Tuesday, June 30, 2015

Cisco Security Appliances contain a default SSH Key

From Security Affairs:
Cisco Security Appliances contain a default SSH Key

Security experts at Cisco discovered a default SSH key in many Cisco security appliances; an attacker could use it to establish an SSH connection and control the devices. The abuse of the SSH key could represent a serious problem for enterprises and organizations that are exposed to cyber attacks. According to Cisco, Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the security issue.

How to survive a compliance audit

From Help Net Security:

How to survive a compliance audit

Ipswitch polled 313 IT professionals in the United States, with 59 percent noting that they were not fully prepared to undergo an audit. Additionally, 75 percent of respondents lacked confidence that colleagues authorized to work with sensitive information are adequately protecting it.

When asked what they would be willing to do instead of a compliance audit, nearly half of all respondents (46 percent) would either undergo a root canal procedure, work over the holidays, live without electricity for a week or eat a live jellyfish.

Darknets in the Deep Web, the home of assassins and pedophiles

From Security Affairs:

Darknets in the Deep Web, the home of assassins and pedophiles

Security experts at Trend Micro published a report on the Deep Web and related illegal activities that exploit the darknets it contains.

Experts at TrendMicro published an interesting report on the Deep Web focusing their analysis on the services and products available in the dark part of the internet that is not indexed by the principal search engines.

Why Hackers Are Trying to Get Into Your Refrigerator

From Inc. Magazine:

Why Hackers Are Trying to Get Into Your Refrigerator

More and more, the physical world and the online world are intricately connected. Vital systems that support life and civilization are connected to the Internet--the power grid, sewers, transportation, and many others. And all that critical infrastructure is run by error-prone humans, meaning it's vulnerable to devastating cyberattacks.

On a more local, personal scale, an ever-increasing number of consumer gadgets and appliances are now equipped to communicate over the Internet. By 2020, market research firm IDC estimates, the so-called Internet of Things will comprise 200 billion devices. As with our infrastructure, however, connecting all that equipment makes it a potential target for hackers. Unfortunately, medical devices, smart TVs, refrigerators, and thermostats do not have proper security protocols.

How Big Data Analytics Can Help Track Money Laundering

From Data Mashup:

How Big Data Analytics Can Help Track Money Laundering

For the past decade, governments around the world have established international anti-money laundering (AML) and counter-terrorist financing efforts in an effort to shut down the cross-border flow of funds to criminal and terrorist organizations. Their success has encouraged criminals to move their cash smuggling away from the financial system to the byzantine world of global trade. According to PwC US, big data analytics are becoming essential to tracking these activities.

Europol takes down high profile Ukraine-based cybergang

From SC:

Europol takes down high profile Ukraine-based cybergang

A Joint Investigative Team (JIT) took down a major Ukrainian-based cybergang in June, Europol said Thursday. Between June 18 and 19 authorities arrested five members of an alleged gang that has been accused of infecting tens of thousands with malware and banking trojans.

The goal of the JIT was to target high-level cybercriminals suspected of developing, exploiting and distributing Zeus and SpyEye malware along with their accomplices, according to a release. The gang targeted several major banks across the continent, modifying their trojans over time to defeat the banks' security protocols and using “mule networks” to launder money.

Stealthy Fobber Malware Takes Anti-Analysis To New Heights

From Dark Reading:

Stealthy Fobber Malware Takes Anti-Analysis To New Heights

Built off the Tinba banking Trojan and distributed through the elusive HanJuan exploit kit, Fobber info-stealer defies researchers with layers upon layers of encryption.

A stealthy new info-stealing browser injection malware aims to make security researchers' job very difficult. Fobber evades detection and defies analysis by sliding from one program to another, using randomly generated filenames, encrypting command-and-control communications with a custom algorithm, and encrypting individual pieces of code within the payload, so that each function must be separately, painstakingly decrypted before it can be run.

