Domain: scmagazine.com
Stories and comments across the archive that link to scmagazine.com.
Comments · 46
-
Re:Cannot clone cards outside the USA
If I may say, "nonsense". See the many articles on the wholesale replication of "pin" cards, such as https://www.scmagazine.com/evo...
If I may say, "nonsense". There is no known flaw in the EMV cards (commonly known as chip cards) that allows them to be replicated. The single article that you refer to, if you had cared to read it, was a faulty implementation of chip processing software on POS terminals in Brazil and had nothing to do with the EMV cards themselves.
If an issuer's database is compromised and security keys stolen, then obviously duplicate cards can easily be created.
-
Re:Cannot clone cards outside the USA
If I may say, "nonsense". See the many articles on the wholesale replication of "pin" cards, such as https://www.scmagazine.com/evo... .
-
Re:Cludge fix?
I'm not sure this change will affect GrayKey and Cellebrite anyway. My understanding is that they attack the phone's bootloader.
How do GrayKey and Cellebrite get access to the boot loader? Cellebrite currently sells a small device that plugs into the phone.
Eventually, law enforcement came to rely on Cellebrite's Universal Forensics Extraction Device, the UFED. It's a small, hand-held device that's easy to use. Police can simply plug in a phone and download the device's memory to a flash drive in a matter of seconds. That's how police can find your deleted text messages.
GrayKey is a box that plugs into the Lightning port.
The product itself is a gray box four inches deep by two inches tall, with two lightning cables sticking out of the front. Up to two phones can be plugged into the device at a time and are connected for about two minutes.
If the iPhone refuses to communicate via cable then neither device can probably work unless the companies find a flaw they can exploit.
-
Re:Chip vs. Strip?
Chipotle has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security. https://www.scmagazine.com/chi...
-
Re:Credit stuff is one thing, federated ID is next
You are right, federated identity is a very real risk right now.
Let's all reflect on what the Australian Government has done with their "MyGOV" portal. Note, I wanted to start this list with a Wikipedia page informing readers of what MyGOV is. But such a page does not exist. Why not?
https://my.gov.au/mygov/content/html/about.html
https://www.scmagazine.com/bold-phishers-use-australian-mygov-to-pull-pii/article/641854/
-
Re:Tor exit node = child sex offender
It was measured, and the researchers found that less than half of Tor's traffic involves illegal activity. The full report, called "Shining a Light on the Dark Web," is available (PDF warning).
-
Re:Don't care, not my card, card issuer's problems
-
Re:In Soviet America
Why ask the operators for cooperation when you can get that data yourself? Or ask the NSA for some help. Sometimes, when you're under investigation, it's also fun to spy on the people investigating you.
-
Re:Beyond reasonable doubt
That's why they use the illegally obtained evidence to make up a different story. They even helpfully tell local police departments to do it.
Yes, that happens. Note that in this case, though, we aren't talking about illegally-obtained evidence, we're talking about legally-obtained evidence that can't stand up in court. So they don't need careful parallel construction to avoid "fruit of the poisoned tree" issues. If asked what put them on the track of the evidence that can be used in court, they can happily point to the decrypted data.
Where this creates real risks is if they claim to have gotten a lead from decrypted data in order to start a parallel construction as an alternative to evidence that was obtained illegally. For example, suppose the cops entered the suspect's house without a warrant and found an e-mail on his computer which led them to damning evidence which they could only have found with access to his e-mail. They can't use that evidence in court because the defense attorney would ask them how they obtained the e-mail. But assuming they had some other basis for arresting the suspect and taking his phone, they can simply claim that they got the e-mail from there, even if they didn't actually decrypt the phone at all. Unless the defense has some evidence that they're lying about having gotten the information from the phone, he has no way to argue that the damning evidence is fruit of the poisoned tree, so the judge will refuse to exclude it.
-
Re:Beyond reasonable doubt
That's why they use the illegally obtained evidence to make up a different story. They even helpfully tell local police departments to do it.
