65298603
submission
Gunkerty Jeb writes:
The Ninth Circuit appeals court in San Francisco took oral arguments from the Electronic Frontier Foundation and the Department of Justice yesterday over the constitutionality of National Security Letters and the gag orders associated with them. The EFF defended a lower court's ruling that NSLs are unconstitutional, while the DoJ defended a separate ruling that NSLs can be enforced. Whatever the court rules, the issue of NSLs is all but certainly headed for the Supreme Court in the not too distant future.
55841667
submission
Gunkerty Jeb writes:
After months of public calls from privacy advocates and security experts, Verizon on Wednesday released its first transparency report, revealing that it received more than 164,000 subpoenas and between 1,000 and 2,000 National Security Letters in 2013. The report, which covers Verizon’s landline, Internet and wireless services, shows that the company also received 36,000 warrants, most of which requested location or stored content data.
50020745
submission
Gunkerty Jeb writes:
Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins.
According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim’s IP address has previously been flagged as a spam source or as a proxy. A CBL is a blacklist of IP addresses known to be participating in spreading spam or malware.
48730909
submission
Gunkerty Jeb writes:
A former Cal State San Marcos student was sentenced to a year in prison this week for election tampering by using keystroke loggers to grab student credentials and then vote for himself.
Matthew Weaver, 22, of Huntington Beach, Calif., stole almost 750 students’ identities to try and become president of the San Diego County college’s student government. His plan went awry when the school’s computer technicians noticed an anomaly in activity and caught Weaver with keystroke loggers as he sat in front of the suspicious computer.
48195679
submission
Gunkerty Jeb writes:
In a highly unusual move, James Clapper, the director of national intelligence, said Tuesday that he misspoke when he told a Congressional committee in March that the National Security Agency does not assemble dossiers on Americans. Clapper said at the time that the agency does not do so “wittingly”, but in a letter to the chair of the Senate Select Committee on Intelligence, Clapper admitted this statement was “erroneous”.
Clapper, the top U.S. intelligence official, has been quite vocal in his defense of the NSA’s now-public surveillance programs such as PRISM and the metadata collection program. In statements published shortly after the leak of classified documents by Edward Snowden about those collection efforts, Clapper said that they both have been repeatedly authorized by Congress and the executive and judicial branches over the years. The collection of broad swaths of Internet data under Section 702 of the Foreign Intelligence Surveillance Act through PRISM is one of the aspects of the agency’s efforts that has many people worried.
48093345
submission
Gunkerty Jeb writes:
A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well.
ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users.
46306977
submission
Gunkerty Jeb writes:
Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google’s Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question.
This vulnerability in Tridium’s Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that “there are over 245,000 instances of the Niagara Framework deployed worldwide.” Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet.
44810517
submission
Gunkerty Jeb writes:
Alma Whitten, the director of privacy at Google, is stepping down from that role and leaves behind her a complicated legacy in regards to user privacy. Whitten has been the company's top product and engineering privacy official since 2010 and was at the helm as the company navigated a number of serious privacy scandals and controversies.
Whitten has been at Google for about 10 years, and while she has been the main public face of the company's product privacy efforts in the last couple of years, she has been involved in engineering privacy initiatives for even longer. Before becoming the privacy lead for products and engineering in 2010 in the aftermath of the Google Street View WiFi controversy, Whitten had been in charge of privacy for the company's engineering teams. During that time, she was involved in the company's public effort to fight the idea that IP addresses can be considered personally identifiable information.
42712141
submission
Gunkerty Jeb writes:
In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks.
A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw.
"This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices," Rapid7's CSO HD Moore told Threatpost. "The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable."
39648383
submission
Gunkerty Jeb writes:
Side-channel attacks against cryptography keys have, until now, been limited to physical machines. Researchers have long made accurate determinations about crypto keys by studying anything from variations in power consumption to measuring how long it takes for a computation to complete.
A team of researchers from the University of North Carolina, University of Wisconsin, and RSA Security has ramped up the stakes, having proved in controlled conditions that it’s possible to steal a crypto key from a virtual machine.
The implications for sensitive transactions carried out on public cloud infrastructures could be severe should an attacker land his malicious virtual machine on the same physical host as the victim. Research has already been conducted on how to map a cloud infrastructure and identify where a target virtual machine is likely to be.
39232455
submission
Gunkerty Jeb writes:
The death knell for SSL is getting louder.
Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages.
Serious security vulnerabilities were found in programs such as Amazon’s EC2 Java library, Amazon’s and PayPal’s merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man-in-the-middle attack.
38825445
submission
Gunkerty Jeb writes:
Initially thought to be merely a module of the now-infamous Flame malware, MiniFlame, or SPE, is, in reality, a secondary surveillance tool deployed against specially identified targets following an initial Flame or Gauss compromise.
MiniFlame/SPE was one of three previously unseen pieces of malware discovered during a forensic analysis of Flame's command and control servers.
Researchers at Kaspersky Lab and CERT-Bund/BSI determined that the program, which has compromised somewhere between 10 and 20 machines, can stand alone as an independent piece of malware or run as a plug-in for both Flame and Gauss.
38297071
submission
Gunkerty Jeb writes:
Researchers working on the "physically unclonable functions found in standard PC components (PUFFIN) project" announced last week that widely used graphics processors could be the next step in online authentication. The project seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics.
The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.
The implication of this discovery is that such differences can be used as physically unclonable features to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts.
36843225
submission
Gunkerty Jeb writes:
The Air Force Life Cycle Management Center (AFLCMC) posted a broad agency announcement recently, calling on contractors to submit concept papers detailing technological demonstrations of ‘cyberspace warfare operations’ (CWO) capabilities.
Among many other things, the Air Force is seeking to obtain the abilities to “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries' ability to use the cyberspace domain for his advantage” and capabilities that would allow them to intercept, identify, and locate sources of vulnerability for threat recognition, targeting, and planning, both immediately and for future operations.
35821819
submission
Gunkerty Jeb writes:
Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download.