Hackin9

On Friday, Google told The Washington Post that it was accelerating implementation of end-to-end encryption between its data centers worldwide.

The search giant did not immediately respond to a request for comment from Ars.

“Google has data centers around the world and when you have an e-mail stored, it’s stored at [something like] six data centers around the world,” Chris Soghoian, a privacy expert at the American Civil Liberties Union, told Ars. “Every single bit of data is now going to be encrypted, so now if the government is listening to that fiber, they won’t get that data.”

The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency, a security researcher has speculated.

Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own "hostile" exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.

"Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys," Graham wrote in a blog post published Friday. "Assuming no 'breakthroughs,' the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips."

Though the National Security Agency spends billions of dollars to crack encryption technologies, security experts maintain that properly implemented, encryption is still the best way to maintain online privacy.
 
With the U.S. Labor Day holiday marking the unofficial end of summer on the markets, tech stocks got off to a fairly positive start in the new season as several major deals and the mobile phone market came under especially intense scrutiny.
 
Startup Aava Mobile will show a Windows 8.1 tablet with an 8.3-in., high-definition screen and Intel's upcoming Atom tablet processor code-named Bay Trail at the Intel Developer Forum next week.
 
Microsoft's acquisition of Nokia was a defensive move to keep the Finnish phone maker from going under or falling into the hands of an Android-first rival, several analysts argued this week.
 
The U.S. National Security Agency's efforts to defeat encrypted Internet communications, detailed in news stories this week, are an attack on the security of the Internet and on users' trust in the network, some security experts said.
 
With the launch of NASA's lunar mission tonight, the space agency is taking a big step in an effort to create an outer space Internet.
 
Disk storage systems sales generated $7.7B in the second quarter, a 5% decline from the same quarter in 2012, according to IDC.
 
Linux Kernel Btrfs CRC32C feature Infinite Loop Local Denial of Service Vulnerability
 
Linux Kernel Btrfs CRC32C feature CVE-2012-5375 Security Bypass Vulnerability
 
Yahoo received 12,444 requests from the U.S. government for user data in the first half of this year, resulting in 11,402 instances of data disclosure, it said Friday in its first transparency report.
 
A small robot says, "Good morning," and with that one phrase, takes a huge step forward in robot-human cooperation in space, as well as robotic companions.
 
The IEEE-USA is calling for reform of the L-1 visa program following release of a government report that identified IT offshore outsourcers as its major users.
 
Zend Server CVE-2012-5382 Insecure File Permissions Vulnerability
 
PHP CVE-2012-5381 Insecure File Permissions Vulnerability
 
RubyInstaller CVE-2012-5380 Insecure File Permissions Vulnerability
 
It isn't yet time to stock up on canned beans and bottled water, but a potential conflict with Syria--which hasn't been shy about attacking vulnerable U.S. infrastructure--should have your organization reviewing its disaster-preparedness plans.
 
Apple appears likely to release OS X Mavericks, its next edition of the Mac operating system, near the end of October.
 
Early adopters who want to get their hands on the latest Samsung smartwatch and phablet will have to plunk down some major coin based on what U.S. carriers announced today they will be charging for bundled deals.
 
The federal judge presiding over the U.S. electronic books case against Apple has barred the company from striking deals that would ensure that it could undercut prices of other retailers in the e-book market.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in roundcubemail: Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated gdm and initscripts packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
 
JGroups 'DiagnosticsHandler::run()' Method Security Bypass Vulnerability
 
ActivePerl CVE-2012-5377 Insecure File Permissions Vulnerability
 
Apache Santuario XML Security for JAVA XML Signature CVE-2013-2172 Security Bypass Vulnerability
 
Acer has chosen a different approach to the all-in-one PC, installing Android instead of Windows on its upcoming DA241HL, but the problem is that Google's operating system isn't a desktop OS.
 

Given that we now know that the National Security Agency (NSA) has the ability to compromise some, if not all of VPN, SSL, and TLS forms of data transmission hardening, it’s worth considering the various vectors of technical and legal data-gathering that high-level adversaries in America and Britain (and likely other countries, at least in the “Five Eyes” group of anglophone allies) are likely using in parallel to go after a given target. So far, the possibilities include:

  • A company volunteers to help (and gets paid for it)
  • Spies copy the traffic directly off the fiber
  • A company complies under legal duress
  • Spies infiltrate a company
  • Spies coerce upstream companies to weaken crypto in their products/install backdoors
  • Spies brute force the crypto
  • Spies compromise a digital certificate
  • Spies hack a target computer directly, stealing keys and/or data, or sabotaging it.

Let’s take these one at a time.

Voluntary sharing

As Ars has reported before, one of the major telecommunications companies in America—either Verizon or AT&T—went to the NSA in the days after September 11, 2001 because it “noticed odd patterns in domestic calling records surrounding the events of 11 September and offered call records and analysis."

Google added an App Launcher preview to Chrome on OS X that lets Mac owners run the company's new packaged apps from the Dock.
 
There's no doubt that TV makers are excited about 4K television. The sets, which offer four times the detail of today's high-definition sets, are appearing in increasing numbers and consumers too seem convinced by the technology, which must be a relief to the industry after the cool reception that 3D TV got a few years ago.
 
By layering data from 311 and 911 calls over Census data, unemployment data and other poverty indicators, Buffalo uses data analytics to identify its most challenged neighborhoods and more effectively deploy resources for everything from neighborhood beautification to combatting crime and reducing fire hazards.
 
As the market for contact center outsourcing has matured, buyers are increasingly looking for sophisticated support from suppliers to enhance the customer experience across multiple channels, which include mobile apps and social media.
 