-
trust USBs at trade shows?
and a USB stick given away at a trade show is automatically good.
whoa... they should be even more suspect...
http://www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/170862/
-
Re:NSA already buys everything !
Not just your opinion, and everyone can calm down, they've been doing it for a while -> http://www.scmagazine.com/nsa-...
-
Net damage route around, blah blah....
The report posted above is not one of the really hot shit ones. The real stinkers are these two: The ThreatExpert Report, iSIGHT Partners Report
-
Lose all hope !
Can we hope for the proper decision (that police need a warrant)?
Big brother can, and has, tapped into telephonic data without the need to take physical control of your phone.
Feds have been caught setting up fake cell towers to intercept wireless traffic.
http://www.wired.com/threatlevel/2011/11/feds-fake-cell-phone-tower/
-
I fail to see the reasoning behind this
The Pentagon has been giving away secrets for years[1] (and they aren't the only ones) due to, what can only be assumed to be, very poor security policies. What's more, even the farmed-out[2] work to privatized military industries has fallen victim to much of the same, even jeopardizing the welfare of other countries. Tell me now, how is it these members of the US Congress think it's OK to fry Snowden's ass, but ignore the gross negligence of others which is responsible for some very big losses both in taxpayer money, as well as technical military advantages?
[1] http://www.scmagazine.com/previously-classified-malwares-role-in-pentagon-attack/article/177561/
[2] http://usnews.nbcnews.com/_news/2013/05/28/18556787-chinese-hackers-steal-us-weapons-systems-designs-report-says?lite
-
Re:Speaking of "Smear Campaigns"...
The ads pay for the "free" email, and also help pay for Google's research into autonomous vehicles, improved search technology, etc.
In an ideal world, perhaps. The truth is, most ad-servers end up compromised and serving up malware or iframe redirectors which serve up malware.
Furthermore, I fail to see how maturity equates to putting blind faith into a Corporation to do no evil. Especially when you consider it's Microsoft - the same people who brought us UEFI as well as funded most of the SCO legal debacle.
-
Re: acting as a company representative
But still, the whole argument that someone acting improperly on company time deserves punishment really only extends as far as reprimanding them, giving them a pay cut or demotion, or firing them.
Do you still feel this way if they were employed in the Military or worked for the state (Police Officer etc.)? What about someone who failed to secure a laptop with 1 million SSNs? There is such a thing as criminal negligence. HIPAA is very specific when it comes to handling data, in cases making the worker responsible for fines - not the organization alone. I realize this isn't a HIPAA issue.
As far as the level of criminal punishment these guys would/should get for this stunt? I'm of the opinion it's not extremely serious, actually. Stupid and immature? Sure... But on the scale of illegal activities, I think it really does rank among the minor issues. If these guys proceeded to leverage the photos to attempt to extort money from the woman, or started making money with a pay web site featuring "stolen cellphone nude pics" or something? Now THAT would take it to the next level. As it is, what we've got here is a woman who was really too careless or trusting with what she kept on her phone, handing it over to a couple guys who took advantage of the situation for kicks.
I agree with the criminal punishment being a bit much, fines would be more appropriate in this case. I'm against having people labeled as sex offenders for minor infractions (it waters down what it was intended to do - identify serious creeps). It's a bit ridiculous that human intervention is needed to facilitate copies since this is a solved problem. They have HD duplicators which are appliances, is it really such a leap to make exporting or syncing of data? Apple can do it easily.
-
iDefense Screwed Us
I guess an interesting question is why iDefense decided that only AOL deserved to know about this vulnerability, and not the numerous other guys. They put out their advisory a little while back, but there were no details and only AOL/Winamp was listed as vulnerable. Maybe AOL is a customer? That would suck...we'd all have to pay for their goofy vulnerability brokering service in order to know what people could attack us with.
I guess that's what happens when iDefense buys the vulnerabilities from someone else like Sean de Regge. The people at iDefense don't have their own research team to deal with the vulnerability since they're literally just a couple of cyber-security ticket scalpers not real researchers.