Cyber War Puts Democracies on the Defensive

From Defense One:

Cyber War Puts Democracies on the Defensive

This month, two years after his massive leak of NSA documents detailing U.S. surveillance programs, Edward Snowden published an op-ed in The New York Times celebrating his accomplishments. The “power of an informed public,” he wrote, had forced the U.S. government to scrap its bulk collection of phone records. Moreover, he noted, “Since 2013, institutions across Europe have ruled similar laws and operations illegal and imposed new restrictions on future activities.” He concluded by asserting that “We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason.”

Maybe so. I am glad that my privacy is now more protected from meddling by U.S. and European democracies. But frankly, I am far more concerned about the cyber threats to my privacy posed by Russia, China, and other authoritarian regimes than the surveillance threats from Washington. You should be too.

Learn about Kid-friendly Topics and Events for July

From Kids.gov:

These UN maps show how drugs flow around the globe

From Business Insider:

These UN maps show how drugs flow around the globe

Increasingly globalized drug trafficking markets and constantly changing routes and transit points are challenging established anti-drug law enforcement practices, according to the World Drug Report.

Although no major changes appeared in crop cultivation and drug manufacturing regions, new challenges such as the "dark net," have profound implications for both law enforcement and drug trafficking, according to the report.

Cyber Attack Reveals Weakness in Government Security

From Social Times:

Cyber Attack Reveals Weakness in Government Security

The concept of a cyberwar is no longer relegated to the pages of science fiction. Many states may have already built weapons to fight this war, and the U.S. government is working to secure online resources to protect against cyber attacks. However, attacks are still slipping through, including a recent attack on U.S. Office of Personnel Management, that may have exposed the data of millions.

FBI Hack Tools OPM

PDF file from the FBI detailing indicators of compromise (IOC) for the Office of Personnel Management breach:

FBI Hack Tools OPM.pdf

Fireworks Information Center

Let me just say that I think all fireworks should be legal. Unfortunately people do not exercise the best judgment when using them. Be safe and enjoy Independence Day.

From Kids.gov:

Fireworks Information Center

Fireworks are synonymous with our celebration of Independence Day. Yet, the thrill of fireworks can also bring pain. 230 people on average go to the emergency room every day with fireworks-related injuries in the month around the July 4th holiday.

IT University Online 75% off courses

From IT University Online, special summer sale offering a whopping 75% off all courses:

Hot Summer Sale All Courses 75% off

Monday, June 29, 2015

Apple starts production on next-gen iPhone, report says

From Fox News:

Apple starts production on next-gen iPhone, report says

Is the next iPhone nearly upon us? Apple has begun “early production” of the next-generation iPhone with volume production possibly starting next month, according to a report from Bloomberg. Citing people with knowledge of the matter, the report says that the future iPhone will come with a touch technology called Force Touch.

Force Touch -- which senses how hard the screen is tapped -- was first used in the Apple Watch and 12-inch Retina MacBook. For example, with the Watch, pressing firmly on the screen lets you select new watch faces, control a workout, or search an address in Maps. Apple claims Force Touch “is the most significant new sensing capability since Multi‑Touch” – the tap, scroll, pinch, and swipe gestures found on MacBooks.

NIST Revises Key Computer Security Publication on Random Number Generation

For all you crypto enthusiasts out there.

From the National Institute of Standards and Technology:

NIST Revises Key Computer Security Publication on Random Number Generation

In response to public concerns about cryptographic security, the National Institute of Standards and Technology (NIST) has formally revised its recommended methods for generating random numbers, a crucial element in protecting private messages and other types of electronic data. The action implements changes to the methods that were proposed by NIST last year in a draft document issued for public comment.

The updated document, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, describes algorithms that can be used to reliably generate random numbers, a key step in data encryption. 

