32 Matching Annotations
  1. Jun 2020
    1. Plenty of journalists, attorneys, and activists are equally if not more threatened by so-called evil maid attacks, in which a housekeeper or other stranger has the ability to tamper with firmware during brief physical access to a computer.
  2. May 2020
  3. Oct 2018
    1. As a recap, Chegg discovered on September 19th a data breach dating back to April in which "an unauthorized party" accessed a database containing "a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password" but no financial information or social security numbers. The company has not disclosed, or is unsure of, how many of the 40 million users had their personal information stolen.

  4. Apr 2018
  5. Dec 2017
    1. Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said were suspicious and intentional.

  6. Nov 2017
    1. For the last few years, Intel CPUs have included the Intel Management Engine, which runs its own OS, the Unix-like MINIX. You have no access to it, but it has complete access to your computer.

    1. EFF recommendations for Congress regarding data security and data breaches like the one at Equifax.

      https://www.ftc.gov/datasecurity
      FTC guide to data security for businesses.

  7. Oct 2017
    1. DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines.

      ...

      Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.

      “From a technological point of view, this is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.”

  8. May 2017
    1. Tools that might be able to decrypt files encrypted by the WannaCry ransomware. With a little luck, and if the victim hasn't rebooted, the keys can be found in memory.
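
The memory search those decryptors perform, as an added example that is not code from the page or from any of the WannaCry tools themselves: the published decryptors worked because one of the RSA primes behind the key was left behind in process memory by the Windows crypto API, so the recovery step is to scan memory for an integer that divides the known public modulus, rebuild the private exponent from it, and unwrap the per-file keys. The dump, the key sizes (two Mersenne primes instead of 1024-bit ones, so it runs in a moment), the little-endian blob layout and the textbook-RSA wrapping are constructed assumptions of this demo.

```python
import random

# Two Mersenne primes (2^89-1 and 2^107-1) stand in for the 1024-bit primes of a
# real RSA-2048 key: the same search, but fast enough to run in a moment.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q          # the public modulus, readable from the ransomware's public key
E = 65537


def build_memory_dump(prime=None, size=4096, offset=1337, seed=20170512):
    """Constructed stand-in for a process memory dump: pseudo-random junk with,
    optionally, one RSA prime embedded little-endian (the byte order Windows
    CryptoAPI uses inside its RSA key blobs; assumed here)."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    if prime is not None:
        blob = prime.to_bytes((prime.bit_length() + 7) // 8, "little")
        dump[offset:offset + len(blob)] = blob
    return bytes(dump)


def find_prime_factor(dump, modulus):
    """Slide windows of every plausible width over the dump and test each
    little-endian integer as a divisor of the modulus.  N = p*q has no other
    non-trivial divisors, so a hit can only be p or q; random junk never divides."""
    max_width = (modulus.bit_length() + 7) // 8
    for width in range(2, max_width + 1):
        for off in range(len(dump) - width + 1):
            cand = int.from_bytes(dump[off:off + width], "little")
            if cand & 1 and 1 < cand < modulus and modulus % cand == 0:
                return cand
    return None


def rebuild_private_key(modulus, e, p):
    """With one prime in hand the rest of the key follows: q = N/p,
    d = e^-1 mod (p-1)(q-1).  Returns (d, q)."""
    q, rem = divmod(modulus, p)
    if rem:
        raise ValueError("not a factor of the modulus")
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return d, q


def recover_and_decrypt(dump, modulus, e, ciphertext):
    """End-to-end: find the prime, rebuild d, unwrap one textbook-RSA block
    (a real decryptor would unwrap the per-file AES keys this way)."""
    p = find_prime_factor(dump, modulus)
    if p is None:
        return None          # nothing usable left in memory, e.g. after a reboot
    d, _ = rebuild_private_key(modulus, e, p)
    return pow(ciphertext, d, modulus)


if __name__ == "__main__":
    dump = build_memory_dump(P)
    file_key = 0x00DEADBEEFCAFEF00D          # stands in for a per-file key
    wrapped = pow(file_key, E, N)            # textbook RSA, for the demo only
    print(hex(recover_and_decrypt(dump, N, E, wrapped)))
```

The scan is quadratic in nothing worse than dump size times candidate width, so on a real dump it is cheap compared with factoring; the practical limits are the ones the note mentions: the process must still be alive and its pages not yet reused, which is why a reboot ends the chance.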

    1. Certain HP laptops have flawed audio drivers that record all your keystrokes to: C:\Users\Public\MicTray.log

      If these files exist, delete them: C:\Windows\System32\MicTray64.exe and C:\Windows\System32\MicTray.exe

  9. Apr 2017
    1. Phishing attack that uses Unicode characters to fake a domain name.

      The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

      What we have done above is use ‘e’, ‘p’, ‘i’ and ‘c’ Unicode characters that look identical to the real characters but are different Unicode characters. In the current version of Chrome, as long as all characters are Unicode, it will show the domain in its internationalized form.
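
The encoding and the display decision the quote describes, as an added example (not code from the original article, nor Chrome's actual logic): Python's idna codec produces and decodes the xn-- form, skeleton/looks_like show why the look-alike is dangerous, and display_form is a simplified stand-in for the browser rule that later closed the hole, hiding the Unicode form only when every non-ASCII character in a label is a Latin look-alike. The confusables table is a hand-picked subset and all hostnames are constructed for the demo.

```python
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin ones: a hand-picked
# subset of the Unicode confusables data, not the full table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Constructed look-alike of epic.com: Cyrillic е, р, і, с (U+0435 U+0440 U+0456 U+0441)
FAKE_EPIC = "\u0435\u0440\u0456\u0441.com"


def to_ascii(hostname):
    """Unicode hostname -> the xn-- (punycode) form that actually goes on the wire."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """xn-- form -> the internationalised form a browser might display."""
    return hostname.encode("ascii").decode("idna")


def skeleton(hostname):
    """Replace look-alike letters with the ASCII letters they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in hostname)


def looks_like(hostname, target):
    """True when hostname is a visual impostor of target: same skeleton, different name."""
    return hostname != target and skeleton(to_unicode(to_ascii(hostname))) == target


def display_form(hostname):
    """Simplified stand-in for the browser-side rule: a label is shown in Unicode
    unless every non-ASCII character in it is a Latin look-alike, in which case
    the user is shown the xn-- form instead."""
    shown = []
    for label in to_unicode(to_ascii(hostname)).split("."):
        non_ascii = [ch for ch in label if ord(ch) > 0x7F]
        impersonating = bool(non_ascii) and all(ch in CYRILLIC_LOOKALIKES for ch in non_ascii)
        shown.append(label.encode("idna").decode("ascii") if impersonating else label)
    return ".".join(shown)


def script_names(label):
    """Scripts a label mixes (from the Unicode character names); mixed-script
    labels are the other classic red flag."""
    return sorted({unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()})


if __name__ == "__main__":
    wire = to_ascii(FAKE_EPIC)
    print(wire, "->", to_unicode(wire), "shown as", display_form(FAKE_EPIC))
```

Note that the whole hostname in the quote is mixed-script only because of the ASCII ".com"; each label on its own is single-script, which is exactly why a per-label "all Unicode" rule let it through and why the fallback above keys on look-alikes rather than on mixing.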

  10. Mar 2017
    1. The Justice Department has announced charges against four people, including two Russian security officials, over cybercrimes linked to a massive hack of millions of Yahoo user accounts. [500M accounts, in 2014]

      Two of the defendants — Dmitry Dokuchaev and his superior Igor Sushchin — are officers of the Russian Federal Security Service, or FSB. According to court documents, they "protected, directed, facilitated and paid" two criminal hackers, Alexsey Belan and Karim Baratov, to access information that has intelligence value. Belan also allegedly used the information obtained for his personal financial gain.

  11. Feb 2017
    1. A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen.

  12. Jan 2017
    1. Thousands of poorly secured MongoDB databases have been deleted by attackers recently. The attackers offer to restore the data in exchange for a ransom -- but they may not actually have a copy.

  13. Dec 2016
  14. Aug 2016
    1. "We demonstrate that well-known compression-based attacks such as CRIME or BREACH (but also lesser-known ones) can be executed by merely running JavaScript code in the victim’s browser. This is possible because HEIST allows us to determine the length of a response, without having to observe traffic at the network level."

      HEIST attacks can be blocked by disabling 3rd-party cookies.

      https://twitter.com/vanhoefm
      https://twitter.com/tomvangoethem
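
The compression oracle behind CRIME and BREACH that HEIST's length measurement feeds, as an added example that is not code from the HEIST authors: a constructed page reflects the attacker's guess next to a secret in one compressed response, and the only thing the attacker reads is the compressed size. The page, the token, the compressor settings (zlib with fixed Huffman codes so the size differences are deterministic) and the 19-byte reflected prefix are assumptions of this demo, explained in the comments.

```python
import zlib

SECRET_TOKEN = "a3f9c01b"   # constructed example: the per-session secret to steal
HEX = "0123456789abcdef"
# The bytes that precede the secret in the page.  Length 19 is deliberate: DEFLATE
# encodes match lengths 19..34 with the same number of bits, so a correct guess
# shortens the output by exactly one 8-bit literal (one byte) instead of sometimes
# being masked by a change in the length code.
REFLECTED_PREFIX = 'csrf_token" value="'


def render_page(query, token=SECRET_TOKEN):
    """Constructed vulnerable page: a secret and an unescaped reflection of
    user input share one compressed response (real pages escape quotes, which
    is one reason the attack needs a suitable reflection point)."""
    return (
        '<html><body><form action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "</form>"
        f"<p>You searched for: {query}</p>"
        "</body></html>"
    ).encode()


def response_length(query):
    """All the attacker learns, via HEIST or by watching the wire: the size of
    the compressed response.  Z_FIXED keeps the measurement deterministic here;
    against dynamic Huffman codes a real attack repeats each guess with varying
    padding and averages the sizes."""
    comp = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, zlib.Z_FIXED)
    return len(comp.compress(render_page(query)) + comp.flush())


def recover_token(length=len(SECRET_TOKEN), alphabet=HEX):
    """Byte-at-a-time: the guess that extends the LZ77 match with the real
    secret compresses one byte smaller than every other guess."""
    known = ""
    for _ in range(length):
        sizes = {c: response_length(REFLECTED_PREFIX + known + c) for c in alphabet}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            raise RuntimeError(f"ambiguous measurement after {known!r}: {winners}")
        known += winners[0]
    return known


if __name__ == "__main__":
    print("recovered:", recover_token())
```

The mitigation in the note follows from the same picture: the oracle only works if the attacker's cross-site request carries the victim's cookie, so blocking third-party cookies removes the secret from the response the attacker can size.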

  15. Jul 2016
  16. Jun 2016
    1. These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.

      ...

      Tuesday's advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages.

      https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

  17. Feb 2016
  18. Jan 2016
    1. Linode Cloud Service has been under DDoS attack for a few days. Now they've discovered some stolen passwords. It is not yet known whether the same attacker is responsible for both.

      A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point.

      ...

      The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We've retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues.

  19. Dec 2015
    1. A TOP-SECRET document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear.

      Matt Blaze, a cryptographic researcher and director of the Distributed Systems Lab at the University of Pennsylvania, said the document contains clues that indicate the 2011 capabilities against Juniper are not connected to the recently discovered vulnerabilities.

      So the NSA and GCHQ (and CIA and FBI, etc) are constantly working to find -- or create -- security flaws wherever they can. Civilians get jail time for things like that. Concern for national security should require them to report flaws they discover to the firms that make the hardware and software. But CISA isn't about security.

    1. Representatives of the White House seemed to listen attentively, but shared little about their thoughts. They maintained that President Obama’s position has not changed in the last few months. While they seemed well aware of our concerns about the technical infeasibility of inserting backdoors, they didn’t necessarily share them. That worried us a great deal.