Makes sense why iDefense is on the chopping block: http://www.scmagazine.com/uk/news/article/767733/verisign-sell-non-security-business-units/
It looks like eeye has a service like that too. I probably can't afford it, but this slew of vulnerabilities is free advertising for eeye's service.
-
Re:Banned from internet == banned from using phone
well, those cases you presented don't surprise me a bit. I have killed animals with a slingshot before and with the right ammunition you could kill a person too. Of course that would depend on hitting him in the right spot from a somewhat close distance. Put a steel shot into the temple from ten feet away and if they aren't dead, they most likely won't be themselves afterwards. I even have (well, not anymore) airguns that have a muzzle velocity that should be able to kill a pig.
One of the reasons for these "toys" is to let the person get an idea of how dangerous they are and respect other weapons. Usually they are thought of as toys but are really weapons. They are effective as hunting weapons and unless intentionally used in a dangerous way, the accidents cause less damage than say a .22 rifle or a shotgun of some sort. Once you kill a few animals (on purpose or not), you get a good idea that dead is dead and there is no undeading it like on the TV or video games.
On the tennis shoes, yep, I can also see those as being used as a tool to do serious bodily harm. But that would depend on the reasoning for selecting them in the first place. If he wore them because they fit well and had them on at the time of the assault then no go on the dangerous weapon. But if he wore them because he could kick harder wearing them or because the cleats would cause more damage then definitely a deadly weapon.
I remember a time when I wouldn't go into a bar without my work boots on. The exact reasoning was because they had steel toes, were stiff enough to convey all the force of a kick and offered good traction and support for the ankle if I needed it. In other words, I planned on stomping someone to death if anyone screwed with me. I specifically chose to wear the boots because it offered what I perceived as an advantage in a fighting situation. But that doesn't go to this situation.
If the wording is, as reported, that he is banned from accessing the Internet for personal reasons, that includes ATMs (he'll have to give his bank card to a teller instead), speedpasses, self-scan checkouts, xbox live, etc.
I read the article at a couple of different sites. It is a little more detailed there and specifically states that he can use a computer but can only use a computer and access the internet for work-related reasons.
I have also read the article posted by submission. It appears the one the submitter posted lacks some information. However, which one is more correct, we won't know for a while. I guess this is where our differences are coming from and if you read the other articles about this, you will probably think a little differently. It might not mean you agree with me but you will see a different side of it. Take a look at them. I linked to them above and they definitely add a different perspective.
That being said, and if the ruling/judgment/penalty was "no internet at all" and not how the other two articles describe it, then I would agree with you. However, I find it difficult to fault him if Sprint uses the internet to route calls and he is just calling the theater to see the show time even under a strict interpretation of "no internet at all".
-
HTTPS tracking
>>Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.
Um, yes, you can. It is possible with today's hardware.
Here are a few;
http://www.esafe.com/eSafe/traffic_solutions.asp
Another;
http://www.scmagazine.com/us/products/productdetails/94de9e89-b7a1-6d6f-9479-84b866a2ffab/webwasher-1000-csm-appliance/
http://www.cyberguard.com/products/webwasher/webwasher_products/csm_appliance/index.html?lang=de_EN
"WW1000 has the ability to scan encrypted SSL"
The days of HTTPS being valuable are long gone. We can look inside this traffic realtime. I monitor & block traffic to HTTPS sites myself..
-
Re:"Unusual practice" ... wtf.
Probably hardware costs and software base, just shooting from the hip.
Corporation decisions are made by bean counters, not technology folks.
Besides, if all the corporations started using OS X and their marketshare went up significantly, so would their vulnerabilities. Apple really enjoys a reputation as a "more secure" base OS - apparently everyone seems to conveniently forget a couple facts -
"According to McAfee Avert Labs, Mac platform vulnerability discovery rates have increased by 228 percent in the past three years alone, from 45 in 2003 to 143 last year.
