61588603
submission
hypnosec writes:
The ICO has issued a mildly toned reminder about how people and organisations need to be mindful about privacy laws in the UK while they are using Google Glass. Andrew Paterson, Senior Technology Officer at ICO notes that the primary issue with Google Glass is whether people have been given notice if they are filmed. Citing instances of Google Glass bans in some bars in the US, Paterson notes that companies in the UK will also be considering their own responses and we anticipate that there will be quite a few businesses which may ban Google Glass. Paterson reminds users that use of such wearable devices should be in compliance with the law and that they should be operated in line with the requirements with the country’s Data Protection Act.
61459995
submission
hypnosec writes:
Cisco has released a new experimental block cipher dubbed FNR or Flexible Naor and Reingold, which it claims is suitable for data with less than 128 bits or where preservation of input length is a must. Sashank Dara, software engineer at Cisco, explains that traditional block ciphers including AES work well with data of sizes greater than 128, 192 or 256 bits, but in cases wherein data transmission involves small chunks of data like IP addresses and MAC addresses and AES is used, the small blocks of data get bloated because of the padding requirement. This is where FNR comes in handy as it proposes “invertible matrices to provide a neat and generic way to achieve pair-wise independence for any arbitrary length”. Cisco has offered the code at github under the LPGLv2 and has also provided an application demoing IPV4 address encryption.
61392777
submission
hypnosec writes:
A new movement dubbed the Open Wireless Movement is asking users to open up their private Wi-Fi networks for total strangers – a random act of kindness – with an aim of better securing networks and facilitating better use of finite broadband resources. The movement is supported by non-profit and pro-internet rights organisations like the Electronic Frontier Foundation (EFF), Mozilla, Open Rights Group, and Free Press among others. EFF is planning to unveil one such innovation – Open Wireless Router – at the Hackers on Planet Earth (HOPE X) conference to be held next month on New York. This firmware will allow individuals to share their private Wi-Fi to total strangers to anyone without a password.
61387315
submission
hypnosec writes:
Google has forked OpenSSL to create its own cryptography library dubbed BoringSSL – something that Mountain View reveals was done because maintaining the different patches Google created over years was getting difficult to manage over different code bases. Adam Langley, a widely respected cryptography engineer and Google employee, revealed that he started tidying up the OpenSSL code long before Heartbleed was discovered. Google had been busy applying a series of patches on top of OpenSSL, few of which have already been into main OpenSSL repository, but as multiple Google products including Chrome and Android have been dependent on the patches they had built, it was becoming complex to handle these patches “across multiple code bases is getting to be too much”. For this reason they decided to switch to a model where they import changes from OpenSSL instead of the other way around.
61369347
submission
hypnosec writes:
Security researcher over at CARI.net has revealed that thousands of servers fitted with Supermicro motherboards are just waiting there, storing admin passwords in clear text, to be probed by hackers and attackers. The plain text password threat is to do with the baseboard management controller (BMC) – a motherboard component – using which administrators can monitor physical status of servers including their temperatures, disk and memory performance, and fan speeds. Wikholm notes that it’s not just the password file that you download via the port, but the entire /nv directory is up for grabs and anyone can download “server.pem file, the wsman admin password and the netconfig files”.
61040657
submission
hypnosec writes:
Starting today businesses and individuals in the UK will be able to register a new national web address ‘.uk’ and drop their existing ‘.co.uk’ or ‘.com’ suffix in favour of a shorter and snappier domain name. The entire process along with the transition is being overseen by private yet not-for-profit organisation Nominet, which has already started notifying existing customers with a ‘.co.uk’ domain of their chance to adopt a ‘.uk’ domain. Nominet will reserve all ‘.uk’ domain names, which already have a ‘.co.uk’ counterparts, for the next five years offering registrants the chance to adopt the new domain and to keep cyber squatters at bay.
60332003
submission
hypnosec writes:
A consumer rights firm, Hagens Berman, has filed a national class-action lawsuit against Google on behalf of Free Range Content, the California-based owner of Repost.us, claiming that the search engine giant unlawfully denies payments to thousands of website owners and operators under its AdSense programme.
The lawsuit partly relies on the recent accusations that Google is engaged in AdSense fraud and through a scheme developed in 2009 denies payments to thousands of publishers just close to the payout dates without providing a valid reason.
Further the lawsuit also cites the case of Free Range Content whose account was also disabled. In February 2014, Free Range Content noticed an unusual spike in their AdSense earnings – something in tune of $40,000.
