Forgot your password?
typodupeerror

+ - Mobile Device Crypto Could Lead to a 'Very, Very Dark Place', FBI Dir. Says-> 2

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law enforcement agencies to gather vital information on criminals."
Link to Original Source

+ - Schmidt Says Attack on Google Prompted Encryption Changes

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Eric Schmidt, executive chairman of Google, said that the changes to Android's encryption model, which have angered law enforcement officials, should have come as no surprise to law enforcement and government agencies, given the events of the last couple of years.

“The people who are criticizing this should’ve expected this. After Google was attacked by the British version of the NSA we were annoyed to no end,” Schmidt said. “We put in encryption end to end, at rest and in transit. Law enforcement has many many ways to get this information without doing this.”

After the details of Apple’s and Google’s encryption changes became public, some in the law enforcement community have suggested that the companies should include a backdoor in their devices. Both Sen. Ron Wyden and Schmidt dismissed this suggestion out of hand.

“U.S. companies shouldn’t be forced to build backdoors into their products,” Wyden said."

+ - Twitter Sues DoJ Over Restrictions on National Security Letter Data

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free speech by requiring that the company “engage in speech that has been preapproved by government officials or else to refrain from speaking altogether.”

The move by Twitter is the first public shot across the bow of the FBI and Justice Department on this issue. Many companies, including Google, Microsoft, Apple and others, have been pressing the government for the ability to publish detailed information about the scope of the requests they receive for user data. The government so far has said that companies can publish only broad ranges of numbers about the volume of National Security Letters they receive, which only gives a vague picture of the situation.

"Twitter’s ability to respond to government statements about national security surveillance activities and to discuss the actual surveillance of Twitter users is being unconstitutionally restricted by statutes that prohibit and even criminalize a service provider’s disclosure of the number of national security letters (“NSLs”) and court orders issued pursuant to FISA that it has received, if any," the suit says."

+ - Obama Administration argues for backdoors in personal electronics->

Submitted by mi
mi (197448) writes "

Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

Seriously. Would somebody, please, think of the children?!"
Link to Original Source

+ - DARPA Working on 'Unhackable' Embedded Software

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackabale for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”"

+ - Google to Pay Researchers Extra Cash for Exploits

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submit a working exploit for their vulnerability submission.

The range for Google’s vulnerability reward program is now $500-$15,000, and there are a number of factors that go into the company’s decision on what to pay a researcher for a submission. Much of it has to do with the severity of the vulnerability and the likelihood that it will affect a large number of users.

“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later," Google's Tim Willis said."

+ - FBI Plans to Open Up Malware Analysis Tool to Outside Researchers

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others.

The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file. Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.

Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal’s reach in the near future.

“We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon,” he said."

+ - Google Funds New Group to Improve Usability of Open Source Security Tools

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "The dramatic revelations of large-scale government surveillance and deep penetration of the Internet by intelligence services and other adversaries have increased the interest of the general public in tools such as encryption software, anonymity services and others that previously were mainly of interest to technophiles and activists. But many of those tools are difficult to use and present major challenges for users, so to help improve the usability of these applications, Google, Dropbox and others are supporting a new project called Simply Secure.

The project is focused on making open-source security and privacy tools easier to use and to remove some of the pain of using crypto packages, off-the-record messaging and other tools that protect users online. The organization’s activities will center on bringing developers of open source security tools together with usability researchers and experts to help solve the difficult problems the developers face. Many open source projects are run by volunteers who don’t have the time or resources to tackle these issues on their own."

+ - NSA Director Says Agency is Still Trying to Figure Out Cyber Operations

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "In a keynote speech at a security conference in Washington Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.

“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”

Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad."

+ - SNMP DDoS Scans Spoof Google DNS Server->

Submitted by msm1267
msm1267 (2804139) writes "The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.

“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.

Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands."

Link to Original Source

+ - Major Android Flaw Lets Attackers Bypass Same Origin Policy

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.

The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.

  “What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”"

+ - Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

“For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods.”

That result also doesn’t rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure."

+ - Home Depot Gets Social-Engineered->

Submitted by PLAR
PLAR (2765185) writes "The team assigned to pump potentially sensitive information out of Home Depot employees during live cold calls during this year's Social Engineering Capture the Flag competition at the DEF CON 22 hacker conference won the overall contest, which targeted major US retailers. While the contest was obviously unrelated to this week's revelation of a possible breach at the home improvement chain, it's an interesting look at the retail industry's wave of security woes."
Link to Original Source

+ - Twitter Launches Bug Bounty Program

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.

The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.

Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, unauthorized access to private tweets or direct messages.

- See more at: http://threatpost.com/twitter-..."

Reference the NULL within NULL, it is the gateway to all wizardry.

Working...