SBA "Startup Day Initiative"

From the US Small Business Association:

Startup in a Day

The Startup in a Day initiative aims to make it easier for entrepreneurs to start a business by reducing the amount of time it takes to register and apply for permits and licenses on the local level.  Cities and Native American communities across the United States are encouraged to get involved.

Apple tweaks iOS 9 to stop advertisers getting our app data

From Sophos Naked Security:

Apple tweaks iOS 9 to stop advertisers getting our app data

There's a handy little application programming interface (API) in iOS called "canOpenURL."

It's supposed to make it easier for apps to communicate.

But Apple said recently that app developers and advertisers like Twitter and Facebook are using it to snoop on what apps we've downloaded (better yet, which apps we've actually paid for), so that they can then target-pitch their own wares - be they games, camera apps, or whatever our download histories reveal we might go for.

Court orders Facebook to identify revenge porn poster

From Sophos Naked Security:

Court orders Facebook to identify revenge porn poster

Facebook has been ordered to help a young woman find out who published an intimate video of her on the social network without her permission.

The judgement was made after a 21-year-old Dutch woman sued Facebook when a video of her performing a sex act on her ex-boyfriend was uploaded to the site in January.

Siri "9/11 conspiracy theory" joke is no laughing matter, say police

From Sophos Naked Security:

Siri "9/11 conspiracy theory" joke is no laughing matter, say police

There are events in the human compass that just don't lend themselves to being turned into comic moments.

Jokes about 9/11, for example, aren't funny even at the best of times.

But 9/11 "humour" took a doubly-distressing turn in the past week, according to CBC.

Private eye jailed for hacking email of Scientology critics and others

From Sophos Naked Security:

Private eye jailed for hacking email of Scientology critics and others

A private investigator from Astoria, New York who broke into the email accounts of two prominent critics of the Church of Scientology was sentenced on Friday in federal court to three months in jail.

Eric Saldarriaga pled guilty on 5 March to one count of conspiracy to commit computer hacking.

Besides the jail time - which is half of what the court's own probation department sought - he'll also be serving three years of supervised probation and will be fined $1,000 (£635).

One man emailed 97,931 people to tell them their passwords had been stolen

From Sophos Naked Security:

One man emailed 97,931 people to tell them their passwords had been stolen

If you found a wallet lying in the street that contained thirty dollars and the owner's address would you return it?

'Atechdad' would.

Atechdad is the creator of the hacked site gallery urhack.com and he's more familiar than most with the bits of the web where personally identifiable detritus washes up from so many internet break-ins.

He is, in his own words, somebody who runs "across lots of passwords on the webs".

Stop Abuse Online site launches to help tackle cyberbullying

From Sophos Naked Security:

Stop Abuse Online site launches to help tackle cyberbullying

The UK government has launched a new website that aims to help victims of online abuse.

Aimed primarily at women and LGBT (lesbian, gay, bisexual and transgender people), which it says are the most abused groups on the internet, the site offers advice on finding help and reporting offences, as well as getting offensive content removed.

Stop Abuse Online, launched on Saturday, says the rapid rise in popularity of social networks, online gaming, chat rooms and online dating, facilitated by the prevalence of smartphones, has created an environment in which the amount of communication and information on the web has led to an increase in undesirable behaviour.

Spearphishing gets personal as woman scammed out of £50k house deposit

From Sophos Naked Security:

Spearphishing gets personal as woman scammed out of £50k house deposit

A London woman has been scammed out of almost £50,000, thinking she was sending it to her solicitor as a down-payment on a house purchase, after crooks apparently gained access to her email account and monitored her online conversations.

58-year-old Vivian Gabb, a self-employed single mother, was in the process of buying a house when she received an email purporting to come from her solicitor, asking her to change the account information she used for making payments to the firm and requesting that she send the sum of £46,703.20 (about $73,000), which she was already expecting to have to pay, into the new account.

FTC Alert: FTC stops robocall scam

From the Federal Trade Commission:

FTC stops robocall scam

Tired of robocalls? The FTC just shut down Payless Solutions, a scam using illegal robocalls to lie about lowering your credit card interest rate.

