STE WILLIAMS

SEA hijacks Microsoft Twitter accounts, Xbox support blog and Technet

In another Microsoft security “erk!” moment, the infamous Syrian Electronic Army (SEA) over the weekend hijacked multiple Microsoft Twitter accounts, The Official Microsoft Blog at blogs.technet.com and an Xbox support account.

An SEA member called “Syrian Eagle” told Mashable in an email that this is just the beginning.

The beginning? Well, technically, it’s more like Act 2, given that a few weeks ago, Microsoft’s Skype brand had its Twitter, Facebook and WordPress accounts hacked by someone claiming to be the SEA.

Syrian Eagle told Mashable that Microsoft deserves what it got because it’s hawking data to US snoops and multiple governments.

The SEA will publish proof of the allegations, Syrian Eagle said:

Microsoft is monitoring emails accounts and selling the data for the American intelligence and other governments.

And we will publish more details and documents that prove it.

Microsoft is not our enemy but what they are doing affected the SEA.

On Saturday, the pro-Assad group took over the @MSFTnews and @XboxSupport Twitter accounts and posted various messages hashtagged “SEA”, according to Mashable.

One read: “Don’t use Microsoft emails (Hotmail, outlook), They are monitoring your accounts and selling the data to the governments.”

The takeovers appear to have been brief: the messages are no longer live, and a Microsoft spokesperson sent this statement to The Register:

Microsoft is aware of targeted cyberattacks that temporarily affected the Xbox Support and Microsoft News Twitter accounts. The accounts were quickly reset and we can confirm that no customer information was compromised.

The attackers also Tweeted a screenshot of what appears to be a takeover of The Official Microsoft Blog at blogs.technet.com:

Screenshot of the Tweet from the SEA showing an image of their takeover of Microsoft's Technet blog

Microsoft didn’t put out a statement about the alleged attack, but Mashable says its reporters saw it in action and confirmed that it lasted about an hour.

Mashable also posted a screenshot showing multiple “Syrian Army Was Here” messages on the defaced site. Others reported that the blog was either forcing a redirect to the SEA’s site or displaying the defaced blog.

At any rate, the blog is now under the company’s control.

Microsoft responded to the SEA charges about monitoring email by sending this statement to Mashable:

We’re actively investigating issues and are focused on protecting our employees and corporate network. Microsoft is sometimes obligated to comply with legal orders from governments around the world and provides customer data only in response to specific, targeted, legal demands.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1DUcawMjROw/

SSCC 130 – Botnets, banking, breaches, patching and the Mavericks controversy [PODCAST]

Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness campaign

Master list of DNS terminology

The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise.

Cyber Streetwise is urging people to take five actions in order to protect themselves and others from cyber crime:

  • Use strong, memorable passwords
  • Install anti-virus software on new devices
  • Check privacy settings on social media
  • Shop safely online – always ensuring to check online retail sites are secure
  • Keep software and application patches up to date

The Cyber Streetwise website – CyberStreetwise.com – is offering a range of interactive resources for SMEs and consumers offering impartial advice on how to protect themselves online. The site is full of drop down lists and colourful graphics that recall public information films of yesteryear.

The £4m campaign is led by the Home Office, funded by the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors.

The initiative has earned the support of UK infosec firms such as Sophos, which is providing security expertise and content for the Cyberstreetwise site.

James Lyne, global head of security research at Sophos, explained that Cyber Streetwise is designed to be more accessible than previous UK government cyber security initiatives, such as Get Safe Online.

“GetSafeOnline was one of the government’s first awareness and advice tools,” Lyne explained. “Whilst they both focus on the same task of building awareness of security issues, Cyber Street is based off an analysis of the behaviours of different members of society online.

“The advice is supposed to be targeted and tailored at these groups to be more accessible and extends beyond a website into a broader campaign with posters on the underground etc. In short, they are complementary but Cyber Streetwise should be more accessible to the broader community and a reminder of security as you stroll to work.”

SophosLabs finds over 30,000 new infected websites distributing malware every day and, contrary to popular belief, the majority – around 80 per cent – are legitimate small business websites that have been hacked. “It’s therefore vital that small businesses in particular get the basics of security right – from installing antivirus to regularly updating and patching software, using complex passwords and protecting data,” Lyne added.

Matt Palmer, member of the ISACA Security Advisory Group, described Cyber Streetwise as a useful resource for small business managers, who are often pressured for time and do not have access to internal expertise in cyber security.

“Implementing all the areas highlighted will provide some basic protection against low-level threats and significantly reduce risk,” according to Palmer. “However, it should be clearer that the good practices listed are a starting point for effective small business security.”

Ron Gula, chief exec of security appliance firm Tenable Network Security, stressed the importance of training and education in combating cyber threats to businesses.

“This approach of bolstering the skills and knowledge of the public and businesses is a smart step,” said Gula. “The right education and training can significantly reduce the frequency of security breaches. It can help staff to identify suspicious emails, know how some of the attacks work and teach staff what to do if they become compromised. While limiting and monitoring employee access to the internet can help reduce the risk of social engineering attacks, it is only by teaching people about the threats online, that they may be inclined to accept a more stringent internet usage policy.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/14/uk_gov_initiative_cyber_streetwise/

Target hackers: Woohoo, we’re rich! Um. Guys? Anyone know how to break bank encryption?


Underground cybercriminals are attempting to decrypt a 50GB dump of encrypted debit card PINs that security watchers reckon were lifted during last year’s high profile breach against retail giant Target.

Security intelligence firm IntelCrawler reports that a miscreant claiming to be in possession of 50GB of PIN data secured with 3DES encryption posted a request for a hook-up with a PIN hacker on 3 January, offering a fee of $10 per line. IntelCrawler reckons the hacker is from Eastern Europe.

Chat regarding the decryption of PINs began appearing on private message boards just days after Target admitted the credit card details of 40 million of its customers had gone AWOL.

The retailer also admitted last week that 70 million customers’ personal files had also been swiped as part of the same breach. The credit card information swipe came from a successful malware-based attack on Target’s point-of-sale (PoS) machines over the pre-Christmas holiday shopping season.

PIN in a haystack

Discussions about decrypting encrypted card data have been happening on underground cybercrime forums since as far back as September 2011, but have gained a particular focus of late. “Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue,” explained Andrew Komarov, IntelCrawler’s chief exec.

An active group of Eastern European cybercriminals specialise in attacks on merchants and PoS terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment data and PIN blocks. Many such systems have been compromised in the past during the group’s illicit efforts to uncover this data, according to IntelCrawler.

Security experts are split on whether decrypting 3DES encrypted data is feasible or not. Komarov told us that 3DES encryption is vulnerable to brute-force attacks and hackers have proved this in the past with the decryption of PIN dumps from other cyber-heists.

However, a blog post by Australian outfit Payment Security Consulting, featuring an information transaction flow diagram and the likely point of attack in the Target breach, concludes that encrypted PIN blocks from the Target attack are safe. The Australian consultancy describes the brute force attack scenario outlined by IntelCrawler as implausible at best or fear-mongering at worst.

The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway. So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.

Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.

Each PIN Block has been encrypted using the unique PIN Key on that POS’s PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.

Robert Graham of Errata Security argues that the PIN information might be matched against the leaked but encrypted data using some sort of frequency analysis and cryptographic cribs (based on purchases made by fraudsters themselves prior to or during the breach).

“Yes, Triple-DES cannot be broken by hackers,” Graham explains in a blog post. “If they don’t have the secret key, they can’t decrypt the PIN numbers. But here’s the deal: hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value.”

But Graham adds that “the Payment Card Industry standards indeed call for salt, so this is probably what Target did”, in which case attempts to use frequency distribution of PINs and similar tricks to infer the corresponding hashes from siphoned off information are going to flounder.
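Graham’s point about identical PINs under a deterministic cipher, worked through as an added example that is not from the article or from any of the people it quotes. The terminal’s 3DES encryption is replaced by a constructed deterministic keyed stand-in (HMAC-SHA256 truncated to one 8-byte block), which has the same “same block, same key, same ciphertext” property; the PINs and PANs are constructed, and the “salt” is the PAN mixed into an ISO 9564 format-0 PIN block.

```python
import hmac
import hashlib
import random
from collections import Counter

# Constructed demo key. The real terminal's 3DES ECB encryption is replaced by a
# deterministic keyed function (HMAC-SHA256 truncated to one 8-byte block); the
# property being shown, same block + same key -> same ciphertext, is identical.
TERMINAL_KEY = b"constructed-demo-terminal-key"


def encrypt_block(block: bytes, key: bytes = TERMINAL_KEY) -> bytes:
    """Deterministic 8-byte ciphertext of an 8-byte PIN block (stand-in for 3DES ECB)."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def pin_field(pin: str) -> bytes:
    """ISO 9564 format-0 PIN field: control nibble 0, PIN length, PIN digits, F padding."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(("0" + format(len(pin), "x") + pin).ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """Format-0 PAN field: 0000 then the rightmost 12 PAN digits, check digit excluded."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def iso0_block(pin: str, pan: str) -> bytes:
    """Format-0 block: PIN field XOR PAN field. The PAN plays the 'salt' role."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def leak_check(pin: str, pan_a: str, pan_b: str) -> tuple:
    """One PIN on two cards: (equal ciphertexts without PAN mixing, equal with PAN mixing)."""
    naive = encrypt_block(pin_field(pin)) == encrypt_block(pin_field(pin))
    mixed = encrypt_block(iso0_block(pin, pan_a)) == encrypt_block(iso0_block(pin, pan_b))
    return naive, mixed


def constructed_records(n: int = 1000):
    """Constructed (PIN, PAN) pairs with a skewed PIN distribution, one card per record."""
    rng = random.Random(2014)
    popular = ["1234"] * 11 + ["1111"] * 6 + ["0000"] * 4 + ["1212"] * 3
    records = []
    for i in range(n):
        pin = rng.choice(popular) if rng.random() < 0.6 else f"{rng.randrange(10000):04d}"
        pan = f"4000{i:011d}0"  # constructed 16-digit PAN, not Luhn-valid
        records.append((pin, pan))
    return records


def pin_frequencies(records) -> Counter:
    """Distribution of the plaintext PINs (what an attacker would like to learn)."""
    return Counter(pin for pin, _ in records)


def ciphertext_frequencies(records, mix_pan: bool) -> Counter:
    """Distribution of ciphertexts as seen on the terminal-to-gateway link."""
    counts = Counter()
    for pin, pan in records:
        block = iso0_block(pin, pan) if mix_pan else pin_field(pin)
        counts[encrypt_block(block)] += 1
    return counts


def most_common_share(counts: Counter) -> float:
    """Fraction of all records carried by the single most frequent value."""
    return counts.most_common(1)[0][1] / sum(counts.values())


if __name__ == "__main__":
    recs = constructed_records()
    print(f"most common PIN share:                {most_common_share(pin_frequencies(recs)):.3f}")
    print(f"top ciphertext share, no PAN mixing:  {most_common_share(ciphertext_frequencies(recs, False)):.3f}")
    print(f"top ciphertext share, format-0 block: {most_common_share(ciphertext_frequencies(recs, True)):.3f}")
```

Without PAN mixing the most frequent ciphertext has exactly the share of the most popular PIN, so the ciphertext histogram is the PIN histogram; with format-0 blocks every card’s ciphertext is distinct and the histogram is flat.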

IntelCrawler, undaunted by doubts elsewhere that hackers are on a hiding to nothing in attempting to decrypt the stolen data, reckons the cybercrooks behind the Target scam are also researching the development of their own custom field-programmable gate array (FPGA) board for successful decryption. The security start-up sees similarities between the Target breach and previous mega-breaches involving US retail outfits such as the Heartland Payment Systems hack of 2007/8.

“IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up,” Komarov concludes in a bulletin on its research.

Komarov told El Reg: “The attack used in Target breach was related to special malware distribution (http://www.bankinfosecurity.com/-a-6316/op-1) and interception of network communications.”

“The same attacks were also used previously by the same group of criminals from Eastern Europe according to our opinion,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/14/target_breach_pin_decryption_plot/

Target, Neiman Marcus Data Breaches Tip Of The Iceberg

The other shoe is dropping: Neiman Marcus now has followed Target’s disclosure of a data breach, and security experts say other retailers also have been hit in a holiday hack that pilfered tens of millions or more customer payment cards and personal information in an attack that spanned point-of-sale (POS) systems and databases.

Target, which over the past few weeks has dribbled out additional information on the breach it first announced in late December that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15, late last week revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people also were stolen in the attack — a number that may have some overlap with the payment card victims. Target’s CEO told CNBC, meanwhile, that malware was found on its POS registers, and Neiman Marcus has confirmed a breach of customer payment cards.

While plenty of details about the breaches and how, if at all, they are connected are still unknown, a picture is gradually coming into focus of just what went down during the busy holiday shopping season. Security experts say an organized cybercrime gang likely out of Eastern Europe remotely infected POS systems at Target, Neiman Marcus, and other retailers as a way to rapidly siphon a large volume of credit card and debit card accounts to resell in the cybercrime underground.

But at least in the case of Target — and likely others — the attackers didn’t stop there. They moved from the infected POS systems to a database, security experts say. Adrian Lane, CTO for Securosis, says Target’s revelation that the attackers had accessed 70 million customers’ names, addresses, phone numbers, and emails points to a possible database breach.

“If the attackers have name, address, phone, email, and other personal information, and they have millions of these records, there are only one or two places a hacker can acquire that data — a backup tape or a database. You simply can’t harvest that many records listening on the wire unless you breached them years ago,” Lane says. “Target is known for data mining and analytics, so it’s not too much of an inductive leap to say it was a database breach.”

Curt Wilson, senior analyst with Arbor Networks’ ASERT, who has studied POS malware, says he and his team are trying to confirm whether the retailer breaches used the Dexter and Project Hook POS malware families he and his team recently studied, or other known POS malware. The two malware families target Windows-based POS systems, often via weak credentials in the POS system. “There are lots of Windows vulnerabilities and Security 101 threats in place there, so it’s an open door for attackers,” Wilson says. “POS has been a lucrative target … for some time.”

[Attackers employ custom malware rather than physical skimmers to steal payment card information from POS systems in 40 countries. See ‘Dexter’ Directly Attacks Point-of-Sale Systems.]

Another possible hole: The victimized retailers may have employed weak administrative passwords, a common enterprise mistake. “They probably aren’t using the default password, but I would be willing to bet that the admin accounts are Admin or Root, and the passwords were very weak,” says Vinny Troia, a security consultant with Night Lion Security. “I really doubt every POS terminal was infected; that would take a tremendous amount of work. It’s far more likely that the central processing server was infected, as that would be the machine [that] would potentially have access to — and out of — the corporate network.”

POS systems often have Internet and email access, leaving them open to attack from the outside. “Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system,” the US-CERT Website said in a January 2 advisory warning of an increase in POS attacks.

Visa issued a similar warning back in April 2013, but focused on a surge in attacks on grocery retail chains that began in January 2013 and installed malware on POS systems and their back-end servers. “The malware is configured to ‘hook’ into certain payment application binaries. These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM),” Visa wrote in its alert. “The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”
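A defensive counterpart to the memory-parser technique described in the US-CERT and Visa alerts, added here as an example that is not from the article or from either alert: an incident responder checking whether a captured memory or file buffer holds track-2-formatted card data. The regex, the Luhn and expiry-month filters, the masked reporting and the sample buffer are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Track-2 shape: PAN (13-19 digits), '=' separator, expiry YYMM, 3-digit service
# code, then discretionary data. The lookbehind stops a match starting mid-number.
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{2})([0-9]{2})([0-9]{3})")


def luhn_valid(pan: str) -> bool:
    """Luhn check on a full PAN (check digit included); rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class Finding:
    offset: int
    masked_pan: str
    expiry: str        # YYMM
    service_code: str


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only; a scan report must never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> List[Finding]:
    """Return validated track-2 hits found in a memory or file buffer."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        yy, mm, svc = (m.group(k).decode("ascii") for k in (2, 3, 4))
        if not luhn_valid(pan):
            continue  # digit run that merely looks like a PAN
        if not 1 <= int(mm) <= 12:
            continue  # expiry month out of range: not a real track
        findings.append(Finding(m.start(), mask_pan(pan), yy + mm, svc))
    return findings


# Constructed buffer standing in for a process memory dump: one genuine-looking
# track (a standard test PAN), one Luhn-invalid lookalike, one with month 13.
SAMPLE_BUFFER = (
    b"\x00\x00AUTH-REQ\x00" + b";4111111111111111=25121010000000000000?\x00"
    + b"noise 4111111111111112=2512101000000 more noise "
    + b"5500000000000004=2513201000000?\x00\x00"
)

if __name__ == "__main__":
    for finding in scan_for_track2(SAMPLE_BUFFER):
        print(finding)
```

Run against a real dump, a hit in a process that should never hold clear track data (anything other than the payment application during authorization) is the signal that a memory scraper may be present.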

Avivah Litan, vice president and distinguished analyst for Gartner, says she was told by at least two people with knowledge of the breaches that the POS malware that hit Target was tested at a few other retailers before infecting Target. “They had developed very specific point-of-sale malware … I was told it was the exact same piece of malware, and since November we’ve been told big retailer breaches were going on,” Litan says.

Another clue that something was awry: BitSight says it saw a jump in malicious activity on Target’s and Neiman Marcus’ networks in November and December 2013. Retail networks, in general, saw more malicious activity in the second half of the year, according to the firm, whose network of sensors gathers botnet, spam, malware, and other security risk communication and maps it to specific organizations’ networks.

“Since the details of these breaches have not been fully revealed, we do not know if the activity observed by BitSight was indeed the cause of the data loss. BitSight looks only at externally available data and has no access to internal network data. While we did observe increased activity during the time the breaches occurred at Target and Neiman Marcus, these companies were certainly not the worst performers in the retail sector,” said Sonali Shah, vice president of product at BitSight, in a blog post. “SecurityRatings for other companies in this industry are lower, leaving us wondering which retailer will be hit next.”

Arbor’s Wilson says he expects more POS attacks to emerge. “There’s a lot more of this going on … a lot of [victims] don’t know it yet or have yet to publicize the fact” they’ve been breached, Wilson says. “I think we’re going to see more POS malware attacks.”

Daniel Ingevaldson, CTO of Easy Solutions, says his firm in early December saw a massive flow of newly stolen credit card accounts, and then an even bigger dump of stolen cards — 2 million — on Jan. 4. “We initially assumed it was the last gasp from the Target breach, but the overall structure of that base [dump] was a little different: We saw a disproportionate amount of AmEx Black cards and AmEx Centurion cards. Centurion cards are only for people with $15 million in assets and annual income of over $1 million,” Ingevaldson notes. “It’s unusual to see those,” and it could be linked to Neiman Marcus’ breach, he says.

He says the Target breach was akin to a smash-and-grab job to get as much as possible as quickly as possible and then to resell the stolen booty right away. The remote infection of POS systems is more lucrative than attaching a skimmer on a PIN pad or at a gas station, he says.

“Another side of this is that we didn’t see 40 million cards hit the [underground] market. So we don’t have a full accounting of all of those cards,” he says. “The guys who perform this work know exactly what they’re doing, and they know how to keep prices high.”

Adam Meyers, vice president of intelligence at CrowdStrike, says while there have been multiple variations of this malware, they were used only in “limited environments” as far as it was known. These latest breaches are similar in nature to a targeted attack, he says.

“Based on my experience, I would say we are looking at several other breach announcements in the future since there appears to be a cybercriminal group that has taken a page from the targeted attacker play book and is able to move laterally and deploy malware to collect track data from the point of sales devices,” Meyers says.


Article source: http://www.darkreading.com/attacks-breaches/target-neiman-marcus-data-breaches-tip-o/240165363

ISC(2) Foundation to Offer $145,000 For 2014 Information Security Scholarships

London, U.K., January 14, 2014 — The (ISC)2 (“ISC-squared”) Foundation, the non-profit charitable trust for (ISC)2 that aims to empower students, teachers, and the general public to secure their online life with community cyber security education and awareness, today announced its scholarship application period for 2014. The application deadline for students and faculty to submit a completed application is 12:00 a.m. EST on Tuesday, April 1, 2014.

Through the (ISC)2 Foundation’s information security scholarship program, undergraduate, graduate, and post-graduate students have the opportunity to build stable careers in the field of information security. According to the 2013 Global Information Security Workforce Study, the global shortage of information security professionals is having a profound impact on the world economy. These scholarships not only encourage students to pursue careers in this industry, but they also help address the growing demand for skilled cyber security professionals worldwide.

“It is critical that we work to fill society’s need for trained cyber security professionals by building the workforce of the future,” said Julie Peeler, director of the (ISC)2 Foundation. “For many of these students, their financial situations are challenging and our scholarships provide the funding they need to continue their education. I look forward to impacting more information security students with life-changing scholarships in 2014.”

The 2014 scholarship categories include:

Women’s Scholarships: To inspire women to join the ever-growing field of information security, each year, the (ISC)2 Foundation grants up to two scholarships totaling up to US$40,000.

Undergraduate Scholarships: Aspiring information security professionals have the opportunity to ease some of their educational financial burden with the (ISC)2 Foundation Undergraduate Scholarship, offering undergraduate students studying information security grants of up to US$5,000 per recipient.

Graduate Research Project(s): Graduate students often need funding to conduct special research projects. Seed funding of up to eight grants will be given for up to US$3,000 per recipient.

Harold F. Tipton Memorial Scholarship: The (ISC)2 Foundation Harold F. Tipton Memorial Scholarship was established to provide passionate, aspiring young information security professionals the means to follow the pathway to industry excellence, as constructed by the late Mr. Tipton.

Faculty Certification Exam Vouchers: To encourage more academic participation in the profession and the certification process, (ISC)2 will provide vouchers valid for one CISSP or CSSLP exam and, upon certification, the first year of membership dues.

The (ISC)2 Foundation evaluates applicants based on academic excellence, passion for the industry, and financial need. The (ISC)2 Foundation scholarship programme has already had a lasting impact on these individuals:

“Since receiving the scholarship, my student life has dramatically changed for the better,” said Patrick Katamba, 2012-2013 Undergraduate Scholarship recipient, London Metropolitan University. “Due to this financial support, this year I didn’t have to worry about paying tuition fees. As a result, I also cut back on my weekly hours of work in order to fully concentrate on my studies. This change has drastically changed the way I learn and hopefully this has or will be reflected in my final results of the second year.”

“The scholarship has come as a blessing as my financial situation had worsened and I don’t think without this award coming my way I would have progressed well in my academics, especially with research as I was already planning to apply for a dead year,” said Innocent Barigye, 2013 Graduate Scholarship recipient, Makerere University Kampala. “With this financial support I have got from the (ISC)2 Foundation, I will be able to concentrate and finish my research and degree in time without much hassling looking for finances, which I believe is every scholar’s wish.”

“It is both an honor and privilege to be the recipient of the (ISC)2 Women’s Scholarship,” said Catherine P. Delaere, 2013 Graduate Scholarship recipient, Capella University. “What does this gift mean to me? Quite simply: opportunity and impact. As a single working mother of two, it means the opportunity to achieve higher education and career goals, increasing my chances of success, while suffering less of a financial burden. It means a positive impact on my children, teaching them by example the importance of life-long learning and pursuing goals; on my employer, by pursuing my master’s degree in IT security and assurance which will afford me greater opportunity to obtain CISSP certification, increasing my value and contribution in my workplace; and on me, by allowing me to reach my potential as a career woman and a dedicated IT professional. I am very grateful to the (ISC)2 Foundation for the opportunity and the impact of this scholarship.”

To apply, please visit:

https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/Applicant-Recipient-Qualifications-Requirements-Instructions-2014.pdf

For additional scholarship information, please visit:

https://www.isc2cares.org/Scholarships/

# # #

About the (ISC)2 Foundation

The (ISC)2 Foundation is a non-profit charitable trust that aims to empower students, teachers and the general public to secure their online life by supporting cyber security education and awareness in the community through its programs and the efforts of its members. Through the (ISC)2 Foundation, (ISC)2’s global membership of nearly 93,000 information and software security professionals seek to ensure that children everywhere have a positive, productive, and safe experience online, to spur the development of the next generation of cyber security professionals, and to illuminate major issues facing the industry now and in the future. For more information, please visit www.isc2cares.org.

About (ISC)2

(ISC)2 is the largest not-for-profit membership body of certified information and software security professionals worldwide, with over 93,000 members in more than 135 countries. Globally recognised as the Gold Standard, (ISC)2 issues the Certified Information Systems Security Professional (CISSP) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP), the Certified Cyber Forensics Professional (CCFP(SM)), Certified Authorization Professional (CAP), HealthCare Information Security and Privacy Practitioner (HCISPP(SM)), and Systems Security Certified Practitioner (SSCP) credentials to qualifying candidates. (ISC)2’s certifications are among the first information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers education programmes and services based on its CBK, a compendium of information and software security topics. More information is available at www.isc2.org.

Article source: http://www.darkreading.com/management/isc2-foundation-to-offer-145000-for-2014/240165365

Ready, aim … exploit! Experts calculate exact moment to launch that precious 0-day weapon


There’s a right time and a wrong time to exploit a vulnerability – and according to researchers from the University of Michigan, that’s something that can be worked out ahead of time.

According to the paper, Timing of cyber conflict, available from PNAS, knowing exactly when to launch a digital assault can be calculated from the following information:

  • Persistence – “the probability that if you refrain from using it now, it will still be useable” in the future. In other words, if you have a zero-day up your sleeve (and bear in mind they are worth a lot of money), do you use it now, or hope that it won’t get patched before you want to use it?
  • Stealth – “the probability that if you use it now it will still be usable” in the future. In other words: can you deploy an attack based on a vulnerability, without being detected?
  • Threshold – What conditions would lead you to use a particular cyber attack vector?

The findings may not be particularly Earth-shattering to seasoned infosec professionals, but they can be taken as a neat summary of considerations IT security types must ponder every day.

As the authors say: “The heart of our model is the trade-off between waiting until the stakes of the present situation are high enough to warrant the use of the resource, but not waiting so long that the vulnerability the resource exploits might be discovered and patched even if the resource is never used.”

The writers, Robert Axelrod and Rumen Iliev of the Ford School of Public Policy at the University of Michigan, then test the model against historical examples such as Stuxnet; Iran’s attack on Saudi Aramco; Chinese cyber-espionage; and China’s restriction of rare earth exports.

In the Stuxnet case, they say, the attack used had low persistence because it depended on a combination of vulnerabilities: the use of USB keys to deploy the worm (which could have been banned at any time by the target, the Iranian nuclear enrichment plant at Natanz), the spread technique (via a shared printer), and the worm’s privilege escalation. However, because the attack was stealthy, its designers were confident that it would evade detection (as it did, for 17 months), so they decided that it was better to deploy sooner rather than later.

Similarly, they say, China’s apparently-frequent cyber-espionage seems to be predicated on the belief that their attacks have low persistence (they’ll get patched soon) but may have reasonable stealth.

While none of this will come as a surprise to experts in the field, the aim of the Axelrod-Iliev paper seems to be to help policy-level people understand the cyber-attack landscape with a minimum of technical grasp. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/14/us_researchers_develop_decision_model_for_cyberattacks/

FTC Warns Users Of New Twist On Tech Support Scam

You’ve heard about scammers who call unsuspecting consumers and offer to “fix” computer problems that aren’t there — and steal their money and personal information in the process.

Now there’s a new twist: scammers are now calling the victims of these attacks and offering a “refund” on the bogus services, only to steal more data and account information.

According to a recently-issued warning by the Federal Trade Commission, scammers are now double-dipping on the victims of their fake IT services, calling again to offer bogus refunds to customers who weren’t satisfied.

“Once they’ve got you hooked, they claim that they need your bank or credit card account number to process the refund,” the FTC says. “They might say that you need to create a Western Union account to receive the money. They may even offer to help you fill out the necessary forms — if you give them remote access to your computer. But instead of transferring money to your account, the scammer withdraws money from your account.”

The FTC advises consumers who have been victims of false IT services to hang up on subsequent callers and file a complaint at ftc.gov/complaint.

Article source: http://www.darkreading.com/end-user/ftc-warns-users-of-new-twist-on-tech-sup/240165347

Mozilla CTO Eich: If your browser isn’t open source (ahem, ahem, IE, Chrome, Safari), DON’T TRUST IT

Mozilla CTO Brendan Eich has cautioned netizens not to blindly trust software vendors, arguing that only open-source software can be assured to be free from government-mandated surveillance code.

“Every major browser today is distributed by an organization within reach of surveillance laws,” Eich wrote in a joint blog post with Mozilla research and development VP Andreas Gal on Saturday.

Under those laws, Eich argued, governments could compel software companies to include surveillance code in their products. Worse, the vendors may not be able to admit to the public that such code exists when asked, because of gag orders.

The Mozilla man argued that open-source software can help alleviate this risk because customers have the opportunity to review its source code and spot any potential backdoors.

Equally important, Eich said, security researchers can compile open-source projects from source and compare the output to the executable binaries distributed by software vendors to make sure that the downloadable binaries don’t include any undisclosed extras.

That’s not possible for a product like Internet Explorer, Eich said, because Microsoft doesn’t share any of its proprietary code with customers.

Even browsers that use open-source HTML rendering engines such as WebKit and Blink are not safe, he added, pointing out that both Safari and Chrome contain “significant fractions” of proprietary code, into which governments could potentially sink their hooks.

“Mozilla Firefox in contrast is 100 per cent open source,” Eich wrote, by way of tooting the nonprofit’s own horn.

Not that this fact has necessarily shielded Firefox users from surveillance so far. In August, a version of Firefox that was distributed for use with the anonymizing Tor network was found to be vulnerable to an exploit that could leak users’ MAC addresses to attackers. Scammers have also occasionally tricked Firefox users into downloading fake, malware-laden updates.

To combat this, Eich has called upon security researchers to “regularly audit Mozilla source and verified builds by all effective means” – including establishing automated procedures – and to raise a public alarm if they discover any irregularities.
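The source-to-binary comparison Eich describes, and the automated auditing he calls for, come down in practice to hashing what you built yourself against what the vendor shipped. The Python script below is an added example, not Mozilla’s tooling or anything from the article: it hashes every file under two directory trees (the names `local_build` and `vendor_build` are assumed) and reports files that differ or that appear on only one side. Real browser builds are only comparable this way when the build is reproducible (same toolchain, no embedded timestamps or random seeds), which is the hard part this script does not solve.

```python
"""Compare a locally built artifact tree against a vendor-distributed one.

Added example for the 'verified builds' idea: hash every file under both
directories and report what differs. The directory names and the sample
files created in demo() are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, POSIX form) to its digest."""
    hashes: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hashes[path.relative_to(root).as_posix()] = sha256_file(path)
    return hashes


def compare_builds(local_root: Path, vendor_root: Path) -> dict[str, list[str]]:
    """Report differences between a local build and a vendor build.

    Keys: 'missing_in_vendor', 'extra_in_vendor', 'modified', 'identical'.
    For the undisclosed-extras concern, 'extra_in_vendor' and 'modified' are
    the lists to look at: content the source tree did not produce.
    """
    local = hash_tree(local_root)
    vendor = hash_tree(vendor_root)
    local_keys, vendor_keys = set(local), set(vendor)
    common = local_keys & vendor_keys
    return {
        "missing_in_vendor": sorted(local_keys - vendor_keys),
        "extra_in_vendor": sorted(vendor_keys - local_keys),
        "modified": sorted(p for p in common if local[p] != vendor[p]),
        "identical": sorted(p for p in common if local[p] == vendor[p]),
    }


def builds_match(report: dict[str, list[str]]) -> bool:
    """True only when both trees contain exactly the same files with the same hashes."""
    return not (report["missing_in_vendor"] or report["extra_in_vendor"] or report["modified"])


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Self-contained run on two constructed directory trees (not real builds)."""
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp) / "local_build"    # assumed name: what we compiled from source
        vendor = Path(tmp) / "vendor_build"  # assumed name: what the vendor distributed
        _write(local, "bin/browser", b"\x7fELF constructed main binary")
        _write(vendor, "bin/browser", b"\x7fELF constructed main binary")
        _write(local, "lib/libnet.so", b"constructed network library v1")
        _write(vendor, "lib/libnet.so", b"constructed network library v1 + unexplained bytes")
        _write(vendor, "lib/libextra.so", b"constructed file absent from the source build")
        return compare_builds(local, vendor)


if __name__ == "__main__":
    report = demo()
    for key, files in report.items():
        print(f"{key}: {files}")
    print("match" if builds_match(report) else "MISMATCH: investigate before trusting this binary")
```

A mismatch is a starting point for investigation, not proof of a backdoor: linker ordering, signing wrappers and build-time metadata all produce honest differences, which is why reproducible-build work concentrates on eliminating those before a hash comparison means anything.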

In turn, he proposed, such fully audited browsers could potentially be used as “trust anchors” to verify the authenticity of internet services, which could also contain secret surveillance code.

“Security is never ‘done’ – it is a process, not a final rest-state,” Eich wrote. “No silver bullets. All methods have limits. However, open-source auditability cleanly beats the lack of ability to audit source vs. binary.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/14/eich_urges_open_source_surveillance_audits/

Vulnerability leaves Cisco small biz routers wide open to attack

A number of Cisco networking products for small businesses contain critical vulnerabilities that could allow attackers to gain root access to the equipment, the networking giant has warned.

The affected products include the WAP4410N Wireless-N Access Point, the WRVS4400N Wireless-N Gigabit Security Router, and the RVS4000 4-port Gigabit Security Router, Cisco said in a security advisory issued late on Friday.

Note that these products are all branded Cisco and not Linksys. Cisco marketed consumer and small business networking equipment under the Linksys brand for ten years beginning in 2003, but sold the division to Belkin in January 2013.

According to Cisco’s advisory, the vulnerabilities in all three products stem from an undocumented test interface that listens on TCP port 32764 on the affected devices.

Attackers can exploit that interface to execute arbitrary commands on the underlying operating system, the advisory explains. By doing so, Cisco adds, they can potentially obtain the administrator password for the device, which would then allow them to execute commands with elevated privileges.

The most obvious use for such an exploit would be to trigger a denial-of-service attack on a network by freezing up the router or resetting it to its factory default configuration.

Cisco has ranked the vulnerabilities at 10.0 on the Common Vulnerability Scoring System (CVSS) – the highest possible score, which indicates a critical flaw.

Worst of all, public exploit code for the vulnerabilities is already available, although Cisco says it has not seen any widespread attacks based on the exploit so far.

There are no known workarounds for the vulnerabilities and Cisco has not released any patches as yet, although it promises it will ship fixes for all three routers by the end of January 2014. Until then, El Reg advises users of the affected products to cross their fingers. ®
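With no patch or workaround available yet, a defender can at least see whether anything is talking to the port the advisory names. The Python below is an added example (not from Cisco or the article): it parses netfilter-style connection log lines, flags TCP traffic to port 32764, and separates attempts arriving from the Internet from those originating inside the LAN. The log lines, hostnames, interface names and addresses are all constructed for the demonstration.

```python
"""Flag connections to the undocumented test interface on TCP/32764.

Added example: scan constructed netfilter (iptables LOG target) lines for TCP
traffic to port 32764 and classify each hit by where it came from. Hosts,
addresses, interface names and timestamps below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

TEST_INTERFACE_PORT = 32764  # the port named in the Cisco advisory

# RFC 1918 ranges count as LAN; anything else is treated as Internet-sourced.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# key=value fields written by netfilter's LOG target
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample log. Line 4 is UDP to the same port and must not be flagged,
# since the advisory describes a TCP listener.
SAMPLE_LOG = """\
Jan 14 03:12:01 gw kernel: IN=eth0 OUT= MAC=.. SRC=198.51.100.23 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51234 DPT=32764 SYN
Jan 14 03:12:05 gw kernel: IN=eth0 OUT= MAC=.. SRC=198.51.100.23 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jan 14 03:13:40 gw kernel: IN=br0 OUT= MAC=.. SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40022 DPT=32764 SYN
Jan 14 03:14:00 gw kernel: IN=eth0 OUT= MAC=.. SRC=203.0.113.9 DST=192.0.2.1 LEN=40 PROTO=UDP SPT=5353 DPT=32764
Jan 14 03:15:12 gw kernel: IN=eth0 OUT= MAC=.. SRC=203.0.113.9 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=60000 DPT=32764 SYN
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    origin: str  # "internet" or "lan"


def parse_fields(line: str) -> dict[str, str]:
    """Extract the SRC/DST/PROTO/SPT/DPT fields from one log line."""
    return dict(FIELD_RE.findall(line))


def classify_source(src: str) -> str:
    """'lan' for RFC 1918 sources, 'internet' for everything else."""
    addr = ipaddress.ip_address(src)
    return "lan" if any(addr in net for net in LAN_NETWORKS) else "internet"


def detect_test_interface_access(log_text: str, port: int = TEST_INTERFACE_PORT) -> list[Alert]:
    """Return one Alert per TCP connection attempt to the given destination port."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        timestamp = " ".join(line.split()[:3])  # syslog "Mon DD HH:MM:SS" prefix
        alerts.append(Alert(timestamp, fields["SRC"], fields["DST"], classify_source(fields["SRC"])))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts by origin so Internet-sourced hits stand out."""
    summary = {"internet": 0, "lan": 0}
    for alert in alerts:
        summary[alert.origin] += 1
    return summary


if __name__ == "__main__":
    hits = detect_test_interface_access(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.timestamp}  {hit.src} -> {hit.dst}:{TEST_INTERFACE_PORT}  ({hit.origin})")
    print(summarize(hits))
```

Internet-sourced hits against a device that should never expose the port outward are the ones to escalate; LAN-sourced hits still deserve a look, since an unmanaged host on the inside can reach the same interface.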

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/14/cisco_small_business_router_flaw/