<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description>… and then THAT happened!</description><title>twice-refried news</title><generator>Tumblr (3.0; @ataferner)</generator><link>http://trn.n0t.net/</link><item><title>Hackers Release Symantec Source Code After Failed $50K Extortion Attempt</title><description>&lt;a href="http://www.wired.com/threatlevel/2012/02/symantec-extortion-attempt/"&gt;Hackers Release Symantec Source Code After Failed $50K Extortion Attempt&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Hackers with the Anonymous collective have released source code for Symantec’s pcAnywhere product after failing to secure $50,000 from the company in an extortion attempt. A hacker going by the online name YamaTough published 1.27 GB of the source code on Pirate Bay Monday night after negotiations to extort money from someone he believed was a Symantec employee fell through. In reality, the Symantec “employee” was an undercover law enforcement agent who was using a fake Symantec email address to communicate with the hacker.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.wired.com/threatlevel/2012/02/symantec-extortion-attempt/" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17329110948</link><guid>http://trn.n0t.net/post/17329110948</guid><pubDate>Thu, 09 Feb 2012 15:01:29 -0500</pubDate></item><item><title>What the RIAA Won’t Tell You: Users Matter</title><description>&lt;a href="https://www.eff.org/deeplinks/2012/02/what-riaa-won’t-tell-you-users-matter-0"&gt;What the RIAA Won’t Tell You: Users Matter&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;We really have to wonder when the message is going to sink in. On January 18, millions of Internet users spoke out together in one of the most profound and effective uses of technology to organize political opposition in U.S. history, sending a clear message to Congress that voters will not tolerate crippling of the Internet. But big content remains tone deaf to this chorus of Internet users.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="https://www.eff.org/deeplinks/2012/02/what-riaa-wont-tell-you-users-matter-0" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17329084596</link><guid>http://trn.n0t.net/post/17329084596</guid><pubDate>Thu, 09 Feb 2012 15:00:54 -0500</pubDate></item><item><title>The Password Analysis Red Herring</title><description>&lt;a href="http://www.secureconsulting.net/2012/02/password-analysis-red-herring.html"&gt;The Password Analysis Red Herring&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Alrighty, this will be a fairly light post (in terms of my own applied analysis)… and, apologies as it’s a wee bit behind the curve on various news pieces in the past couple months (I’d intended to write this in early January - oops!;). Please note that this post applies only to user passwords, and it does not apply to system and database passwords maintained within various environments. Main Thesis: All this password analysis on compromised user password databases is fairly absurd. The breaches themselves are not generally the result of user passwords being compromised. As such, the time spent analyzing these passwords is largely a waste of time because it does not appreciably represent much risk to businesses; especially not to those that were compromised.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.secureconsulting.net/2012/02/password-analysis-red-herring.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17329057744</link><guid>http://trn.n0t.net/post/17329057744</guid><pubDate>Thu, 09 Feb 2012 15:00:18 -0500</pubDate></item><item><title>Hackers outwit online banking identity security systems</title><description>&lt;a href="http://www.bbc.co.uk/news/technology-16812064"&gt;Hackers outwit online banking identity security systems&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned. After logging in to the bank’s real site, account holders are being tricked by the offer of training in a new “upgraded security system”. Money is then moved out of the account but this is hidden from the user.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.bbc.co.uk/news/technology-16812064" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17329019500</link><guid>http://trn.n0t.net/post/17329019500</guid><pubDate>Thu, 09 Feb 2012 14:59:24 -0500</pubDate></item><item><title>Mozilla considers removing Trustwave CA</title><description>&lt;a href="http://www.h-online.com/security/news/item/Mozilla-considers-removing-Trustwave-CA-1430998.html"&gt;Mozilla considers removing Trustwave CA&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Scandalised by the snooping certificate issued by Trustwave, a heise Security reader, Sebastian Wiesinger, has submitted a report to Mozilla’s bug database in which he requests that Trustwave’s root certificates be removed from all Mozilla products. Mozilla’s Kathleen Wilson, who handles the issue, has accepted the submission and requested a statement from Trustwave. Trustwave’s Brian Trzupek has already announced the release of further information which, he says, is still waiting for internal approval.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.h-online.com/security/news/item/Mozilla-considers-removing-Trustwave-CA-1430998.