Here’s the scam: A robocall – often from “Card Services” – says that you qualify for a special program to lower your credit card interest rate, save thousands of dollars, and pay off debts sooner. If you press a number, a representative might tell you they work for your bank or credit card company. They don’t.

Cybersquatters giving some US presidential candidates a bad name

From Sophos Naked Security:

Cybersquatters giving some US presidential candidates a bad name

Chris Christie, the governor of New Jersey, is about to announce he's running to become the next president of the United States - something he alluded to this past weekend when he began tweeting out links to his website, chrischristie.com.

But first, Governor Christie needed to secure the website domain from its previous owner, a computer programmer from Wisconsin with the same name.

FTC Alert: Is your phone a prized possession?

From the Federal Trade Commission:

Is your phone a prized possession?

Let’s be honest: I spend more time playing games on my smart phone than talking on it. Our phones have become our family photo albums, personal gaming systems, calendars, encyclopedias, navigators, and instant messengers. If you can think of an activity, there’s probably an app for it.

Unfortunately, some apps might not be what they claim, and downloading the wrong app could put your phone on the fritz. According to the FTC, that’s what happened to thousands of people who downloaded the Prized app before it was removed from the app store.

Latest Flash hole already exploited to deliver ransomware - update now!

From Sophos Naked Security:

Latest Flash hole already exploited to deliver ransomware - update now!

Are you still using Flash in your browser?

If so, make certain you've got the latest update from Adobe, even though it only came out last week.

Ideally, you'll have 18.0.0.194, announced in Adobe Security Bulletin APSB15-14, issued on 2015-06-23.

Wednesday, June 10, 2015

Practical IT: Beware these 3 web security myths

From Sophos Naked Security:


Practical IT: Beware these 3 web security myths


If you're in charge of IT security, keeping users safe on the web is one of the biggest problems you face. But there are some outdated notions about threats that can get in the way of effective security.


Protecting users on the web requires you to think about all the ways users access it, and the different weapons cybercriminals have in their arsenals for getting around traditional anti-virus security.

FBI Traces ‘Celebgate’ Nude Photo Hack To Chicago Home

From CBS Chicago:


FBI Traces ‘Celebgate’ Nude Photo Hack To Chicago Home


CHICAGO (CBS) — It’s one of the biggest celebrity nude photo leaks ever and CBS 2 has learned the suspected hacker lives in Chicago.


The FBI has traced a computer to the South Side of Chicago. CBS 2’s Mike Parker found the house in question.

The Government Wants Names of Online Commenters Who Trashed the Silk Road Judge

From Motherboard:


The Government Wants Names of Online Commenters Who Trashed the Silk Road Judge


The Department of Justice has ordered libertarian website Reason.com to turn over the information of six commenters after they made threats against the federal judge who presided over the Silk Road trial.


Ken White of the blog Popehat obtained the grand jury subpoena issued by the Department of Justice last week, which demands "any and all identifying information” the website has pertaining to the threatening commenters. This includes email addresses, telephone numbers, IP addresses, and billing information associated with the accounts.

Friday, June 5, 2015

Hijacking WhatsApp Account In Seconds Using This Simple Trick

From The Hacker News:


Hijacking WhatsApp Account In Seconds Using This Simple Trick


The hugely popular smartphone messaging service WhatsApp, acquired by Facebook for over $20 billion last year, has reportedly been found to be prone to hijacking without unlocking or knowing your device password, making its hundreds of Millions of users vulnerable to, not just hackers, but also non-technical people.

How Apple Pay Can Be Hacked to Steal Your Credit Card Details

From The Hacker News:


How Apple Pay Can Be Hacked to Steal Your Credit Card Details


Today anywhere you go, you will come across Free or Public WiFi hotspots -- it makes our travel easier when we're stuck without a data connection.

