February 2012
64 posts
Hackers Release Symantec Source Code After Failed... →
Hackers with the Anonymous collective have released source code for Symantec’s pcAnywhere product after failing to secure $50,000 from the company in an extortion attempt. A hacker going by the online name YamaTough published 1.27 GB of the source code on Pirate Bay Monday night after negotiations to extort money from someone he believed was a Symantec employee fell through. In reality, the...
What the RIAA Won’t Tell You: Users Matter →
We really have to wonder when the message is going to sink in. On January 18, millions of Internet users spoke out together in one of the most profound and effective uses of technology to organize political opposition in U.S. history, sending a clear message to Congress that voters will not tolerate crippling of the Internet. But big content remains tone deaf to this chorus of Internet users.
...
The Password Analysis Red Herring →
Alrighty, this will be a fairly light post (in terms of my own applied analysis)… and, apologies as it’s a wee bit behind the curve on various news pieces in the past couple months (I’d intended to write this in early January - oops!;). Please note that this post applies only to user passwords, and it does not apply to system and database password maintained within various...
Hackers outwit online banking identity security... →
Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned. After logging in to the bank’s real site, account holders are being tricked by the offer of training in a new “upgraded security system”. Money is then moved out of the account but this is hidden from the user.
Mozilla considers removing Trustwave CA →
Scandalised by the snooping certificate issued by Trustwave, a heise Security reader, Sebastian Wiesinger, has submitted a report to Mozilla’s bug database in which he requests that Trustwave’s root certificates be removed from all Mozilla products. Mozilla’s Kathleen Wilson, who handles the issue, has accepted the submission and requested a statement from Trustwave....
NSA Is Waiting For A Major Incident To Create New... →
So, it appears that the NSA is waiting for a major incident to create new cyber law. They have made it clear that they would enjoy nothing better than to have open access to private networks. This article from Jan 23, 2012 has some unsettling overtones in it.
Game Theory, Anonymous Causality, and 2012 →
Anonymous being what it is, has always been susceptible to influence and infiltration from the outside as well as the inside. The nature of the movement is such that it resembles the cell structure that terrorist action groups like Al Qaeda have adopted over the years.
Defendant Ordered to Decrypt Laptop May Have... →
http://www.wired.com/threatlevel/2012/02/forgotten-password/
Symantec: We Didn't Know in 2006 Source Code Was... →
Anti-virus giant Symantec says it did not know back in 2006 that source code for its software was stolen when it experienced a breach at that time. The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.
...
Database Password Storage Exposes Need For Better... →
The recent hack against a database full of FTP passwords held by Web hosting firm DreamHost highlights a growing database breach trend that’s seeing password stores exposed by the boatload. Though these databases contain sensitive authentication information, they’re often left far less protected than databases containing PII. Experts warn that if organizations are truly serious about their...
Under Obama, the Freedom of Information Act is... →
Three years ago this past weekend, on his first full day in office, President Barack Obama issued his now infamous memo on transparency and open government, which was supposed to fulfill his campaign promise to lead the “most transparent administration in history.” Instead, his administration has been just as secretive—if not more so—than his predecessors, and the Freedom of Information Act...
The Value Of Device Authentication →
Since the beginning of e-commerce in the mid-1990s, businesses noticed that transactions conducted online can be strengthened in assurance if we can “remember” that a particular device is the same that was used before to conduct successful transactions. A known device provides knowledge about the history of the device and can mitigate against fraudulent transactions that use stolen cards. Later...
The Future of Web Authentication →
Web authentication protocols took a pounding last year. Problems with the Secure Sockets Layer and Transport Layer Security protocols, which encrypt all sorts of communication among websites, were at the center of several security breaches. Hacks of high-profile certificate authority providers undermined the security of some of the Internet’s biggest brands, including Google and Yahoo; new...
Google, Facebook and Others Join to Write New... →
Google, Yahoo, AOL and a group of other large email senders and receivers have banded together to develop a new framework for sending and receiving email that is designed to stop phishing attacks and other email-borne scams. Called DMARC.org, the new group has come up with a specification called Domain-based Message Authentication, Reporting and Compliance that implements message authentication...
