Information Security News
Backbytes: Guess who's looking for security specialists? Why, Moonpig...
"This is an exciting opportunity to join the growing IT function at Moonpig. We are looking for a versatile Security Officer with strong web-orientated skills, alongside a proven track-record managing an e-commerce focused security programme at a ...
For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.
Ironically, the chink that allows websites to uniquely track people's incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only over secure HTTPS connections. By including a Strict-Transport-Security header in the response a browser receives when it makes a request, a server instructs the browser to use HTTPS for all later connections to that site. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which attackers convert an encrypted connection back into plain-text HTTP.
Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.
by Sean Gallagher
Sharyl Attkisson, the former CBS investigative reporter who published her claims of government intimidation, electronic surveillance, and cyber-attacks in a book last fall, has begun the process of taking the government to court over the hacking of her personal and work computers, as well as her home network.
In the process, Attkisson’s attorneys have begun to reveal the details of forensic investigations by computer security experts. In legal filings against the government, the attorneys disclosed which government agency’s network was the source of at least some of the hacks: the US Postal Service.
In an administrative claim filed on January 5 under the provisions of the Federal Tort Claims Act and a complaint filed with the District of Columbia Superior Court, Attkisson’s attorneys gave an initial summary of their accusations against the US Justice Department, which they claim directed the surveillance of Attkisson as part of an ongoing Obama administration campaign against journalists and government employees acting as their confidential sources. Attkisson and her family have named outgoing US Attorney General Eric Holder, Postmaster General Patrick Donahoe, and “unknown named agents” of the Department of Justice and US Postal Service as defendants in the suit, seeking damages that could total approximately $35 million.
UK-based Bitstamp, the second largest bitcoin exchange for US dollars, suspended operations on Monday, following evidence that online thieves had stolen up to 19,000 BTC—approximately $5.2 million—from its operational store of bitcoins.
The company alerted its users of the possible attack on Monday and warned against transferring any bitcoins to the service’s old bitcoin deposit addresses. Early the following morning, Bitstamp revealed that the attack affected fewer than 19,000 bitcoins. The actual attack appeared to have occurred on Sunday, January 4, when attackers compromised the company’s operational funds, also known as the “hot wallet.”
“Thank you all for your patience, we are working diligently to restore service,” Nejc Kodrič, the co-founder and CEO of Bitstamp, tweeted on Monday, adding, “To restate: the bulk of our bitcoin are in cold storage, and remain completely safe.”
Hardening VoIP systems: Challenges and solutions
By Albert Fruz, InfoSec Institute. VoIP systems can take many different forms. Any computer is capable of providing VoIP services. Microsoft's NetMeeting, which comes with any Windows platform, provides some VoIP services as does the Apple Macintosh ...
Posted by InfoSec News on Jan 06: http://www.wsj.com/articles/sony-head-thanks-supporters-in-hacking-attack-1420517703
Posted by InfoSec News on Jan 06: http://www.networkworld.com/article/2863395/security0/fbi-wants-you-to-become-a-cyber-agent.html
Posted by InfoSec News on Jan 06: http://www.csoonline.com/article/2863402/identity-access/free-tool-automates-phishing-attacks-for-wifi-passwords.html
Posted by InfoSec News on Jan 06: http://www.healthcareitnews.com/news/phi-485k-swiped-usps-data-breach
Posted by InfoSec News on Jan 06: http://www.cnbc.com/id/102292464