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17322101161</link><guid>http://trn.n0t.net/post/17322101161</guid><pubDate>Thu, 09 Feb 2012 11:45:09 -0500</pubDate></item><item><title>NSA Is Waiting For A Major Incident To Create New Cyber Law</title><description>&lt;a href="http://www.liquidmatrix.org/blog/2012/02/08/nsa-is-waiting-for-a-major-incident-to-create-new-cyber-law/"&gt;NSA Is Waiting For A Major Incident To Create New Cyber Law&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;So, it appears that the NSA is waiting for a major incident to create new cyber law. They have made it clear that they would enjoy nothing better than to have open access to private networks. This article from Jan 23, 2012 has some unsettling overtones in it.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.liquidmatrix.org/blog/2012/02/08/nsa-is-waiting-for-a-major-incident-to-create-new-cyber-law/" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17274205463</link><guid>http://trn.n0t.net/post/17274205463</guid><pubDate>Wed, 08 Feb 2012 14:43:11 -0500</pubDate></item><item><title>Game Theory, Anonymous Causality, and 2012</title><description>&lt;a href="https://krypt3ia.wordpress.com/2012/02/05/game-theory-anonymous-causality-and-2012/"&gt;Game Theory, Anonymous Causality, and 2012&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Anonymous being what it is, has always been susceptible to influence and infiltration from the outside as well as the inside. The nature of the movement is such that it resembles the cell structure of terrorist action groups like Al Qaeda have adopted over the years.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="https://krypt3ia.wordpress.com/2012/02/05/game-theory-anonymous-causality-and-2012/" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17274016189</link><guid>http://trn.n0t.net/post/17274016189</guid><pubDate>Wed, 08 Feb 2012 14:38:31 -0500</pubDate></item><item><title>Defendant Ordered to Decrypt Laptop May Have Forgotten Password</title><description>&lt;a href="http://www.wired.com/threatlevel/2012/02/forgotten-password/"&gt;Defendant Ordered to Decrypt Laptop May Have Forgotten Password&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;&lt;a href="http://www.wired.com/threatlevel/2012/02/forgotten-password/" target="_blank"&gt;http://www.wired.com/threatlevel/2012/02/forgotten-password/&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Full Article&lt;/p&gt;</description><link>http://trn.n0t.net/post/17273991322</link><guid>http://trn.n0t.net/post/17273991322</guid><pubDate>Wed, 08 Feb 2012 14:37:55 -0500</pubDate></item><item><title>Symantec: We Didn't Know in 2006 Source Code Was Stolen</title><description>&lt;a href="http://www.wired.com/threatlevel/2012/01/symantec-source-code-hack/"&gt;Symantec: We Didn't Know in 2006 Source Code Was Stolen&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Anti-virus giant Symantec says it did not know back in 2006 that source code for its software was stolen when it experienced a breach at that time. The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.wired.com/threatlevel/2012/01/symantec-source-code-hack/" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17224043686</link><guid>http://trn.n0t.net/post/17224043686</guid><pubDate>Tue, 07 Feb 2012 16:09:07 -0500</pubDate></item><item><title>Database Password Storage Exposes Need For Better ID Management</title><description>&lt;a href="http://www.darkreading.com/database-security/167901020/security/news/232500511/dreamhost-password-database-breach-highlights-need-for-better-identity-management.html"&gt;Database Password Storage Exposes Need For Better ID Management&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;The recent hack against a database full of FTP passwords held by Web hosting firm DreamHost highlights a growing database breach trend that’s seeing password stores exposed by the boatload. Though these databases contain sensitive authentication information, they’re often left far less protected than databases containing PII. Experts warn that if organizations are truly serious about their security and compliance programs, they need to either find better ways to secure the passwords in the databases they’re distributed across the network, or look for alternatives that will ditch this method of storage altogether.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.darkreading.com/database-security/167901020/security/news/232500511/dreamhost-password-database-breach-highlights-need-for-better-identity-management.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17224002306</link><guid>http://trn.n0t.net/post/17224002306</guid><pubDate>Tue, 07 Feb 2012 16:08:24 -0500</pubDate></item><item><title>Under Obama, the Freedom of Information Act is Still in Shackles</title><description>&lt;a href="https://www.eff.org/deeplinks/2012/01/under-obama-administration-freedom-information-act-still-shackles"&gt;Under Obama, the Freedom of Information Act is Still in Shackles&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Three years ago this past weekend, on his first full day in office, President Barack Obama issued his now infamous memo on transparency and open government, which was supposed to fulfill his campaign promise to lead the “most transparent administration in history.” Instead, his administration has been just as secretive—if not more so—than his predecessors, and the Freedom of Information Act (FOIA) has become the prime example of his administration’s lack of progress.