The Art of Cyberwar →
The establishment of the US Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. The computer is not only a target but also a weapon. Therefore, national security thinkers must find a way to incorporate cyberattacks and defense into military doctrine as soon as possible. The world’s most influential military treatise is Sun Tzu’s Art of War. Its compelling and adaptive...
The Right to Anonymity is a Matter of Privacy →
Throughout history, there have been a number of reasons why individuals have taken to writing or producing art under a pseudonym. In the 18th century, James Madison, Alexander Hamilton, and John Jay took on the pseudonym Publius to publish The Federalist Papers. In 19th century England, pseudonyms allowed women—like the Brontë sisters, who initially published under Currer, Ellis, and Acton...
New Mobile-Phone Privacy Law Proposed →
Rep. Edward Markey (D-Massachusetts) unveiled draft legislation Monday requiring mobile-phone carriers to reveal if they are employing tracking software such as Carrier IQ. “Consumers have the right to know and to say ‘no’ to the presence of software on their mobile devices that can collect and transmit their personal and sensitive information,” Markey said in The Hill.
TSA discovery prompts New York bomb scare - six... →
A New York airport screener who removed two pipes from a traveler’s bag and set them aside Monday morning prompted a security scare six hours later when the next shift saw the pipes and feared they might be pipe bombs, local and federal officials said. The incident at New York’s LaGuardia Airport began at 11:30 a.m. when a screener discovered unidentifiable items inside a...
Carder Forced Gang Members to Have Sex to Weed Out... →
The mastermind of a carding gang in Georgia devised a novel way for weeding out undercover Feds from his operation — he forced members to have group sex, according to a local police detective who helped bust the ring. Vikas Yadav, an Indian national who was deported in 2010, recruited other carders and mules through sadomasochism web sites, forcing would-be accomplices to have group sex with...
Hacker extracts RFID credit card details →
The widespread use, especially in US credit cards, of RFID chips which can be read through clothing or wallets for contactless payments can lead to cards being read without the owner's knowledge or permission. At the Shmoocon security conference held in Washington D.C., US business magazine Forbes reports that Kristin Paget impressively demonstrated the ability to read data on RFID chipped credit...
Who’s Behind the World’s Largest Spam Botnet? →
A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet. Grum is the top spam botnet, according to M86Security. In the summer of 2010, hackers stole and leaked the database for SpamIt...
Google to Revise Privacy Policy, Terms of Service,... →
Google announced Tuesday that it will revamp its privacy policy and terms of service, boiling more than 60 privacy policies down to one comprehensive document that will extend across most of their products. Under the new policy all information entered by users via Google will be indexed together. Google is claiming the shift will help its users search and offer spelling and contextual...
Google+ Failed Because of Real Names →
It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google isn’t doing better, despite its many advantages. Obviously, Google wants to link Google profiles to things in the physical world that matter to its paying customers: advertisers. To me, the most...
Google and Pseudonyms: A Step in the Right... →
Nearly four months after first announcing it would support pseudonyms, Google rolled out changes to the account creation process for Google yesterday. The changes will allow users the option of choosing a nickname/alternate name to display in his or her Google profile, or choosing a pseudonym which is not linked to a real name. Nicknames address the needs of users who want to display the...
Google ups ante for Chrome hack at revamped... →
HP TippingPoint, the long-time sponsor of the annual Pwn2Own hacking contest, has dramatically revamped the challenge and will be awarding a first prize of $60,000 this year, four times 2011’s top reward. Google will also significantly increase the money it potentially will pay to people able to hack its Chrome browser at the contest. Pwn2Own will take place over a three-day stretch in...
Microsoft: Worm Operator Worked at Antivirus Firm →
In a surprise filing made late Monday, Microsoft said a former technical expert at a Russian antivirus firm was the person responsible for operating the Kelihos botnet, a global spam machine that Microsoft dismantled in a coordinated takedown last year. In a post to the Official Microsoft Blog, the company identified 31-year-old Andrey N. Sabelnikov of St. Petersburg, Russia as...
