
Submission + - Mima Mound Mystery Solved (sciencemag.org)

sciencehabit writes: Over the decades, 50 or more explanations have been offered for the fields of broad, meter-high mounds of soil found across the western United States and on every continent except Antarctica. The ideas have ranged from earthquakes to glaciers to UFOs. But now it seems that generation upon generation of gophers built the millions of mounds seen today. And it took a computer model programmed to act like the burrowing rodents to unearth the truth.

Submission + - Credit Cards Stolen From Target Used For Fraud...At Target (krebsonsecurity.com)

chicksdaddy writes: In a great example of the cybercrime "chickens coming home to roost," credit card information stolen from box retailer Target has been linked to fraudulent purchases at large retail outlets, including Target itself, the web site Krebsonsecurity.com reports. (http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets)

Writing on Friday, Brian Krebs said that millions of the stolen cards are "flooding" underground carder web sites. Working with a source at a small New England bank, Krebs was able to identify hundreds of stolen credit card accounts being offered for sale from that bank alone on a carder site, rescator(dot)la (http://rescator.la). The cards were being uploaded daily in batches of 100,000 or more, branded as the "Tortuga base."

A "point of purchase" analysis on 20 of the stolen accounts belonging to the bank and purchased from four of the "Tortuga" dumps confirmed Target as a common reference point for the cards. Even worse: “Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” Krebs' source at the bank informed him. A number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including Target itself, he said.

After reports by Krebs about a major theft of credit cards, Target acknowledged the breach on Thursday, admitting that data on up to 40 million consumers may have been taken. (https://securityledger.com/2013/12/target-confirms-massive-breach-40-million-credit-cards-affected/)

Submission + - Thingful: Facebook For Smart Devices (securityledger.com)

chicksdaddy writes: It's hard to put a number on exactly how many Internet connected "smart devices" will be served up by the end of the decade. 30 billion (http://www.gartner.com/newsroom/id/2621015)? 50 billion (http://blogs.cisco.com/diversity/the-internet-of-things-infographic/)? 75 billion (http://www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10)? Like McDonald's hamburgers, it's probably better to just say "billions and billions." After all, the exact number doesn't matter and everyone agrees there will be lots of them.

But all those devices – and the near-limitless IPv6 address space that will accommodate them – do present a management and governance problem (https://securityledger.com/2013/11/it-pros-internet-of-things-is-a-governance-disaster/): how do you find the specific device you’re looking for in a sea of similar devices?

What the world needs is a Google or, better yet, a Facebook for Internet of Things devices, and that’s what the folks over at the UK-based firm Umbrellium (http://umbrellium.co.uk/about-us/) introduced on Friday with thingful.net (http://www.thingful.net), a search engine that scours the Internet for smart devices.

Unlike Shodan (http://www.shodanhq.com/), the hardware search engine, Thingful is about building connections between Internet of Things devices. Thingful users register using a Twitter account, then associate discoverable smart devices they own with that account. Users can search for others nearby who own and operate smart devices and “follow” those devices, or network with other individuals who own specific types of smart infrastructure via Thingful.

Not that it's all voluntary. Thingful currently aggregates public data from connected devices. In large part that is through indexing IoT platforms like Xively, Smart Citizen (open source environmental monitoring), Weather Underground and Air Quality Egg. The search engine has indexed tens of thousands of devices globally, ranging from home thermostats and simple sensors, to wired ocean monitoring buoys in the mid-Atlantic and tanker ships plying the Mediterranean, The Security Ledger reports.

Submission + - FTC Brings Hammer Down On Maker Of Location-Snarfing Flashlight App (securityledger.com)

chicksdaddy writes: The Federal Trade Commission (FTC) announced on Thursday (http://www.ftc.gov/opa/2013/12/goldenshores.shtm) that it settled with the maker of a popular Android mobile application over charges that the company used deceptive advertising to collect location and device information from Android owners, The Security Ledger reports.

The FTC announced the settlement with Goldenshores Technologies, LLC of Moscow, Indiana, makers of the “Brightest Flashlight Free” Android application, saying that the company failed to disclose wanton harvesting and sharing of customers’ location and mobile device identity with third parties.

Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. (https://play.google.com/store/apps/details?id=goldenshorestechnologies.brightestflashlight.free) Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars.

The application, which is available for free, displays mobile advertisements on the devices that it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers including what the FTC describes as “precise geolocation along with persistent device identifiers.”

As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with.

Submission + - In Letter To 20 Automakers, Senator Demands Answers On Cyber Security (securityledger.com)

chicksdaddy writes: Cyber attacks on "connected vehicles" are still in the proof of concept stage (http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/). But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter (http://www.markey.senate.gov/documents/2013-12-2_GM.pdf) to 20 major auto manufacturers asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles.