By comparison, Microsoft's products saw a 73-percent increase in vulnerabilities over the same time period."
http://www.scmagazine.com/uk/news/article/557590/mac+os+x+vulnerabilities+jump+228+percent+three+years/
-
The Russian Method
I'm in favor of the Russian anti-Spam method for dealing with spammers. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=5eead5c2-50ca-40e5-9c59-a8da453de038&newsType=Latest+News
I could even envision a new arcade smash hit: "Whack-a-Spammer" Sorry, I work for an ISP, and get to deal with the annoying results of these idiot spammers' actions. I couldn't resist
-
Is there a "botwar" going on
This article on SC Magazine Apparently there is a war between virus writers and they are all trying to delete each other's viruses. Mikko has provided a lovely diagram to illustrate the point.
-
The North Koreans are about to attack.
Great inflammatory headline from SC Magazine. Those crazy North Koreans are ready to attack the US with an army of hackers. Apparently they have just bought a load of pc's running windows 3.11 and they're as mad as hell!!
-
Not surprised!!!
I saw a similar story on SC's Website link
-
Re:Dumb and dumber...
Trying to infect a Prius with a Symbian "virus" is like trying to infect a tree with a choc chip cookie. Hey I can come up with a better one - it's like trying to infect shampoo with a book on eating disorders (now go picture that in your head for a second). But this is so sweet - it takes one dumb kid with too much time on their hands and one even dumber kid to moderate and voila! you get slashdot "news".
Whenever thousands of Prius owners and millions of concerned drivers hear a rumor about some virus that can infect cars, it is always cause for concern. I had heard about this before, and was actually relieved (not that much, but still) when I read this story. And, even if I had read the post you referenced, I would still be glad that a statement made by ArrayIndexOutOfBound on a tech news site was validated by F-Secure, a company that _knows_ viruses.
Still, I (a reasonably intelligent and informed /. user) personally have no knowledge of how the bluetooth virus everyone has been talking about works. I know nothing of what OS the Prius uses and how it compares with certain cell phones. I thought this was news.
Lighten up, jerk.
-
Nothing to see move along now
I notice that even Graham Cluley of Sophos is downplaying the threat(link)
-
A lot of it has to do with the World Cup
This interesting article in SC Magazine. Those free ticket offers are great for social engineering attacks!!!
-
Re:Pharmers
Not the same thing: pharming is DNS redirection so a valid URL goes to a fraud site; phishing attempts to get you to visit an /invalid/ site that /looks/ like the correct one. And keylogging is something entirely different.
More here.
All fraud/identity theft, but different in practice.
-
And these guys got a certification recently
link Checkmark labs recently gave out an award to the company for its spyware product. Spyware, as you know, slows down computers and makes them difficult to use. Oh the irony!!!
-
Not the first time
-
The security press appear to love it
Here is a brilliant review of the browser in one of the premier infosec mags.
-
Here's a review of how it performs
What they are saying is that if you like your computing experience to be all-Microsoft this is the way to go. Otherwise you'd be much better off with a different browser, email client and personal firewall!!
-
I can't believe they took so long to find out
Quote: "There were about 59 incidents of this fraudulent activity, the company said. Law enforcement officials are investigating the case." (Link here). Surely they should have spotted something was wrong after about the fifth attempt!!!
-
But IBM is NOT spamming!!!
They are merely sending the email back to where it came from (see here). Would you be sending unsolicited post if you were sending junk mail back to the credit card company it came from? (which really annoys junk mailers by the way!!!)
-
UK almost hosted the world's biggest cyberheist
I read here that bots in the UK nearly led to half a billion dollars being siphoned off a Japanese bank.
-
Apparently the virus hails from Russia...
... or Slovakia. I read it here.
-
Re:My God - Courts overturning cases
The point was the jury didn't understand the complexities of the case. In this situation it's the judge's job to turn over the conviction. What if a jury decided you were a murderer on the basis of mistaken identity. Wouldn't you want a judge to turn that over? Or would you rather spend the next few years dropping soap in front of 'Big Bubba' from West Virginia?
