Hacking & Security

Google Launches USB-Based "Security Key" To Strengthen 2-Step Verification

The Hacker News - 22 October, 2014 - 11:56
Google is taking its users’ privacy very seriously and making every possible effort to make its users feel secure when they are online. Today, the tech giant announced its enhanced two-step verification service, which is based on a physical USB key, adding yet another layer of security to protect its users from hackers and other forms of online theft.
Category: Hacking & Security

iPhone Encryption and the Return of the Crypto Wars

LinuxSecurity.com - 22 October, 2014 - 10:46
LinuxSecurity.com: Last week, Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.
Category: Hacking & Security

USB is now UEC (use with extreme caution)

LinuxSecurity.com - 22 October, 2014 - 10:44
LinuxSecurity.com: USB is an acronym for Universal Serial Bus; at least that is what it has stood for since 1999 when it was patented. But now it may take on a new meaning and instead stand for Ultimate Security Breakdown.
Category: Hacking & Security

Is your phone line a '6-figure liability waiting to happen'?

Sophos Naked Security - 22 October, 2014 - 10:21
Premium-rate service scams are sticking businesses - particularly small ones using local carriers - with outrageous phone bills, to the tune of $4.73 billion globally for 2013. Many businesses aren't even aware that they can be stuck paying the bill (or fighting it in court).

Google Search Algorithm to Demote Piracy Sites In Search Results

The Hacker News - 22 October, 2014 - 09:34
The search engine giant is not going to spare sites that provide pirated content. Google is ready to fulfill its commitment to downgrade the search rankings of ‘notorious’ piracy sites globally, which often rank above legal and commercial sites. Google and copyright holders have been, to some extent, enemies for years, but in Google's ongoing anti-piracy efforts, the company will fight
Category: Hacking & Security

Staples likely breached, retailer defenses back in spotlight

Ars Technica - 21 October, 2014 - 22:35

Office supply retailer Staples is investigating a possible breach of its systems following reports from the banking industry of fraudulent credit and debit card transactions at stores in the northeastern United States.

On Tuesday, the company acknowledged that a breach may have occurred and that it had contacted the appropriate law enforcement agencies. The retailer declined to provide further details.

“Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement,” a spokesperson said in a statement sent to Ars. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”


Category: Hacking & Security

In wake of Anonabox, more crowdsourced Tor router projects make their pitch

Ars Technica - 21 October, 2014 - 21:45
The Invizbox Tor router hardware—the same as Anonabox, but with truth in advertising. Invizbox

Last week, Ars reported on the story of Anonabox, an effort by a California developer to create an affordable privacy-protecting device based on the open source OpenWRT wireless router software and the Tor Project’s eponymous Internet traffic encryption and anonymization software. Anonabox was pulled from Kickstarter after accusations that the project misrepresented its product and failed to meet some basic security concerns—though its developers still plan to release their project for sale through their own website.

But Anonabox’s brief campaign on Kickstarter has demonstrated demand for a simple, inexpensive way to hide Internet traffic from prying eyes. And there are a number of other projects attempting to do what Anonabox promised. On Kickstarter competitor Indiegogo there’s a project called Invizbox that looks almost identical to Anonabox—except for the approach its team is taking to building and marketing the device.

Based on the Chinese-built WT 3020A—a small wireless router that appears identical to the box that was the basis for the Anonabox—the Invizbox will have similar specs to the cancelled Kickstarter: 64 megabytes of RAM, 16 megabytes of Flash storage, and the Linux-based OpenWRT embedded OS. The main difference, according to the Dublin, Ireland-based team behind Invizbox (Elizabeth Canavan, Paul Canavan, and Chris Monks) is that their Tor router will be locked down better—and they won’t pretend that they’re using custom-built hardware.


Category: Hacking & Security

D.C.’s Complicated View of Cyberwar, Regulation, Liability

Threatpost - 21 October, 2014 - 21:03
Former NSA general counsel Stewart Baker shared his insight on Washington's perceptions of cyberwar during his keynote address at the Cybersecurity Summit in Minneapolis.
Category: Hacking & Security

Beware of phishing and malware-spreading campaigns exploiting the Ebola epidemic

CSIRT.cz - 21 October, 2014 - 19:43

US-CERT urges users to watch out for e-mail scams exploiting the spread of the Ebola virus. Phishing e-mails may contain links that lead users to sites collecting personal information such as login credentials, or may carry malicious attachments that can infect the system.

Category: Hacking & Security

Mac OS X 10.10 Yosemite sends data about the user's location and Safari search terms to Apple's servers

CSIRT.cz - 21 October, 2014 - 19:35

Apple's latest desktop operating system, known as Mac OS X 10.10 Yosemite, sends information about the user's location and searches to Apple's servers without the user's knowledge.

Category: Hacking & Security

New scareware campaign deceives users with a fake antivirus

CSIRT.cz - 21 October, 2014 - 19:28

A new type of scareware advertisement attack deceives users by claiming that their system has been infected and now needs the help of experts who will remove the malware. The malware's distribution mechanism is quite simple. Once the computer has first been infected with adware, an advertisement for a fake antivirus unexpectedly "pops up" while the user is browsing.