Markey's letter, dated December 2, cites recent reports of "commands...sent through a car's computer system that could cause it to suddenly accelerate, turn or kill the brakes," and references research conducted by Charlie Miller and Chris Valasek on the Toyota Prius and Ford Escape (http://illmatics.com/car_hacking.pdf) and presented at the DEFCON hacking conference in Las Vegas.

"Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN)...Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another," Markey wrote.

Among the questions Markey wants answers to:

+ What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points?
+ What are automakers' methods for testing for vulnerabilities in the technologies they deploy, including third-party technologies? Markey asks specifically about tire pressure monitors, Bluetooth and other wireless technologies and GPS (like OnStar).
+ What third party penetration testing is conducted on vehicles (and any results)?
+ What intrusion detection features exist for critical components like controller area network (CAN) busses on connected vehicles?

A member of the Commerce, Science and Transportation Committee (http://www.commerce.senate.gov/public/), Markey is a longtime privacy advocate. He rose from the House to become the junior Senator from Massachusetts after winning a special election in June to replace Sen. John Kerry, who left office to become President Obama's Secretary of State.

Submission + - Bitcoin's Popularity May Be Undermining its Anonymity (securityledger.com)

chicksdaddy writes: The Security Ledger is reporting on an article in the December issue of Usenix's ;login: logout (https://www.usenix.org/publications/login) from researchers at UCSD and George Mason University that suggests reports of Bitcoin’s anonymity may (to paraphrase Twain) “be greatly exaggerated.”

Specifically: the researchers found that, by culling a variety of open source data including public data from the Bitcoin Peer to Peer network and public Internet postings, as well as their own Bitcoin transactions, they were able to “identify major institutions” engaged in Bitcoin transactions “and the interactions between them.”

By mapping unique Bitcoin change addresses, the researchers were able to positively identify 2,197 clusters of Bitcoins with common ownership. Those clusters were linked to over 1.8 million Bitcoin addresses.

The experiment, though small, suggests that a large slice of the public keys used in Bitcoin transactions – around 14 percent – can be linked back to larger, institutional players, including banks, Bitcoin (or BTC) exchanges or large vendors like the now defunct Silk Road. That centralization makes the Bitcoin network susceptible to surveillance by law enforcement or governments that have the computing power and determination to track down the individuals, groups and institutions at either end of specific exchanges.

The paper, “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names” (http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf), was presented at the IMC (Internet Measurement Conference) 2013 Conference in Barcelona, Spain in October and is reprinted in the December issue of ;login: logout, a USENIX publication. It is based on research conducted at The University of California, San Diego and George Mason University. In it, the researchers, led by Sarah Meiklejohn of UCSD, used a combination of strategies to “de-anonymize” the Bitcoin network.

Aspects of the work have been noted before in news reports, including work that Meiklejohn did with Brian Krebs of Krebsonsecurity tracking an online purchase of heroin in Krebs' name (http://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-underground/). However, Meiklejohn and her colleagues have expanded their analysis of the Bitcoin protocol and its potential weaknesses.

Submission + - Vint Cerf: Privacy May Be A Historical Anomaly (securityledger.com)

chicksdaddy writes: The U.S. Federal Trade Commission (FTC) used a one-day workshop to highlight security and privacy issues prompted by the so-called “Internet of Things.” But attendees at the event may have walked away with a more ambiguous message, as prominent technologists and industry representatives questioned whether conventional notions of privacy had much relevance in a world populated by billions of Internet-connected devices.

“I don’t feel like privacy is dead,” keynote speaker Vint Cerf, a Vice President and Chief Internet Evangelist at Google, told an audience at the FTC workshop (http://www.ftc.gov/bcp/workshops/internet-of-things/). “I do feel like privacy will be increasingly difficult for us to achieve,” Cerf warned.

And Cerf wasn’t alone in wondering whether that might not be such a bad thing – or even that unusual. “Is privacy an anomaly,” he asked attendees in a keynote speech on Tuesday.

Recalling his experience living in a small German town where the “postmaster knew what everyone was doing," Cerf argued that the modern concept of being ‘alone in the crowd’ is a fairly recent one, born of the industrial revolution and the growth of urbanization.

Tensions between the social benefits and costs of new technologies and the Internet of Things cropped up in many discussions during the one-day event, which featured workshops on Internet-connected “Smart Homes,” “Connected Vehicles,” and “Connected Health and Fitness.” The panel on “Connected Vehicles” saw noted researcher Tadayoshi Kohno of the University of Washington sparring with Christopher Wolf of the tech industry-backed Future of Privacy Forum over the benefits of connected car features like geo-tracking and crash detection versus the cost: potential privacy violations or remote attacks on connected car systems.