-
Re:Of course
I saw a similar story here. This was reported a month ago!!!
-
Re:Do you have a link to the "ZD Mag" article?
To be honest, I don't recall exactly which publisher ran it, it may have been this one but that doesn't look like I remember. The one I'm thinking of was about a year or so ago, and I could have sworn it was ZD Net or PC Magazine. If anyone else can find it or remembers it please post a link.
-
Still using fake reviewers to sell lousy books?
I wonder if "Bill Camarda" is related to the fictitious "L. Peterson", who wrote a glowing July 2001 review of the first Hack Attacks Revealed? (No one named L. Peterson ever worked or does work at the AFCERT.) Excerpts from "L. Peterson's" fake review were published by Wiley in the front cover of Hack Attacks Encyclopedia, much to the Air Force's dismay.
Be wary of positive reviews of these "Hack Attacks" books. Those who rate them highly seem to be:
or
The first edition of HAR supposedly solicited 269 Amazon.com reviews! In contrast, the best-selling "hacking" book of all time is Hacking Exposed, with 51 reviews. Something doesn't add up if you peruse these reviews.
I certainly hope the second edition is better than the first. That would be good for the security community, which is all that matters in the long run.
Helevius
-
"smart-card enabled dial-up access"
I bought a cadre of smart-card readers and Netsign software from Litronic, now known as SSP Solutions, because they promised "smart-card enabled dial-up access" with Windows 98. When I got them and was programming the PIN into them, I noticed that the familiar ***** appears on one of the dialog boxes. I thought "nooo, this can't possibly be what I think it is" and downloaded a Windows password cracker that just reads the memory location that contains the contents of those *****. Sure enough, there was my PIN, protected only by the brilliant security of the Windows 98 operating system. After explaining what "smart-card" means to the tech guy, Litronic refused to take the readers & software back, citing a "no return" policy on their website. Needless to say these useless products are sitting in a cabinet waiting for me to find a use for them in Linux. SSP has taken the webpage down that duped me into buying this product, but you can still find the claim in reviews such as this one.
-
focus, value, and experience
I have never heard of the SCP before, and a quick look at it didn't impress me.
There is an article in the September 2001 issue of Secure Computing Magazine. (a "trade rag" - so it never says anything bad about a potential advertiser)
Pay Your Dues by Jay Heiser in Information Security Magazine is also worth reading.
A small reader survey, May 2001 - Talkback.
Security Focus offers several mailing lists that you may wish to subscribe to, or at least read the archives about. In particular Security Certification, CISSP Study, and security-basics. One recent message is certainly worth reading. Similar questions have been also asked in cryptography and firewall wizards - Nov 2001 mailing lists, and I believe has come up several times before.
A review of one IS manager's experience from Computerworld security Column.
A so-so review of different security certificates from CertCities.
The main points I would make are: choose a certificate that has the right focus for your career. CISSP is the best known cert, but it is aimed at IT/IS Security Managers and Consultants, not at senior technologists / engineers / "in the trenches" types. The best features of this are requiring 3 years of computer / network / audit security experience and having a broad overview of computing security (the 10 common bodies of knowledge, CBK). This makes it out of reach for many people new to info sec, and that's okay, they likely should focus on another certification anyhow. Next is the SANS/GIAC certificates which are more focused and hands on. The best feature is that they require a "practical" part to the certification, which is doubly good because it is not just exam cramming and lets the student practice her communication skills, which is important in the security field since you should be able to work in a team and with others (non-technical others) in an organization outside your team for the common benefit of the business.
Certifications tend to be expensive to get, and don't forget most of them have requirements for maintenance such as x number of continuing education credits, re-examinations, or conference attendance. This is a mixed bag: it is good that it justifies staying up to date, but it can also be very expensive for a member working as a new contractor or for a small company that isn't pre-IPO throwing money around.