mask.of.sanity writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps larger than the previous record DDoS attack which used DNS reflective amplification."
mask.of.sanity writes "Russia has banned digital currency Bitcoin under existing laws and dubbed use of the crypto-currency as "suspicious". The Central Bank of Russia considers Bitcoin as a form of "money substitute" or "money surrogate" (statement in Russian) which is restricted under Russian law. However, unlike use of restricted foreign currencies, Bitcoin has been outright banned. The US Library of Congress has issued a report examining the regulatory approaches national financial authorities have taken to the currency."
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's /etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its /etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
mask.of.sanity writes "Life could become more difficult for fraudsters on Skype thanks to new research by Microsoft boffins that promises to cut down on fake accounts across the platform.
The research (PDF) combined information from diverse sources including a user's profile, activities and social connections into a supervised machine learning environment that could automate the presently manual tasks of fraud detection.
The results show the framework boosted fraud detection rates for particular account types by 68 per cent with a 5 per cent false positive rate."
mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."
mask.of.sanity writes "Aircraft flying to the world's most popular airports could be placed in danger by accurate yet inexpensive attacks targeting the ADS-B widespread aviation safety system.
Researchers proved in a paper [PDF] that attackers with control over a wireless network and possessing off-the-shelf equipment could flood air traffic control monitors with images of fake aircraft, an attack previously identified but thought largely theoretical. They also discovered a new attack in which attackers could modify the trajectory of those in the sky, which undermined the object of the system to provide pilots with information on the location and direction of aircraft.
The system is required for flights cruising above 29,000 feet in the US and Australia."
mask.of.sanity writes "Google has revealed details on its Beyond Corp project to scrap the notion of a corporate network and move to a zero-trust model.
The company perhaps unsurprisingly considers the traditional notion of perimeter defences and its respective gadgetry as a dead duck, and has moved to authenticate and authorise its 42,000 staff so they can access Google HQ from anywhere (video).
Google also revealed it was perhaps the biggest Apple shop in the world with 43,000 devices deployed and staff only allowed to use Windows with a supporting business case."
mask.of.sanity writes "A lawyer says Australian spy agents have raided his office in search of documentary evidence he has taken to the Hague that Australia planted listening devices in East Timor offices to secure lucrative gas revenue.
The documents were apparent proof that Australia planted bugs in the walls of Timor offices in 2004 by sending in spies acting as aid workers.
A possible whistleblower was also arrested in separate but concurrent raids.
Two years later Australia secured a 50 percent stake in the $40 billion gas field that was located 100 kilometres from the then new nation and 400 kilometres from Australia."
mask.of.sanity writes "Four security researchers have designed a router based on open source components they say will make security and privacy verifiable and more accessible to users.
The Open Router Project router would be built on open source hardware and software and run a custom Linux Yocto distribution with a Freescale QorIQ P1010 processor. A list of secure features planned is here.
The devs have opened a $200,000 crowdfunding goal they say will bring the router up to the first manufacturing run."
mask.of.sanity writes "Users can be identified with a half percent margin of error based on the way they type. The research work has been spun into an application that could continuously authenticate users, rather than just relying on passwords, and could lock accounts if another person jumped on the computer. Researchers are now integrating mouse movements and clicks, and mobile touch patterns into the work."
mask.of.sanity writes "A New Zealand researcher has detailed ways that UAVs can be crashed using cheap tools like HERF guns and GPS jammers, and could even be downed by flying drones with more powerful radio. The attacks (podcast) interfere with the navigation systems used by flying drones and are possible because security was not designed into the architecture of some machines."
mask.of.sanity writes "Two critical networks managing traffic systems of a major Australian capital city contain gaping holes that render them vulnerable to attack.
The flaws were found during penetration tests by the government a year ahead of the G20 Summit, the most significant gathering of world leaders ever held in Australia.
The tests found the agencies messed up security zoning, didn't remove staff logins as they resigned, and had inconsistent patching."
mask.of.sanity writes "Australia tracked calls by Indonesia's president, documents leaked by defence contractor Edward Snowden reveal. The nation's top spy agency the Australian Signals Directorate tracked phone calls made and received on the mobile phone of Susilo Bambang Yudhoyono for 15 days in August 2009, and also tracked his wife and inner political circle. Indonesia was Australia's nearest and most important regional neighbour."
mask.of.sanity writes "New Zealand researchers have notified operators of the world's biggest tech platforms of critical vulnerabilities in their wares and found some were barely motivated to fix the flaws. The customers of the affected vendors included the US Air Force, Deloitte and Raytheon.
The researchers gave a talk (podcast) explaining how they found dangerous bugs — some trivial to exploit — in software including Solarwinds, Kaseya and NCentral. A few vendors eventually patched the holes but some refused, meaning zero-day was dropped."
mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free.
The flaws in the MIFARE Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system (VIDEO).
The website fails to check users, meaning attackers could look up details of residents, and opens the potential for someone to write a script and erase all cards in existence. The flaws have been known to the operator since 2009."