"To aid the national security community in imagining contemporary threats, the Australian Security Research Centre (ASRC) is organising Australia’s Security Nightmares: The National Security Short Story Competition. The competition aims to produce a set of short stories that will contribute to a better conception of possible future threats and help defence, intelligence services, emergency managers, health agencies and other public, private and non-government organisations to be better prepared." (via)
A working, cross-platform Java 7 exploit is now in the wild. It's apparently a pair of bugs, working in tandem; neither, alone, would be enough to escape the Java sandbox, but together, any machine, be it Windows, Mac, or Linux, can be instantly and silently compromised, simply by viewing a malicious web page. Only Java 7 is vulnerable, but because of the way Oracle schedules patches, it may be unfixed until October. You can test your machine for the flaw; if vulnerable, you'll want to at least disable Java in your Web browser, if not remove it altogether. On Firefox, NoScript will provide a little protection, by not running Java code unless you click it, but the vulnerability remains.
Why passwords have never been weaker—and crackers have never been stronger. Ars weighs in on the amazing advances the bad guys have made in password cracking over the last few years. Think you know how to choose something that's safe? The probability is quite high that you don't, even if you're technically ept. [more inside]
At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air.
Yes, I was hacked. Hard. Mat Honan, a tech journalist, had his iPhone and Mac remotely wiped and his gmail account deleted within the space of 5 minutes. Password cracked? No. Security question leak? No. Social engineering Apple tech support.
"We thought we were hosts like the queen is at a posh garden party, when actually we're hosts in the way that John Hurt is in Alien." As the Olympics approach, the scandals, inconveniences, mistakes and problems keep mounting, ranging from the frustrating through the comic to the tragic. For your appreciation, a picture of the London Olympics 2012. [more inside]
Introducing Cisco Connect Cloud! Now
available mandatory for Linksys Smart Wi-Fi Routers, Cisco Connect Cloud gives you almost anybody anytime, anywhere access to your home network.
"McPhee describes two things: how Switzerland requires military service from every able-bodied male Swiss citizen—a model later emulated and expanded by Israel—and how the Swiss military has, in effect, wired the entire country to blow in the event of foreign invasion. To keep enemy armies out, bridges will be dynamited and, whenever possible, deliberately collapsed onto other roads and bridges below; hills have been weaponized to be activated as valley-sweeping artificial landslides; mountain tunnels will be sealed from within to act as nuclear-proof air raid shelters; and much more." (via)
The Massachusetts Bay Transit Authority has released MBTA See Say [iTunes link], a free iPhone/Android app that allows riders to "send the MBTA Transit Police pictures, text messages, and locations of unattended packages or suspicious activity" [link to MBTA apps page]. The camera's flash is disabled when a photograph is taken within the app. According to ELERTS, who built the app for the MBTA, "the opportunity to crowdsource information from riders who witness suspicious or criminal activities has not been realized by transit systems." The MBTA, which is the fifth largest transit system in the United States, is the first system to adopt this technology.
An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
"Flame" is the name of a newly-identified malware program which utilizes a previously unknown MD5 collision attack to successfully spoof Microsoft Terminal Services, and install itself as a trusted program using Windows Update, Microsoft has confirmed. The program appears to have targeted computers in the Middle East, and specifically Iran; analysts have alleged it is likely created by the same entity that designed Stuxnet. Flame has been live and actively spying since 2010, but went undetected until recently, due to sophisticated anti-detection measures. [more inside]
To Profile or Not to Profile? A Debate between Sam Harris and Bruce Schneier.
Revolutionary hardware backdoor discovered in China-made military-grade FPGA chips. Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
Computer security consultant Byron Sonne (previously, previously) has been acquitted of charges he plotted to attack the G20 summit in Toronto.
"Experimental adaptation of an influenza H5 HA confers respiratory droplet transmission to a reassortant H5 HA/H1N1 virus in ferrets." After an extensive, months-long debate, one of two controversial papers showing ways the H5N1 "avian" influenza virus could potentially become transmissible in mammals with only 3 or 4 mutations was published in Nature today. The journal included an editorial on the merits and drawbacks of "publishing risky research" with regard to biosafety. The debate included an unprecedented recommendation by The US National Science Advisory Board for Biosecurity (NSABB) to block publication -- a decision they later reversed. (Via: 1, 2) Nature's special report has additional articles, including interviews with the teams behind both papers.
Not content with displacing the poor, menacing photographers and blocking ambulances the london olympics now wants ground-to-air missiles, presumably to shoot down rogue skywriters who might misuse it's brand.
Multiple analysts warned of vulnerabilities, but instead of being heeded they were severely punished After a lengthy DDOS attack, some determined hacking, and repeated attempts to penetrate its hardened security layer, the host was finally rooted by a cunningly designed piece of social and mechanical engineering. When the malware released its payload, not only was the system completely wiped, but the culture that created it as well. This day in tech: the original Trojan.
