Security

Tor Is Building the Next Generation Dark Net With Funding From DARPA 53

Posted by Soulskill
from the seek-and-go-hide dept.
Patrick O'Neill writes: After years of relative neglect, Tor has been able to dedicate increasing time and resources to its hidden services thanks to funding in part by DARPA, as well as an upcoming crowdfunding campaign. DARPA's funding lasts 1-3 years and covers several projects including security and usability upgrades that close the gap between hidden services and the everyday Internet. "Next-generation hidden services may be run from multiple hosts to better deal with denial of service attacks and high traffic in general, a potentially big power boost that further closes the gap between the Dark Net and normal websites. ... Hidden services, which make up about 4 percent of the entire Tor network, have until recently been relatively neglected when it comes to funding and developing."
Security

How Security Companies Peddle Snake Oil 58

Posted by Soulskill
from the but-this-snake-oil-is-in-the-cloud! dept.
penciling_in writes: There are no silver bullets in Internet security, warns Paul Vixie in a co-authored piece along with Cyber Security Specialist Frode Hommedal: "Just as 'data' is being sold as 'intelligence', a lot of security technologies are being sold as 'security solutions' rather than what they really are: very narrow-focused appliances that, as a best case, can be part of your broader security effort." We have to stop playing "cops and robbers" and pretending that all of us are potential targets of nation-states, or pretending that any of our security vendors are like NORAD, warn the authors.

Vixie adds, "We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month. There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we."
Crime

New Dark Web Market Is Selling Zero-Day Exploits 28

Posted by samzenpus
from the finest-crime dept.
Sparrowvsrevolution writes Over the last month, a marketplace calling itself TheRealDeal Market has emerged on the dark web, with a focus on sales of hackers' zero-day attack methods. Like the Silk Road and its online black market successors like Agora and the recently defunct Evolution, TheRealDeal runs as a Tor hidden service and uses bitcoin to hide the identities of its buyers, sellers, and administrators. But while some other sites have sold only basic, low-level hacking tools and stolen financial details, TheRealDeal's creators say they're looking to broker premium hacker data like zero-days, source code, and hacking services, often offered on an exclusive, one-time sale basis.

Currently an iCloud exploit is being offered for sale on the site with a price tag of $17,000 in bitcoin, claiming to be a new method of hacking Apple iCloud accounts. "Any account can be accessed with a malicious request from a proxy account," reads the description. "Please arrange a demonstration using my service listing to hack an account of your choice." Others include a technique to hack WordPress' multisite configuration, an exploit against Android's Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin. None of these zero days have yet been proven to be real, but an escrow system on the site using bitcoin's multisignature transaction feature is designed to prevent scammers from selling fake exploits.
Security

D-Link Apologizes For Router Security 94

Posted by samzenpus
from the our-bad dept.
Mark Wilson writes D-Link has issued an apology to its customers for an on-going security issue with many of its routers. A problem with the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorization and run commands with escalated privileges. The list of routers affected by the issue is fairly lengthy, and D-Link has already issued one patch. But rather than fixing the problem, last week's update left routers wide open to exactly the same problem. As it stands at the moment, a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology. While unhelpful patches have already been issued, D-Link is currently working away on replacement firmware updates. The release dates for these patches is not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.
Security

Chrome 43 Should Help Batten Down HTTPS Sites 70

Posted by timothy
from the yes-yes-we-know dept.
River Tam writes The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can't or is difficult to be modified. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag an 'mixed-content warning' in the form of a yellow triangle over the padlock.
The Military

US Military To Recruit Civilian Cybersecurity Experts 66

Posted by timothy
from the which-masters-would-you-prefer? dept.
An anonymous reader writes The U.S. Army is to create a new cybersecurity division, Cyber Branch 17, and is also considering launching a cyber career track for civilians, according to an announcement made this week by Lt. Gen. Edward C. Cardon. Cardon, who currently heads the U.S. Army's cyber command, ARCYBER, spoke to the Senate Armed Services subcommittee on Tuesday about the growing threats and capabilities used in cyber warfare. He argued that creating a cyber career management field for civilians would result in an easier recruitment process, as opposed to recruiting internally and trying to retain the talent, he said. Cardon maintains that recruiting and retaining talent in the field is often challenging, given internal employment constraints surrounding compensation and slow hiring processes.
Google

Google To Propose QUIC As IETF Standard 84

Posted by timothy
from the ok-now-do-it-this-way dept.
As reported by TechCrunch, "Google says it plans to propose HTTP2-over-QUIC to the IETF as a new Internet standard in the future," having disclosed a few days ago that about half of the traffic from Chrome browsers is using QUIC already. From the article: The name "QUIC" stands for Quick UDP Internet Connection. UDP's (and QUIC's) counterpart in the protocol world is basically TCP (which in combination with the Internet Protocol (IP) makes up the core communication language of the Internet). UDP is significantly more lightweight than TCP, but in return, it features far fewer error correction services than TCP. ... That's why UDP is great for gaming services. For these services, you want low overhead to reduce latency and if the server didn't receive your latest mouse movement, there's no need to spend a second or two to fix that because the action has already moved on. You wouldn't want to use it to request a website, though, because you couldn't guarantee that all the data would make it. With QUIC, Google aims to combine some of the best features of UDP and TCP with modern security tools.
Build