Submission + - How Snowden Did It (darkreading.com)

ancientribe writes: Key clues are emerging that provide a clearer picture of how Edward Snowden may have pulled off the most epic insider leak in history. Security firm Venafi says it has figured out how it all went down: Snowden fabricated SSH keys and self-signed digital certificates to access and ultimately steal the NSA documents, Venafi has concluded based on public information on the breach and their analysis. Venafi is also publicly challenging the NSA and Snowden to prove its conclusion wrong.

Submission + - The (Coming) Age of The Developer King (veracode.com)

chicksdaddy writes: Veracode's blog has an interesting post on how the fast adoption of "Internet of Things" technology will empower application developers as never before.

Picking up on a post by Jim Morrish over at Bosch's Internet of Things blog (http://blog.bosch-si.com/m2m-platforms-recast-for-the-age-of-the-internet-of-things/), Veracode notes that an ecosystem is fast developing that abstracts information from a wide range of data sources – including traditional corporate and IT systems, as well as legacy M2M platforms. The effect of that is to put power into the hands of application developers, who have free(er) rein to shape the applications that will define the Internet of Things.

Application developers can already tap off-the-shelf development tools, protocols, and features that connect them to a much wider pool of data (and, thus, possible applications). That frees them from the onerous task of mastering proprietary application logic or stovepiped platforms.

Of course, the security and privacy implications of all that abstracted logic (and the boilerplate code that enables it) have yet to be worked out. Veracode has noted before that third party code in its various incarnations is already a frequent source of computer security vulnerabilities. (http://www.veracode.com/blog/2013/10/third-party-components-and-the-owasp-top-10-talking-code-part-6/)

Submission + - Hack Uses Phone's Camera, Mic To Infer Passwords From Hand Movements (securityledger.com)

chicksdaddy writes: All those sensors on your smartphone are great. They enable all kinds of cool features – from finding the nearest Starbucks to mobile payments. But they also pose a risk to the privacy of the phone’s owner, as malicious actors (and the occasional national government) look for ways to turn cameras and other sensors into powerful, cheap and convenient spying tools.

Now researchers at The University of Cambridge have demonstrated one possible, new attack type (http://www.lightbluetouchpaper.org/2013/11/08/5653/): harnessing the built-in video camera and microphone on Samsung Galaxy and Nexus devices to spy on an owner’s hand movements and guess his or her password, The Security Ledger reports. The technique could be a way for cyber criminals to defeat anti-keylogging technology like secure “soft” keyboards used to enter banking PINs and other sensitive information, the researchers report. (http://www.cl.cam.ac.uk/~rja14/Papers/pinskimmer_spsm13.pdf)

The lesson for mobile application developers and device makers is that “mobile devices are fundamentally different from traditional servers (and) desktops in the way we use them," Laurent Simon, one of two Cambridge University researchers who conducted the research, told The Security Ledger. “Smart phones and other devices that are ‘aware’ of the physical world are vulnerable to new types of attacks. This physical-world interaction needs to be considered when designing secure devices,” he wrote.

Submission + - Malicious Supply Chain Links 11 Attacks (securityledger.com)

chicksdaddy writes: Fresh off their discovery of a previously unknown (‘zero day’) security hole in Microsoft’s Internet Explorer web browser (http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html), researchers at the security firm FireEye say that they have evidence that a string of sophisticated attacks has a common origin.

In a report released on Monday (http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf), the firm said that many seemingly unrelated cyber attacks identified in the last year appear to be part of a “broader offensive fueled by a shared development and logistics infrastructure” – what FireEye terms a ‘supply chain’ for advanced persistent threat (APT) style attacks.

At least 11 APT campaigns targeting “a wide swath of industries” in recent months were found to be built on the same infrastructure of malicious applications and services, including shared malware tools and malicious binaries with the same timestamps and digital certificates, FireEye reports.

“Taken together, these commonalities point to centralized APT planning and development,” FireEye wrote.

Submission + - Govt Sees Need For PKI To Protect Vehicle-To-Vehicle Communications (securityledger.com)

chicksdaddy writes: Factory-installed and even aftermarket identity management applications may soon be standard components on automobiles, as the federal government looks for ways to leverage automation and collision avoidance technology to make the country’s highways and roadways safer. That’s the conclusion of a new report from the Government Accountability Office. Vehicle to vehicle communications are poised to take off, but significant security and privacy challenges must first be met, identity management top among them, GAO found.