If you've ever worked with the command prompt on a Unix-based computer, you're likely familiar with SSH (Secure SHell), which is a program and a protocol that allows you (yes, you!) to securely access a remote system. While SSH has certainly earned the "Secure" portion of its namesake over the years, it's functionality as a shell has ironically received very little attention, and has begun to show signs of age and obsolescence: SSH doesn't work very well on mobile connections, and its support for Unicode is buggy and incomplete. A group of MIT researchers think they've found solutions to these problems, and have created Mosh as a potential successor to SSH, which fixes many of the old protocol's annoyances and shortcomings, while retaining all of SSH's security features.
"Refusing to allow such threats to paralyze the entire university community in its pursuit of learning and teaching,"
Starting on February 13th The University of Pittsburgh has received a steady stream of bomb threats. The Chancellor of the University has stated that the school has no intention of ending its semester early even though the threats show no sign of stopping and the authorities have been unable to find any leads after finding that some of the threats were routed through systems in Austria. The school's Vice Chancellor wrote this letter to students and faculty in response to the ongoing situation.
Web developer Justin Watt was staying at the Courtyard Marriott in Times Square, New York and using the hotel wifi to access the Internet. He noticed some strangeness on his website... and on every other website he visited (not to mention YouTube was broken.)
Flashback is the first significant MacOS botnet, reportedly infecting and controlling over half a million Macs. Flashback has been around for since September 2011 but recently got a boost with a Trojan that exploits a security hole in Apple's Java distribution; a vulnerable Mac can be infected simply by visiting a web site, no user password required. Apple released a fix for the Java exploit yesterday, some six weeks after Microsoft, Adobe, and Oracle released their fixes.
"Why are small businesses such frequent targets? Because they offer hackers the easiest path to your financial information. In fact, security consultants say, there’s an entire underground industry built around extracting customers’ credit card numbers from retailers’ point-of-sale systems." Slate: Why it’s so easy for hackers to steal financial information from restaurants
In the latest (ongoing) Economist debate (run Oxford-style), security expert Bruce Schneier and architect of the TSA Kip Hawley are facing off to respectively defend and attack the motion "This house believes that changes made to airport security since 9/11 have done more harm than good." Overview. Opening statements. Rebuttals. (Surprisingly cogent) comments from the floor.
Attacking the Washington, D.C. Internet Voting System (PDF). "When we inspected the terminal server’s logs, we noticed that several other attackers [from Iran, New Jersey, India, and China] were attempting to guess the SSH login passwords." J. Alex Halderman, a computer scientist at the University of Michigan, describes how thoroughly he and his team were able to penetrate a pilot Internet voting system run by the District of Columbia, as part of an open public test in 2010. An earlier report on the attack. Via comp.risks. [more inside]
ms12-020 mistery: the packet stored in the "chinese" rdpclient.exe PoC is the EXACT ONE I gave to ZDI!!! @thezdi? @microsoft? who leaked?
Included in this month's Patch Tuesday was MS12-020, which is a remote exploit in Microsoft's widely deployed Remote Desktop Protocol (RDP). Microsoft projected an exploit would be out 'within a month', but a Proof-of-Concept (PoC) appeared on a Chinese website within a few days. Professionals are concerned. The discoverer of the vulnerability noted that the PoC included the exact packet he had crafted to help Microsoft understand he issue; this points to a leak in the MAPP early vulnerability sharing program. A full remote exploit isn't out yet, but is expected soon.
Body scanners attacked again as US blogger Jon Corbett who blogs for TSA Out of Our Pants! exposes how to beat the body scanners, carrying a metal box in a secret shirt pocket through security at two airports. [more inside]
"A man wearing bowler hat reading a newspaper is seen leaning leisurely against a car. Another person comes from behind and starts hitting the poor man on the head with an iron bar. He does not react at all, still reads his paper. The third man appears looking puzzled. The man takes his hat of and shows it to the other two. They take the hat and examine it." Beat The Bandit, 1961 is a video (01:46) presentation of amazing security/anti-theft inventions that you'll surely feel compelled to buy.
Android apps can secretly copy photos [SLNYT] "Android apps do not need permission to get a user's photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts."
"Carried to its logical end, TSA policy would have to require passengers to travel naked or handcuffed."
"The Transportation Security Administration (TSA) ... have made air travel the most difficult means of mass transit in the United States, at the same time failing to make air travel any more secure." Steve Moore has been an FBI Special Agent, head of the Los Angeles Joint Terrorism Task Force's Al Qaeda and extra-territorial squads, a SWAT agent trained to interdict airplane hijackings, and a pilot. His father literally wrote the book on airline security. And he has come to the conclusion that "TSA is one of the worst-run, ineffective and most unnecessarily intrusive agencies in the United States government." [more inside]
Choosing good passwords - a straightforward real-world guide for the average user, by AusCERT. Also includes links out to a fun and informative piece on The Top 500 Worst Passwords of All Time, and more in-depth material aimed at the tech and security savvy, like this enjoyable conference talk: Security As If Your Life Depended On It (because it might!). So we can avoid becoming xkcd cartoons.
