itwbennett writes: This week the creators of the Petya and Mischa ransomware programs leaked about 3,500 RSA private keys allegedly corresponding to systems infected with Chimera, another ransomware application. In a post Tuesday on Pastebin, Mischa's developers claimed that earlier this year they got access to big parts of the development system used by Chimera's creators. As a result of that hack, they obtained the source code for Chimera and integrated some of it into their own ransomware project, according to the Pastebin message. There's no confirmation yet that the newly leaked RSA keys work, but there's a good chance they do. In a blog post Tuesday, Malwarebytes researchers advised Chimera victims not to delete their files, saying "there is a hope that soon you can get your data back."
itwbennett writes: Eight popular wireless keyboards studied by IoT security company Bastille Networks were found to use no encryption at all in their wireless communications. 'The data that is transmitted to the USB dongle is in plain text,' said Marc Newlin, a member of the company's research team. All it takes to spy on the keyboards is less than $100 worth of commonly-available equipment, such as the $30 Crazyradio PA USB radio dongle, combined with a directional antenna, said Newlin. And the attacker doesn't even have to be physically within the targeted building. The company has collected all the relevant information on its KeySniffer website.
itwbennett writes: 'On Saturday evening, during the Eleventh HOPE conference in New York City, three hackers released the final master key used by the Transportation Security Administration (TSA), which opens Safe Skies luggage locks,' writes CSO's Steve Ragan. The hackers also released a 3D-printable model of the key. The issue, the hackers say, isn't that some creep can riffle through your delicates using one of these keys, but that government key escrow is inherently dangerous. Even the TSA admits that the Safe Skies locks have little to do with safety. 'These consumer products are convenience products that have nothing to do with TSA's aviation security regime,' an agency spokesperson said.
itwbennett writes: Tinder users should be on the lookout for Tinder profiles asking them to get 'verified' and then sending them a link to a site called Tinder Safe Dating. The service asks for credit card information, saying this will verify the user's age. Once payment information has been captured, the user is then signed up for a free trial of porn, which will end up costing $118.76 per month unless the service is cancelled.
itwbennett writes: A draft of new EU export regulations could put smartphones in the category of dual-use technologies (technologies that can serve civil or military purposes) because of their location-tracking capabilities. This could add significant overheads and delays for exporters of smartphones and various other GPS gadgets. The potential difficulty for smartphone manufacturers and resellers appears on page 20 of the leaked draft regulation, which was obtained by news website Euractiv, where cyber-surveillance technology is broadly defined as including 'mobile telecommunication interception equipment, intrusion software, monitoring centers, lawful interception systems and data retention systems, biometrics, digital forensics, location tracking devices, probes and deep package inspection systems.'
itwbennett writes: Artem Vaulin, the alleged owner of the torrent directory service KickassTorrents, was arrested in Poland earlier this week, charged with copyright infringement and money laundering. Apple and Facebook were among the companies that handed over data to the U.S. in its investigation. Department of Homeland Security investigators traced IP addresses associated with KickassTorrents domains to a Canadian ISP, which turned over server data, including emails. At some point, investigators noticed that Vaulin had an Apple email account that was used to make iTunes purchases from two IP addresses — both of which also accessed a Facebook account promoting KickassTorrents.
itwbennett writes: 'Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors,' writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault. 'It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors,' writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have the WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.
itwbennett writes: On Monday it was reported on Slashdot and elsewhere that the same hacking group that took over Mark Zuckerberg's Twitter account was attacking Pokemon Go's login servers. Now that group, OurMine, is breaking into Minecraft accounts. OurMine made the claim on Tuesday in a video demonstrating its hack. To test the hack, IDG News Service created a user account on Mojang, emailed OurMine and asked the group to break into it, which the group did.
itwbennett writes: Oracle has released its largest Critical Patch Update (CPU) yet, fixing 276 vulnerabilities in more than 80 products. Assuming you've got lots of patching ahead of you, start with the Java patches, advises John Matthew Holt, CTO of application security firm Waratek. And Qualys adds that companies should quickly turn their attention to assets that can be directly attacked from the internet.
itwbennett writes: Earlier this month, Ryan Shapiro, a national security researcher and Ph.D. candidate at MIT, filed a lawsuit against the FBI in which he alleges that the bureau's Freedom of Information Act (FOIA) searches often fail 'by design.' Shapiro has been studying FOIA for years with a particular focus on noncompliance by government agencies and has multiple FOIA lawsuits in motion against the FBI. The new lawsuit claims that one of the 'countless means' by which the FBI foils FOIA requests is by using out-of-date search technology that frequently produces no results. 'In particular, the FBI typically conducts FOIA searches in the "universal index" portion of its legacy Automated Case Support system, which was deployed in 1995.... despite the existence of two much better search applications within ACS,' writes Katharine Noyes.
itwbennett writes: Researchers at MIT's Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne have developed a new system for anonymous Internet communication, dubbed Riffle, that combines three cryptographic techniques to offer better privacy than Tor and boasts much faster performance to boot. The researchers will present a paper describing their work at the Privacy Enhancing Technologies Symposium in Germany next week.
itwbennett writes: A new article by David Taber opens with the premise that agile and waterfall development methodologies often have to be used together to satisfy the needs of both developers (on the agile side) and management (on the waterfall side). And, as previously reported on Slashdot, 'The 2014 CAST Research on Application Software Health (CRASH) report states that enterprise software built using a mixture of agile and waterfall methods will result in more robust and secure applications than those built using either agile or waterfall methods alone.' Taber has some ideas for how to combine the two opposing technologies — all of which sound like a project management nightmare. How do you handle this on your development projects?
itwbennett writes: This month's Android security bulletin was split into two parts: one with patches that apply to all Android devices, and one with patches that apply only to devices that contain the affected chipset drivers. The 2016-07-01 patch level includes device-agnostic fixes for 32 vulnerabilities: 8 rated critical, 15 of high severity and 9 moderate. The 2016-07-05 security patch level includes additional fixes for 75 vulnerabilities that are marked as device-specific. Twelve of these vulnerabilities are rated critical and are located in highly privileged components such as the Qualcomm GPU driver, the MediaTek Wi-Fi driver, the Qualcomm performance component, the NVIDIA video driver, the kernel file system, the USB driver and other unspecified MediaTek drivers.
itwbennett writes: Ashley Madison has been sharing information with the FTC since last August when a hack exposed details of millions of customers. Now, the NY Times reports that the FTC is investigating the service. Although Avid Life Media, which owns Ashley Madison, says it doesn't know the focus of the inquiry, one good guess is that it's related to the hackers' claim that Ashley Madison scammed its customers by deploying bots to make the site appear to have more female users than it really did.
itwbennett writes: Researchers from Bitdefender have found a new backdoor program that allows attackers to hijack Mac systems and control them over the Tor network. The malware, dubbed Backdoor.MAC.Eleanor, is distributed as a file converter application through reputable websites that offer Mac software. The malware 'allows attackers to execute commands and scripts, steal and modify files and take pictures using the webcam,' writes Lucian Constantin.