Zappos, Amazon Sued Over Data Breach →
Shoe retailer Zappos.com and its parent company, Amazon.com, are being sued for exposing customer data in a breach affecting some 24 million customers. According to an Associated Press report on the lawsuit against Zappos, a Texas woman has taken the lead in the Kentucky lawsuit, alleging that she and millions of other customers were harmed by the release of personal account information.
US Supreme Court Ends Warrantless GPS Tracking →
In a decision that was closely watched by civil liberties groups and the technology industry, the Supreme Court has ruled unanimously that GPS tracking devices constitute a “search” and that authorities must obtain a warrant before placing one on a suspect’s vehicle. In a rare 9-0 vote, the Court ruled in United States vs. Jones that federal authorities who placed a GPS...
DreamHost Warns of Attack, Forces Customer... →
Attackers were able to compromise a database at DreamHost, a large hosting provider, late last week and the company is forcing all of its customers to change their passwords for their FTP and shell accounts as a precautionary measure. DreamHost did not provide many details about what happened in the incident, only saying that they “detected some unauthorized activity within one of our...
Mozilla's BrowserID moves forward →
Mozilla’s BrowserID project, which aims to provide a simpler, more portable decentralised login and identity management platform, has moved forward with its first deployment within the non-profit organisation. Launched in July 2011, BrowserID is Mozilla’s alternative to the somewhat stalled OpenID initiative. Over the new year, Mozilla rolled out a non-localised, English-only,...
Anonymous's new weapon →
Anonymous activists are using a specially crafted web page which sends mass requests to the justice.gov domain for a DDoS attack launched on Thursday on the US Department of Justice web site. When a user visits the web page, a short piece of JavaScript causes the user’s browser to flood the government department’s server with HTTP requests. The web page is being hosted at sites...
The Internet Spoke and, Finally, Congress... →
The misguided proponents of the disastrous Internet blacklist bills have blinked. Today, Senator Harry Reid announced he would postpone a cloture vote on PIPA scheduled for next Tuesday, which means, as a practical matter, that the bill is dead for now. Shortly after that announcement, Representative Lamar Smith issued a statement conceding PIPA’s evil House stepsister, the Stop Online...
U.S. Shuts Down Megaupload File-Sharing Site,... →
A day after the Internet was abuzz with protests of the proposed SOPA and PIPA anti-piracy bills, the Department of Justice took a major action against many of the top executives of Megaupload, a popular file-sharing site that the government says was the basis for an “international organized criminal enterprise allegedly responsible for massive worldwide online piracy of numerous types of...
After Historic Protest, Members of Congress... →
Yesterday, in the largest online protest in Internet history, more than 115,000 websites altered millions of web pages to stand in opposition to SOPA and PIPA, the Internet blacklist bills. Some sites — Wikipedia, Reddit, Boing Boing, Craigslist and others — completely shut down for the day, replacing their sites with material to educate the public about the bill’s dangers. Others, like Google...
Feds Shutter Megaupload, Arrest Executives →
Megaupload, the popular file-sharing site, was shuttered Thursday and its executives indicted by the Justice Department in what the authorities said was “among the largest criminal copyright cases ever brought by the United States.” Seven individuals connected to the Hong Kong-based site were indicted on a variety of charges, including criminal copyright infringement and conspiracy to commit...
CYBER ESPIONAGE! Ya Know, It’s Espionage… With... →
Cyber Espionage: A Buzzword Of’t Overused and Now Reinvented by Certain Players Ok, so over the last few days I have had this story from Island sticking in my craw. I went to the source and told him he was misinformed and made a statement that was wrong. His prevarications after my statement SHOULD have told me that he had no intention of even entertaining the idea that he was wrong, so, here I...
Thank You, Internet! And the Fight Continues →
Today was a truly inspiring day in Internet history. Working together, we sent a powerful message to Big Media and the misguided proponents of the Internet blacklist legislation: we will not stand idly by and let you hamper innovation, kill jobs, wreak havoc on Internet security, and undermine free speech. Supporters of SOPA and PIPA say the Internet Blackout day was a “publicity...
