Domain: krebsonsecurity.com
Stories and comments across the archive that link to krebsonsecurity.com.
Comments · 228
-
Re:This is an older skimmer...
-
Re:HTML5 promo ?
Is it *really* that hard to google 'adobe flash hack' & go to the first page?
http://krebsonsecurity.com/201...
"For the second time in a week, Adobe Systems Inc. says it plans fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team,"
-
Re:Both awesome and sad
I keep track of over 200 passwords, using a password manager. Why aren't you?
You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?
Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?
Hey, I'll admit carrying all those eggs in the same basket looks a lot more convenient than carrying them one by one. But some of us would rather only risk dropping them one at a time, than all 200 at once. -
Re:Great
Also, it seems like somebody finally found a use for Adobe Shockwave, I never thought this would happen and I am impressed that this somebody is the NASA.
-
Re:Are Chinese CCTV Products To Be Trusted?
Recent Foscam security cameras: http://krebsonsecurity.com/201...
IoT concerns: http://thenewstack.io/snooping...
Is a washed out former Washington Post journalist to be trusted?
Really, Krebs has the reputation, but unfortunately not the intelligence, of the NSA here on Slashdot.
Please don't post his shit links.
-
Are Chinese CCTV Products To Be Trusted?
Recent Foscam security cameras: http://krebsonsecurity.com/201...
IoT concerns: http://thenewstack.io/snooping...
-
It's Foscam you /.pussys
Really Dice, scared shitless to mention the manufacturer?
Here is the Krebs link if you want the actual details and don't want to dig it out of the articles linked in the summary: http://krebsonsecurity.com/201... -
Re:Who is still using mag stripes on ATM cards?
But the cards can be skimmed, and they have been! Getting the PIN is extremely simple, so don't even count on that as security. So it's just a matter of intercepting the data going to the bank as a man-in-the-middle, replicating even temporarily a card, predicting the upcoming "random" number, and so forth.
I'm not saying chip and pin is worse than mag stripe, but they are not so completely secure as the marketing would have you believe. Don't trust the banks or others when they say the cards "cannot be read". They have the same sorts of vulnerabilities as ATMs in many cases; relying on cheap manufacturers who don't follow best practices on security, overconfidence in the security, assuming a PIN is private, or willingness to accept a certain level of loss.
https://en.wikipedia.org/wiki/...
https://people.csail.mit.edu/r...
http://www.theregister.co.uk/2...
http://arstechnica.co.uk/tech-...
http://krebsonsecurity.com/201...
http://phys.org/news/2015-03-b...
http://www.thisismoney.co.uk/m... -
Sign up before the crooks do it for you
-
Re:BS: I answered your lie... apk
You admit your router goes down
Indeed, but the statistics I shared don't reflect my DNS server being prone to downtime. Having some down time does not equate to being prone to downtime.
I am merely pointing out ROUTERS (see 15 posts of mine with 225 examples of insecure routers)
Your problem, not mine.
DNS (kaminsky redirect poisoning flaw, dns amp attacks, rogue DNS servers etc.)
Not an issue I experience on my DNS server.
SINGLE POINTS OF FAILURE with MASSIVE VULNERABILITIES
If HA is necessary, I've told you the technologies you can use to do it.
you've got ALL YOUR EGGS IN A FAULTY BASKET with LITTLE "ROI" FOR THE EXTRA MONIES OUTLAID + POWER BILLS RAISED also!
I already measured the wattage my router uses, there is no noticeable difference between running a DNS server or not on it, so this is just further non-sense.
If you want to secure your TOYS?
Nah, I secure my entire network. Failure to secure certain systems is what leads to compromises. Such as when Target was hacked through HVAC company systems.
but you're depending on a SINGLE POINT OF FAILURE
I have a backup router I can plug in if this one fails (I don't need HA here, but could set it up if I wanted), I'm not seeing the single point of failure that hurts me here.
-
Routers alone = shit (here's proof #3/15)
http://it.slashdot.org/story/1...
http://it.slashdot.org/story/1...
http://it.slashdot.org/story/1...
http://krebsonsecurity.com/201...
http://krebsonsecurity.com/201...
http://krebsonsecurity.com/201...
http://krebsonsecurity.com/201...
http://krebsonsecurity.com/201...
http://lifehacker.com/software...
http://linux.slashdot.org/stor...
http://mobile.slashdot.org/sto...
http://mobile.slashdot.org/sto...
http://mobile.slashdot.org/mob...
http://linux.slashdot.org/comm...
http://linux.slashdot.org/comm...
APK
P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each)... apk
-
Response by a Norse Programmer and Brian Krebs
This is an interesting exchange in the comments to Brian's article, between him and a former employee of Norse: http://krebsonsecurity.com/201...
The ex-employee has written a blog post here (might be a liiiiiitle one-sided): http://pandawhale.com/post/703... -
Before we freak out
"A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles." http://krebsonsecurity.com/201...
