostly focus on bots—those nefarious computer programs that create bogus accounts, send out spam, and snap up concert tickets for scalpers, among other things.

But there’s another method for bypassing CAPTCHAs that’s been gaining in popularity over the past several years: CAPTCHA farms, where workers in developing countries are paid pennies to solve CAPTCHAs en masse.

BeatCaptchas.com, where 1,000 CAPTCHAs can be passed for just eight dollars.

CAPTCHA farms like BeatCaptchas and BypassCaptcha fill banks of computer terminals with workers in countries like India and Bangladesh, then build APIs that pass CAPTCHA images to the terminals, where they are quickly decoded by a real person and then passed back. The result? But while most CAPTCHAs can be quickly cheated by CAPTCHA farms, PlayThru is not so easily defeated. Interested in learning more about CAPTCHA farms? ZDNet: Inside India’s CAPTCHA solving economy.

CAPTCHA Busted? AI Company Claims Break of Internet's Favorite Protection System - Wired Science.

Vicarious - Turing Test 1: Captcha from Vicarious Inc on Vimeo.

What’s this I hear about a breakthrough in artificial intelligence? A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. What is CAPTCHA and why should I care? You’ve already encountered CAPTCHAs if you’ve ever created an email account with Google, set up a PayPal account, or commented on some WordPress blogs. You should care for at least two reasons. But more exciting, this might be a major breakthrough in computer science.

So is it a breakthrough or not? That depends on how they broke CAPTCHA. Do they offer any proof? Ah, there’s the rub. To be fair, you wouldn’t want Vicarious to share the code. And CAPTCHA creator Luis von Ahn, a computer scientist at Carnegie Mellon University in Pittsburgh, Pennsylvania, is not convinced. This is the 50th time somebody claims this. What does all this have to do with the human brain? So does it really work?

NSA Hacked Email Account of Mexican President.

The National Security Agency (NSA) has a division for particularly difficult missions. Called "Tailored Access Operations" (TAO), this department devises special methods for special targets.

That category includes surveillance of neighboring Mexico, and in May 2010, the division reported its mission accomplished. A report classified as "top secret" said: "TAO successfully exploited a key mail server in the Mexican Presidencia domain within the Mexican Presidential network to gain first-ever access to President Felipe Calderon's public email account." According to the NSA, this email domain was also used by cabinet members, and contained "diplomatic, economic and leadership communications which continue to provide insight into Mexico's political system and internal stability." The president's office, the NSA reported, was now "a lucrative source."

Brazil Also Targeted

Reports of US surveillance operations have caused outrage in Latin America in recent months.

Economic Motives?

Adobe hack shows subscription software vendors lucrative targets.

News Analysis, October 7, 2013 06:44 AM ET, Computerworld. Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today. "Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security.

"This has been an issue for [Web] hosting providers for years." Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. And those credit cards are valuable to hackers. Adobe disagreed.

NSA and GCHQ target Tor network that protects anonymity of web users | World news.

The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself. Top-secret NSA documents, disclosed by whistleblower Edward Snowden, reveal that the agency's current successes against Tor rely on identifying users and then attacking vulnerable software on their computers. One technique developed by the agency targeted the Firefox web browser used with Tor, giving the agency full control over targets' computers, including access to files, all keystrokes and all online activity.

But the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled 'Tor Stinks', states: "We will never be able to de-anonymize all Tor users all the time." Another top-secret presentation calls Tor "the king of high-secure, low-latency internet anonymity".

USBCondoms.

Have you ever plugged your phone into a strange USB port because you really needed a charge and thought: "Gee, who could be stealing my data?" We all have needs and sometimes you just need to charge your phone. "Any port in a storm," as the saying goes. Well now you can be a bit safer. "USB Condoms" prevent accidental data exchange when your device is plugged in to another device with a USB cable. (If you'd like some more detailed explanations these news articles and videos do a thorough job.)

Use USB-Condoms to:
* Charge your phone on your work computer without worrying...
* Use charging stations in public without worrying...
* Place it as an "always on" adapter on your existing USB/Sync cable and remove only when you want to sync
* Turn a normal USB cable into a "charge only" cable

If you're going to run around plugging your phone into strange USB ports, at least be safe about it. ;-)

Cars-usenixsec2011.pdf.
More NSA Spying Fallout: Groklaw Shutting Down.
KAL's cartoon.
A Saudi Arabia Telecom's Surveillance Pitch.
Introducing Trusted Contacts.
12 years in prison for 3 citizens who spied on "Aramco".
Exclusive: The Burger King and Jeep Hacker Is Probably This DJ From New England.
Keeping our users secure.
Latest Java Update Broken; Two New Sandbox Bypass Flaws Found.
Google Declares War on the Password | Wired Enterprise.
How a Simple Smartphone Can Turn Your Car, Home, or Medical Device into a Deadly Weapon.
Bug reveals 'deleted' Snapchat videos.

Exploring the Market for Stolen Passwords.
How to terminate your worst enemy's Dropbox account for only $795.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam :: HTMList.com, A Web Development Blog by Synapse Studios.
The Hackers of Damascus.
Twitter passwords reset accidentally after hack some connect to Chinese leadership transition.
How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole | Threat Level.

The Risks Digest Volume 27: Issue 3.
Zip bomb.
Billion laughs.
IEEE log.
Got TouchWiz? Some Samsung Smartphones Can Be Totally Wiped By Clicking A Link.
iOS 6 allows tweets, Facebook posts from locked device | Security & Privacy.
How to Launch a 65Gbps DDoS, and How to Stop One.
CloudFlare's blog - Musings from the CloudFlare team.
How Police Tracked Down Steve Jobs' Stolen iPads.
Another Day, Another Middle Eastern Energy Company Fighting Off a Virus.
Mozilla warns Firefox users to disable Java following zero-day exploit.
SQL Injection Knowledge Base.
After Epic Hack, Apple Suspends Over-the-Phone AppleID Password Resets | Gadget Lab.
Apple Allowed Hackers Access To User's iCloud Account.
Russia's Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals | Danger Room.
Malware went undiscovered for weeks on Google Play | Security & Privacy.

Apple Quietly Pulls Claims of Virus Immunity.
The Vulnerabilities Market and the Future of Security.
Visualizing Botnets.
Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected.
Lab Experts Provide In-Depth Analysis of Flame’s C&C Infrastructure.
Obama Ordered Wave of Cyberattacks Against Iran.
'Flame' cyberespionage worm discovered on thousands of machines across Middle East.
IBM Faces the Perils of "Bring Your Own Device".
Global state of information security 2012.
Stealth wallpaper keeps company secrets safe - 08 August 2004.
55.000+ Twitter usernames and passwords leaked.
7 Ways Oracle Puts Database Customers At Risk.
New Hotmail Exploit Can Get any Hotmail Email Account Hacked for just 20$ | Whitec0de.com.

Microsoft fixes Hotmail flaw following widespread password-reset exploits.
Data Security: Most Finders of Lost Smartphones Are Snoops.
Darpa’s Plan to Trap the Next WikiLeaker: Decoy Documents | Danger Room.
Exclusive: Computer Virus Hits U.S. Drone Fleet | Danger Room.
iOS Developers Reporting In-App Purchasing Outage | Gadget Lab.
Google Prepares Fix To Stop SSL/TLS Attacks.
Apple’s surprising new intern: iPhone hacker Comex.
News of the World to close on Sunday – live coverage | Media.
Pentesting Vulnerable Study Frameworks Complete List.