Hacking & Security

Beware of Skimming Devices Installed on the ATM Vestibule Doors

The Hacker News - 19 March 2015 - 12:52
Despite the anti-skimmer ATM lobby access control systems available on the market, we have seen a number of incidents in recent years where criminals used card skimmers at ATM doors. A few years back, cyber criminals started using card skimmers on the door of the ATM vestibule, where customers have to slide their credit or debit cards to gain access to the ATM. The typical ATM Skimming
Category: Hacking & Security

OpenSSL Patch to Plug Severe Security Holes

LinuxSecurity.com - 19 March 2015 - 12:10
LinuxSecurity.com: The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL - the software used by thousands of companies to encrypt online communications - is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as "high" severity.
Category: Hacking & Security

How We Become Habituated to Security Warnings on Computers

LinuxSecurity.com - 19 March 2015 - 12:05
LinuxSecurity.com: Abstract: Research on security warnings consistently points to habituation as a key reason why users ignore security warnings. However, because habituation as a mental state is difficult to observe, previous research has examined habituation indirectly by observing its influence on security behaviors.
Category: Hacking & Security

New BIOS Implant, Vulnerability Discovery Tool to Debut at CanSecWest

LinuxSecurity.com - 19 March 2015 - 12:02
LinuxSecurity.com: When the National Security Agency's ANT division catalog of surveillance tools was disclosed among the myriad of Snowden revelations, its desire to implant malware into the BIOS of targeted machines was unquestionable.
Category: Hacking & Security

Facebook Vulnerability Leaks Users' Private Photos

The Hacker News - 19 March 2015 - 10:44
If you have enabled the automatic Facebook Photo Sync feature on your iPhone, iPad or Android device, then beware! Hackers can steal your personal photographs without your knowledge. In 2012, the social network giant introduced the Facebook Photo Sync feature for iPhone, iPad and Android devices which, if opted in, allows Facebook to automatically sync all your photos saved on your mobile device
Category: Hacking & Security

Convicted Tax Fraudster & Fugitive Caught

Krebs on Security - 19 March 2015 - 06:02

Lance Ealy, an Ohio man who fled home confinement last year just prior to his conviction on charges of filing phony tax refund requests on more than 150 Americans, was apprehended in a pre-dawn raid by federal marshals in Atlanta on Wednesday.

Lance Ealy, in a self-portrait he uploaded to Twitter before absconding.

Ealy, 28, of Dayton, Ohio, was the subject of no fewer than three previous posts on this blog. Ealy reached out to me in February 2014, after being arrested by the U.S. Secret Service for using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by a guy named Hieu Minh Ngo.

Ngo is a Vietnamese national who, for several years, ran an online identity theft service called Superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty last year to running the ID theft service, and the government has been working on rounding up his customers ever since.

Mr. Ealy was one of several individuals found guilty of identity theft charges after buying from Ngo’s service, which relied in part on data obtained through a company owned by big-three credit bureau Experian.

After being indicted on 46 counts of fraudulent activity, Ealy fired his attorney and chose to represent himself in court. In mid-November 2014 — just days before the jury in his trial was to issue its guilty verdict — Ealy slipped his ankle monitor and skipped town, but not before posting a taunting selfie to his Twitter account.

In the four months since his disappearance, investigators caught glimpses of Ealy jumping online as he made his way south to Atlanta. Incredibly, Ealy took time to file several lengthy pro se legal arguments (PDF) stating why the judge in the case was not impartial and that he deserved a retrial. When federal officials prosecuting his case responded (PDF) incredulously to his request, Ealy took it upon himself to file a response (PDF) to their motion for dismissal — all while on the lam.

Investigators close to the case say Ealy continued filing false tax refund requests while on the run from the law. But instead of turning to an underground identity theft service as he did previously, investigators say Ealy appears to have paid numerous inmates serving time in Ohio prisons for permission to file tax refund requests on their behalf with the Internal Revenue Service (IRS) — topping up the inmates’ commissary funds to the tune of $100 per filing while pocketing the rest of the fraudulent refunds.

According to whio.com, Ealy remains in the Northern District of Georgia until he can be extradited.

Category: Hacking & Security

Understanding iOS Security: Part 1

InfoSec Institute Resources - 19 March 2015 - 00:33

Apple uses iOS (operating system) to power many of its mobile devices such as iPhone, iPad and so on. From the beginning, security has been placed at the core of iOS. There are many inherent features that secure the device and its resources at different levels. This article aims to provide answers to questions such […]

The post Understanding iOS Security: Part 1 appeared first on InfoSec Institute.

Category: Hacking & Security

Introduction to GSM Security

InfoSec Institute Resources - 19 March 2015 - 00:32

Introduction: The Global System for Mobile Communication, or GSM, is a digital wireless communication technology that is widely deployed across the globe for mobile communications, such as mobile phones. This technology utilizes microwaves, and its signal transmission is divided by time, a scheme known as Time Division Multiple Access (TDMA). In this article, I […]

The post Introduction to GSM Security appeared first on InfoSec Institute.

Category: Hacking & Security

html5ever project update: one year!

main is usually a function - 19 March 2015 - 00:29

I started the html5ever project just a bit over one year ago. We adopted the current name last July.

<kmc> maybe the whole project needs a better name, idk
<Ms2ger> htmlparser, perhaps
<jdm> tagsoup
<Ms2ger> UglySoup
<Ms2ger> Since BeautifulSoup is already taken
<jdm> html5ever
<Ms2ger> No
<jdm> you just hate good ideas
<pcwalton> kmc: if you don't call it html5ever that will be a massive missed opportunity

By that point we already had a few contributors. Now we have 469 commits from 18 people, which is just amazing. Thank you to everyone who helped with the project. Over the past year we've upgraded Rust almost 50 times; I'm extremely grateful to the community members who had a turn at this Sisyphean task.

Several people have also contributed major enhancements. For example:

  • Clark Gaebel implemented zero-copy parsing. I'm in the process of reviewing this code and will be landing pieces of it in the next few weeks.

  • Josh Matthews made it possible to suspend and resume parsing from the tree sink. Servo needs this to do async resource fetching for external <script>s of the old-school (non-async/defer) variety.

  • Chris Paris implemented fragment parsing and improved serialization. This means Servo can use html5ever not only for parsing whole documents, but also for the innerHTML/outerHTML getters and setters within the DOM.

  • Adam Roben brought us dramatically closer to spec conformance. Aside from foreign (XML) content and <template>, we pass 99.6% of the html5lib tokenizer and tree builder tests! Adam also improved the build and test infrastructure in a number of ways.

I'd also like to thank Simon Sapin for doing the initial review of my code, and finding a few bugs in the process.

html5ever makes heavy use of Rust's metaprogramming features. It's been something of a wild ride, and we've collaborated with the Rust team in a number of ways. Felix Klock came through in a big way when a Rust upgrade broke the entire tree builder. Lately, I've been working on improvements to Rust's macro system ahead of the 1.0 release, based in part on my experience with html5ever.

Even with the early-adopter pains, the use of metaprogramming was absolutely worth it. Most of the spec-conformance patches were only a few lines, because our encoding of parser rules is so close to what's written in the spec. This is especially valuable with a "living standard" like HTML.

The future

Two upcoming enhancements are a high priority for Web compatibility in Servo:

  • Character encoding detection and conversion. This will build on the zero-copy UTF-8 parsing mentioned above. Non-UTF-8 content (~15% of the Web) will have "one-copy parsing" after a conversion to UTF-8. This keeps the parser itself lean and mean.

  • document.write support. This API can insert arbitrary UTF-16 code units (which might not even be valid Unicode) in the middle of the UTF-8 stream. To handle this, we might switch to WTF-8. Along with document.write we'll start to do speculative parsing.

It's likely that I'll work on one or both of these in the next quarter.
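The UTF-16-into-UTF-8 problem behind the document.write item above, as an added example that is not html5ever's own code: a WTF-8 encoder that accepts any sequence of UTF-16 code units, including lone surrogates that are not valid Unicode, and emits them as the 3-byte "generalized UTF-8" sequences the WTF-8 spec allows and strict UTF-8 forbids. The function names are mine, and the checks at the end show what a strict-UTF-8 consumer would do with such bytes.

```rust
/// Encode UTF-16 code units as WTF-8 bytes (added example, not html5ever code).
/// A well-formed surrogate pair becomes the 4-byte UTF-8 form of its scalar value;
/// a lone surrogate is emitted as a 3-byte "generalized UTF-8" sequence
/// (ED A0..BF xx), which strict UTF-8 forbids. Well-formed UTF-16 input
/// therefore produces ordinary UTF-8, so WTF-8 is a superset of UTF-8.
pub fn wtf8_encode(units: &[u16]) -> Vec<u8> {
    let mut out = Vec::with_capacity(units.len() * 3);
    let mut i = 0;
    while i < units.len() {
        let u = units[i] as u32;
        let is_high = (0xD800..0xDC00).contains(&u);
        let next_is_low = i + 1 < units.len()
            && (0xDC00..0xE000).contains(&(units[i + 1] as u32));
        let code_point = if is_high && next_is_low {
            let low = units[i + 1] as u32;
            i += 2;
            0x10000 + ((u - 0xD800) << 10) + (low - 0xDC00)
        } else {
            // BMP scalar value, or a lone surrogate passed through unchanged.
            i += 1;
            u
        };
        push_generalized_utf8(&mut out, code_point);
    }
    out
}

/// Standard UTF-8 bit layout, applied without the surrogate-range check.
fn push_generalized_utf8(out: &mut Vec<u8>, cp: u32) {
    match cp {
        0..=0x7F => out.push(cp as u8),
        0x80..=0x7FF => {
            out.push(0xC0 | (cp >> 6) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        0x800..=0xFFFF => {
            out.push(0xE0 | (cp >> 12) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        _ => {
            out.push(0xF0 | (cp >> 18) as u8);
            out.push(0x80 | ((cp >> 12) & 0x3F) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
    }
}

/// A consumer that requires strict UTF-8 (for example a Rust `&str`) must reject
/// the surrogate sequences WTF-8 permits; `from_utf8` does exactly that.
pub fn is_strict_utf8(bytes: &[u8]) -> bool {
    std::str::from_utf8(bytes).is_ok()
}

/// Count the encoded lone surrogates (ED A0..BF xx) in a WTF-8 byte string, so a
/// parser can report how much of a document.write payload was not valid Unicode.
pub fn count_lone_surrogates(bytes: &[u8]) -> usize {
    bytes
        .windows(3)
        .filter(|w| w[0] == 0xED && (0xA0..=0xBF).contains(&w[1]) && (0x80..=0xBF).contains(&w[2]))
        .count()
}

fn main() {
    // Constructed input: "a", then U+1F600 as a surrogate pair, then a lone high surrogate.
    let units = [0x0061u16, 0xD83D, 0xDE00, 0xD800];
    let bytes = wtf8_encode(&units);
    println!(
        "{:02X?} strict_utf8={} lone_surrogates={}",
        bytes,
        is_strict_utf8(&bytes),
        count_lone_surrogates(&bytes)
    );
}
```

The design point is the one the post makes: because every valid UTF-8 string is already valid WTF-8, a parser that works on WTF-8 internally can keep zero-copy UTF-8 input untouched and only pays for the surrogate encoding on the code units document.write actually injects; the count function shows where a sink that needs strict UTF-8 would have to replace or reject those bytes.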

Servo may get SVG support in the near future, thanks to canvg. SVG nodes can be embedded in HTML or loaded from an external XML file. To support the first case, html5ever needs to implement WHATWG's rules for parsing foreign content in HTML. To handle external SVG we could use a proper XML parser, or we could extend html5ever to support "XML5", an error-tolerant XML syntax similar to WHATWG HTML. Ygg01 made some progress towards implementing XML5. Servo would most likely use it for XHTML as well.

Improved performance is always a goal. html5ever describes itself as "high-performance" but does not have specific comparisons to other HTML parsers. I'd like to fix that in the near future. Zero-copy parsing will be a substantial improvement, once some performance issues in Rust get fixed. I'd like to revisit SSE-accelerated parsing as well.

I'd also like to support html5ever on some stable Rust 1.x version, although it probably won't happen for 1.0.0. The main obstacle here is procedural macros. Erick Tryzelaar has done some great work recently with syntex, aster, and quasi. Switching to this ecosystem will get us close to 1.x compatibility and will clean up the macro code quite a bit. I'll be working with Erick to use html5ever as an early validation of his approach.

Simon has extracted Servo's CSS selector matching engine as a stand-alone library. Combined with html5ever this provides most of the groundwork for a full-featured HTML manipulation library.

The C API for html5ever still builds, thanks to continuous integration. But it's not complete or well-tested. With the removal of Rust's runtime, maintaining the C API does not restrict the kind of code we can write in other parts of the parser. All we need now is to complete the C API and write tests. This would be a great thing for a community member to work on. Then we can write bindings for every language under the sun and bring fast, correct, memory-safe HTML parsing to the masses :)

Double FREAK! A cryptographic bug that was found because of the FREAK bug

Sophos Naked Security - 19 March 2015 - 00:24
Researchers checking up on the state of FREAK patching turned up another bug as a result. Sometimes, finding programming mistakes requires serendipitous coincidences!

Deep Web Drug Market Disappeared suddenly Overnight, $12 Million in Bitcoin Missing

The Hacker News - 18 March 2015 - 18:21
Evolution, the largest Deep Web drug marketplace, disappeared suddenly overnight from the Internet. But unlike Silk Road, there is no indication that law enforcement took down the Evolution marketplace. The Darknet's most popular market for drugs and bespoke carjacking services is mysteriously offline Wednesday, with rumours circulating over the Internet that its own administrators
Category: Hacking & Security

Microsoft takes 4 years to recover privileged TLS certificate addresses

Ars Technica - 18 March 2015 - 18:04

On Tuesday, Ars chronicled Microsoft's four- to six-week delay responding to a Finnish man who had obtained a Windows Live e-mail address that allowed him to register unauthorized transport layer security certificates for the live.fi domain. Today comes the tale of a Belgian IT worker who has waited more than four years to return two similar addresses for the live.be domain.

Microsoft's delay in securing the addresses such as hostmaster@live.fi and administrator@live.be has potential consequences for huge numbers of people. Browser-trusted certificate authorities such as Comodo grant unusually powerful privileges to people with such an address. All the account holders had to do was ask for a domain-validated TLS certificate for live.fi or live.be. Once they clicked a validation link Comodo sent to their e-mail addresses, the certificates were theirs. Comodo's automatic certificate application also works for addresses with the words admin, postmaster, and webmaster immediately to the left of the @ and the domain name for which the certificate is being applied.

It came as a surprise that Microsoft waited until this week to respond to the Finnish man's report, reportedly from January, that he came into possession of the hostmaster@live.fi address. One would have expected such addresses to be locked down tight to begin with. Once a breach of this policy was reported, it would have been reasonable to assume Microsoft security personnel would respond to it within a day or two, if not sooner. But the Belgian IT worker's e-mail reveals a mind-boggling wait of more than four years for company officials to respond to his private and voluntary report he was sitting on the addresses admin@live.be and administrator@live.be.
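A defender-side check for the issue described above, added here as an example and not Microsoft's or Comodo's code: a sign-up validator that refuses the mailbox names a CA's e-mail-based domain validation accepts as proof of domain control (the five local parts the article names), plus an audit over existing accounts for the case the article actually describes, where such addresses were registered years earlier. The normalisation step (case folding, stripping a `+tag` subaddress, optional dot-insensitivity) is my assumption about what a mail provider does before matching, not something the article states; the account list and domains are constructed.

```rust
/// Mailbox names that, per the article, satisfy e-mail-based domain validation
/// at a CA such as Comodo. Any account holding one of these local parts can be
/// issued a certificate for the domain, so a mail provider must never hand them
/// out to ordinary users. (Added example; list taken from the article.)
const RESERVED_LOCAL_PARTS: &[&str] =
    &["admin", "administrator", "hostmaster", "postmaster", "webmaster"];

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed,
    /// The normalised local part matched a reserved name.
    ReservedLocalPart(String),
    Malformed,
}

/// Normalise a local part before comparison (assumed provider behaviour):
/// case-fold, drop anything after a '+' subaddress separator, and optionally
/// ignore dots for providers whose mailboxes are dot-insensitive.
pub fn normalize_local_part(local: &str, ignore_dots: bool) -> String {
    let lowered = local.trim().to_lowercase();
    let base = lowered.split('+').next().unwrap_or("");
    if ignore_dots {
        base.replace('.', "")
    } else {
        base.to_string()
    }
}

/// Decide whether a requested address may be registered by an ordinary user.
pub fn check_signup(address: &str, ignore_dots: bool) -> Verdict {
    // Split on the last '@' so a quoted local part containing '@' still parses.
    let (local, domain) = match address.rsplit_once('@') {
        Some(pair) => pair,
        None => return Verdict::Malformed,
    };
    if local.is_empty() || domain.is_empty() {
        return Verdict::Malformed;
    }
    let norm = normalize_local_part(local, ignore_dots);
    if RESERVED_LOCAL_PARTS.contains(&norm.as_str()) {
        Verdict::ReservedLocalPart(norm)
    } else {
        Verdict::Allowed
    }
}

/// Retroactive audit: return the existing accounts that hold a reserved name.
/// A provider would lock or reclaim these, not merely log them.
pub fn audit_accounts<'a>(accounts: &[&'a str], ignore_dots: bool) -> Vec<&'a str> {
    accounts
        .iter()
        .copied()
        .filter(|a| matches!(check_signup(a, ignore_dots), Verdict::ReservedLocalPart(_)))
        .collect()
}

fn main() {
    // Constructed account list; the domain is a placeholder, not a real mailbox.
    let accounts = [
        "alice@example.test",
        "Administrator@example.test",
        "host.master+ca@example.test",
    ];
    for a in audit_accounts(&accounts, true) {
        println!("reserved mailbox held by an ordinary user: {a}");
    }
}
```

The `ignore_dots` flag matters because a provider that delivers `host.master@` to the same inbox as `hostmaster@` has effectively issued the reserved address even though the literal string differs; the check has to mirror whatever equivalence the delivery side applies.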


Category: Hacking & Security

Fighting botnets

Novinky.cz - security - 18 March 2015 - 18:00
Under a legislative proposal by the US government, operating a botnet is to be added to the list of criminal offences for which a court order may be issued. Botnets, that is, networks of computers controlled by the internet underworld without their owners' knowledge, pose a major threat according to US authorities.
Category: Hacking & Security

Breach at Premera Blue Cross Affects 11 Million

Threatpost - 18 March 2015 - 17:17
Hackers wriggled their way into the servers of health insurance provider Premera Blue Cross last year, and potentially exposed the information of 11 million members, employees and other associates.
Category: Hacking & Security

OpenSSL Patch to Plug Severe Security Holes

Krebs on Security - 18 March 2015 - 16:35

The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.

OpenSSL is deployed at countless organizations, including at Web giants like Facebook, Google and Yahoo — as well as broadly across U.S. federal government networks. As its name suggests, OpenSSL implements Secure Sockets Layer (SSL) encryption (also known as “transport layer security” or TLS) for Web sites and associated networks, ensuring that the data cannot be read by untrusted parties.

The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That’s because security updates — particularly those added to open-source software like OpenSSL that anyone can view — give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws.

Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.

“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner.

In the wake of Heartbleed, media organizations asked how such a bug — which many security experts said was a fairly obvious blunder in hindsight — could have gone undetected in the guts of the open-source code for so long. Marquess took to his blog to explain, posting an open letter requesting additional financial support for the OpenSSL project and pointing out the stark fact that so much of the Internet runs on top of software that is maintained by a tiny team with a shoestring budget.

“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Marquess wrote of the Heartbleed bug.

In an interview with KrebsOnSecurity, Marquess said the updates to be released tomorrow are partly the product of a spike in donations and funding the organization received in the wake of Heartbleed.

In that brief glare of publicity, the OpenSSL Foundation landed two Linux Foundation fellowships — meaning the group gained two new people who are paid for three years to work full-time on improving the security and stability of OpenSSL. Using donations and some commercial revenues, the foundation also is self-funding two additional people to maintain the code.

“We have four people working full-time on OpenSSL doing just what needs to be done, as opposed to working on stuff that brings in revenue,” Marquess said. “We have a lot more manpower resources, and one of the reasons you’re seeing all these bug and vulnerability fixes coming out now is that not only are outsiders looking for problems but we are too. We’re also doing a major overhaul of the source code, in conjunction with what is going to be probably the biggest crypto audit ever.”

Category: Hacking & Security

Apple Patches WebKit Vulnerabilities in Safari

Threatpost - 18 March 2015 - 16:35
Apple released new versions of Safari that patch a number of WebKit vulnerabilities.
Category: Hacking & Security

Mobile Android, iOS Apps Still Vulnerable to FREAK Attacks

Threatpost - 18 March 2015 - 16:18
FireEye scanned iOS and Android apps downloaded billions of times in aggregate and determined that, despite the availability of patches, because the apps still connect to vulnerable HTTPS servers, they’re subject to FREAK attacks.
Category: Hacking & Security

SSCC 190 - The CeBIT 2015 edition [PODCAST]

Sophos Naked Security - 18 March 2015 - 14:48
Recorded right on the Sophos booth at the CeBIT show in Hannover, Germany. Here's the Fifth Anniversary edition of our weekly podcast...enjoy!

Microsoft showed off Windows Hello sign-in. No more text passwords

Zive.cz - security - 18 March 2015 - 12:45
A few years ago a new alliance of manufacturers, FIDO, was formed with the goal of unifying biometric and other secure sign-in, not only to computers but also to web services, applications and so on. In spring 2013 Google also joined the alliance, and last autumn it added FIDO support to its Chrome browser. To its ...
Category: Hacking & Security

Google Now Manually Reviews Play Store Android App Submissions

The Hacker News - 18 March 2015 - 12:39
Google has changed the way it manages apps on the Google Play Store. After years of depending on an automated app check process, the company has just made some changes to its Play Store policies that will successfully weed out malicious and undesirable apps from the Google Play store. Google has introduced an update for developers and users that's sure to make some parents happy and some developers sad.
Category: Hacking & Security