Facebook Messenger no longer tracks your location by default

From Sophos Naked Security:


Facebook Messenger no longer tracks your location by default


Good news privacy fans - Facebook Messenger will no longer track and make your location available by default.


Instead, to share your location, you will now have to tap on the "More" button on the bottom right-hand side of the screen and then tap on "Location". Next, either send your current location - signified by a blue circle on the map - or pin an alternative location, such as a local restaurant or other meeting place.

Stagnant budgets and rising insider security threats

From Help Net Security:


Stagnant budgets and rising insider security threats


A Vectra Networks survey of more than 500 cybersecurity professionals in the Information Security Community on LinkedIn reveals that insider threats are rising, but IT security budgets are not. Of those surveyed, 68 percent feel vulnerable to insider threats and less than half feel they have sufficient control over insider threats.

Amazon, Google race to get your DNA into the cloud

From Fox News:


Amazon, Google race to get your DNA into the cloud


Amazon.com Inc is in a race against Google Inc to store data on human DNA, seeking both bragging rights in helping scientists make new medical discoveries and market share in a business that may be worth $1 billion a year by 2018.


Academic institutions and healthcare companies are picking sides between their cloud computing offerings - Google Genomics or Amazon Web Services - spurring the two to one-up each other as they win high-profile genomics business, according to interviews with researchers, industry consultants and analysts.

CSA releases tool for personal data legal protection

From Help Net Security:


CSA releases tool for personal data legal protection


At Infosecurity Europe 2015, the Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group released the Privacy Level Agreement (PLA) v2, a tool that provides cloud customers and potential customers, of any size, with a mechanism to identify a baseline of mandatory personal data protection legal requirements across the EU.

It also allows cloud customers the ability to evaluate the level of personal data protection offered by different cloud service providers (CSPs). PLA v2 also addresses the needs of CSPs by providing a guidance to achieve compliance with mandatory privacy legislations across the EU and a simple way to disclose, in a structured way, the level of personal data protection that they offer to customers.

70% of breaches are detected by a third-party

From Help Net Security:


70% of breaches are detected by a third-party


46 percent of organizations that have suffered a data breach took more than four months to detect a problem, and more than three months to mitigate the risk. Worryingly, the survey of 1,000 IT professionals, conducted by OnePoll on behalf of LogRhythm, also revealed that 70 percent of breaches were detected by a third-party, rather than the organization itself.

Perhaps unsurprisingly, 73 percent believe their company’s data is vulnerable to being hacked, while 47 percent think their company should be doing more to improve the time it takes to detect and respond to threats.

Discovering connections between attackers

From Help Net Security:


Discovering connections between attackers



California passes law requiring warrant to search computers, cellphones and tablets

From Sophos Naked Security:


California passes law requiring warrant to search computers, cellphones and tablets


The hodgepodge of US state and federal laws about phone searches, some of which say that police need a warrant and some of which say they don't, just got a bit messier.


As the LA Times reports, California on Wednesday joined the ranks of states that require police to have a warrant if they want to search computers, mobile phones, tablets and other devices, or if they want to siphon off location data from any of those devices.

Office of Personnel Management (OPM) & Interior Department Data Breach

This is potentially huge. I will keep updating links as needed.


OnGuardOnline.gov


OPM data breach – what should you do?


A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 


Fox News:


US believes China behind cybersecurity breach affecting at least 4M federal employees


Hackers based in China are believed to be behind a massive data breach that could have compromised the personal data of at least 4 million current and former federal employees, U.S. officials said late Thursday.


Help Net Security:


Personal info of 4 million US government workers compromised in OPM breach


Approximately 4 million US federal employees, both current and former, will start receiving a breach notification alerting them that their personal information has potentially been compromised.

The reason for the notification is the discovery of a breach of the US Office of Personnel Management's (OPM) network. The OPM is an independent agency of the US federal government, which recruits and retains government employees, keeps records of their work, conducts background investigations for prospective employees and security clearances across government, and so on.



CNN:


U.S. government hacked; feds think China is the culprit


Four million current and former federal employees, from nearly every government agency, might have had their personal information stolen by Chinese hackers, U.S. investigators said.

U.S. officials believe this could be the biggest breach ever of the government's computer networks. China called the allegation irresponsible.

NewsMax:

China's Hack of Millions Tied to Healthcare Record Thefts



The disclosure by U.S. officials that Chinese hackers stole records of as many as 4 million government workers is now being linked to the thefts of personal information from healthcare companies.
 
Forensic evidence indicates that the group of hackers responsible for the U.S. government breach announced Thursday likely carried out attacks on health-insurance providers Anthem Inc. and Premera Blue Cross that were reported earlier this year, said John Hultquist of iSight Partners Inc., a cyber intelligence company that works with federal investigators.


NewsMax:


Security Expert: No Stopping Hackers From Stealing Data

A security expert tells Newsmax there's no stopping hackers who want to steal personal data because of "pinholes" in security systems.

During an interview with Ed Berliner on Newsmax TV's "The Hard Line," Charles D. Morgan — the CEO of PrivacyStar and author of "Matters of Life and Data" — talks about cyber security in the wake of the massive data breach reported Thursday.



Dark Reading:


Breach Exposes 4 Million Federal Employees' Personal Info


Attackers hit U.S. Office of Personnel Management and Department of the Interior.
The personal information of 4 million U.S. federal employees was compromised in a breach affecting the U.S. Office of Personnel Management and Department of the Interior, according to a statement issued this evening by the Department of Homeland Security. The breach might affect every government agency.

Dark Reading:


Intrusion continues spate of breaches at federal organizations over past few months.
The massive data breach disclosed by the U.S. Office of Personnel Management (OPM) Thursday shows that federal government efforts at shoring up its cybersecurity remain a work in progress.

Thursday, June 4, 2015

16-31 May 2015 Cyber Attacks Timeline

From Hackmageddon:


16-31 May 2015 Cyber Attacks Timeline


It’s finally time to publish the timeline of the main cyber attacks that occurred in the second half of May.

A two-week period that will be remembered for an unprecedented trail of massive breaches, started with Pacnet (number of victims unknown), and continued throughout the month with CareFirst BlueCross BlueShield (1.1 million victims), Adultfriendfinder (4 million), the Saudi Ministry of Foreign Affairs (1 million), the Internal Revenue Systems (100,000), the music streaming portal Gaana.com (7.5 million) and, last but not least, Japan’s universal public pension system (1.25 million), with a resulting damage report exceeding 10 million compromised individuals.

A new Facebook scam in the wild that aims to steal sensitive data by proposing “Facebook Recovery” accounts that share malicious links.

From Security Affairs:


A new Facebook scam in the wild that aims to steal sensitive data by proposing “Facebook Recovery” accounts that share malicious links.

It’s not new that Facebook is the perfect place to try to get precious information and financial gain, since it aggregates many people, crossing all generations. The popular social network is very attractive for cyber criminals, and Facebook scams are “on the agenda”.

This time we are talking about one of the most recent Facebook scams, which was uncovered by researchers at Malwarebytes.org.

What Data Breaches Now Cost And Why

From Dark Reading:


What Data Breaches Now Cost And Why


New Ponemon report says the cost of a data breach has increased by 23% and healthcare and education breaches are the most pricey.


The actual cost of a data breach is all about industry sector and location, location, location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany and the US cost victim organizations more than anywhere else in the world. Such incidents in Brazil and India cost the least, according to the new Ponemon Group 2015 Cost of a Data Breach Study: Global Analysis.

IoT Devices Hosted On Vulnerable Clouds In 'Bad Neighborhoods'

From Dark Reading:


IoT Devices Hosted On Vulnerable Clouds In 'Bad Neighborhoods'


OpenDNS report finds that organizations may be more susceptible to Internet of Things devices than they realize.
Internet of Things devices do create new opportunities for attackers to remotely exploit organizations that are too casual about securing their corporate network from unfamiliar Fitbits, according to new research released today by OpenDNS.

Twin brothers accused of leading phishing gang busted by Russian police

From Sophos Naked Security:


Twin brothers accused of leading phishing gang busted by Russian police


In the history of cybercrime, some of the worst offenders, the biggest breaches, and the baddest malware have come from Russia.


Some recent examples of major hacks carried out by Russian cybergangs include the compromise of the White House email system and the emails of President Obama; the breach of the IRS and thousands of US taxpayers' accounts; and the amassing of more than a billion username and password combinations that spurred fears of the "biggest hack in history."

Skype can no longer be crashed with these eight characters

From Sophos Naked Security:


Skype can no longer be crashed with these eight characters


Such an innocent - and 7/8ths worth of ubiquitous! - set of characters, that "http://:" (minus the quotes).


Not for Skype, though, as it turns out. They're more like Kryptonite to the internet chat app.


As of Wednesday, Skype had reportedly fixed this simple-to-exploit bug.

Microsoft Windows 10: Three Security Features To Know About

From Dark Reading:


Microsoft Windows 10: Three Security Features To Know About


Microsoft's next-generation operating system Windows 10 will be available as a free upgrade to Windows 7 and 8.1 users on July 29. But Windows Enterprise version customers will have to wait until later this year.
Application-vetting and biometric authentication headline the new main security features in Microsoft's new Windows 10 operating system, which the company today said will begin shipping for free on July 29 to users of Windows 7 and 8.

Facebook Requires SHA-2 as of Oct. 1

From ThreatPost:


Facebook Requires SHA-2 as of Oct. 1


Facebook has put developers on notice that as of Oct. 1, apps that do not support SHA-2 will no longer connect to its network.


With Tuesday’s announcement, the tech giant has fallen in line alongside Google, Mozilla and Microsoft in deprecating the SHA-1 and older hash algorithms.

Privacy Proponents Rally In Favor of Tracking Protection in Firefox

From ThreatPost:


Privacy Proponents Rally In Favor of Tracking Protection in Firefox


Privacy advocates are calling on Mozilla to better deploy Tracking Protection, a technology that offers more stringent privacy and speeds up page loads by blocking requests to tracking domains, in its Firefox browser.


The functionality has existed in the browser for months but the idea of making it a more prominent feature began to pick up steam a week and a half ago at Web 2.0, a one day workshop held in conjunction with the IEEE’s Symposium on Security and Privacy, in San Jose, Calif. A paper written by Monica Chew, a former Mozilla software engineer, and Georgios Kontaxis, a computer science student at Columbia University who previously interned at Mozilla, won best paper at the conference, and support for the initiative has slowly bubbled up since then.

2015-06-04 Link of the Day: OWASP ZAP

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.


OWASP ZAP


Any/all products/services are provided for informational purposes only. The author does not endorse any single product.

Use these products/services at your own risk.

How to raise users' expectations about security and privacy?

From Help Net Security:


How to raise users' expectations about security and privacy?


Users do not seem to care much about privacy and security.

When buying a new smartphone, for example, they rarely ask about security updates and how long the device will be supported. When downloading a new app, most of them don't even glance at the permissions it asks.

They effectively don't ask for security and privacy, and those two things consequently slip down the tech developers' and creators' list of things that are important when creating new things.

How to turn on two-factor authentication on over 100 popular online services

From Help Net Security:


How to turn on two-factor authentication on over 100 popular online services


TeleSign launched Turn It On, a new campaign featuring a guide to two-factor authentication and providing step-by-step instructions for turning on 2FA for over 100 popular social networking, banking, cloud computing and other online services that offer the 2FA option.