-
Re:Modernization
-
Re:another spam hosting isp gets bit in the ass
The relationship between hosting companies and spammers is fascinating. I strongly recommend Krebs' book on this topic, it makes for an entertaining and educating read (the book is called "Spam Nation").
Check out this post on his blog about spammers and IBM:
Last month, anti-spam group Spamhaus.org listed Softlayer as the “#1 spam hosting ISP,” putting Softlayer at the very top of its World’s Worst Spam Support ISPs index. Spamhaus said the number of abuse issues at the ISP has “rapidly reached rarely previously seen numbers.”
-
Re:What is "crypting"?
But the bad guys didn’t exactly take this innovation laying down; rather, they responded with their own innovations. What they came up with is known as the “crypting” service, a service that has spawned an entire industry that I would argue is one of the most bustling and lucrative in the cybercrime underground today.
Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.
-
Re:The perfect storm
so wait, you are unhappy that we can setup our own OS on that thing? And to fix that, you are proposing to *restrict* the software you can run on it so that you can't modify it... that doesn't keep cisco routers from getting owned, or any other proprietary device from getting hacked, as far as i know.
there are literally millions of home routers that run a "limited set of well documented functions" that are regularly abused for DDOS attacks to a complete port scan of the entire internet. and there are hundreds of people trying to fix those machines in various ways, either by reverse-engineering the hardware and installing free software on it or by just fixing the proprietary crap that's shipped with those. at least this machine starts on the right foot: it ships with free software and allows you to run your own.
any machine comes with its own foot shooting device, whether it is its openness or the false feeling of security that it's fine black box that will never fail and never need to be upgraded.
not understanding and not being able to fix a device isn't an advantage in security, i thought we agreed on that...
-
The malware is injected into Web sites ..
-
Re:It is obvious that support most be provided...
If MS put real effort into providing good security [...]
You're bitching about an OS with mandatory access controls, DEP, ASLR, virtualized filesystem access, application whitelists, secure boot, and that runs its own authentication daemon in a VM so that not even the kernel itself can directly manage password hashes. You're doing this bitching in an article about a tool they maintain so you can harden and sandbox third-party programs, even when those programs weren't built with stack smashing or ASLR or all those neat Visual Studio canaries in mind.
[...]it would destroy the lucrative market for anti-malware software.
They bundle anti-malware software with the OS. They're, clearly, very concerned about not destroying all that filthy McAfee lucre.
-
Re:Chip cards would not have prevented Target Brea
If you can by-pass it then it effectively nullifies any security provided, so yes, it does count.
So if I try to rob a house, and I "bypass" the security system by robbing the next house over, does that mean the security system of the first house sucks?
If you are able to use entry into the second house to steal stuff from the first house, then yes, that the security on the first house is insufficient protection. If the two are completely unrelated, then the security of the first makes no difference.
In this case, card vs card+chip+pin is like two homes with a tunnel between them. The first home might be more secure, but the tunnel doesn't have any security on it. So the valuables in the first house are still at risk through entry into the second house; and the guy that sold the first house to the current owners failed to mention the existence of the tunnel.
Even aside from that, chip+PIN is nowhere near as secure as things like Google Wallet that provide single-use card numbers for each transaction.
How is this more secure?
The card number is single use. If they try to use it again, it doesn't work. So it's more secure in the same way that a one-time password is more secure. Google approves the single transaction, and denies any further ones. So yes, it's actually more secure but it also relies on NFC (Wallet+NFC, now Android Pay). It's less secure in that you're putting your bank/credit cards at a single source (Google, Apple, etc) and then using their services to make more secure transactions with others - so single point of failure in security. However, your card numbers won't be stolen from Target, Home Depot, Walmart, or any other vendor you do business with.
It's also been shown that people can completely clone a chip+PIN card, again rendering the added security null and void.
Do you have a citation?
here's a couple:
http://securityaffairs.co/word...
http://www.theage.com.au/it-pr... - also referenced at http://krebsonsecurity.com/201...
So yeah, if Krebs mentions it, it's probably been proven sufficiently, and likely happening. -
Re:Chip cards would not have prevented Target Brea
Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs' follow-up article: https://krebsonsecurity.com/20... "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
Except that chip cards don't provide the same card number for every transaction. In an EMV transaction the cashier requests that the terminal read the chip. Data from the chip gets sent to the processor. The processor sends data back to the card, which is then used to perform an action on the chip. Once the chip is done, it sends all of the information needed to capture the transaction to the processor. But it does not contain the actual card number.
EMV transactions all contain cryptograms with the card number. Target would only be able to see, at most, the first 6 digits and the last 4 digits of every card. Target would not have had anything to compromise. The processor would have had information that would be usable once to complete a single transaction. The card could not have been cloned. The card number could not have been reused in an online transaction because it would have been marked as a duplicate and fraudulent transaction. So therefore, chip and pin would have protected everyone in the Target breach. That's assuming an actual EMV spec transaction occurred. The back and forth communication between the card chip and the processor is the reason that the card must be left in during the transaction.