SOPA, Internet Regulation and the Economics of... →
Earlier this month, I detailed at some length why claims about the purported economic harms of piracy, offered by supporters of the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA), ought to be treated with much more skepticism than they generally get from journalists and policymakers. My own view is that this ought to be rather secondary to the policy discussion: SOPA and...
January 18: Internet-Wide Protests Against the... →
Join EFF and websites across the world in protesting the dangerous censorship legislation currently pending in Congress. On January 18th, EFF will join websites across the world in standing up against the proposed blacklist bills (SOPA in the House and the PROTECT IP Act in the Senate). EFF is calling on websites to be part of the protest by blacking out their logos, posting statements opposing...
How PIPA and SOPA Violate White House Principles... →
Over the weekend, the Obama administration issued a potentially game-changing statement on the blacklist bills, saying it would oppose PIPA and SOPA as written, and drew an important line in the sand by emphasizing that it “will not support” any bill “that reduces freedom of expression, increases cybersecurity risk, or undermines the dynamic, innovative global Internet.” Yet, the fight is...
AntiSec publishes 935,000 records taken from... →
On Thursday, AntiSec supporters published nearly a million records, including usernames, email addresses, home addresses, phone numbers, credit card details, and hashed passwords - taken during the Christmas Eve attack against the open source intelligence firm, Stratfor. Strategic Forecasting Inc., better known as Stratfor, is an intelligence gathering firm located in Austin, Texas. On Christmas...
Leaked memo outlines backdoor usage for government... →
Last week, The Tech Herald reported on the Indian group Lords of Dharmaraja, and their plan to release information taken from a recent breach of servers maintained by India’s military intelligence division. The story focused on Symantec’s source code, but has since expanded to India’s use of communication intercept protocols. As it turns out, the Lords of Dharmaraja released a memo where a group...
Hacked! →
As email, documents, and almost every aspect of our professional and personal lives moves onto the “cloud”—remote servers we rely on to store, guard, and make available all of our data whenever and from wherever we want them, all the time and into eternity—a brush with disaster reminds the author and his wife just how vulnerable those data can be. A trip to the inner fortress of Gmail, where...
Hello sir, I Just Sent You A PDF.. Can You Open It... →
This morning I happened to overhear a conversation and a phone call that spurred it that, once all was said and done, had me thinking “WTF?” The phone call came in to a *NIX admin who was asked to verify the number of pages within a pdf file that had been sent to them by the salesman on the phone. *blink*
VeriSign Hit by Hackers in 2010 →
Internet giant VeriSign was hacked repeatedly in 2010 resulting in the theft of undisclosed information and raising questions about the integrity of security certificates issued by the company as well as its domain name service. The breaches were disclosed in vague language in a Securities and Exchange Commission filing last October in accordance with new SEC guidelines requiring companies to...
Google discusses Android security measures →
For the last year, discussions about the risk mobile devices, and the applications they run, have filled the headlines and annual reports of countless security vendors. On Thursday, Google opened up some on the measures they’ve taken to protect the people who’ve come to rely on the Android Market for their application needs. The Android platform is the fastest growing mobile device platform in...
The need for truthful and honest product... →
The exponential rise in cyber-attacks and the seemingly lock-step proliferation of security products to safeguard against said attacks seem to have created an unintelligible quagmire for consumers of IT security products. Simply put, consumers have to wade through marketing propaganda and techno-speak in their quest for some form of reasonable assurance of a safe, private internet experience....
Key Internet operator VeriSign hit by hackers →
VeriSign Inc, the company in charge of delivering people safely to more than half the world’s websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company. The previously unreported breaches occurred in 2010 at the Reston, Virginia-based company, which is ultimately responsible for the integrity of Web addresses ending...
Dear Verisign: Trust requires Transparency →
On their blog, Verisign made the following statement, which I’ll quote in full: