Trailrunner7 writes "If you’re still wondering when the future will get here, stop looking to the skies for flying cars and look down at your iPhone the next time you walk into an Apple store. The company has just kicked off a new in-store tracking initiative that uses Bluetooth to push offers and notifications to customers as they wander through the aisles looking at Beats headphones and One Direction phone cases.
Known as iBeacon, the system uses Bluetooth Low Energy (BLE) to push notifications to users in the store who are carrying iOS 7 devices with the Apple Store app installed. Users must allow the app to track them in order to receive the notifications, but once that option is enabled, a user might find herself receiving offers for a short-term discount on a particular product or an upgrade to a new iPhone."
tsu doh nimh writes "In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as "Paunch," the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: "The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunch's customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.""
Trailrunner7 writes "In response to the growing set of revelations about the NSA’s surveillance methods and alleged compromise of some large technology vendors’ services, Microsoft is taking a number of steps to try and reassure customers about the integrity of the company’s offerings and to greatly expand the use of encryption across its services.
Microsoft said that in the next few months it will be improving and expanding its use of encryption, specifically in its cloud services such as Azure, Outlook.com and Office 365. The company recently announced that it would be improving the encryption services on Office 365, but this new initiative goes well beyond that effort. Microsoft will be implementing Perfect Forward Secrecy on its cloud service and also will be moving to 2048-bit keys. This applies to data in transit between customers and Microsoft’s servers, but it also will be applied to information moving among the company’s data centers.
“Bing still doesn’t offer SSL as an option. So will they finally change that? One of the things they said in this announcement is that they’ll be using best-in-class encryption, but that means more than just an algorithm. It means things like HSTS [HTTP Strict Transport Security] and certificate pinning,” Chris Soghoian of the ACLU said. “Is Microsoft going to use certificate pinning in Internet Explorer?”"
Trailrunner7 writes "The skies may soon be full of drones–some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by a well-known hacker Samy Kamkar may give control of those drones to anyone with $400 and an hour of free time.
Small drones, like the ones that Amazon is planning to use to deliver small packages in short timeframes in a few years, are quite inexpensive and easy to use. They can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn’t require the use of any exploit or security vulnerability."
SandmanWAIX writes "A 40 billion dollar treaty between Australia and East Timor is going to the courts in The Hague this week with East Timor accusing the Australian spy agency ASIS of spying during the negotiations.
A former spy has turned whistleblower in the case and subsequently had his passport cancelled and his lawyer's office raided. The unnamed spy (former director of technical operations) decided to come forward as the then foreign minister overseeing the treaty is now an advisor to Woodside Petroleum, Australia's largest oil and gas company."
vinces99 writes "Quantum entanglement, a perplexing phenomenon of quantum mechanics that Albert Einstein once referred to as “spooky action at a distance,” could be even spookier than Einstein perceived. Now, some physicists believe the phenomenon might be intrinsically linked with wormholes, hypothetical features of space-time that in popular science fiction can provide a much-faster-than-light shortcut from one part of the universe to another. But here’s the catch: One couldn’t actually travel, or even communicate, through these wormholes, said Andreas Karch, a University of Washington physics professor who is co-author of a paper on the research in Physical Review Letters. Quantum entanglement occurs when a pair or a group of particles interact in ways that dictate that each particle’s behavior is relative to the behavior of the others. In a pair of entangled particles, if one particle is observed to have a specific spin, for example, the other particle observed at the same time will have the opposite spin. The “spooky” part is that, as previous research has confirmed, the relationship holds true no matter how far apart the particles are – across the room or across several galaxies. If the behavior of one particle changes, the behavior of both entangled particles changes simultaneously, no matter how far away they are. Recent findings indicate that the characteristics of a wormhole are the same as if two black holes were entangled, then pulled apart. Even if the black holes were on opposite sides of the universe, the wormhole would connect them."
Trailrunner7 writes "There is a vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable all of the security locks on a given device, leaving it open to further attacks. Jelly Bean is the most widely deployed version of Android right now.
The vulnerability in Android exists in the way that the operating system handles the flow of events when a user wants to change one of the security locks on a device. There are several different kinds of security locks on Android devices, including PIN codes, facial recognition and gesture locks. When a user wants to change one of these locks, he is asked to enter one of the other ones in order to confirm his control of the device. The vulnerability in Jelly Bean, discovered by researchers at Curesec in Germany, allows a malicious app to skip this step and disable the other security locks."
Trailrunner7 writes "A large group of privacy and digital rights organizations has put together a new effort to urge politicians to curtail the mass surveillance operations that have been exposed in the last few months. The new coalition has developed a set of 13 principles for governments to follow in their intelligence gathering efforts and started a petition that it plans to deliver to the United Nations and governments around the world.
Known as Necessary and Proportionate, the anti-surveillance group includes the EFF, Privacy International, Access, the Chaos Computer Club and many others. The petition that the group has started has been signed by a slew of other organizations and privacy and security experts from around the world, including the Citizen Lab, Digital Courage, the Internet Governance Project, Bruce Schneier, Morgan Marquis-Boire and Jennifer Granick.
“Surveillance can and does threaten human rights,” EFF International Rights Director Katitza Rodriguez said in a statement. “Even laws intended to protect national security or combat crime will inevitably lead to abuse if left unchecked and kept secret. The Necessary and Proportionate Principles set the groundwork for applying human rights values to digital surveillance techniques through transparency, rigorous oversight and privacy protections that transcend borders.”"
msm1267 writes "A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.
Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-site scripting or session sidejacking – and log in as them at a later date."
Trailrunner7 writes "When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
The Cool exploit kit isn’t as well-known as Blackhole, but it is just as dangerous and was being sold at a much higher price during its heyday. Blackhole is one of the more venerable exploit kits for sale on the underground markets and it has been very popular with a variety of attackers and malware gangs over the years. It’s often used in drive-by download scenarios to compromise users’ machines through the use of browser exploits or exploits for plug-ins such as Java or Flash. Blackhole customers could buy a yearly license for about $1,500 or even just rent it for a day for $50. Cool could rent for as much as $10,000 a month."
Trailrunner7 writes "Encryption, once a tool used mainly by security professionals, activists and others with reason to suspect their communications may be at risk, has been moving ever deeper into the mainstream in recent months. Now, Microsoft is planning to roll out a new encrypted email service on its Office 365 site that will make sending and receiving secure email much simpler.
The new service, known as Office 365 Message Encryption, is designed to simplify the process of using encrypted email, something that hasn’t been as easy as most users would like. Setting up and using many secure email applications can be an arduous and confusing process, particularly for users who may not be familiar with security. Microsoft’s new service, which will be available in the first quarter of 2014, uses a system that’s somewhat similar to other secure email systems, wherein a user receives an email with an encrypted attachment and instructions for opening it."
Trailrunner7 writes "The challenge to the NSA’s domestic surveillance program filed with the Supreme Court by the Electronic Privacy Information Center ended Monday, with the court refusing to consider the challenge at all. EPIC had filed the challenge directly with the Supreme Court rather than going through the lower courts.
Trailrunner7 writes "Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that’s being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs.
The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA’s PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency “direct access” to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn’t provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted.
That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA’s infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they’re no longer willing to be participants, witting or otherwise, in the NSA’s surveillance programs."
Trailrunner7 writes "In the first six months of this year, Google received seven wiretap orders from the United States government and complied with all of them. The company also received 207 pen register requests in the same period and complied with 89 percent of them, according to Google’s new transparency report.
The company’s latest report reveals a fairly dramatic increase in the volume of user data requests from the U.S. government since the beginning of 2010. In the first half of that year, Google received 4,287 requests for user data. In the latest reporting period, the company got 10,918 requests. However, the percentage of requests that Google complies with has been dropping over time, with the company providing some data in 94 percent of requests in the second half of 2010 and 83 percent in the first half of 2013. Overall, requests from all governments have more than doubled since 2010."
Trailrunner7 writes "When the first NSA surveillance story broke in June, about the agency’s collection of phone metadata from Verizon, most people likely had never heard the word metadata before. Even some security and privacy experts weren’t sure what the term encompassed, and now a group of security researchers at Stanford have started a new project to collect anonymous data from Android users to see exactly how much information can be drawn from the logs of phone calls and texts.
The project, dubbed Metaphone, is soliciting volunteers who agree to allow the collection of various kinds of metadata from their phones, which will then be sent automatically to Stanford’s researchers. The Stanford Security Lab, which is running the project, is interested in showing that the collection of metadata amounts to surveillance, something that NSA leaders and Congress have said is not the case.
“We intend to report preliminary results as soon as we have enough crowdsourced data. Phone records are plainly a hot-button issue: Congress is considering intelligence reform legislation, courts are hearing litigation challenges, and many in the public aren’t sure who’s telling the truth. Our aim is to provide rigorous answers about the sensitivity of phone metadata,” Jonathan Mayer of Stanford said."