
Infosec


Stribikⓐ on Twitter: "@Wikisteff @glynmoody scrypt is even better"...

Glyn Moody on Twitter: "Lessons learned from cracking 4,000 Ashley Madison passwords - fascinating analysis; shows how good #bcrypt is..."

Tod Beardsley on Twitter: "Defend against #Android #Stagefright bug on 5.1: Hangouts: Settings : SMS : Advanced Settings, unset autoretrieve MMS."

Matthew Tamayo on Twitter: "But it turned out that none of that data was encrypted."

Antonis Polemitis on Twitter: "13/ Plus we cripple our most competitive industry (tech). Other than those minor issues, it is a great idea! /The End"

Steffen Christensen on Twitter: "The #copyright net may be up for you folks, but it's down for us. #infosec @glynmoody"

GCHQ Asked Court To Let It Infringe On Anti-Virus Copyrights... For National Security. National security apparently means "securing" the nation at the expense of citizens' security.

GCHQ Asked Court To Let It Infringe On Anti-Virus Copyrights... For National Security

New Snowden documents published by The Intercept show massive amounts of dicking around in the coding of popular anti-virus software by the NSA and GCHQ. The list of antivirus products not affected would be much, much shorter than a list of those that have been. Much of what is listed here involves the NSA and GCHQ monitoring threats reported to these antivirus makers (by intercepting email messages, naturally), obviously in hopes of finding something temporarily exploitable.

But in other cases, the efforts went much, much deeper. The GCHQ obtained a warrant to reverse engineer Kaspersky products because it felt the company's software was "obstructing" its hacking attempts. Not only did the GCHQ seek permission to tear apart a legitimate security product for its own ends, but it also asked for an exception to UK copyright law in order to do so.

Cryptostorm ҉ðåяќйἔт on Twitter: "Meanwhile, @df_cryptostorm delivers this little gem: scriptless .svg-injected HTML5 keylogger in 2377 bytes flat :-P"

Morgan Stanley Employee Stole 10% of Wealth Management Client Data. Morgan Stanley has disclosed that as many as 10% of their Wealth Management clients may be affected after data was stolen by an employee who has subsequently been terminated.

Morgan Stanley Employee Stole 10% of Wealth Management Client Data

The company says that law enforcement and regulatory authorities have been informed of the data breach. “While there is no evidence of any economic loss to any client, it has been determined that certain account information of approximately 900 clients, including account names and numbers, was briefly posted on the Internet,” the company said, noting that the data has been removed. “Overall, partial account information of up to 10 percent of all Wealth Management clients was stolen. The data stolen does not include account passwords or social security numbers,” the company continued.

Norse – MSNBC: Norse SVP Kurt Stammberger Discusses Sony Hack.

Norse – Password Managers: A Single Point of Failure. Putting your passwords into a managed digital vault on your local machine is generally a good idea.

Norse – Password Managers: A Single Point of Failure

For one thing, a password manager can both generate thousands of unique and very strong passwords and keep track of those same long passwords so you don’t have to. However password managers can also be a single point of failure if someone or something learns the master password. In late November, researchers at IBM Trusteer warned that a familiar credential-stealing Trojan, Citadel, had turned its attention to four password managers. The password managers targeted by the malware include NeXus Personal Security Client, PasswordSafe, and KeePass.

Citadel is an updated version of the Zeus Trojan.

Vmiss on Twitter: "Barbie is a gifted engineer, and knows more than just #Infosec @SwiftOnSecurity #VMware #UCS..."

Sears Owned Kmart Discloses Data Breach.

Shellshock DHCP RCE Proof of Concept - Thu September 25, 2014.

Shellshock DHCP RCE Proof of Concept

Urgent Security Update Regarding Your Bitly Account. UPDATE #4 - MAY 11 at 11:33AM EDT: We are sending an email to all users from the domain bitlysupport.com outlining the steps to secure your account.

Urgent Security Update Regarding Your Bitly Account

If you have already followed the steps to secure your account, you do not need to do so again. UPDATE #3 - MAY 9 at 2:45PM EDT: We have updated this post to address questions regarding the Bitly iPhone app. UPDATE #2 - MAY 9 at 10:30AM EDT: We have updated this post to explain what specifically was compromised and we’re encouraging all of our users to secure their Bitly accounts by following the recommendations listed below. UPDATE #1 - MAY 8 at 8:32PM EDT: We have updated the section of this post regarding users who have Twitter or Facebook accounts connected to their Bitly accounts. We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens.

Facebook’s new policy changes allow it to read your face, use it for ads. Facebook is making big changes to the language in its Data Use and Privacy Policy that will allow the company to use information already on the platform in new ways that might frustrate some users.

Facebook’s new policy changes allow it to read your face, use it for ads

While some of the changes may raise some red flags for those concerned about giving up even more private data, at least the company is telling us ahead of time. The list of proposed changes is available via the Facebook Site Governance page for review, although the exact language is obscured from users. The most important changes have to do with how Facebook can recognize and manage a user’s image to create a better experience on the platform and create Sponsored Stories without legal reproach. The changes come at the order of a judge, now that Facebook has finally ended the class-action lawsuit against its use of user information for ads and sponsored stories with a $20 million settlement.

Hacker Barnaby Jack dies just before Black Hat presentation on lethal pacemaker hacks.

What the Prism Stories Tell Us About the Press. If you don’t share my fascination with the journalistic ethics of the Snowden reporters, you can skip this long piece.

What the Prism Stories Tell Us About the Press

But both of the protagonists have now defended themselves, so I’m posting their messages, with commentary. I began the exchange when I questioned why Glenn Greenwald and the Guardian waited two weeks to release NSA’s minimization procedures, which revealed extensive limitations on how NSA handles information about Americans. It seemed odd that Greenwald didn’t tell us about those procedures in his original story about Prism, which after all quotes an intelligence community official who defends Prism by invoking the minimization procedures: “The program is subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress.

These Imaging Satellites Will Give Us Data That Could Upend Industries, Transform Economies. After 10 years of CubeSat experimentation, it was left to Berkenstock, Fenwick, and Mann to realize that the basic principles of DIY satellite construction might be put to extremely profitable use.

These Imaging Satellites Will Give Us Data That Could Upend Industries, Transform Economies

As the three men saw it, massive advances in processing power and speed meant not only that they could build a Sputnik-type satellite from cheap parts but that they could pack it with computing ability, making it more powerful than Sputnik could ever be. By extending the craft beyond the CubeSat’s 10-centimeter limit to roughly a meter tall, they could expand the payload to include the minimal package of fine optics able to capture commercial-grade images.

8 Million Reasons for Real Surveillance Oversight. Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University.

8 Million Reasons for Real Surveillance Oversight

This data was gathered and analyzed on my own time, without using federal government resources. This data, and the analysis I draw from it will be a major component of my PhD dissertation, and as such, I am releasing it in order to receive constructive criticism on my theories from other experts in the field. The opinions I express in my analysis are my own, and do not reflect the views of the Federal Trade Commission, any individual Commissioner, or any other individual or organization with which I am affiliated.

UPDATE 12/3/2009 @ 12:20PM: I received a phone call from an executive at TeleStrategies, the firm who organized the ISS World conference.