The report, GAO 14-13 (http://gao.gov/assets/660/658709.pdf), said that the US Dept. of Transportation (DOT) is looking at public-key infrastructure (PKI) deployments that would allow automobiles to authenticate to each other and ensure that the data being transmitted has not been tampered with.

GAO quotes officials at one auto industry consortium known as “CAMP VSC 3,” which includes Ford Motor Company, GM, Honda and Mercedes, saying that the security system will need to be able to detect “misbehaving devices—such as devices that are malfunctioning, used maliciously, or hacked,” then “automatically revoke certificates from vehicles with such devices.”

Submission + - Is a Nest Botnet In Our Future? (securityledger.com)

chicksdaddy writes: The über-popular Nest smart thermostat (http://nest.com/) has become the poster child for the wonderful possibilities of "The Internet of Things." The sleek device is an object lesson in how software-driven, smartly designed and cloud-connected devices will transform our physical spaces. Under the hood, however, many of these devices – the Nest included – fail to live up to their slick and polished exteriors and graphical interfaces.

To that point, The Security Ledger has an interview with Daniel Buentello, an independent security researcher who most recently made the rounds with his "Weaponizing your Coffee Pot" talk at DerbyCon and ToorCon Seattle. (https://www.youtube.com/watch?v=9YwF7cj_OKc#t=1972)

Buentello talks to Security Ledger about his new research on The Nest — a powerful, sensor rich device about which little is known. Buentello said the Nest's reliance on cloud-based management infrastructure is a particular concern.

"The situation here is a lot worse than what meets the eye," he said. "These connected (device) clouds are basically web apps without a user interface." And, like any web app, they're vulnerable to attack.

As Buentello showed with research on the Belkin WeMo platform, would-be Nest hackers could use Nest APIs to fuzz the Nest cloud, finding exploitable vulnerabilities. This would be similar to what happened to many social network and e-commerce operations in the early days of the mobile phone app craze, when hackers figured out that they could manipulate mobile APIs.

The lack of "traditional" user interfaces on devices like the Nest might give developers the (false) security that the devices can't be hacked by traditional means. As for a Nest botnet, Buentello said that he's conducting research that might show how it might be possible to hijack the Nest cloud and use it to control devices in the field, but he isn't talking.

Submission + - Apple Store Favorite IZON Cameras Riddled With Security Holes (securityledger.com)

chicksdaddy writes: It's another day, another face-palm moment for the home surveillance camera industry.

Just one month after the Federal Trade Commission (FTC) settled a complaint (http://www.ftc.gov/opa/2013/09/trendnet.shtm) with the maker of SecurView, a line of poorly secured home surveillance cameras, a researcher at the firm Duo Security (http://www.duosecurity.com) has found a slew of even more serious security holes in the IZON Camera — a popular product that is sold in Apple Stores and Best Buy, among others. A review by The Security Ledger found dozens of such systems accessible via the public Internet, in some cases allowing anyone to peer into the interiors of private residences and businesses.

Mark Stanislav (@markstanislav), the Security Evangelist at the firm Duo Security, conducted an audit of the IZON hardware and corresponding iOS mobile application software used to manage it. He documented a slew of troubling security lapses including an easily guessed, default user account for the Web-based GUI used to view live video streams, wide-open configuration with wide-open ports for accessing the device by Telnet and HTTP, unencrypted communications and video streaming to and from IZON devices and a hard-coded, undocumented root account for the Linux-based devices.

Using the search engine Shodan.org, Stanislav compiled a list of scores of IP addresses of IZON cameras exposed on the Internet – some deployed behind simple DSL broadband connections. A review of that list by The Security Ledger revealed a handful of exposed Web interfaces that allow anyone with an Internet connection and knowledge of the default user name and password to take control of the camera: viewing a live video feed, making video recordings that can be automatically uploaded to YouTube or other cloud-based services, and even sounding audio alarms. In one case, the camera appeared to be deployed in a private residence in Kissimmee, Florida, where an elderly couple were seen caring for an infant. Others showed the interiors and exteriors of private residences – some occupied, others obviously vacant. (https://i1.wp.com/securityledger.com/wp-content/uploads/2013/10/IZON-Photos.jpg)

The CTO for Stem Innovation of Salt Lake City (http://steminnovation.com/), which makes the IZON cameras, said that the IZON firmware, server system and iOS applications tested by Stanislav have been updated since the summer, when Stanislav's research was conducted. He claims the research contains “inaccurate and misleading information.” Stem did not provide specific information about any inaccuracies.