Free Range Content scheduled a call with a Google AdSense representative on March 6, but just two days before the call Google disabled its account. Google refused to talk with Free Range Content after this, claims the lawsuit.
59880919
submission
hypnosec writes:
Mozilla has ditched its Firefox’s new-tab monetization plans as they ‘didn’t go over well’ with the community finding it hard to understand the scheme. Johnathan Nightingale, Mozilla’s VP of Firefox said that a lot of Firefox’s community was worried that Mozilla was “going to turn Firefox into a mess of logos sold to the highest bidder” and that users wouldn’t have either control over this or any actual benefit. “That’s not going to happen. That’s not who we are at Mozilla.”
59258935
submission
hypnosec writes:
Mozilla has announced a special $10,000 bug bounty for anyone who breaks its certification verification in upcoming Firefox 31 slated for a July 31 launch. Mozilla revealed its work on a new certification verification library for its products which it claims is more robust and maintainable. To ensure that its new code doesn’t meet with the same fate as Heartbleed and Apple’s #gotofail bug, Mozilla announced the special bug bounty to “make sure this code is rock solid before it ships to millions of Firefox users”. The non-profit organisation is interested in bugs through which the browser accepts fake untrustworthy certificate chains which otherwise should be rejected or something in the code that may lead to exploitable memory corruption. Mozilla also adds that a bug that causes Firefox to accept forged signed OCSP responses would also qualify as a bounty worthy bug under this program.
59182389
submission
hypnosec writes:
National Institute of Standards and Technology (NIST) has removed the much criticized Dual_EC_DRBG aka Dual Elliptic Curve Deterministic Random Bit Generator from its draft guidance on random number generators following a period of public comment period and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that users using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible.
57382057
submission
hypnosec writes:
A new Ransomcrypt Trojan, detected recently, lets users request a decryption key without paying – that is if they wait for a month. The ransomware is no different from any other Trojan in the same family, but the authors of the Trojan claim that if users don’t wish to pay the ransom to get the unlock key they are entitled to a free unlock if they wait for a month from the day their personal files were encrypted. “P.S. Remember, we are not scammers. We don’t need your files” reads the ‘how to get data.txt’ file that comes along with the Trojan. "If you want, you can get a decryptor for free after a month. Just send a request immediately after infection. All data will be restored absolutely. Your warranty – decrypted samples and positive feedbacks from previous users."
57300993
submission
hypnosec writes:
Microsoft has decided to continue supporting Windows XP in China unlike rest of the world where it will be pulling the plug on 14-year old operating system on April 8, 2014. Microsoft announced its decision through a post on its official Sina Weibo account on Sunday. Redmond will be partnering with local security vendors to continue supporting Windows XP. It is not yet clear how Microsoft will be chalking out the support strategy. It is not entirely clear why Microsoft is extending support for Windows XP in China as itself has noted that 70 percent of users in the country haven't updated their systems in the last 13 years.
57224349
submission
hypnosec writes:
Synology DiskStation Manager has a critical vulnerability wherein VPN module has a hard-coded password for root, which attackers can use to connect to Synology device and possibly other devices on the shared network. The hard-coded root password is ‘synopass’. Users will not be able to logon to the web interface of the device using the root:synopass combination; however, “when enabling the VPN server, root:synopass will get you authenticated and connected!”
57196963
submission
hypnosec writes:
The Raspberry Pi, which was first put up for sale on February 29, 2012, has completed two years and has sold over 2.5 million units during the period. Announcing the milestone and commemorating the two years, Founder and former trustee of the Raspberry Pi Foundation, Eben Upton announced a $10,000 competition wherein developers will be required to demonstrate a satisfactory Quake III gameplay at a playable framerate on the credit card sized computer using open source drivers.
57186077
submission
hypnosec writes:
European Commission is meeting with consumer protection authorities in the UK, Belgium, France, Italy and members of the Consumer Protection Cooperation (CPC) network responsible for enforcing consumer rights across the EU to discuss concerns raised by consumers of free-to-pay games. The Commissions notes that more than 50 percent of the games in the EU’s online marketplace are advertised as ‘free’; however, they often include costly in-app purchases. Some of the concerns raised by consumers about free-to-play games will include misleading tactics about 'free' games and the cost involved; exhortations or persuasion tactics to make in-app purchases; explicit authorisation during in-app purchases; and contact information in case consumers want to contact vendors or register complaints.