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="https://www.eff.org/deeplinks/2012/01/under-obama-administration-freedom-information-act-still-shackles" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223708452</link><guid>http://trn.n0t.net/post/17223708452</guid><pubDate>Tue, 07 Feb 2012 16:03:06 -0500</pubDate></item><item><title>The Value Of Device Authentication</title><description>&lt;a href="http://www.darkreading.com/authentication/167901072/security/news/232500670/the-value-of-device-authentication.html"&gt;The Value Of Device Authentication&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Since the beginning of e-commerce in the mid-1990s, businesses noticed that transactions conducted online can be strengthened in assurance if we can “remember” that a particular device is the same that was used before to conduct successful transactions. A known device provides knowledge about the history of the device and can mitigate against fraudulent transactions that use stolen cards. Later on, similar techniques now referred to as device fingerprinting are quite popular in detecting devices that have been used to conduct fraud online. Several businesses have started up that provide knowledge about connected devices.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.darkreading.com/authentication/167901072/security/news/232500670/the-value-of-device-authentication.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223672804</link><guid>http://trn.n0t.net/post/17223672804</guid><pubDate>Tue, 07 Feb 2012 16:02:26 -0500</pubDate></item><item><title>The Future of Web Authentication</title><description>&lt;a href="http://www.darkreading.com/security/client-security/232500640/the-future-of-web-authentication.html"&gt;The Future of Web Authentication&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Web authentication protocols took a pounding last year. Problems with the Secure Sockets Layer and Transport Layer Security protocols, which encrypt all sorts of communication among websites, were at the center of several security breaches. Hacks of high-profile certificate authority providers undermined the security of some of the Internet’s biggest brands, including Google and Yahoo; new man-in-the-middle attacks hit the Web; and the powerful Beast vulnerability exposed the most commonly used versions of SSL and TLS. Taken as a whole, it appears the Internet’s trust model is broken. However, many security experts aren’t ready to scrap SSL. Rather than starting over, they recommend fixing the existing system. It’s clear that we need to evolve the way we authenticate on the Web; the question is, how?&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.darkreading.com/security/client-security/232500640/the-future-of-web-authentication.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223619727</link><guid>http://trn.n0t.net/post/17223619727</guid><pubDate>Tue, 07 Feb 2012 16:01:29 -0500</pubDate></item><item><title>Google, Facebook and Others Join to Write New Email-Authentication Spec Called DMARC</title><description>&lt;a href="https://threatpost.com/en_us/blogs/google-facebook-and-others-join-write-new-email-authentication-spec-called-dmarc-013012"&gt;Google, Facebook and Others Join to Write New Email-Authentication Spec Called DMARC&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Google, Yahoo, AOL and a group of other large email senders and receivers have banded together to develop a new framework for sending and receiving email that is designed to stop phishing attacks and other email-borne scams. Called DMARC.org, the new group has come up with a specification called Domain-based Message Authentication, Reporting and Compliance that implements message authentication through the mail-transport agent and not the sender or user agents.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="https://threatpost.com/en_us/blogs/google-facebook-and-others-join-write-new-email-authentication-spec-called-dmarc-013012" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223568882</link><guid>http://trn.n0t.net/post/17223568882</guid><pubDate>Tue, 07 Feb 2012 16:00:34 -0500</pubDate></item><item><title>The Art of Cyberwar</title><description>&lt;a href="http://www.internetevolution.com/author.asp?doc_id=237983"&gt;The Art of Cyberwar&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;The establishment of the US Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. The computer is not only a target but also a weapon. Therefore, national security thinkers must find a way to incorporate cyberattacks and defense into military doctrine as soon as possible. The world’s most influential military treatise is Sun Tzu’s Art of War. Its compelling and adaptive wisdom has survived myriad revolutions in technology and human conflict. And its tactics and strategies have been applied to other disciplines, including business, sports, and personal relationships. Future cybercommanders will also find Sun Tzu’s guidance beneficial. For example, on defense, he warns leaders never to rely on the good intentions of others or to count on best-case scenarios. This is sound advice in cyberspace, because computers are attacked from the moment they connect to the Internet.