902 Matching Annotations
  1. Oct 2017
    1. DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines.

      ...

      Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.

      “From a technological point of view, this is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.”

  2. Sep 2017
  3. Jul 2017
  4. May 2017
    1. Tools that might be able to decrypt files encrypted by the WannaCry ransomware. With a little luck, and if the victim hasn't rebooted, the keys can be found in memory.

    1. Certain HP laptops have flawed audio drivers that record all your keystrokes to: C:\Users\Public\MicTray.log

      If these files exist, delete them: C:\Windows\System32\MicTray64.exe C:\Windows\System32\MicTray.exe

  5. Apr 2017
    1. Phishing attack that uses Unicode characters to fake a domain name.

      The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

      What we have done above is used ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.
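As an added example (not code from the annotated article), a defender-side check in Python that decodes `xn--` labels with the standard library's `idna` codec and flags a label that mixes scripts or that consists entirely of Cyrillic lookalikes of ASCII letters, the single-script case the display rule described above lets through. The lookalike table and the sample hostname are constructed for the example.

```python
import unicodedata

# Constructed lookalike table (an assumption for this example, not from the
# article): Cyrillic lowercase letters whose glyphs are near-identical to the
# Latin letters they are mapped to.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_ascii(host):
    """Unicode hostname -> ACE form with xn-- labels (stdlib idna codec)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """ACE hostname -> Unicode form; returns the input unchanged if it is not
    valid ASCII/IDNA, so the caller still gets something to inspect."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def script_of(ch):
    """Script of a letter, taken from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC'); digits and hyphens are script-neutral."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def assess_label(label):
    """Inspect one hostname label and report the properties a proxy filter
    or a log-review rule would key on."""
    ulabel = to_unicode(label)
    scripts = sorted({s for s in map(script_of, ulabel) if s})
    # Replace every known confusable with its Latin twin; if that turns the
    # whole label into plain ASCII, the label is a whole-script lookalike,
    # which is exactly the case a single-script display rule does not catch.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in ulabel)
    lookalike = skeleton if (skeleton != ulabel and skeleton.isascii()) else None
    return {
        "label": label,
        "unicode": ulabel,
        "non_ascii": not ulabel.isascii(),
        "mixed_script": len(scripts) > 1,
        "lookalike": lookalike,
    }


def assess_hostname(host):
    """Assess every label of a hostname given in ACE or Unicode form."""
    return [assess_label(label) for label in host.split(".")]


def suspicious(host):
    """True if any label mixes scripts or is a whole-script ASCII lookalike."""
    return any(f["mixed_script"] or f["lookalike"] for f in assess_hostname(host))


if __name__ == "__main__":
    # Constructed sample: Cyrillic е, р, і, с, which render like "epic".
    sample = to_ascii("\u0435\u0440\u0456\u0441.com")
    for finding in assess_hostname(sample):
        print(finding)
    print("suspicious:", suspicious(sample))
```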

  6. Mar 2017
    1. Protection Level 0 (Limited or none): Information intended for public access, e.g., public directory information

      Includes name and email.

    2. Student Directory Data (unless the student has requested that information about them not be released as public information): name of student; address, telephone, e-mail

      Not considered private or high level?

    3. Evaluations

      Anything graded with grade indicated? Or simply gradeable?

    1. There were no prospects of advancement mentioned. I had no choice. I had no means. The door of the flat had been ripped off by thieves, the possessions taken.

      Movement outwards...into box

    1. Sebastian Gorka, President Trump’s top counter-terrorism adviser, is a formal member of a Hungarian far-right group that is listed by the U.S. State Department as having been “under the direction of the Nazi Government of Germany” during World War II, leaders of the organization have told the Forward.

      ...

      Gorka’s membership in the organization — if these Vitézi Rend leaders are correct, and if Gorka did not disclose this when he entered the United States as an immigrant — could have implications for his immigration status. The State Department’s Foreign Affairs Manual specifies that members of the Vitézi Rend “are presumed to be inadmissible” to the country under the Immigration and Nationality Act.

    1. The Justice Department has announced charges against four people, including two Russian security officials, over cybercrimes linked to a massive hack of millions of Yahoo user accounts. [500M accounts, in 2014]

      Two of the defendants — Dmitry Dokuchaev and his superior Igor Sushchin — are officers of the Russian Federal Security Service, or FSB. According to court documents, they "protected, directed, facilitated and paid" two criminal hackers, Alexsey Belan and Karim Baratov, to access information that has intelligence value. Belan also allegedly used the information obtained for his personal financial gain.

  7. Feb 2017
    1. A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen.

    1. All along the way, or perhaps somewhere along the way, we have confused surveillance for care. And that’s my takeaway for folks here today: when you work for a company or an institution that collects or trades data, you’re making it easy to surveil people and the stakes are high. They’re always high for the most vulnerable. By collecting so much data, you’re making it easy to discipline people. You’re making it easy to control people. You’re putting people at risk. You’re putting students at risk.
  8. Jan 2017
    1. Jim Arkedis, formerly an intelligence analyst with the DoD.

      Below is how I would assess the credibility of the sources and allegations detailed in Buzzfeed’s recently-released dossier and an explanation of why I believe its two main allegations should be judged on their individual merits as credible with moderate-to-high confidence.

      No, that’s not the same as saying the allegations are 100 percent guaranteed to be true, but I think there’s enough evidence there that it would be irresponsible not to consider how this could impact our nation’s security and what, if anything, can be done to mitigate those potential impacts.

    1. TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
    1. Thousands of poorly secured MongoDB databases have been deleted by attackers recently. The attackers offer to restore the data in exchange for a ransom -- but they may not actually have a copy.

    1. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together.

      Lesson learned: do not chain different accounts by "logging in with" (most of the time Google, Facebook, Twitter).

    2. First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up. Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

      Is it still as easy to enter someone's Amazon account today? Hopefully not. But I'm really not sure...

    3. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com

      This is where email sub-addressing (https://en.wikipedia.org/wiki/Email_address#Sub-addressing) is also useful!

    4. Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file

      Not very complicated to hack, is it? Fortunately, Apple now relies on two-factor authentication.

    5. In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

      Security is not only the user's business. If the company doesn't do the job, it's useless for the user to be careful.

    6. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.

      Security considered from different perspectives leads to security flaws!

    1. Almost half of eight- to 11-year-olds have agreed impenetrable terms and conditions to give social media giants such as Facebook and Instagram control over their data, without any accountability, according to the commissioner’s Growing Up Digital taskforce. The year-long study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.
    1. It’s also important to acknowledge that a more isolated, more nationalist America helps Putin in his objectives even while it compromises our own. We need to accept that America was part of, and needs to be part of, a global system — and that this system is better, cheaper, and more powerful than any imagined alternatives. For many years, the United States has been the steel in the framework that holds everything together; this is what we mean by ‘world order’ and ‘security architecture,’ two concepts that few politicians try to discuss seriously with the electorate.

  9. Dec 2016
    1. You should assume that a printer (and probably cameras, or just about any product) includes unique identifying data. With printers, it's encoded as nearly invisible yellow dots.

  10. Nov 2016
    1. 7 Oct 2016 joint statement from DHS and DNI.

      The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

  11. Oct 2016
    1. A large database of blood donors' personal information from the AU Red Cross was posted on a web server with directory browsing enabled, and discovered by someone scanning randomly. It is unknown whether anyone else downloaded the file before it was removed.

    1. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

  12. Sep 2016
    1. Proposed changes to "Rule 41" will make it too easy for government agents to get permission to hack remote computers. Petition Congress to prevent this.

    1. Ronnie de Jonge

      very little data to show yet, just in process of setting up. Looking at the rhizosphere to help increase yield of crops without increasing the need for extra land (i.e. food security).

      Much lost yield is due to "stress" of various sorts (drought, flood, etc).

    1. A recent Hewlett-Packard printer software update changed the printers so they would not work with third-party ink cartridges. Worse, the change was made as part of a security update.

      https://act.eff.org/action/tell-hp-say-no-to-drm Petition HP to fix this wrongdoing, and promise not to repeat it. They are also being asked to promise not to invoke the DMCA against security researchers who find vulnerabilities in their products.

    1. Until Let’s Encrypt fixes their bullshit, the CAcert certificate stays.

      As of now (2016-09-20), xaymar.com actually does use a certificate issued by Let's Encrypt. It would be very interesting to read a follow-up article about the reasons that lead to this switch. Sadly, I haven't been able to find one.

  13. Aug 2016
    1. What if, as the cybersecurity consultant Matt Tait asked last month in relation to the DNC emails, a source — like, say, a hacker working for a Russian intelligence agency — provided WikiLeaks with a cache of documents that was tampered with in order to smear a political candidate?
    1. "We demonstrate that well-known compression-based attacks such as CRIME or BREACH (but also lesser-known ones) can be executed by merely running JavaScript code in the victim’s browser. This is possible because HEIST allows us to determine the length of a response, without having to observe traffic at the network level."

      HEIST attacks can be blocked by disabling 3rd-party cookies.

      https://twitter.com/vanhoefm

      https://twitter.com/tomvangoethem

  14. Jul 2016
  15. Jun 2016
    1. Even if you trust everyone spying on you right now, the data they're collecting will eventually be stolen or bought by people who scare you. We have no ability to secure large data collections over time.

      Fair enough.

      And "Burn!!" on Microsoft with that link.

    1. These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.

      ...

      Tuesday's advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages.

      https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

  16. May 2016
    1. The Defense Department is building a massive information-sharing system detailing national security personnel and individuals cleared for accessing U.S. secrets, to flag who among them might be potential turncoats or other "insider threats."
  17. Apr 2016
    1. In its default configuration, the CJRS web service (either deployed as an executable jar, or a war file in a servlet container) is configured to use the SLURM JobExecutionService, and directly invokes ‘srun’, ‘sbatch’, and ‘salloc’ commands that are available on the host it is running on. A natural consequence of this is that SLURM jobs are submitted using the same user ID as owner of the CJRS web service process. For the purposes of training and demonstration, it is recommended to deploy the application so that it runs as a single, unprivileged user created specifically for the purpose of training. In theory, however, anybody who obtains the executable jar file may run it on a machine they have access to, bound to some random high port exclusive to that user, allowing it to launch SLURM jobs on their behalf via the REST API.

      This will likely not be portable to Docker due to security issues; two separate users will be needed: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface

    1. The Finnish government is currently drawing up plans to introduce a national basic income. A final proposal won’t be presented until November 2016, but if all goes to schedule, Finland will scrap all existing benefits and instead hand out €800 ($870) per month—to everyone.
    1. Short URLs can be brute forced. They should not be used for pages that contain personal information, or pages that allow anyone with the URL to upload files.

    1. HID VertX and Edge controllers for security doors were discovered to have a command injection vulnerability that made it possible for attackers to open them via the Internet.

  18. Feb 2016
    1. In Firefox, one can disable Content Security Policy by changing security.csp.enable to false in about:config

      Websites using Content Security Policy can be annotated with hypothes.is in Firefox by switching security.csp.enable to false (in about:config).

  19. Jan 2016
    1. Raj: Now, we are back to the feeling of the need for relief, aren’t we, Paul? Which simply means you feel a need to withdraw. We may stop talking in this fashion, but you don’t have to stop checking to see if I am here, and listening for my response. Just notice the feeling of the need for withdrawal into privateness—without judgment. But be aware of it. I will tell you that you can tolerate the active connection longer, and I want you to remember that the reason we are talking is because of your choice. It is not because I am forcing myself upon you. You do not need to withdraw from me. That is the excuse, but the excuse can only make sense if you can be distracted from the fact that you reached out for the connection. You are not, in fact, withdrawing from my embrace of you. You are withdrawing into privateness that does not allow you to experience the fact that you are embracing always! The suggestion is that you are shutting me out. But know that you are shutting yourself in—self-protective withdrawal into isolation for security that doesn’t constitute security, but which constitutes incarceration.

      "Just notice the feeling of the need for withdrawal into privateness—without judgement. But be aware of it."

      Feeling what we feel without judging it.

      "You are withdrawing into privateness that does not allow you to experience the fact that you are embracing always! The suggestion is that you are shutting me out. But know that you are shutting yourself in—self-protective withdrawal into isolation for security that doesn't constitute security, but which constitutes incarceration."

    1. Linode Cloud Service has been under DDoS attack for a few days. Now they've discovered some stolen passwords. It is not yet known whether the same attacker is responsible for both.

      A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point.

      . . .

      The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We've retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues.

  20. Dec 2015
    1. A TOP-SECRET document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear.

      Matt Blaze, a cryptographic researcher and director of the Distributed Systems Lab at the University of Pennsylvania, said the document contains clues that indicate the 2011 capabilities against Juniper are not connected to the recently discovered vulnerabilities.

      So the NSA and GCHQ (and CIA and FBI, etc) are constantly working to find -- or create -- security flaws wherever they can. Civilians get jail time for things like that. Concern for national security should require them to report flaws they discover to the firms that make the hardware and software. But CISA isn't about security.

    1. Manhattan district attorney Cyrus R. Vance Jr. says that law enforcement agencies want Google and Apple to return to systems without full-disk encryption -- those before iOS 8 and Android Lollipop -- which they could unlock in compliance with a warrant.

      He says that's all they're asking. If that's true, they should be speaking out loudly against mass surveillance and FBI demands for backdoors.

    1. Representatives of the White House seemed to listen attentively, but shared little about their thoughts. They maintained that President Obama’s position has not changed in the last few months. While they seemed well aware of our concerns about the technical infeasibility of inserting backdoors, they didn’t necessarily share them. That worried us a great deal.
    1. "There has always been a tension in the intelligence community between the intel side that wants to exploit the information from social media and the operational or the policy community that wants to do something to shut it down," Mike Flynn, who directed the Defense Intelligence Agency from 2012 to 2014
    1. Apple CEO Tim Cook has repeatedly and strongly criticized those in government who have demanded backdoors, explaining: “You can’t have a back door in the software because you can’t have a back door that’s only for the good guys.” And a representative of many of the large tech companies recently remarked: “Weakening security with the aim of advancing security simply does not make sense.” Eighty-five percent of cybersecurity experts recently surveyed by Politico called backdoors “a bad idea”. (We know, for example, the NSA in particular loves to prey on foreign phone companies’ backdoors.)
    1. The Senate’s recently passed bill, known as the Cybersecurity Information Sharing Act (CISA), is expected to serve as the basis for the finished language. The compromise text will also likely include elements from a bill that originated in the House Intelligence Committee, observers said. This completed product would mostly sideline the privacy advocate-preferred bill from the House Homeland Security Committee. They believe the Homeland Security bill includes the strongest provisions to protect people’s sensitive data from falling into the NSA's hands. Specifically, the Homeland Security bill would give the greatest role to the Department of Homeland Security (DHS) for collecting cyber threat data from the private sector and disseminating it throughout the government. It’s believed the DHS is best suited to scrub data sets of personal information.

      It seems necessary to encourage -- or force -- industrial and financial firms to share information with the government about hacks and attempted hacks. But that should not be used as license to transfer and collect customer metadata.

    1. "It makes zero sense to lock up this information forever," said Jeremiah Grossman, who founded cybersecurity firm WhiteHat Security. "Certainly there are past breaches that the public should know about, is entitled to know about, and that others can learn from."

      I used to think the most fanciful thing about the movie "War Games" was not the A.I., but the defense computer connected to a public network. But if industrial control systems can be reached by the Internet or other public lines -- then maybe the government is that stupid.

    1. It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden iframe element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.
  21. Nov 2015
    1. Businesses need to be more careful to avoid revealing customers' personal information. And they should record calls, and watch them collectively over time for signs of suspicious activity.

      The harasser in this article tricked customer service representatives into giving him private details about his victims. Starting with whatever information he could find online (a birthdate, the name of a pet) he would call repeatedly until he succeeded in getting other details -- which would make him still more convincing, so he could get more details.

      In one case, he pretended to be a company technician for ISP Cox Communications. They didn't have a procedure to verify the ID of their own technicians?

      Social engineering.

    1. The call for backdoors is nothing new. During my career in the private sector, I’ve seen requests to backdoor encryption software so as to please potential investors, and have seen people in the field who appeared to stand for secure software balk under the excuse of “if that’s what the customer wants,” even if it results in irreparable security weaknesses. I’ve had well-intentioned intelligence officers ask me informally, out of honest curiosity, why it is that I would refuse to insert backdoors. The issue is that cryptography depends on a set of mathematical relationships that cannot be subverted selectively. They either hold completely or not at all. It’s not something that we’re not smart enough to do; it’s something that’s mathematically impossible to do. I cannot backdoor software specifically to spy on jihadists without this backdoor applying to every single member of society relying on my software.
    2. When you make a credit card payment or log into Facebook, you’re using the same fundamental encryption that, in another continent, an activist could be using to organize a protest against a failed regime.

      ...

      If a terrorist is suspected of using a Toyota as a car bomb, it’s not reasonable to expect Toyota to start screening who it sells cars to, or to stop selling cars altogether.

      ...

      The brouhaha that has ensued from the press has been extreme. ... A Wired article, like many alongside it, finds an Arabic PDF guide on encryption and immediately attributes it as an “ISIS encryption training manual” even though it was written years ago by Gaza activists with no affiliation to any jihadist group.

    1. All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks.

      "At issue is a root certificate installed on newer Dell computers that also includes the private cryptographic key for that certificate. Clever attackers can use this key from Dell to sign phony browser security certificates for any HTTPS-protected site."

    1. Another provision of the proposed Investigatory Powers Bill is that internet service providers (ISPs) must retain a record of all the websites you visit (more specifically, all the IP addresses you connect to) for one year. This appears to be another measure to weaken privacy while strengthening security – but in fact, it is harmful to both privacy and security. In order to maintain a record of every website you have visited in the last year, the ISP must store that information somewhere accessible. Information that is stored somewhere accessible will sooner or later be stolen by attackers.
    2. I’ll say it again, to be absolutely clear: any mechanism that can allow law enforcement legitimate access to data can inevitably be abused by hostile foreign intelligence services, and even technically sophisticated individuals, to break into systems and gain unauthorised access to the same data.
    3. If the law enforcement services can remotely break into the device of a suspect, then sooner or later criminals will find ways to use the same mechanism to break into devices and steal or destroy your personal data.
    4. Any method that provides exceptional access immediately exposes the system to attacks by malicious parties, rendering the protection of encryption essentially worthless. Exceptional access would probably require that government departments have some kind of master keys that allowed them to decrypt any communication if required. Those master keys would obviously have to be kept extremely secret: if they were to become public, the entire security infrastructure of the internet would crumble into dust. How good are government agencies at keeping secrets?
    1. Every three years, the Librarian of Congress issues new rules on Digital Millennium Copyright Act exemptions. Acting Librarian David Mao, in an order (PDF) released Tuesday, authorized the public to tinker with software in vehicles for "good faith security research" and for "lawful modification." The decision comes in the wake of the Volkswagen scandal, in which the German automaker baked bogus code into its software that enabled the automaker's diesel vehicles to reduce pollutants below acceptable levels during emissions tests.
  22. Oct 2015
    1. Do you have a question or comment that involves "security" and "hashids" in the same sentence? Don't use Hashids. Here are some ways to decode:
  23. Jun 2015
  24. May 2015
    1. RFC 7235 - Access Authentication Framework

      RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication

      Further readings...

  25. Feb 2015
  26. Jan 2015
    1. It’s primarily from data and not their algorithms that powerful companies currently derive their advantages, and the only way to curb that power is to take the data completely out of the market realm, so that no company can own them. Data would accrue to citizens, and could be shared at various social levels. Companies wanting to use them would have to pay some kind of licensing fee, and only be able to access attributes of the information, not the entirety of it.

      Yes, well at present the security services are complicit with the present economic and legislative model, and this makes imagining any change to existing structures very difficult because such changes will be resisted by the rather shadowy security services. Cameron does a deal with them, he makes a point somewhat in support of their agenda in return for which he bigs up his position on security with the cost of looking an idiot - not a huge cost for a politician it seems.

    2. But if you turn data into a money-printing machine for citizens, whereby we all become entrepreneurs, that will extend the financialization of everyday life to the most extreme level, driving people to obsess about monetizing their thoughts, emotions, facts, ideas—because they know that, if these can only be articulated, perhaps they will find a buyer on the open market. This would produce a human landscape worse even than the current neoliberal subjectivity. I think there are only three options. We can keep these things as they are, with Google and Facebook centralizing everything and collecting all the data, on the grounds that they have the best algorithms and generate the best predictions, and so on. We can change the status of data to let citizens own and sell them. Or citizens can own their own data but not sell them, to enable a more communal planning of their lives. That’s the option I prefer.

      Very well thought out. Obviously must know about read write web, TLS certificate issues etc. But what does neoliberal subjectivity mean? An interesting phrase.

  27. Nov 2014
    1. This criterion requires an independent security review has been performed within the 12 months prior to evaluation. This review must cover both the design and the implementation of the app and must be performed by a named auditing party that is independent of the tool's main development team. Audits by an independent security team within a large organization are sufficient. Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.
  28. Mar 2014
    1. http://bouncycastle.org/download/bcprov-jdk16-146.jar

      This should almost certainly say "https".

    2. We need an authenticity infrastructure when there is no way to have advance knowledge of what SSL certificate a client should expect to see, but your app knows where it will be connecting, and it knows exactly what it should expect.

      Succinct way to highlight this distinction.

    3. Google is already doing this. They have an “app” called Chrome, and when their app makes SSL connections to their own services, it checks to make sure that the certificates it sees are the ones it knows Google is using. They call this “pinning,” and you should do it for your mobile apps.
  29. Sep 2013
    1. Much as it is not the criminal defense lawyer's place to judge their client regardless of how guilty they are, it is not the doctor's place to force experimental treatment upon a patient regardless of how badly the research is needed, and it is not the priest's place to pass worldly judgement on their flock, it is not the programmer's place to try and decide whether the user is using the software in a "good" way or not.

      Taking this to heart / putting it on my wall.