-
Re:Chip cards would not have prevented Target Brea
Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs' follow-up article:
https://krebsonsecurity.com/20...
"0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
Since Krebs doesn't get it, for the benefit of Slashdot, the information he describes as a failure of the system, the card number, name, and expiry, are all meant to be open access, by design. If you don't understand why this is a good thing, read the spec.
-
Re:Chip cards would not have prevented Target Brea
Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs' follow-up article:
https://krebsonsecurity.com/20...
"0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
Krebs is a first class moron.
Please tell me the last time you made an online transaction without the 3 digit CC?
Must be at least 10 years for me.
You have zero liability, and the merchant deserves to take the loss
EMV was never designed to solve this "problem", nor global warming or world hunger.
Good for you to point out Krebs' stupidity.
-
Re:Chip cards would not have prevented Target Brea
Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs' follow-up article: https://krebsonsecurity.com/20... "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
Correct. Chip & PIN would not have solved anything.
To provide an example...I used my Chip card the other day. The vendor was having an issue with their chip reader, so the POS operator put in an override to allow it to be swiped. So another easy way to bypass the Chips? Make a hack that makes the system think the reader is unusable. -
Chip cards would not have prevented Target Breach
Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs' follow-up article:
https://krebsonsecurity.com/20...
"0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)." -
Re:Chip and PIN would, but...
NO, it is not in most cases because the chip is capable of holding your information in plain text or plain text + pin for offline transactions. A well-installed skimmer (with the keypad etc) can read that information (and are available for purchase): http://krebsonsecurity.com/201...
-
not exactly new
Brian Krebs has been doing this for awhile now.
http://krebsonsecurity.com/
Someone's just taking it to the next level - not a bad idea at all IMHO.
-
Re:Wealthy and their expectations..
I suggest reading the letter before drawing conclusions, I think you've gotten out of touch with reality in your post. (Of course, the summary is a bit out of touch, too).
-
Re:IANAL, but...
If you look at the actual lawyer letter, it claims the original post was factually incorrect. It requests a correction of the story. The letter doesn't explicitly threaten a lawsuit, or threaten anything, actually.
-
Re:Ironic
A guy who runs a web site for cheaters has more integrity than a certain presidential candidate...
This is just stupid. Seriously? Hillary had her own mail server. Big deal. That doesn't make me dislike her any more than I already do because all politicians are clueless about technology. The AM CEO basically discussed hacking a rival with his CTO: http://krebsonsecurity.com/201...
-
Called out as fake
This dump has already been called out as fake
-
Re:Why even use an electronic safe?
If I had some stuff I wanted to keep secure, I would buy a safe with a dial combination lock, not an electronic safe (and certainly not one with software sophisticated enough that it needs an actual OS underneath it)
But then you wouldn't be able to have your safe count your money for you. It wouldn't be able to confirm who made the deposit. It wouldn't be able to communicate with your central office to tell you how much money was at each different location. It wouldn't be able to call the bank for a pickup when it's full. My guess is this is basically the same as ATM/USB hacks, where Brinks decided that the safe is going to be installed in a sufficiently secure area that it's OK to leave a USB port exposed.
-
Re:Finally! This is good policy
Well they do break the OS. And I got tired after posting of the most visible instances.
-
Re:Kaspersky
You recently blogged ("Malware Evolution Calls for Actor Attribution") criticizing security companies that don't make the effort to identify the creators of malware. Do you think there are times when a company—such as Kaspersky in their recent attack—could be acting responsibly by deliberately suppressing (temporarily, one would hope) information they might have about the source of an attack?
-
Re:Apple fans: Circle the wagons!
- "This could happen on Android, Windows and Linux, not just on Apple!"
-
Um, It HAS happened on Android also: Critical flaws in Apple & Samsung Devices
-
laugh
It's sad I have been offered this
two years of free credit monitoring and identity threat protection as compensation
6 times now, and from 6 different corps.
And this..
'sophisticated cyberattack'
is bullshit..
http://krebsonsecurity.com/201...
Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.
-
This is not a new concept, and it's already broken
Bit9's application whitelisting product was leveraged to attack customers using it.
http://krebsonsecurity.com/201... -
Re:Too bad for CNNIC
You're almost right.
Diginotar wasn't Turkish. What you're probably thinking of was the Turkish CA "TURKTRUST Inc" which gave intermediate CA authority to organisations which in turn created & issued fake SSL certificates. See article by Brian Krebs.
TURKTRUST claims it gave the intermediate CA authority accidentally. Difficult to believe considering one of the recipients of such authority was a government authority. And particularly in light of what little respect the Erdogan government has for human rights, and his penchant for spying on his own citizens.
-
Same People who Made The Screenshots?
I'm just curious if these are the same people who penetrated the SR site via phpMyAdmin, over the Internet, on 192.168.1.24?
I mean, what motivation could there have been at play?