Forgot your password?
typodupeerror

+ - Security precogs divine web vulnerabilities before they exist->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Three million webpages are set to become hacker fodder according to research that could predict what websites will become vulnerable ahead of time.

The research by Kyle Soska and Nicolas Christin of Carnegie Mellon University used an engine which divined the future by looking at the past — more specifically, by trawling the Way Back Machine with its 391 billion stored pages for sites that had become malicious.

It determined [PDF] that of 4,916,203 current benign webpages (tied to 444,519 websites) about 3 million would become vulnerable within a year."

Link to Original Source

+ - Boffins find hundreds of thousands of woefully insecure IoT devices->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "More than 140,000 internet-of-things devices, from routers to CCTV systems contain zero-day vulnerabilities, backdoors, hard coded crackable passwords and blurted private keys, according to the first large scale analysis of firmware in embedded devices. Four researchers from EURECOM France found the flaws when conducting a simple but systematic, automated, and large-scale analysis of 32,356 firmware images running on embedded systems within thousands of different devices.

Of these, 693 had at least one vulnerability while 38 contained active (or possibly recently patched) zero day flaws."

Link to Original Source

+ - Leaked docs offer Win 8 Pro tip: FinFisher spyware can't tap Skype's Metro app->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "A string of documents detailing the operations and effectiveness of the FinFisher suite of surveillance platforms appears to have been leaked. The documents, some dated 4 April this year, detail the anti-virus detection rates of the FinFisher spyware which German based Gamma Group sold to governments and law enforcement agencies. The dump also reveals Windows 8 users should opt for the Metro version of Skype rather than the desktop client because it cannot be tapped by FinFisher."
Link to Original Source

+ - Reciepe for building a cheap Raspberry Pi honeypot network->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now a guide has been published to build a dirt cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained."
Link to Original Source

+ - NSA man says agency can track you through power lines->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with, but experts weren't sure if the technology could be used to locate individuals."
Link to Original Source

+ - Redmond is 'patching' Windows 8 but NOT Windows 7, say security bods->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. (Video, slides)."
Link to Original Source

+ - Spotty solar power management platform could crash the grid->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Criminals could potentially cause black-outs and mess with power grid configurations by exploiting flaws in a popular solar panel management system used by thousands of homes and businesses. The threat is substantial because, as the company boasts, its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 566TWh of electrical energy, or so we're told."
Link to Original Source

+ - Silly sysadmins ADDING Heartbleed to servers->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "At least 2500 website administrators have made their previously secure sites vulnerable to Heartbleed more than a month after the bug sent the world into a hacker-fearing frenzy.

Opera Software developer Yngve Pettersen discovered the bungle while probing for Heartbleed vulnerable systems in the weeks after the bug was disclosed on April 7. He pinged half a million separate servers of sites rated as popular by Alexa and found hapless admins had, presumably in a panic, updated their then-unaffected-or-possibly-new boxes to the latest offering and in doing so introduced the Heartbleed bug."

Link to Original Source

+ - McAfee accused of McSlurping Open Source Vulnerability Database->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data. Law experts say site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."
Link to Original Source

+ - Web cesspit 4chan touts '$20 bug bounty' after hackers ruin Moot's day->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "4chan's Moot has launched a bug bounty for the site after it was hacked, but is offering a meagre $20 in "self-serve ad spend" for all bugs. The bounty programme was launched after the website and Moot's Amazon accounts were hacked. The intrusion spelled the end for DrawQuest which was closed after Moot decided it was not worth spending money to ensure the unprofitable but popular drawing platform was secure."
Link to Original Source

+ - iPhone factory reset strikes dead forensic investigations-> 1

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "Felons wanting to thwart forensic investigators need only perform a factory reset of any current model iPhone including the 4s, 5c and 5s.
Apple's decision to encrypt data on the iPhone is responsible for this state of affairs because a factory reset not only wipes data but also erases the decryption key required to reveal the handset's contents. Forensic investigators will need to wait until the release of a jailbreak for the devices in order to image the phones."

Link to Original Source

+ - Ubuntu 14.04 lock screen bypass: just hold enter->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "A user has discovered an embarrassingly simple security security vulnerability affecting the latest version of Ubuntu, which allows snoops to bypass the lock screen. Password protection on machines running Ubuntu 14.04 could be bypassed by simply holding the enter key for about 30 seconds, crashing Unity. Developers worked quickly to issue a fix for the flaw described as 'critical'."
Link to Original Source

+ - Hacker holds key to free flights->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "A security researcher says he has developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app. The 18 year-old computer science undergrad didn't reveal the 'bypass' which gets the holder of the fraudulent ticket past the last scanner and onto the jetway; he's saving that for his talk at Hack in the Box in Amsterdam next month."
Link to Original Source

+ - eBay passwords revealed as username+123456->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt, which should have been random, used was the combination '123456', which was reported as last year's worst password. Video."
Link to Original Source

+ - World's largest DDoS strikes US, Europe->

Submitted by mask.of.sanity
mask.of.sanity (1228908) writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps larger than the previous record DDoS attack which used DNS reflective amplification."
Link to Original Source

Forty two.

Working...