jm + security   274

Authenticated app packages on Sandstorm with PGP and Keybase
Nice approach to package authentication UX using Keybase/PGP.
When you go to install a package, Sandstorm verifies that the package is correctly signed by the Ed25519 key. It looks for a PGP signature in the metadata, and verifies that the PGP-signed assertion is for the correct app ID and the email address specified in the metadata. It queries the Keybase API to see what accounts the packager has proven ownership of, and lists them with their links on the app install page.
authentication  auth  packages  sandstorm  keybase  pgp  gpg  security 
2 days ago by jm
Report: Everyone Should Get a Security Freeze
“Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”
us  credit  credit-freeze  security  phishing  brian-krebs 
6 days ago by jm
Three quarters of cars stolen in France 'electronically hacked' - Telegraph
The astonishing figures come two months after computer scientists in the UK warned that thousands of cars – including high-end brands such as Porsches and Maseratis – are at risk of electronic hacking. Their research was suppressed for two years by a court injunction for fear it would help thieves steal vehicles to order. The kit required to carry out such “mouse jacking”, as the French have coined the practice, can be freely purchased on the internet for around £700 and the theft of a range of models can be pulled off “within minutes,” motor experts warn.
hacking  security  security-through-obscurity  mouse-jacking  cars  safety  theft  crime  france  smart-cars 
12 days ago by jm
User data plundering by Android and iOS apps is as rampant as you suspected
An app from, meanwhile, sent the medical search terms "herpes" and "interferon" to five domains, including,,,, and, although those domains didn't receive other personal information.
privacy  security  google  tracking  mobile  phones  search  pii 
19 days ago by jm
Google tears Symantec a new one on its CA failure
Symantec are getting a crash course in how to conduct an incident post-mortem to boot:
More immediately, we are requesting of Symantec that they further update their public incident report with:
A post-mortem analysis that details why they did not detect the additional certificates that we found.
Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.
google  symantec  ev  ssl  certificates  ca  security  postmortems  ops 
26 days ago by jm
The Okinawa missiles of October | Bulletin of the Atomic Scientists
'By Bordne's account, at the height of the Cuban Missile Crisis, Air Force crews on Okinawa were ordered to launch 32 missiles, each carrying a large nuclear warhead. Only caution and the common sense and decisive action of the line personnel receiving those orders prevented the launches—and averted the nuclear war that most likely would have ensued.'
okinawa  nukes  launch-codes  pal  cold-war  cuban-missile-crisis  history  accidents  ui  security  horror  via:mattblaze 
28 days ago by jm
How a criminal ring defeated the secure chip-and-PIN credit cards | Ars Technica
Ingenious --
The stolen cards were still considered evidence, so the researchers couldn’t do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card’s original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible,” the researchers write. [...]

The researchers explain that a typical EMV transaction involves three steps: card authentication, cardholder verification, and then transaction authorization. During a transaction using one of the altered cards, the original chip was allowed to respond with the card authentication as normal. Then, during card holder authentication, the POS system would ask for a user’s PIN, the thief would respond with any PIN, and the FUN card would step in and send the POS the code indicating that it was ok to proceed with the transaction because the PIN checked out. During the final transaction authentication phase, the FUN card would relay the transaction data between the POS and the original chip, sending the issuing bank an authorization request cryptogram which the card issuer uses to tell the POS system whether to accept the transaction or not.
security  chip-and-pin  hacking  pos  emv  transactions  credit-cards  debit-cards  hardware  chips  pin  fun-cards  smartcards 
4 weeks ago by jm
How is NSA breaking so much crypto?
If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
How enormous a computation, you ask? Possibly a technical feat on a scale (relative to the state of computing at the time) not seen since the Enigma cryptanalysis during World War II. Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates. For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.
Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.

(via Eric)
via:eric  encryption  privacy  security  nsa  crypto 
5 weeks ago by jm
Designing the Spotify perimeter
How Spotify use nginx as a frontline for their sites and services
scaling  spotify  nginx  ops  architecture  ssl  tls  http  frontline  security 
5 weeks ago by jm
AWS re:Invent 2015 | (CMP406) Amazon ECS at Coursera - YouTube
Coursera are running user-submitted code in ECS! Interesting stuff about how they use Docker security/resource-limiting features, forking the ecs-agent code, to run user-submitted code. :O
coursera  user-submitted-code  sandboxing  docker  security  ecs  aws  resource-limits  ops 
5 weeks ago by jm
From Radio to Porn, British Spies Track Web Users’ Online Identities
Inside KARMA POLICE, GCHQ's mass-surveillance operation aimed to record the browsing habits of "every visible user on the internet", including UK-to-UK internal traffic. More details on the other GCHQ mass-surveillance projects at
surveillance  gchq  security  privacy  law  uk  ireland  karma-police  snooping 
8 weeks ago by jm
Malware infecting jailbroken iPhones stole 225,000 Apple account logins | Ars Technica

KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository of Cydia, which markets itself as an alternative to Apple's official App Store. Malicious code surreptitiously included with Cydia apps is creating problems for people in China and at least 17 other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account data for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom, and it has made unauthorized charges against some victims' accounts.

Ouch. Not a good sign for Cydia.
cydia  apple  security  exploits  jailbreaking  ios  iphone  malware  keyraider  china 
12 weeks ago by jm
Using Samsung's Internet-Enabled Refrigerator for Man-in-the-Middle Attacks
Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google's servers to download Gmail calendar information for the on-screen display. So, MITM the victim's fridge from next door, or on the road outside and you can potentially steal their Google credentials.

The Internet of Insecure Things strikes again.
iot  security  fridges  samsung  fail  mitm  ssl  tls  google  papers  defcon 
12 weeks ago by jm
London Calling: Two-Factor Authentication Phishing From Iran
Some rather rudimentary anti-2FA attempts, presumably from Iranian security services.
authentication  phishing  security  iran  activism  2fa  mfa 
12 weeks ago by jm
Open source security team has had enough of embedded-systems vendors taking the piss with licensing:
This announcement is our public statement that we've had enough. Companies in the embedded industry not playing by the same rules as every other company using our software violates users' rights, misleads users and developers, and harms our ability to continue our work. Though I've only gone into depth in this announcement on the latest trademark violation against us, our experience with two GPL violations over the previous year has caused an incredible amount of frustration. These concerns are echoed by the complaints of many others about the treatment of the GPL by the embedded Linux industry in particular over many years.

With that in mind, today's announcement is concerned with the future availability of our stable series of patches. We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity. Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities. If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat's, described here or eventually stop the stable series entirely as it will be an unsustainable development model.
culture  gpl  linux  opensource  security  grsecurity  via:nelson  gentoo  arch-linux  gnu 
12 weeks ago by jm
Analysis of PS4's security and the state of hacking
FreeBSD jails and Return-Oriented Programming:
Think of [Return-Oriented Programming] as writing a new chapter to a book, using only words that have appeared at the end of sentences in the previous chapters.
ps4  freebsd  jails  security  exploits  hacking  sony  rop  return-oriented-programming 
august 2015 by jm
GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies
Holy shit.
Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone.
gsmem  gsm  exfiltration  air-gaps  memory  radio  mobile-phones  security  papers 
august 2015 by jm
Preventing Dependency Chain Attacks in Maven
Using a whitelist of allowed dependency JARs and their SHAs.
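An added example (not the bookmarked project's code) of the check described: every resolved JAR is hashed with SHA-256 and compared against a committed allowlist, so a changed, unknown or missing artifact fails the build. The artifact names and digests are constructed sample values.

```python
"""Verify resolved dependency JARs against an allowlist of SHA-256 digests.

Added example (not the bookmarked project's code). Artifact names and digests
are constructed sample values; a real allowlist would be generated once from a
trusted resolution and committed next to the build.
"""
import hashlib
from pathlib import Path

# artifact file name -> expected SHA-256 (lowercase hex). Constructed sample.
ALLOWLIST: dict[str, str] = {
    "lib-a-1.0.jar": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",  # sha256(b"abc")
    "lib-b-2.3.jar": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # sha256(b"")
    "lib-d-0.9.jar": "0" * 64,  # placeholder digest for an artifact expected but not present below
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(artifacts: dict[str, bytes], allowlist: dict[str, str]) -> dict[str, str]:
    """Classify each artifact: 'ok' (digest matches), 'mismatch' (same name,
    different bytes), 'unlisted' (not in the allowlist at all); allowlisted
    names with no artifact present are reported as 'missing'."""
    verdicts: dict[str, str] = {}
    for name, data in artifacts.items():
        expected = allowlist.get(name)
        if expected is None:
            verdicts[name] = "unlisted"
        elif sha256_hex(data) == expected.lower():
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    for name in allowlist.keys() - artifacts.keys():
        verdicts[name] = "missing"
    return verdicts


def verify_directory(directory: Path, allowlist: dict[str, str] = ALLOWLIST) -> dict[str, str]:
    """Hash every JAR in a resolved-dependency directory (for Maven, target/dependency
    after `mvn dependency:copy-dependencies`) and check it against the allowlist."""
    artifacts = {p.name: p.read_bytes() for p in sorted(directory.glob("*.jar"))}
    return verify_artifacts(artifacts, allowlist)


def build_is_clean(verdicts: dict[str, str]) -> bool:
    """Fail the build on anything other than an exact, complete match."""
    return all(v == "ok" for v in verdicts.values())


# Constructed sample of what a resolution might have produced on disk.
SAMPLE_ARTIFACTS: dict[str, bytes] = {
    "lib-a-1.0.jar": b"abc",       # matches the allowlist
    "lib-b-2.3.jar": b"tampered",  # name allowlisted, content changed
    "lib-c-4.1.jar": b"new dep",   # pulled in transitively, never reviewed
}

if __name__ == "__main__":
    result = verify_artifacts(SAMPLE_ARTIFACTS, ALLOWLIST)
    for name, verdict in sorted(result.items()):
        print(f"{verdict:9} {name}")
    raise SystemExit(0 if build_is_clean(result) else 1)
```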
security  whitelisting  dependencies  coding  jar  maven  java  jvm 
august 2015 by jm
Jaysus, this is terrifying.
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.

Avoid any car which supports this staggeringly-badly-conceived Uconnect feature:

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.


Also, Chrysler's response sucks: "Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic."
hacking  security  cars  driving  safety  brakes  jeeps  chrysler  fiat  uconnect  can-bus  can 
july 2015 by jm
"Customer data is a liability, not an asset."
Great turn of phrase from Matthew Green (@matthew_d_green). Emin Gün Sirer adds some detail: "well, an asset with bounded value, and an unbounded liability"
data  privacy  data-protection  ashleymadison  hacks  security  liability 
july 2015 by jm
Security theatre at Allied Irish Banks
Allied Irish Banks's web and mobile banking portals are ludicrously insecure. Vast numbers of accounts have easily-guessable registration numbers and are thus 'protected' by a level of security that is twice as easy to crack as would be provided by a single password containing only two lowercase letters.
A person of malicious intent could easily gain access to hundreds, possibly thousands, of accounts as well as completely overwhelm the branch network by locking an estimated several 100,000s of people out of their online banking.
Both AIB and the Irish Financial Services Ombudsman have refused to respond meaningfully to multiple communications each in which these concerns were raised privately.
aib  banking  security  ireland  hacking  ifso  online-banking 
june 2015 by jm
AV vendors still relying on MD5 to identify malware
Oh dear. I can see how this happened -- in many cases they may not still have samples to derive new sums from :(
md5  hashing  antivirus  malware  security  via:fanf  bugs 
june 2015 by jm
How Plex is doing HTTPS for all its users
Large-scale automated TLS certificate deployment. Very impressive and not easy to reproduce; good work, Plex!

(via Nelson)
via:nelson  https  ssl  tls  certificates  pki  digicert  security  plex 
june 2015 by jm
SolarCapture Packet Capture Software
Interesting product line -- I didn't know this existed, but it makes good sense as a "network flight recorder". Big in finance.
SolarCapture is a powerful packet-capture product family that can transform every server into a precision network monitoring device, increasing network visibility, network instrumentation, and performance analysis. SolarCapture products optimize network monitoring and security, while eliminating the need for specialized appliances, expensive adapters relying on exotic protocols, proprietary hardware, and dedicated networking equipment.

See also Corvil (based in Dublin!): 'I'm using a Corvil at the moment and it's awesome - nanosecond precision latency measurements on the wire.'

(via mechanical sympathy list)
corvil  timing  metrics  measurement  latency  network  solarcapture  packet-capture  financial  performance  security  network-monitoring 
may 2015 by jm
The Hospira drug pump vulnerabilities described here sound pretty horrific
drugs  drug-pumps  hospira  exploits  vulnerabilities  security  root  dosage  limits 
may 2015 by jm
How the NSA Converts Spoken Words Into Searchable Text - The Intercept
This hits the nail on the head, IMO:
To Phillip Rogaway, a professor of computer science at the University of California, Davis, keyword-search is probably the “least of our problems.” In an email to The Intercept, Rogaway warned that “When the NSA identifies someone as ‘interesting’ based on contemporary NLP methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting'; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.' If the algorithms NSA computers use to identify threats are too complex for humans to understand, it will be impossible to understand the contours of the surveillance apparatus by which one is judged. All that people will be able to do is to try your best to behave just like everyone else.”
privacy  security  gchq  nsa  surveillance  machine-learning  liberty  future  speech  nlp  pattern-analysis  cs 
may 2015 by jm
"certificate verification failed" errors due to crappy Verisign certs and overzealous curl policies
Seth Vargo is correct. It's not the bit length of the key which is at issue, it's the signature algorithm. The entire keychain for the key is signed with SHA1withRSA:

At issue is that the root Verisign key has been marked as weak because of SHA1 and taken out of the curl bundle which is widely popular, and this issue will continue to cause more and more issues going forwards as that bundle makes its way into shipping o/s distributions and AWS certificate verification breaks.

'This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).' -- @jmhodges

This may be a contributory factor to the issue @nelson saw:

Curl's ca-certs bundle is also used by Node: and doubtless many other apps and packages.

Here's a mailing list thread discussing the issue: -- looks like the curl team aren't too bothered about it.
curl  s3  amazon  aws  ssl  tls  certs  sha1  rsa  key-length  security  cacerts 
april 2015 by jm
HashiCorp's take on the secrets-storage system. Looks good.
hashicorp  deployment  security  secrets  authentication  vault  storage  keys  key-rotation 
april 2015 by jm
Google Online Security Blog: A Javascript-based DDoS Attack [the Greatfire DDoS] as seen by Safe Browsing
We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult.

Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.

Via Nelson.
google  security  via:nelson  ddos  javascript  tls  ssl  safe-browsing  networking  china  greatfire 
april 2015 by jm
A web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration is based on profiles assigned to defined users.

Administrators can login using two-factor authentication with FreeOTP or Google Authenticator. From there they can create and manage public SSH keys or connect to their assigned systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.
keybox  owasp  security  ssh  tls  ssl  ops 
april 2015 by jm
Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica
The AVS WinVote system -- mind-bogglingly shitty security.
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place—within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know. I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me—as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.
security  voting  via:johnke  winvote  avs  shoup  wep  wifi  windows 
april 2015 by jm
attacks using U+202E - RIGHT-TO-LEFT OVERRIDE
The security implications of in-band signalling strike again, 43 years after the "Blue Box" hit the mainstream.

Jamie McCarthy on Twitter: ".@cmdrtaco - Remember when we had to block the U+202E code point in Slashdot comments to stop siht ekil stnemmoc?"

See also -- GMail was vulnerable too; and for more inline control chars. has some official recommendations from the Unicode consortium on dealing with bidi override chars.
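An added example, not Slashdot's or Gmail's filter, of how a comment filter can detect and strip the bidi override and embedding code points before storing text, plus a deliberately simplified simulation of what a reader sees when U+202E is honoured; the sample comment is constructed.

```python
"""Detect and strip Unicode bidi override characters from untrusted text.

Added example (not Slashdot's or Gmail's filter). The code points are Unicode's
explicit directional formatting characters; naive_display() is a deliberate
simplification of the full bidi algorithm, enough to show the RLO effect.
"""
import unicodedata

RLO, LRO, PDF = "\u202e", "\u202d", "\u202c"

# Explicit directional formatting characters: embeddings/overrides (U+202A..202E),
# isolates (U+2066..2069) and the directional marks (U+200E, U+200F, U+061C).
# A renderer obeys these, so stored text can display in an order a filter that
# only inspects the visible characters never saw.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"
    "\u2066\u2067\u2068\u2069"
    "\u200e\u200f\u061c"
)


def find_bidi_controls(text: str) -> list[tuple[int, str]]:
    """Return (offset, Unicode character name) for each bidi control in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def strip_bidi_controls(text: str) -> str:
    """Sanitise user input by dropping the controls outright."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def naive_display(text: str) -> str:
    """Approximate what a reader sees: a run under RLO is shown reversed, a run
    under LRO is shown as-is, each until the matching PDF or end of string.
    Nested embeddings, isolates and real script directionality are ignored."""
    shown: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch in (RLO, LRO):
            end = text.find(PDF, i + 1)
            if end == -1:
                end = len(text)
            run = strip_bidi_controls(text[i + 1:end])
            shown.append(run[::-1] if ch == RLO else run)
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls do not move visible characters in this model
        else:
            shown.append(ch)
            i += 1
    return "".join(shown)


# Constructed sample: what a poster stores versus what a reader of the page sees.
SAMPLE_COMMENT = "Stop posting " + RLO + "siht ekil stnemmoc"

if __name__ == "__main__":
    print("stored     :", repr(SAMPLE_COMMENT))
    print("controls   :", find_bidi_controls(SAMPLE_COMMENT))
    print("reader sees:", naive_display(SAMPLE_COMMENT))
    print("sanitised  :", strip_bidi_controls(SAMPLE_COMMENT))
```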
security  attacks  rlo  unicode  control-characters  codepoints  bidi  text  gmail  slashdot  sanitization  input 
april 2015 by jm
'CredStash is a very simple, easy to use credential management and distribution system that uses AWS Key Management System (KMS) for key wrapping and master-key storage, and DynamoDB for credential storage and sharing.'
aws  credstash  python  security  keys  key-management  secrets  kms 
april 2015 by jm
The missing MtGox bitcoins
Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox operated at fractional reserve for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox's collapse).

MtGox' bitcoins continuously went missing over time, but at a decreasing pace. Again by the middle of 2013, the curve goes more or less flat, matching the hypothesis that by that time there may not have been any more bitcoins left to lose. The rate of loss otherwise seems unusually smooth and at the same time not strictly relative to any readily available factors such as remaining BTC holdings, transaction volumes or the BTC price. Worth pointing out is that, thanks to having matched up most of the deposit/withdrawal log earlier, we can at this point at least rule out the possibility of any large-scale fake deposits — the bitcoins going into MtGox were real, meaning the discrepancy was likely rather caused by bitcoins leaving MtGox without going through valid withdrawals.
mtgox  bitcoin  security  fail  currency  theft  crime  btc 
april 2015 by jm
SCADA systems online, and a horror story about a non-airgapped Boeing 747 engine management system
747s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed.

(via Paddy Benson)
air-gap  planes  boeing  security  747  solaris  unix 
april 2015 by jm
Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes

What the fucking fuck. Air-gap or gtfo
air-gap  security  planes  boeing  a380  a350  dreamliner  networking  firewalls  avionics 
april 2015 by jm
Keeping Your Car Safe From Electronic Thieves -
In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet. Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.

What the hell -- who designed a system that would auto-unlock based on signal strength alone?!!
security  fail  cars  keys  signal  proximity  keyless-entry  prius  toyota  crime  amplification  power-amplifiers  3db  keyless 
april 2015 by jm
'a secret management and distribution service [from Square] that is now available for everyone. Keywhiz helps us with infrastructure secrets, including TLS certificates and keys, GPG keyrings, symmetric keys, database credentials, API tokens, and SSH keys for external services — and even some non-secrets like TLS trust stores. Automation with Keywhiz allows us to seamlessly distribute and generate the necessary secrets for our services, which provides a consistent and secure environment, and ultimately helps us ship faster. [...]

Keywhiz has been extremely useful to Square. It’s supported both widespread internal use of cryptography and a dynamic microservice architecture. Initially, Keywhiz use decoupled many amalgamations of configuration from secret content, which made secrets more secure and configuration more accessible. Over time, improvements have led to engineers not even realizing Keywhiz is there. It just works. Please check it out.'
square  security  ops  keys  pki  key-distribution  key-rotation  fuse  linux  deployment  secrets  keywhiz 
april 2015 by jm
China’s Great Cannon
Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-opt arbitrary computers across the web and outside of China to achieve China’s policy ends.  The repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country’s national priorities is a dangerous precedent — contrary to international norms and in violation of widespread domestic laws prohibiting the unauthorized use of computing and networked systems.
censorship  ddos  internet  security  china  great-cannon  citizen-lab  reports  web 
april 2015 by jm
Privacy Security Talk in TOG – 22nd April @ 7pm – FREE
Dublin is lucky enough to have great speakers pass through town on occasion and on Wednesday the 22nd April 2015, Runa A. Sandvik (@runasand) and Per Thorsheim (@thorsheim) have kindly offered to speak in TOG from 7pm. The format for the evening is a general meet and greet, but both speakers have offered to give a presentation on a topic of their choice. Anyone interested in privacy, security, journalism, Tor and/or who has previously attended a CryptoParty would be wise to attend. Doors are from 7pm, and bring any projects with you that you would like to share with other attendees. This is a free event, open to the public and no need to book. See you Wednesday.

Runa A. Sandvik is an independent privacy and security researcher, working at the intersection of technology, law and policy. She contributes to The Tor Project, writes for Forbes, and is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project.

Per Thorsheim as founder/organizer of, his topic of choice is of course passwords, but in a much bigger context than most people imagine. Passwords, pins, biometrics, 2-factor authentication, security/usability and all the way into surveillance and protecting your health, kids and life itself.
privacy  security  runa-sandvik  per-thorsheim  passwords  tor  truecrypt  tog  via:oisin  events  dublin 
april 2015 by jm
New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities | Electronic Frontier Foundation
'NSW officials seemed more interested in protecting their reputations than the integrity of elections. They sharply criticized Halderman and Teague, rather than commending them, for their discovery of the FREAK attack vulnerability. The Chief Information Officer of the Electoral Commission, Ian Brightwell, claimed Halderman and Teague’s discovery was part of efforts by “well-funded, well-managed anti-internet voting lobby groups,” an apparent reference to our friends at, where Halderman and Teague are voluntary Advisory Board members. Yet at the same time, Brightwell concluded that it was indeed possible that votes were manipulated.'
freak  security  vulnerabilities  exploits  nsw  australia  internet-voting  vvat  voting  online-voting  eff 
april 2015 by jm
(SEC307) Building a DDoS-Resilient Architecture with AWS
Good slides on a "web application firewall" proxy service, deployable as an auto-scaling EC2 unit.
ec2  aws  ddos  security  resilience  slides  reinvent  firewalls  http  elb 
april 2015 by jm
Google delist CNNIC certs
As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products.
cnnic  certs  ssl  tls  security  certificates  pki  chrome  google 
april 2015 by jm
Cassandra remote code execution hole (CVE-2015-0225)
Ah now lads.
Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user.
cassandra  jmx  rmi  java  ops  security 
april 2015 by jm
AllCrypt hacked, via PHP, Wordpress, and the marketing director's email
critical flaw: gaining access to the MySQL db let the attacker manipulate account balances. oh dear
security  fail  allcrypt  hacks  wordpress  php 
march 2015 by jm
Sony PSN hacking horror story
My account got hacked, running up over $600 in charges. Here's the conclusion after running through the Sony support gauntlet.
They can only refund up to $150.
I can dispute the charges with my bank, but that will result in my account being banned.
I cannot unban my account, and will thus lose my purchases ("but you only have the Last of Us and some of our free games, so it's not a big deal")
Whomever hacked my account deactivated my PS4, and activated their own. Customer support will only permit one activation every 6 months. I'm locked out of logging into my own account on my PS4 for six months.
games  sony  psn  playstation  fail  ps4  hacking  security  customer-support  horror-stories 
march 2015 by jm
Real World Crypto 2015: Password Hashing according to Facebook
Very interesting walkthrough of how Facebook hash user passwords, including years of accreted practices
facebook  passwords  authentication  legacy  web  security 
march 2015 by jm
Epsilon Interactive breach the Fukushima of the Email Industry (CAUCE)
Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially.  Email lists of at least eight financial institutions were stolen. 

Thus far, puzzlingly, Epsilon has refused to release the names  of compromised clients. [...] The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.
cauce  epsilon-interactive  esp  email  pii  data-protection  spear-phishing  phishing  identity-theft  security  ads 
march 2015 by jm
Anatomy of a Hack
Authy doesn't come off well here:

'Authy should have been harder to break. It's an app, like Authenticator, and it never left Davis' phone. But Eve simply reset the app on her phone using a address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve's control.'
authy  security  hacking  mfa  authentication  google  apps  exploits 
march 2015 by jm
"Cheap SSL certs from $4.99/yr" -- apparently recommended for cheap, low-end SSL certs
ssl  certs  security  https  ops 
february 2015 by jm
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Holy shit. Gemalto totally rooted.
With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

[...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.
encryption  security  crypto  nsa  gchq  gemalto  smartcards  sim-cards  privacy  surveillance  spying 
february 2015 by jm
Extracting the SuperFish certificate
not exactly the most challenging reverse I've ever seen ;)
reverse-engineering  security  crypto  hacking  tls  ssl  superfish  lenovo 
february 2015 by jm
The Superfish certificate has been cracked, exposing Lenovo users to attack | The Verge
The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.

Amazingly stupid.
superfish  inept  ca  ssl  tls  lenovo  mitm  security 
february 2015 by jm
South Korea faces $1bn bill after hackers raid national ID database • The Register
Simon McGarr says: '80% of S.Korea's population have had their ID number stolen, crimewave ongoing. >> Turns out a pot of honey is sweet'
fail  south-korea  korea  security  id-cards  ssn  id-numbers  privacy 
february 2015 by jm
FreeBSD breaks its kernel RNG for 4 months
If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. This means most/all keys generated may be predictable and must be
crypto  freebsd  security  lols  rng  randomness  bsd 
february 2015 by jm
Duplicate SSH Keys Everywhere
Poor hardware imaging practices, basically:
It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefonica de Espana. It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.
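Added example, not from the linked post: the check that turns this up in your own estate is simply grouping hosts by host-key fingerprint and looking for keys that belong to more than one host. The script below does that over a known_hosts file (as produced by ssh-keyscan across a subnet), computing OpenSSH-style SHA256 fingerprints from the base64 key blobs. The sample known_hosts lines and the 32-byte "public keys" in them are constructed for the example and are not real key material.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ed25519_blob(pubkey32):
    """Wire-format ssh-ed25519 public key, base64-encoded as it appears in known_hosts."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey32)).decode()

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: base64 of SHA-256 over the decoded key blob, '=' padding dropped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(known_hosts):
    """Group hosts by host-key fingerprint; return only fingerprints used by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker lines
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, blob = fields[0], fields[2]
        for host in hosts.split(","):          # one line may name several hosts/addresses
            hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}

# Constructed sample: the "keys" are hashes of labels, not real public keys.
_KEY_A = hashlib.sha256(b"image-default-key").digest()
_KEY_B = hashlib.sha256(b"host-unique-key").digest()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed scan of a management network",
    "cpe-1.example.net ssh-ed25519 " + ed25519_blob(_KEY_A),
    "cpe-2.example.net,10.0.0.2 ssh-ed25519 " + ed25519_blob(_KEY_A),
    "[cpe-3.example.net]:2222 ssh-ed25519 " + ed25519_blob(_KEY_A),
    "bastion.example.net ssh-ed25519 " + ed25519_blob(_KEY_B),
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(fp, "shared by", ", ".join(hosts))
```

Any fingerprint that comes back with more than one host is either a deliberately cloned key (rare and worth a written justification) or the baked-into-the-image mistake described above; in the second case every device sharing it needs its host keys regenerated, not just the one you noticed.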
crypto  ssh  security  telefonica  imaging  ops  shodan 
february 2015 by jm
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
'"Equation Group" ran the most advanced hacking operation ever uncovered.' Mad stuff. The security industry totally failed here
nsa  privacy  security  surveillance  hacking  keyloggers  malware 
february 2015 by jm
"Man vs Machine: Practical Adversarial Detection of Malicious Crowdsourcing Workers" [paper]
"traditional ML techniques are accurate (95%–99%) in detection but can be highly vulnerable to adversarial attacks". ain't that the truth
security  adversarial-attacks  machine-learning  paper  crowdsourcing  via:kragen 
february 2015 by jm
Debunking The Dangerous “If You Have Nothing To Hide, You Have Nothing To Fear”
A great resource bookmark from Falkvinge.
There are at least four good reasons to reject this argument solidly and uncompromisingly: The rules may change, it’s not you who determine if you’re guilty, laws must be broken for society to progress, and privacy is a basic human need.
nsa  politics  privacy  security  surveillance  gchq  rick-falkvinge  society 
january 2015 by jm
Amazing comment from a random sysadmin who's been targeted by the NSA
'Here's a story for you.
I'm not a party to any of this. I've done nothing wrong, I've never been suspected of doing anything wrong, and I don't know anyone who has done anything wrong. I don't even mean that in the sense of "I pissed off the wrong people but technically haven't been charged." I mean that I am a vanilla, average, 9-5 working man of no interest to anybody. My geographical location is an accident of my birth. Even still, I wasn't accidentally born in a high-conflict area, and my government is not at war. I'm a sysadmin at a legitimate ISP and my job is to keep the internet up and running smoothly.
This agency has stalked me in my personal life, undermined my ability to trust my friends attempting to connect with me on LinkedIn, and infected my family's computer. They did this because they wanted to bypass legal channels and spy on a customer who pays for services from my employer. Wait, no, they wanted the ability to potentially spy on future customers. Actually, that is still not accurate - they wanted to spy on everybody in case there was a potentially bad person interacting with a customer.
After seeing their complete disregard for anybody else, their immense resources, and their extremely sophisticated exploits and backdoors - knowing they will stop at nothing, and knowing that I was personally targeted - I'll be damned if I can ever trust any electronic device I own ever again.
You all rationalize this by telling me that it "isn't surprising", and that I don't live in the [USA,UK] and therefore I have no rights.
I just have one question.
Are you people even human?'
nsa  via:ioerror  privacy  spying  surveillance  linkedin  sysadmins  gchq  security 
january 2015 by jm
Secure Secure Shell
How to secure SSH, disabling insecure ciphers etc. (via Padraig)
via:pixelbeat  crypto  security  ssh  ops 
january 2015 by jm
Use sshuttle to Keep Safe on Insecure Wi-Fi
I keep forgetting about sshuttle. It's by far the easiest way to get a cheapo IP-over-SSH VPN working with an OSX client, particularly since it's in homebrew
ssh  vpn  sshuttle  tunnelling  security  ip  wifi  networking  osx  homebrew 
december 2014 by jm
To demonstrate that hackers have no interest in suppressing speech, quashing controversy, or being intimidated by vague threats, we ask that Sony allow the hacker community to distribute "The Interview" for them on the 25th of December. Now, we're aware that Sony may refer to this distribution method as piracy, but in this particular case, it may well prove to be the salvation of the motion picture industry. By freely offering the film online, millions of people will get to see it and decide for themselves if it has any redeeming qualities whatsoever - as opposed to nobody seeing it and the studios writing it off as a total loss. Theaters would be free from panic as our servers would become the target of any future vague threats (and we believe Hollywood will be most impressed with how resilient peer-to-peer distribution can be in the face of attacks). Most importantly, we would be defying intimidation, something the motion picture industry doesn't quite have a handle on, which is surprising considering how much they've relied upon it in the past.
2600  funny  hackers  security  sony  north-korea  the-interview  movies  piracy 
december 2014 by jm
The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users | WIRED
Since Operation Torpedo [use of a Metasploit side project], there’s evidence the FBI’s anti-Tor capabilities have been rapidly advancing. Torpedo was in November 2012. In late July 2013, computer security experts detected a similar attack through Dark Net websites hosted by a shady ISP called Freedom Hosting—court records have since confirmed it was another FBI operation. For this one, the bureau used custom attack code that exploited a relatively fresh Firefox vulnerability—the hacking equivalent of moving from a bow-and-arrow to a 9-mm pistol. In addition to the IP address, which identifies a household, this code collected the MAC address of the particular computer that was infected by the malware.

“In the course of nine months they went from off the shelf Flash techniques that simply took advantage of the lack of proxy protection, to custom-built browser exploits,” says Soghoian. “That’s a pretty amazing growth … The arms race is going to get really nasty, really fast.”
fbi  tor  police  flash  security  privacy  anonymity  darknet  wired  via:bruces 
december 2014 by jm
When data gets creepy: the secrets we don’t realise we’re giving away | Technology | The Guardian
Very good article around the privacy implications of derived and inferred aggregate metadata from Ben Goldacre.
We are entering an age – which we should welcome with open arms – when patients will finally have access to their own full medical records online. So suddenly we have a new problem. One day, you log in to your medical records, and there’s a new entry on your file: “Likely to die in the next year.” We spend a lot of time teaching medical students to be skilful around breaking bad news. A box ticked on your medical records is not empathic communication. Would we hide the box? Is that ethical? Or are “derived variables” such as these, on a medical record, something doctors should share like anything else?
advertising  ethics  privacy  security  law  data  aggregation  metadata  ben-goldacre 
december 2014 by jm
"Macaroons" for fine-grained secure database access
Macaroons are an excellent fit for NoSQL data storage for several reasons. First, they enable an application developer to enforce security policies at very fine granularity, per object. Gone are the clunky security policies based on the IP address of the client, or the per-table access controls of RDBMSs that force you to split up your data across many tables. Second, macaroons ensure that a client compromise does not lead to loss of the entire database. Third, macaroons are very flexible and expressive, able to incorporate information from external systems and third-party databases into authorization decisions. Finally, macaroons scale well and are incredibly efficient, because they avoid public-key cryptography and instead rely solely on fast hash functions.
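Added example, not code from the linked post or from HyperDex: the HMAC chaining that makes the paragraph's claims work, in about forty lines. The store mints a macaroon with its root key; the application tier appends first-party caveats (object, operation, expiry), each one folding into the signature as HMAC(previous signature, caveat); the store verifies by recomputing the chain from the root key, so a caveat can be added by anyone holding the macaroon but cannot be removed. Third-party caveats, which this example omits, use the same chain with an encrypted caveat key. The identifiers, location and predicate syntax are assumptions made up for the example.

```python
import hashlib
import hmac

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key, location, identifier):
    """The storage service mints a macaroon for one object. Only it holds root_key;
    the signature chain starts at HMAC(root_key, identifier)."""
    return {"location": location, "id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(m, caveat):
    """Anyone holding a macaroon can add a caveat. The signature becomes HMAC(old_sig, caveat),
    so a caveat can be appended without the root key but never removed or reordered."""
    return {**m, "caveats": m["caveats"] + [caveat], "sig": _mac(m["sig"], caveat)}

def caveat_holds(caveat, ctx):
    """First-party caveats of the forms 'field = value' and 'field < integer' (example syntax).
    Anything else fails closed."""
    try:
        field, op, value = caveat.decode().split(" ", 2)
    except ValueError:
        return False
    if op == "=":
        return field in ctx and str(ctx[field]) == value
    if op == "<":
        return field in ctx and int(ctx[field]) < int(value)
    return False

def verify(root_key, m, ctx):
    """Recompute the chain from the root key and require every caveat to hold for this request."""
    sig = _mac(root_key, m["id"])
    ok = True
    for caveat in m["caveats"]:
        ok &= caveat_holds(caveat, ctx)
        sig = _mac(sig, caveat)
    return ok and hmac.compare_digest(sig, m["sig"])

def demo():
    root_key = b"constructed-root-key-held-only-by-the-store"
    now = 1416000000
    # store issues a broad macaroon to the application tier ...
    full = mint(root_key, "store.example.internal", b"orders-store:ticket-17")
    # ... which narrows it before handing it to a client: one object, read only, one hour
    readonly = attenuate(attenuate(attenuate(full, b"object = orders/42"), b"op = read"),
                         f"time < {now + 3600}".encode())
    stripped = {**readonly, "caveats": readonly["caveats"][:-2]}   # client tries to drop caveats
    def request(op, obj, t=now):
        return {"op": op, "object": obj, "time": t}
    return {
        "read_allowed": verify(root_key, readonly, request("read", "orders/42")),
        "write_denied": verify(root_key, readonly, request("write", "orders/42")),
        "other_denied": verify(root_key, readonly, request("read", "orders/43")),
        "expired":      verify(root_key, readonly, request("read", "orders/42", now + 7200)),
        "stripped":     verify(root_key, stripped, request("write", "orders/42")),
        "full_write":   verify(root_key, full, request("write", "orders/42")),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {'granted' if outcome else 'denied'}")
```

The "stripped" case is the one to notice: the caveats are gone but the signature still commits to them, so the recomputed chain no longer matches and the store rejects the request without needing any per-client state.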
security  macaroons  cookies  databases  nosql  case-studies  storage  authorization  hyperdex 
november 2014 by jm
Wired on "Regin"
The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless,” writes Symantec in its report about Regin.

Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisqater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform’s main file.
regin  malware  security  hacking  exploits  nsa  gchq  symantec  espionage 
november 2014 by jm
How I created two images with the same MD5 hash
I found that I was able to run the algorithm in about 10 hours on an AWS large GPU instance bringing it in at about $0.65 plus tax.

Bottom line: MD5 is feasibly attackable by pretty much anyone now.
crypto  images  md5  security  hashing  collisions  ec2  via:hn 
november 2014 by jm
curl | sh
'People telling people to execute arbitrary code over the network. Run code from our servers as root. But HTTPS, so it’s no biggie.'

humor  sysadmin  ops  security  curl  bash  npm  rvm  chef 
november 2014 by jm
Chip & PIN vs. Chip & Signature
Trust US banks to fuck up their attempts at security :( US "chip-and-signature" cards are still entirely forgeable because the banks fear that consumers are too stupid to use a PIN, basically.
BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip [and signature] cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.
magstripe  banks  banking  chip-and-pin  security  brian-krebs  chip-and-signature 
october 2014 by jm
PSA: don't run 'strings' on untrusted files (CVE-2014-8485)
Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and "optimize" the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking
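Added example, not from the advisory or binutils: the whole problem is that `strings` hands the input to libbfd to decide which sections to read, so the safe alternative is a scan that never interprets the file at all, which is what `strings -a` does. This is that scan, reimplemented in Python: it emits runs of printable ASCII of at least `min_len` bytes with their offsets, and nothing in a malformed header can move it out of bounds because it never reads the header. The sample bytes are constructed.

```python
def extract_strings(data, min_len=4):
    """Return (offset, text) for every run of >= min_len printable ASCII bytes in data.
    Deliberately ignores whatever executable format the file claims to be."""
    found, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7e or b == 0x09:      # printable ASCII plus tab, as GNU strings counts them
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:   # run that reaches end of input
        found.append((start, data[start:].decode("ascii")))
    return found

def strings_file(path, min_len=4):
    """Same scan over a file on disk; read it whole, it is untrusted input, not a container to parse."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)

# Constructed sample: a few bytes that look like an ELF header, then assorted junk and text.
# The header is never interpreted, so whatever it says about sections cannot hurt us.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\xff\x00"
          + b"/bin/sh\x00" + b"\x01\x02" + b"GCC: (GNU) 4.9\x00" + b"ab\x00" + b"PATH=/tmp")

if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE):
        print(f"{offset:7d} {text}")
```

For triage scripts that run over samples of unknown provenance, this (or `strings -a`) is the version to call; the libbfd code path is only worth its section awareness on binaries you already trust.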
strings  libbfd  gnu  security  fuzzing  buffer-overflows 
october 2014 by jm
Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.
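Added example, not from the Google post: the design flaw itself, worked through in code. SSL 3.0's CBC padding is arbitrary bytes followed by a length byte, and the receiver checks only that length byte before verifying the MAC. An attacker who can make the client send chosen plaintext around a secret (a cookie) lines up the target byte at the end of a block, arranges the final block to be all padding, and replaces that final block with the target's ciphertext block; the server accepts the record exactly when the target byte, XORed with two ciphertext bytes the attacker can see, equals 15. Each accepted record leaks one byte. The block cipher below is a toy Feistel network built on HMAC so the example needs only the standard library; it stands in for AES and the attack does not depend on it. The same code with the TLS 1.0 padding check (every filler byte must equal the length byte) fails, which is the whole difference between the two protocols here. Keys, secret and seed are constructed.

```python
import hashlib
import hmac
import random

BLOCK, MAC_LEN = 16, 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher: 4-round Feistel keyed by HMAC-SHA256 (stand-in for AES).
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def pad(data, rng, tls_style):
    # SSL 3.0: filler bytes are arbitrary, only the final length byte matters.
    # TLS 1.0+: every filler byte must equal the length byte, and the receiver checks that.
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    filler = bytes([n]) * n if tls_style else bytes(rng.getrandbits(8) for _ in range(n))
    return data + filler + bytes([n])

def encrypt_record(enc_key, mac_key, body, rng, tls_style):
    """MAC-then-encrypt in CBC with a fresh IV; returns [IV, C1, ..., Cn]."""
    padded = pad(body + hmac.new(mac_key, body, hashlib.sha256).digest(), rng, tls_style)
    blocks = [bytes(rng.getrandbits(8) for _ in range(BLOCK))]
    for i in range(0, len(padded), BLOCK):
        blocks.append(block_encrypt(enc_key, _xor(padded[i:i + BLOCK], blocks[-1])))
    return blocks

def server_accepts(enc_key, mac_key, blocks, tls_style):
    """Decrypt, strip padding, verify the MAC. The padding check is the only thing that differs."""
    plain = b"".join(_xor(block_decrypt(enc_key, c), p) for p, c in zip(blocks, blocks[1:]))
    n = plain[-1]
    if n >= BLOCK:
        return False
    if tls_style and any(b != n for b in plain[-1 - n:-1]):
        return False
    body, mac = plain[:-1 - n - MAC_LEN], plain[-1 - n - MAC_LEN:-1 - n]
    return hmac.compare_digest(mac, hmac.new(mac_key, body, hashlib.sha256).digest())

def poodle_recover(secret_len, send, oracle, max_tries=8192):
    """send(prefix_len, suffix_len) makes the victim emit one record for prefix+secret+suffix
    (what attacker JavaScript achieves via request path and body); oracle(blocks) is True
    when the server accepted the record."""
    recovered = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK                        # secret[k] is last in its block
        i = (prefix_len + k) // BLOCK + 1                           # ... which is ciphertext block i
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK   # final block becomes all padding
        for _ in range(max_tries):
            blocks = send(prefix_len, suffix_len)
            forged = blocks[:-1] + [blocks[i]]                      # swap padding block for C_i
            if oracle(forged):
                # accepted => D(C_i)[-1] ^ C_{n-1}[-1] == 15, and D(C_i) == P_i ^ C_{i-1}
                recovered.append((BLOCK - 1) ^ blocks[i - 1][-1] ^ blocks[-2][-1])
                break
        else:
            return bytes(recovered), False
    return bytes(recovered), True

def demo(tls_style=False, max_tries=8192):
    rng = random.Random(20141014)                 # fixed seed so the run is reproducible
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    secret = b"sid=8f3"
    def send(prefix_len, suffix_len):
        return encrypt_record(enc_key, mac_key, b"G" * prefix_len + secret + b"X" * suffix_len, rng, tls_style)
    return poodle_recover(len(secret), send,
                          lambda blocks: server_accepts(enc_key, mac_key, blocks, tls_style), max_tries)

if __name__ == "__main__":
    print("SSL 3.0 padding:", demo())
    print("TLS padding:    ", demo(tls_style=True, max_tries=1000))
```

About 256 requests per byte on average against the SSL 3.0 check; against the TLS check the forged final block would have to decrypt to sixteen identical bytes, so the loop exhausts its budget with nothing recovered. The fix on the wire is not a better padding check for SSL 3.0 but refusing to negotiate it at all, and TLS_FALLBACK_SCSV so a client that supports TLS is not talked down to it.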

ssl3  ssl  tls  security  exploits  google  crypto 
october 2014 by jm
An _extremely_ detailed resource about the bash bug
bash  hacking  security  shell  exploits  reference  shellshock 
october 2014 by jm