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.internetevolution.com/author.asp?doc_id=237983" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223522234</link><guid>http://trn.n0t.net/post/17223522234</guid><pubDate>Tue, 07 Feb 2012 15:59:44 -0500</pubDate></item><item><title>The Right to Anonymity is a Matter of Privacy</title><description>&lt;a href="https://www.eff.org/deeplinks/2012/01/right-anonymity-matter-privacy"&gt;The Right to Anonymity is a Matter of Privacy&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Throughout history, there have been a number of reasons why individuals have taken to writing or producing art under a pseudonym. In the 18th century, James Madison, Alexander Hamilton, and John Jay took on the pseudonym Publius to publish The Federalist Papers. In 19th century England, pseudonyms allowed women—like the Brontë sisters, who initially published under Currer, Ellis, and Acton Bell—to be taken seriously as writers. Today, pseudonyms continue to serve a range of individuals, and for a variety of reasons. At EFF, we view anonymity as both a matter of free speech and privacy, but in light of International Privacy Day, January 28, this piece will focus mainly on the latter, looking at the ways in which the right to anonymity—or pseudonymity—is truly a matter of privacy.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="https://www.eff.org/deeplinks/2012/01/right-anonymity-matter-privacy" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223474974</link><guid>http://trn.n0t.net/post/17223474974</guid><pubDate>Tue, 07 Feb 2012 15:58:51 -0500</pubDate></item><item><title>New Mobile-Phone Privacy Law Proposed</title><description>&lt;a href="http://www.wired.com/threatlevel/2012/01/new-mobile-phone-privacy-law-proposed/"&gt;New Mobile-Phone Privacy Law Proposed&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;Rep. Edward Markey (D-Massachusetts) unveiled draft legislation Monday requiring mobile-phone carriers to reveal if they are employing tracking software such as Carrier IQ. “Consumers have the right to know and to say ‘no’ to the presence of software on their mobile devices that can collect and transmit their personal and sensitive information,” Markey said in The Hill.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.wired.com/threatlevel/2012/01/new-mobile-phone-privacy-law-proposed/" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223335507</link><guid>http://trn.n0t.net/post/17223335507</guid><pubDate>Tue, 07 Feb 2012 15:56:15 -0500</pubDate></item><item><title>TSA discovery prompts New York bomb scare - six hours later</title><description>&lt;a href="http://www.cnn.com/2012/01/30/us/new-york-bomb-scare/index.html"&gt;TSA discovery prompts New York bomb scare - six hours later&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;A New York airport screener who removed two pipes from a traveler’s bag and set them aside Monday morning prompted a security scare six hours later when the next shift saw the pipes and feared they might be pipe bombs, local and federal officials said. The incident at New York’s LaGuardia Airport began at 11:30 a.m. when a screener discovered unidentifiable items inside a passenger’s carry-on bag. The officer screened the item for explosives, determined them not to be a threat and cleared the passenger through the checkpoint, a Transportation Security Administration official said.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.cnn.com/2012/01/30/us/new-york-bomb-scare/index.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17223289907</link><guid>http://trn.n0t.net/post/17223289907</guid><pubDate>Tue, 07 Feb 2012 15:55:24 -0500</pubDate></item><item><title>Carder Forced Gang Members to Have Sex to Weed Out Undercover Feds</title><description>&lt;a href="http://www.wired.com/threatlevel/2012/01/carder-sex-gang/"&gt;Carder Forced Gang Members to Have Sex to Weed Out Undercover Feds&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;The mastermind of a carding gang in Georgia devised a novel way for weeding out undercover Feds from his operation — he forced members to have group sex, according to a local police detective who helped bust the ring. Vikas Yadav, an Indian national who was deported in 2010, recruited other carders and mules through sadomasochism web sites, forcing would-be accomplices to have group sex with other men and women while Yadav videotaped them, according to the Athens Banner-Herald.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.wired.com/threatlevel/2012/01/carder-sex-gang/" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17222769770</link><guid>http://trn.n0t.net/post/17222769770</guid><pubDate>Tue, 07 Feb 2012 15:45:39 -0500</pubDate></item><item><title>Hacker extracts RFID credit card details</title><description>&lt;a href="http://www.h-online.com/security/news/item/Hacker-extracts-RFID-credit-card-details-1425974.html"&gt;Hacker extracts RFID credit card details&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;The widespread use, especially in US credit cards, of RFID chips which can be read through clothing or wallets for contactless payments can lead to cards being read without the owner’s knowledge or permission. At the Shmoocon security conference held in Washington D.C., US business magazine Forbes reports that Kristin Paget impressively demonstrated the ability to read data on RFID chipped credit cards and make a payment that hadn’t been authorised by the card owner. However, credit card manufacturers don’t think that there is an increased risk.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="http://www.h-online.com/security/news/item/Hacker-extracts-RFID-credit-card-details-1425974.html" target="_blank"&gt;Full Article&lt;/a&gt;&lt;/p&gt;</description><link>http://trn.n0t.net/post/17222249586</link><guid>http://trn.n0t.net/post/17222249586</guid><pubDate>Tue, 07 Feb 2012 15:35:38 -0500</pubDate></item></channel></rss>