“The number one tip most experts give for increasing account security and stopping the fallout from data breaches is to turn on two-factor authentication,” said Steve Jillings, CEO of TeleSign. “Yet our research shows that the majority of consumers (61 percent) do not know what two-factor authentication is, even though it’s available on almost every account, free to the consumer and just waiting to be turned on.”

Wednesday, June 3, 2015

This Simple Message Can Crash Skype Badly and Forces Re-Installation

From The Hacker News:


This Simple Message Can Crash Skype Badly and Forces Re-Installation


Just last week iPhone and iPad users were dealing with an iOS text bug that caused the app to crash and iPhones to reboot, now a similar bug has been found that takes out Skype — the popular video chat and messaging service.


Yes, the Microsoft-owned Skype VoIP client is also affected by a bug that crashes almost every single version of the Skype client on both desktops and mobile phones with a single message containing just eight characters.

2015-06-03 Link of the Day: SANS Windows Forensic Analysis & Incident Response Poster

From the SANS Institute:


SANS Windows Forensic Analysis & Incident Response Poster

Online warzone: Cybercrime and terrorism are threatening Europe, and some countries aren't ready.

From Politico:


Online warzone: Cybercrime and terrorism are threatening Europe, and some countries aren't ready.


The Internet is the new underworld front line. Police, judges, lawyers and prosecutors must be trained to combat cybercrime, argued speakers Thursday on a European Commission cybersecurity panel.


Cyberterrorism has become one of the most high-profile threats to the economy and governments. Last week, reports surfaced of an attack on computers in the German parliament by an unknown perpetrator, and in April the Islamic State claimed responsibility for taking French television station TV5Monde offline.

Security startup finds stolen data on the 'Dark Web'

From CSO Online:


Security startup finds stolen data on the 'Dark Web'


Finding stolen data on the Internet is often the first sign of a breach, and a Baltimore-based startup says it has developed a way to find that data faster and more securely.


The company is called Terbium Labs, named after a malleable, silver-gray element. CEO Danny Rogers and CTO Michael Moore say they're taking a large scale, computational approach to finding pilfered data.

Researchers: Hola Fixes Incomplete

From ThreatPost:


Researchers: Hola Fixes Incomplete


Hola, a popular, free, peer-to-peer service that enables anonymous surfing and access to blocked online resources, said today it has patched vulnerabilities discovered last week that expose its millions of users to possible code execution, remote monitoring and other threats to privacy and security.


The researchers who last week disclosed vulnerabilities in the Hola Unblocker Windows client, Firefox and Chrome extensions, and the Hola Android app, however, said today that the flaws are still present and that all Hola did was break a vulnerability checker proof-of-concept tool developed by the researchers.

Slew of Vulnerabilities Found in D-Link Storage Devices

From ThreatPost:


Slew of Vulnerabilities Found in D-Link Storage Devices


Researchers have identified dozens of vulnerabilities in several D-Link products, some of which allow attackers to bypass authentication requirements or upload arbitrary files to target devices.


The vulnerabilities lie in a variety of D-Link network storage devices and the company has produced updated firmware to address some of the problems. Researchers at Search-Lab discovered the vulnerabilities and said that there are a number of different D-Link devices open to the authentication bypass, as well as command injection and arbitrary file upload.

U.S. and Japan to Cooperate on Cybersecurity, Information Sharing

From ThreatPost:


U.S. and Japan to Cooperate on Cybersecurity, Information Sharing


The United States and Japan have agreed to cooperate more closely on cybersecurity and information sharing initiatives as a way to help both countries defend against future threats and attacks.


The new initiative will include a variety of components, most notably cooperation during serious incidents, cooperation between the two countries’ cybersecurity and defense units, and information sharing programs. Both countries face threats from a variety of sources, to both private and government networks. The U.S. Department of Defense and Ministry of Defense in Japan said in a statement that the countries will build on an existing foundation of cooperation on information security.