Category: Hacking & Security

Cisco products vulnerable to the POODLE attack

CSIRT.cz - 21 October, 2014 - 19:23

Cisco is analyzing its products to identify those affected by the recently disclosed vulnerability in version 3 of the Secure Sockets Layer (SSL) protocol.

Category: Hacking & Security

FTC Hires Privacy Researcher Ashkan Soltani as Chief Technologist

Threatpost - 21 October, 2014 - 18:44
The FTC has hired Ashkan Soltani, a highly regarded and respected technologist and privacy researcher, as its chief technologist.
Category: Hacking & Security

Staples Looking into Potential Payment Card Breach

Threatpost - 21 October, 2014 - 18:08
The office supply chain Staples is reportedly looking into a payment data card breach, potentially making it the latest in a long line of retail establishments to suffer a compromise over the last year.
Category: Hacking & Security

Android NFC hack allows users to get free rides on public transportation

Kaspersky Securelist - 21 October, 2014 - 17:39

"Tarjeta BIP!" is the electronic payment system used in Chile to pay for public transportation via NFC built into the user's smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have already been rolled out worldwide. This is a trend, which means that criminal minds should be interested in it. Moreover, they are.

More and more people keep talking about paying via NFC. The problem in this particular case is that somebody reverse-engineered the "Tarjeta BIP!" cards and found a way to recharge them for free. So, on Oct. 16 the very first widely available Android app appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum equal to approximately $17 USD.

MD5 (PuntoBIP.apk) = 06a676fd9b104fd12a25ee5bd1874176

Immediately after it appeared on the Internet, many users downloaded it and confirmed they were able to recharge their travel cards. All they had to do was install the app on an NFC-capable Android device, hold the travel card against the phone and then push the button "Cargar 10k", which means "Refill the card with 10,000" Chilean pesos.

According to the metadata of the .dex file package, it was compiled on October 16, 2014 and is 884.5 kB (884491 bytes) in size. The feature it incorporates interacts directly with the NFC port: android.hardware.nfc

The app has four main features: "número BIP" to get the card number, "saldo BIP" to get the available balance, "Data carga" to refill the available balance and finally, perhaps the most interesting, "cambiar número BIP", which allows the user to change the card number altogether. Why would we say this last feature is the most interesting? Well, a source suggested the authorities were going to block fraudulently refilled BIP cards. However, as we can see, the app is able to change the BIP number.

Since the original links to download the app were taken down, new links appeared, now pointing to new servers and actually hosting a new app:

MD5 (PuntoBIP-Reloaded.apk) = 2c20d1823699ae9600dad9cd59e03021

This is a modified version of the previous app, compiled on the next business day, Oct 17, 2014, and a lot bigger at 2.7 MB (2711229 bytes). It includes an advertisement module that shows ads via the DoubleClick network.

Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a.

Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.

At the same time, it is important to mention that mobile payments are getting more and more popular. NFC is one of the most promising ports in this field. This is a good example of how fresh new payment schemes often present the same old problems.

Thanks to Roman Unuchek for his analytical insights.

You may follow me on twitter: @dimitribest

Google Adds Hardware Security Key For Account Protection

Threatpost - 21 October, 2014 - 15:18
Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites. The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites that are designed to capture users’ credentials. Attackers often go […]
Category: Hacking & Security

Strengthening 2-Step Verification with Security Key

Google Security Blog - 21 October, 2014 - 14:00

2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.

Today we’re adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.

Security Key works with Google Accounts at no charge, but you’ll need to buy a compatible USB device directly from a U2F participating vendor. If you think Security Key may be right for you, we invite you to learn more.

Posted by Nishit Shah, Product Manager, Google Security
Category: Hacking & Security

Hacking ATMs: The New Wave of Malware

InfoSec Institute Resources - 21 October, 2014 - 13:15

Introduction: In recent weeks, security experts at Kaspersky Lab have observed several attacks on Automated Teller Machines (ATMs) infected by malware dubbed Tyupkin. Tyupkin is one of the most popular pieces of malware used by criminals to compromise ATMs and force these machines to release cash on demand. Experts at [...]

Category: Hacking & Security

Protecting WordPress Installations in an IaaS Environment

InfoSec Institute Resources - 21 October, 2014 - 13:00

Introduction: In this article we’re going to take a look at how to secure a WordPress installation against attackers in an IaaS virtual machine. Virtual machines can be rented from various IaaS cloud providers, and only a credit card is needed to actually rent one, which is quite [...]

Category: Hacking & Security

UK considering imprisoning 'cowardly, venomous trolls' for up to 2 years

Sophos Naked Security - 21 October, 2014 - 12:42
Justice Secretary Chris Grayling said that new laws would quadruple the current maximum six-month term and show his determination to "take a stand against a baying cyber-mob".