Stripe, a company that processes credit cards for web apps, decided to play a security wargame called Capture the Flag where you are given a logiin and password for a server and are invited to use your hacking abilities to gain access to accounts with increasing access and authorization. People who beat the server and "capture the flag" at /home/the-flag/.password are invited to contact the company for bragging rights and a T-shirt. Just one problem: the hacking game has been hacked, with something called a fork bomb. [more inside]
He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the US and wipes clean the minute he returns . In China, he disables Bluetooth and Wi-Fi , never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery , for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, "Chinese are very good at installing key-logging software on your laptop." - Travel precautions in the age of digital espionage.
"Muslim-American Terrorism in the Decade Since 9/11" (PDF) is a report by Professor Charles Kurzman of the University of North Carolina, published by the Triangle Center for Terrorism and Homeland Security. The TCFTHS is a collection of experts in the "Research Triangle" of North Carolina, associated with Duke, UNC and NC State and RTI, the independent research institute dedicated to aggregating and marketing the research resources of these three institutions. [more inside]
For the past 18 months, engineers at PayPal, Google, Facebook, Yahoo, AOL, Microsoft and nine other technology companies have spent their off-hours (and some on-hours) working hand in hand to tackle the problem that plagues them all: e-mail phishing. The result is DMARC, or, "Domain-based Message Authentication, Reporting & Conformance". It's not new, but puts SPF and DKIM to work in a new way.
The long strange trip of a Singaporean Cold-War-era assault rifle into the hands of Somali pirates in the Gulf of Aden, and what it reveals about the unintended consequences of the global trade in small arms and ammunition. [slnyt]
The U.S. National Security Agency (NSA) has begun releasing Security-Enhanced Android patches and tools, which port their Security-Enhanced Linux tools to Android devices. SEAndroid and SELinux provide mandatory access control designed to limit the amount of damage that rogue or exploited software can do. [more inside]
The holiday season isn't always relaxing for those in the computing security field. 2011's Chaos Communication Congress brought many gifts in the form of vulnerability disclosures, including: malicious documents that infect HP printers, remote control vulnerabilities in prison lock systems, and denial-of-service attacks against Web servers written in just about every scripting language.
The EFF's Year End Review The ACLU's This Year in Civil Liberties Amnesty International's Anual Report (video) [more inside]
The U.S.-Canada Beyond the Border agreement is wide-ranging in its impact. Indeed, Prime Minister Harper referred to it Wednesday as "the most significant step forward in Canada-U.S. co-operation since (NAFTA)". This deal promises regulatory alignment (including the food and automotive sectors), quicker border crossings for business or travel (with pre-clearance options), and "screened once, accepted twice" cargo. Perhaps the biggest concern for Canadians however are the changes this agreement could have for their privacy. [more inside]
Security researchers at North Carolina State University led by Xuxian Jiang (who had previously discovered 12 malicious Android applications sold through Google's Android Market) have uncovered holes in how the permissions-based security model is enforced on numerous Android devices. Called "leaks", these vulnerabilities allow new and existing malicious applications to eavesdrop on calls, track the user's location, install applications, send SMS messages, delete data from the device, and more. (via)
"The PC is dead. Rising numbers of mobile, lightweight, cloud-centric devices [represent] an unprecedented shift of power from end users and software developers on the one hand, to operating system vendors on the other ... This is a little for the better, and much for the worse." - Jonathan Zittrain, Harvard Law Professor (via battellemedia.com) [more inside]
Hacked! James Fallows writes in the Atlantic Monthly on how his wife's Gmail account was hacked, and years of email were deleted. Summary: if you have Gmail, you should be using its new 2-step verification; use strong passwords; don't re-use passwords. [more inside]
The Atlantic is in the middle of a four-part special report on the Israel / Palestinian peace process, called "Is Peace Possible?" which features multimedia presentations on and analyses of what they believe are the four core issues of the conflict: Borders, Security, Refugees, and Jerusalem. (The latter two will be released on Monday, November 7 and 14th, respectively) The report was put together in collaboration with the S. Daniel Abraham Center for Middle East Peace. [more inside]
A year after the infrastructure-attacking Stuxnet worm was discovered in Iran, a new piece of malware using some of the same techniques (but apparently with different goals) has been found infecting systems in Europe. The new malware, dubbed “Duqu” [dü-kyü], appears to have been written by someone with direct access to the Stuxnet source code.
Logging out of Facebook is not enough - Nik Cubrilovic demonstrates how, even after logging out, Facebook tracks every page you visit on sites that integrate Facebook services [via]