Nerval's Lobster writes "In a video report posted Feb. 4, NBC News reporter Richard Engel, with the help of a security analyst, two fresh laptops, a new cell phone, and a fake identity, pretended to go online with the technical naiveté of a Neanderthal housepet. (Engel's video blog is here.) Almost as soon as he turned on the phone in the Sochi airport, Engel reported hackers snooping around, testing the security of the machines. Engel's story didn't explain whether 'snooping around' meant someone was port-scanning his device in particular with the intention of cracking its security and prying out its secrets, no matter how much effort it took, or if the 'snooping' was other WiFi devices looking for access points and trying automatically to connect with those that were unprotected. Judging from the rest of his story, it was more likely the latter. Engel also reported hackers snooping around a honeypot set up by his security consultant which, as Gartner analyst Paul Proctor also pointed out in a blog posting, is like leaving the honey open and complaining when it attracts flies. When you try to communicate with anything, it also tries to communicate with you; that's how networked computers work: They communicate with each other. None of the 'hacks' or intrusions Engel created or sought out for himself have anything to do with Russia or Sochi, however; those 'hacks' he experienced could have happened in any Starbucks in the country, and do almost every day, Proctor wrote. That's why there is antivirus software for phones and laptops. It's why every expert, document, video, audio clip or even game that has anything at all to do with cybersecurity makes sure to mention you should never open attachments from spam email, or in email from people you don't know, and you should set up your browser to keep random web sites from downloading and installing anything they want on your computer. But keep up the fear-mongering."
holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."
Freshly Exhumed writes "TorrentFreak has broken the news that after more than a year of downtime the Demonoid tracker is back online. The tracker is linked to nearly 400,000 torrent files and more than a million peers, which makes it one of the largest working BitTorrent trackers on the Internet. There is no word yet on when the site will make a full comeback, but the people behind it say they are working to revive one of the most famous file-sharing communities. As the single largest semi-private BitTorrent tracker that ever existed, Demonoid used to offer a home to millions of file-sharers. Note that this is apparently the original Demonoid and not the d2 site that claims to be using the Demonoid database."
An anonymous reader writes "The Foursquare blog has an interesting post about some of the math they use to evaluate and verify the massive amount of user-generated data that enters their database. They need to figure out the likelihood that any given datapoint accurately represents reality, so they've worked out a complicated formula that will minimize abuse. Quoting: 'By choosing the points based on a user's accuracy, we can intelligently accrue certainty about a proposed update and stop the voting process as soon as the math guarantees the required certainty. ... The parameters are automatically trained and can adapt to changes in the behavior of the userbase. No more long meetings debating how many points to grant to a narrow use case. So far, we've taken a very user-centric view of p-sub-k (this is the accuracy of user k). But we can go well beyond that. For example, p-sub-k could be "the accuracy of user k's vote given that they have been to the venue three times before and work nearby." These clauses can be arbitrarily complicated and estimated from a (logistic) regression of the honeypot performance. The point is that these changes will be based on data and not subjective judgments of how many "points" a user or situation should get."
mrspoonsi writes "Dutch researchers conducted a 10-week sting, using a life-like, computer-generated 10-year-old Filipino girl named 'Sweetie.' During this time, 20,000 men contacted her. 1,000 of these men offered money to remove clothing (254 were from the U.S., 110 from the U.K. and 103 from India). Charity organization Terre des Hommes launched a global campaign to stop 'webcam sex tourism.' It has 'handed over its findings to police and has said it will provide authorities with the technology it has developed.'"
An anonymous reader writes "The administrator of file-sharing site UploaderTalk shocked and enraged his userbase a few days ago when he revealed that the site was nothing more than a honeypot set up by a company called Nuke Piracy. The main purpose of the site had been to gather data on its users. The administrator said, 'I collected info on file hosts, web hosts, websites. I suckered $#!&loads of you. I built a history, got the trust of some very important people in the warez scene collecting information and data all the time.' Nobody knows what Nuke Piracy is going to do with the data, but it seems reasonable to expect lawsuits and the further investigation of any services the users discussed. His very public betrayal is likely meant to sow discord and distrust among the groups responsible for distributing pirated files."
First time accepted submitter xavier2dc writes "TrueCrypt is a popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA, as the authors remain anonymous and no thorough security audit has yet been conducted to prove it is not backdoored in any way. This has led to several concerns being raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different from the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."