MakerBot Lays Off 20 Percent of Its Employees 175

Posted by timothy
from the new-ones-being-printed dept.
Jason Koebler writes MakerBot fired roughly 20 percent of its staff Friday. Figures from 2014 placed the company's ranks at 500, meaning the cuts could equate to roughly 100 employees. The orders came from new CEO Jonathan Jaglom, Motherboard was told. Employees are apparently being led out of the company's Brooklyn office by security today. "It's about 20 percent of staff," a MakerBot representative, who asked not to be identified because she had not received approval to speak to the press, told Motherboard. "Everyone suspected that something would be coming with the new CEO, and that there would be restructuring coming."
Security

Exploit For Crashing Minecraft Servers Made Public 117

Posted by timothy
from the hey-fellas-door's-unlocked dept.
An anonymous reader writes "After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he noted." Here is Askar's own post on the exploit, and his frustration with the response he's gotten to disclosing it to the developers.
Security

FBI Accuses Researcher of Hacking Plane, Seizes Equipment 267

Posted by Soulskill
from the security-theater dept.
chicksdaddy writes: The Feds are listening, and they really can't take a joke. That's the apparent moral of security researcher Chris Roberts' legal odyssey on Wednesday, which saw him escorted off a plane in Syracuse by two FBI agents and questioned for four hours over a humorous tweet Roberts posted about his ability to hack into the cabin control systems of the Boeing 737 he was flying. Roberts (aka @sidragon1) joked that he could "start playing with EICAS messages," a reference to the Engine Indicating and Crew Alerting System.

Roberts was traveling to Syracuse to give a presentation. He said local law enforcement and FBI agents boarded the plane on the tarmac and escorted him off. He was questioned for four hours, with officers alleging they had evidence he had tampered with in-flight systems on an earlier leg of his flight from Colorado to Chicago. Roberts said the agents questioned him about his tweet and whether he tampered with the systems on the United flight -something he denies doing. Roberts had been approached earlier by the Denver office of the FBI which warned him away from further research on airplanes. The FBI was also looking to approach airplane makers Boeing and Airbus and wanted him to rebuild a virtualized environment he built to test airplane vulnerabilities to verify what he was saying.

Roberts refused, and the FBI seized his encrypted laptop and storage devices and has yet to return them, he said. The agents said they wished to do a forensic analysis of his laptop. Roberts said he declined to provide that information and requested a warrant to search his equipment. As of Friday, Roberts said he has not received a warrant.
Sony

Wikileaks Publishes Hacked Sony Emails, Documents 143

Posted by samzenpus
from the take-a-look dept.
itwbennett writes Wikileaks has published a searchable database of thousands of emails and documents from Sony Pictures Entertainment that were leaked in late 2014 after the studio was attacked by hackers. Some of the 173,132 emails and 30,287 documents contain highly personal information about Sony employees including home addresses, personal phone numbers and social security numbers, a fact which is likely to raise new concerns about the use of stolen information online.
Security

Calling Out a GAO Report That Says In-Flight Wi-Fi Lets Hackers Access Avionics 113

Posted by timothy
from the this-postcard-is-just-an-atom-bomb dept.
An anonymous reader writes A new report from the U.S. Government Accountability Office (GAO) warns that in-flight W-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and take over navigation. At the same time, a cyber expert and pilot called the report "deceiving" and said that "To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breathe air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane."
Security

The Voting Machine Anyone Can Hack 105

Posted by samzenpus
from the vote-now-vote-often dept.
Presto Vivace writes about a study published by the Virginia Information Technology Agency outlining just how bad the security of the AVS WINVote machine is. "Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts. The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of 'admin,' 'abcde,' and 'shoup' to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections."
United States

Gyro-Copter Lands On West Lawn of US Capitol, Pilot Arrested 323

Posted by samzenpus
from the just-mail-your-taxes-next-time dept.
An anonymous reader writes that Doug Hughes, 61, a mailman from Ruskin, Florida was arrested for landing a gyro-copter on the West Lawn of the U.S. Capitol. "A 61-year-old Florida mailman was arrested Wednesday after he landed a gyrocopter on the U.S. Capitol west lawn. The gyrocopter was carrying the pilot and 535 stamped letters for members of Congress urging 'real reform' to campaign finance laws. Doug Hughes told the Tampa Bay Times ahead of the afternoon stunt that he notified authorities 'well over an hour in advance of getting to the no-fly zone, so they know who I am and what I'm doing.' Capitol police sent dogs and a bomb squad to the scene. Nothing hazardous was found. A city block from the Capitol had been cordoned off."
Security

Why "Designed For Security" Is a Dubious Designation 58

Posted by samzenpus
from the protect-ya-neck dept.
itwbennett writes The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day. In just the latest instance, reported by Wired last week, the crowd-funded privacy-enhancing home router Anonabox had to be recalled after an independent researcher discovered serious security flaws in the product. But security experts caution that the real problem may be bigger than vulnerabilities hidden in application code: "Designed for security products don't just have to be good. They have to be beyond reproach," explains John Dickson, a Principal at the Denim Group. "All it takes is one guy with a grudge to undo you."