I peruse my spam folder periodically looking for anything out of the ordinary. I also examine quite closely emails that are obviously spam but make it through to my inbox. This one in fact reads a lot like a job application, or a business promotion attempt gone wrong. Unlike a job application it was not addressed to anyone in particular, and was in fact sent to the SANS Internet Storm Center Handlers distribution list. The fact that the handlers are on a spam list I suppose is not surprising. What I find odd is that this person who is looking for work bought a list for the purpose of spamming it! He did not attach a resume (unlike spammer Bernard Shifman); however, he did place a link to his LinkedIn profile so that the recipients of his spam can read all about his having achieved his MBA. Which made me wonder if they teach spamming at college or university these days? My thoughts on the subject are that spamming is not the way to go when marketing yourself or your business. Also I am fairly certain SANS would not hire a spammer as a 'business analyst'. The handlers list has never been used to advertise any job openings. Which really has me wondering where he got it? Also, where would he get the idea that spamming random people on the Internet would help his job search?

Here is the first part of the correspondence:

He is unapologetic and responds that he is being creative!

I wonder if they teach ethics in business at the place he acquired his MBA? What do you think? Creative or a spammer?
Would you hire or do business with a spammer? He appears to be in good company; has spamming become the new resume distribution method of choice?
http://blog.dynamoo.com/2013/06/is-this-guy-moron-spammer.html


I find it depressing that the spammer appears to have in fact gotten a job roughly four weeks later. Well, according to his LinkedIn profile, so it must be true!

A recommended read on how to actually find a job without sending spam:
http://careers.theguardian.com/careers-blog/why-you-need-to-stop-spamming-employers

What is a 'Bernard Shifman':
http://web.archive.org/web/20030602190540/www.petemoss.com/spamflames/ShifmanIsAMoronSpammer.html

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Auction giant eBay wants to know how you feel about Bitcoin.
 
Facebook has laid out big plans in recent months to simplify the app development process by acquiring Parse. But the social network actually had its eye on the cloud service company for years, and at one point the two considered a different partnership.
 
NASA's black-hole-hunting spacecraft NuSTAR hit its first major milestone, detecting 10 "supermassive" black holes.
 
Facebook has closed the notice and comments period on the proposed changes to its privacy policy, and expects to decide by next week whether it needs to further update the policy in the wake of user feedback.
 
Apple is investigating a supplier factory in China for alleged labor violations, after a watchdog group claimed the facility had been forcing its employees to work long hours assembling iPhones.
 
Citrix CloudPortal Services Manager CVE-2013-2939 Unspecified Security Vulnerability
 
Linux Kernel 'dispatch_discard_io()' Function Security Bypass Vulnerability
 
Citrix CloudPortal Services Manager CVE-2013-2936 Unspecified Security Vulnerability
 
Citrix CloudPortal Services Manager CVE-2013-2933 Unspecified Security Vulnerability
 

Posted by InfoSec News on Sep 06

http://healthitsecurity.com/2013/09/04/ehr-and-mobile-device-auditing-security-requires-vigilance/

By Dom Nicastro
Health IT Security
September 4, 2013

If you need a few reasons to adapt to the latest security advancements, just
look at the calendar for September and circle the “23”. That’s compliance day
for the HIPAA Omnibus Rule, which modifies the privacy, security and
enforcement rules. There are 659 more reasons – one for every...
 

Posted by InfoSec News on Sep 06

http://www.wired.com/threatlevel/2013/09/nsa-backdoored-and-stole-keys/

By Kim Zetter
Threat Level
Wired.com
09.05.13

It was only a matter of time before we learned that the NSA has managed to
thwart much of the encryption that protects telephone and online
communication, but new revelations show the extent to which the agency,
and Britain’s GCHQ, have gone to systematically undermine encryption.

Without the ability to actually crack the...
 

Posted by InfoSec News on Sep 06

http://www.chicagotribune.com/news/local/breaking/chi-advocate-medical-group-didnt-adequately-secure-data-classaction-suit-says-20130905,0,7744379.story

By Mitch Smith
Tribune reporter
September 5, 2013

Advocate Medical Group, already under federal and state investigation after the
theft of computers containing personal information on millions of people, is
now facing a class-action lawsuit from patients who say the Downers Grove-based...
 

Posted by InfoSec News on Sep 06

http://www.zdnet.com/darknets-wargames-and-raspberry-pi-at-first-ever-balkan-hacker-conference-7000020315/

By Violet Blue
Zero Day
ZDNet News
September 6, 2013

Because hackers are under such scrutiny and debate right now, and because
hackers have literally changed the world we live in - as well as royally pissed
off so many people - we know that this is leading somewhere.

Right now, it has led me to Serbia for BalCCon 2013: First Contact...
 

Posted by InfoSec News on Sep 06

http://rt.com/usa/fbi-adds-sea-wanted-list-484/

RT.com
September 06, 2013

The Federal Bureau of Investigation has added the Syrian Electronic Army (SEA),
an active group of hackers sympathetic to the government of Syrian President
Bashar Assad, to its list of wanted criminals.

Though working largely on the periphery for the last few years, the SEA has
recently raised its profile considerably after temporarily disabling major
media outlets....
 

InfoSec Skills Partners with Global Certification Institute (GCI) to ...
PR.com (press release)
InfoSec Skills has entered into a partnership agreement with Australia's leading certification and examination services provider to launch a new certification scheme in Information Assurance for the Asia Pacific marketplace. This incorporates ...
GCI to distribute BCS-accredited IA training to combat skills shortageIDG News Service

 
VMware ESXi and ESX NFC Protocol Handling Remote Denial of Service Vulnerability