Forgot your password?
typodupeerror

+ - Mobile Device Crypto Could Lead to a 'Very, Very Dark Place', FBI Dir. Says-> 2

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law enforcement agencies to gather vital information on criminals."
Link to Original Source

+ - National Security Letter Issuance Likely Headed to Supreme Court->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "The Ninth Circuit appeals court in San Francisco took oral arguments from the Electronic Frontier Foundation and the Department of Justice yesterday over the constitutionality of National Security Letters and the gag orders associated with them. The EFF defended a lower court's ruling that NSLs are unconstitutional, while the DoJ defended a separate ruling that NSLs can be enforced. Whatever the court rules, the issue of NSLs is all but certainly headed for the Supreme Court in the not too distant future."
Link to Original Source

+ - RSA's Coviello Calls for Surveillance Reform, Enhanced Privacy->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "RSA Security executive chairman Art Coviello today at RSA Conference 2014 made his first public comments about the security company’s relationship with the National Security Agency, painting the landmark firm as a victim of the spy agency’s blurring of the lines between its offensive and defensive missions.

A Reuters report in December alleged RSA Security was paid $10 million in a secret contract with the NSA to use encryption software—specifically the Dual EC DRBG random number generator—that the spy agency could easily crack as part of its surveillance programs. The deal goes back nearly a decade to 2006, and according to Reuters, represented one third of the company’s crypto revenue at the time."

Link to Original Source

+ - New 'Mask' APT Campaign Called Most Sophisticated Yet->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, includes a number of unique components and functionality and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines."
Link to Original Source

+ - Verizon Transparency Report: Govt Requests Increasing->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "After months of public calls from privacy advocates and security experts, Verizon on Wednesday released its first transparency report, revealing that it received more than 164,000 subpoenas and between 1,000 and 2,000 National Security Letters in 2013. The report, which covers Verizon’s landline, Internet and wireless services, shows that the company also received 36,000 warrants, most of which requested location or stored content data."
Link to Original Source

+ - EBay Vulnerable to Account Hijacking via XSRF->

Submitted by msm1267
msm1267 (2804139) writes "eBay users remain vulnerable to account hijacking nearly five months after it was initially informed of a cross-site request forgery flaw by a U.K. security researcher. Ebay has three times communicated to the researcher that the code causing the XSRF situation has been fixed, but it still remains vulnerable to his exploit.

The attack allows a hacker who lures a victim to a website hosting the exploit to change the user's contact information necessary to perform a password reset. The hacker eventually is able to log in as the victim and make purchases on their behalf."

Link to Original Source

+ - NSA Says Snowden Used Legit Access to Steal Data->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "It’s taken more than six months, but top officials at the National Security Agency are finally discussing some of the details of how former agency contractor Edward Snowden got access to all of the documents he stole and what kind of damage they believe the publication of the information they contain could do. A senior NSA employee tasked with investigating what Snowden did and how he did it said that Snowden simply used the legitimate access he had as a systems administrator to steal and store the millions of documents he’s been slowly leaking to the media, and that the information in those documents could give U.S. enemies a “road map” of the country’s intelligence capabilities and blind spots."
Link to Original Source

+ - The Infamous Zeus Banking Trojan has Gone 64-Bit->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new, 64-bit version of the Zeus trojan that behaves much like its 32-bit contemporaries: it too uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and even log keystrokes. Unlike its contemporaries, this new variety of Zeus is — of course — 64-bit compatible, but also communicates with its command and control server over the Tor anonymity network."
Link to Original Source

+ - Ruby on Rails CookieStore Bug Plagues Prominent Sites->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.

Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-side scripting or session sidejacking – and log in as them at a later date."

Link to Original Source

+ - Senate Debates Surveillance Transparency Act, NSA Spying->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "In a Senate hearing debating the NSA's contentious surveillance programs and a proposed bill that would impose more transparency onto those practices, Sen. Patrick Leahy of (D-Vt.) asked Google's director for law enforcement and information security matters, Richard Salgado, if government imposed gag orders on requests for user data were making the country safer. Salgado answered that he did not believe that his inability answer questions about data requests had any impact on national security.

In addition, the general counsel for the Director of National Intelligence claimed enumerating the exact number of U.S. citizens monitored under NSA surveillance programs would be too difficult and resource-intensive.

The general consensus of those not advocating for the NSA was that the bill introduced by Sen. Al Franken (D-Mich.) would be a great step forward, but that transparency alone would not undo the damages done to U.S. companies and its government by PRISM and other similar surveillance programs. Nor, they seemed to agree, would the addition of transparency make the NSA’s programs lawful or constitutional."

Link to Original Source

+ - Microsoft to Broaden its Base of Bug Bounty Submitters->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit mitigations in place on the newest version of Windows."
Link to Original Source

+ - Lavabit Temporarily Re-Opening

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Lavabit, the now-shuttered secure email provider that has become something of a rallying point for privacy advocates and security experts in the ongoing NSA surveillance saga, is giving its former users until Thursday night to change their passwords on the service. They will then have a short window to download their email archives and get to their account data.

Ladar Levison, the founder of Lavabit, in August decided to make the dramatic move of shutting down the service rather than giving the government broad access to his users’ data. The FBI, in the wake of the Edward Snowden leaks of NSA surveillance methods, went to Levison with a court order demanding the SSL keys for the company’s service. Rather than comply, which Levison said would have spelled death for the Lavabit service anyway, he decided to shut down the secure email system. The Department of Justice was not pleased, to say the least, but Levison has held out and recently filed an appeal of the court order."

+ - Google Malaysia Site Hijacked->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "The Google domain for Malaysia was hijacked on Thursday night, redirecting visitors to a page that said a group called Madleets from Pakistan had performed the attack. The domain has been restored now, but the name servers for the domain had been changed to a pair controlled by the attackers."
Link to Original Source

The use of anthropomorphic terminology when dealing with computing systems is a symptom of professional immaturity. -- Edsger Dijkstra

Working...