Despite being part of public court proceedings, Comcast sent a notice of infringement ordering Torrent Freak to stop hosting a letter linking a subscriber to Prenda Law. From the article: "Comcast has sent TorrentFreak a cease and desist letter, claiming copyright over contents of an article which revealed that Prenda Law was involved in operating a pirate honeypot. Failure to comply will result in a lawsuit in which the Internet provider will seek damages, a Comcast representative informs us. In addition, Comcast also alerted our hosting provider, who is now threatening to shut down our server."
lightbox32 writes "Porn-trolling operation Prenda Law sued thousands for illegally downloading porn files over BitTorrent. Now, a new document from Comcast appears to confirm suspicions that it was actually Prenda mastermind John Steele who uploaded those files. The allegations about uploading porn to The Pirate Bay to create a 'honeypot' to lure downloaders first became public in June, when an expert report by Delvan Neville was filed in a Florida case. The allegations gained steam when The Pirate Bay dug through its own backup tapes to find more evidence linking John Steele to an account called sharkmp4." The problem for Prenda being that initiating the torrent would give anyone who grabbed it an implied license.
holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
snydeq writes "Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security, writes Roger A. Grimes, introducing his five true tales of (mostly) white hat hacking. 'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,' Grimes writes of a gig probing for vulnerabilities in a set-top box for a large cable company hoping to prevent hackers from posting porn to the Disney Channel feed. Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot — 'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"
msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS Honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.
CowboyRobot writes "Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information. That's the thinking behind the 'honeywords' concept first proposed this month in 'Honeywords: Making Password-Cracking Detectable (PDF),' a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest (the 'R' in 'RSA'). Honeywords aren't meant to serve as a replacement for good password security practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised."
First time accepted submitter anavictoriasaavedra writes "In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen. The map isn't out of a techno-thriller, tracking the location of some hacker in a basement trying to steal government secrets. Instead, it's built around a worldwide project designed to study online intruders. The data comes from honeypots. When the bots go after a honeypot, however, they're really hacking into a virtual machine inside a secure computer. The attack is broadcast on the map—and the researchers behind the project have a picture of how a virus works that they can use to prevent similar attacks or prepare new defenses."
hypnosec writes "Red Hat has announced the availability of a preview version of its OpenStack Distribution that would enable it to compete with the likes of Amazon, which is considered one of the leaders in infrastructure-as-a-service cloud services. The enterprise Linux maker was a late entrant into the OpenStack world, where players like Rackspace, HP and Internap have already made their mark. With Red Hat's OpenStack distribution, enterprises can build and manage private, public, and hybrid infrastructure-as-a-service clouds. These companies will not only be competing with the likes of Amazon, but will also be competing against themselves to get a bite out of the IaaS cloud. What started as a project has quickly developed into an open source solution that enables organizations to achieve performance, features and greater functionality from their private and/or public clouds. The announcement of the OpenStack Foundation acted as a catalyst toward the fast-paced development of the platform."
tsu doh nimh writes in with news of a major sting operation against carders. From the article: "The U.S. Justice Department today unveiled the results of a two-year international cybercrime sting that culminated in the arrest of 26 people accused of trafficking in hundreds of thousands of stolen credit and debit card accounts. Among those arrested was an alleged core member of 'UGNazi,' a malicious hacking group that has claimed responsibility for a flood of recent attacks on Internet businesses." The trick: the FBI ran a carding forum as a honeypot.
ancientribe writes "Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home. He lured them into a honeypot to study their actions, and posted the video online here. His main takeaway: they were 'Stone Age' when it came to their tech know-how."
wiredmikey writes "Sometimes hacking is about money; other times, it's about competition, and when that happens, it is also about getting a little credit. Enter RankMyHack.com. The site is described as the world's 'first elite hacker ranking system,' and invites people to submit proof of their Website hacks in exchange for points — the higher the points, the higher the place on the leader board. In order to get ranked, hackers need to prove they have indeed hacked a site – by inserting a predetermined text into the hacked site page. Rankmyhack then scans for the text in the page and gives score based on how popular the website is, with lower points awarded for XSS attacks. Assuming the site is real – and early reports indicate that it is – hackers can now see where their hacks stack up against those of their peers. Will this morph into a playground for hacktivists to hone their skills?"
An anonymous reader writes "I tried out Google Music, and I liked it. Google made me swear that I won't upload any 'illegal' tracks, and apparently people fear Apple's iCloud turning into a honeypot for the RIAA. My music collection comprises about 90% 'legal' tracks now — legal meaning tracks that I paid for — but I still have some old MP3s kicking around from the original Napster. Moreover, I have a lot of MP3s that I downloaded because I was too lazy to rip the CD version that I own. I wanted to find a tool to scan my music to identify files that may be flagged as having been pirated by these cloud services; I thought such a tool would be free and easy to find. After all, my intent is to search my own computer for pirated music and to delete it — something that the RIAA wants the government to force you to do. But endless re-phrasing on Google leads to nothing but instructions for how to obtain pirated music. Does such a tool exist or does the RIAA seriously expect me to sift through 60 GB of music, remember which are pirated, and delete them by hand?"
An anonymous reader writes "Between watermarked MP3 files and matching identical files, iCloud Music Match might wind up being a giant trap for finding owners of illegally copied files should the RIAA subpoena the evidence."