jm + security   408

Troy Hunt: The Effectiveness of Publicly Shaming Bad Security
Now I don't know how much of this change was due to my public shaming of their security posture, maybe they were going to get their act together afterward anyway. Who knows. However, what I do know for sure is that I got this DM from someone not long after that post got media attention (reproduced with their permission):

Hi Troy, I just want to say thanks for your blog post on the Natwest HTTPS issue you found that the BBC picked up on. I head up the SEO team at a Media agency for a different bank and was hitting my head against a wall trying to communicate this exact thing to them after they too had a non-secure public site separate from their online banking. The quote the BBC must have asked from them prompted the change to happen overnight, something their WebDev team assured me would cost hundreds of thousands of pounds and at least a year to implement! I was hitting my head against the desk for 6 months before that so a virtual handshake of thanks on my behalf! Thanks!
business  internet  security  social-media  shame  troy-hunt  bad-press  spin  shaming 
8 days ago by jm
UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm
The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.

The patch—freely available for as little as Rs 2,500 (around $35)—allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.

This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
security  aadhaar  identity  india  privacy  databases  data-privacy 
9 days ago by jm
Biohackers Encoded Malware in a Strand of DNA
a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.
hacking  malware  security  sequencing  genome  biohacking  dna 
17 days ago by jm
Hacker Finds Hidden 'God Mode' on Old VIA C3 x86 CPUs
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents. He found one — US8341419 — that mentioned jumping from ring 3 to ring 0 and protecting the machine from exploits of model-specific registers (MSRs), manufacturer-created commands that are often limited to certain chipsets.

Domas followed the "trail of breadcrumbs," as he put it, from one patent to another and figured out that certain VIA chipsets were covered by the patents. Then he collected many old VIA C3 machines and spent weeks fuzzing code.

He even built a testing rig consisting of seven Nehemiah-based thin clients hooked up to a power relay that would power-cycle the machines every couple of minutes, because his fuzzing attempts would usually crash the systems. After three weeks, he had 15 GB of log data — and the instructions to flip on the backdoor in the hidden RISC chip.

(via Nelson)
cpu  via  x86  fuzzing  security  nehemiah  via:nelson 
5 weeks ago by jm
How I gained commit access to Homebrew in 30 minutes
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it.

If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?

This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.
homebrew  github  security  jenkins  credentials  scary 
6 weeks ago by jm
Nginx tuning tips: TLS/SSL HTTPS – Improved TTFB/latency
Must do these soon on jmason.org / taint.org et al.
nginx  http  https  http2  ops  tls  security  linux 
11 weeks ago by jm
Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site
LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.
locationsmart  verizon  sprint  t-mobile  att  brian-krebs  security  location-tracking  tracking  mobile  phones  location 
may 2018 by jm
Attacks against GPG signed APT repositories - Packagecloud Blog

It is a common misconception that simply signing your packages and repository metadata with GPG is enough to create a secure APT repository. This is false. Many of the attacks outlined in the paper and this blog post are effective against GPG-signed APT repositories. GPG signing Debian packages themselves does nothing, as explained below. The easiest way to prevent the attacks covered below is to always serve your APT repository over TLS; no exceptions.

This is excellent research. My faith in GPG sigs on packages is well shaken.
apt  security  debian  packaging  gpg  pgp  packages  dpkg  apt-get  ops 
may 2018 by jm
keiichishima/yacryptopan
'Yet another Crypto-PAn implementation for Python':
This package provides a function to anonymize IP addresses keeping their prefix consistency. This program is based on the paper "Prefix-Preserving IP Address Anonymization: Measurement-based Security Evaluation and a New Cryptography-based Scheme" written by Jun Xu, Jinliang Fan, Mostafa H. Ammar, and Sue B. Moon. The detailed explanation can be found in [Xu2002]. This package supports both IPv4 and IPv6 anonymization.

(via Alexandre Dulaunoy)
via:adulau  anonymization  ip-addresses  internet  ipv4  ipv6  security  crypto  python  crypto-pan 
april 2018 by jm
Securing wireless neurostimulators
The latest generation of such devices come with remote monitoring and reprogramming capabilities, via an external device programmer. The manufacturers seem to have relied on security through obscurity (when will we ever learn!) with the very predictable result that the interface turns out not to be secure at all. So we end up with a hackable device connected directly to someone’s brain.
security  brain  health  medical  devices  iot  exploits  neurostimulators 
april 2018 by jm
Mythology about security…
A valuable history lesson from Jim Gettys:
Government export controls crippled Internet security and the design of Internet protocols from the very beginning: we continue to pay the price to this day. Getting security right is really, really hard, and current efforts towards “back doors”, or other access is misguided. We haven’t even recovered from the previous rounds of government regulations, which has caused excessive complexity in an already difficult problem and many serious security problems. Let us not repeat this mistake…

I remember the complexity of navigating crypto export controls. As noted here, it was generally easier just not to incorporate security features.
security  crypto  export-control  jim-gettys  x11  history  x-windows  mit  athena  kerberos 
april 2018 by jm
Colm MacCárthaigh on TLS 1.3 and the risks of 0-RTT
here's my advice: if you see a server supporting 0-RTT and that server doesn't give you an iron-clad guarantee that when the key is used, it's deleted, and that your EARLY CONVERSATION can't be repeated ... don't use it.
colmmacc  tls  security  ssl  0rtt  risks  networking  crypto 
march 2018 by jm
Generate Mozilla Security Recommended Web Server Configuration Files
this is quite cool -- generate web server configs to activate current best-practice TLS settings
web  openssl  nginx  lighttpd  apache  haproxy  hsts  security  ssl  tls  ops 
february 2018 by jm
Amazing thread from @gavinsblog on the Strava leak
'This often led to the same results you see with Strava. In low population countries, or countries with low smartphone penetration, it was often easy to detect Westerners (usually soldiers) in remote areas.

this usually led to being able to identify bases and other types of things based solely on social data. Iraq, Afghanistan = always easy to find US troops (Instagram being a common sharing tool). Same true of IDF troops in staging areas before invasion of Gaza in 2014.

and the same true in 2014 with Russian troops in Ukraine. All too easy. Of course the other thing you might be nosey about [is] known military facilities. Social geotagging can give you staff/visitor lists if you persist long enough.

the difference between this technique and Strava was you could usually quickly deduce first name/last name if you wanted, and infer other social profiles eg LinkedIn -> FB -> FB friends -> work colleagues. Not only that but it was possible to automate.'
strava  privacy  military  security  geotagging  geodata  gavin-sheridan 
january 2018 by jm
'DolphinAttack: Inaudible Voice Commands' [pdf]
'Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though hidden, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions. We validate that it is feasible to detect DolphinAttack by classifying the audios using a support vector machine (SVM), and suggest re-designing voice controllable systems to be resilient to inaudible voice command attacks.'

via Zeynep (https://twitter.com/zeynep/status/956520320504123392)
alexa  siri  attacks  security  exploits  google-now  speech-recognition  speech  audio  acm  papers  cortana 
january 2018 by jm
Remote Code Execution on the Smiths Medical Medfusion 4000 Infusion Pump
'Between March and June of 2017 I spent around 400 hours of personal time analyzing the Smiths Medical Medfusion 4000 infusion pump for security vulnerabilities. The devices analyzed had software versions 1.1.2 and 1.5.0. The flaws discovered (the most critical of which was a DHCP buffer overflow in the MQX operating system used) were disclosed in a coordinated fashion and are detailed by ICS-CERT in ICSMA-250-02A and CERT in VU#590639.

The goal of this exercise was to help protect patients that rely on therapy provided by the pump, to raise awareness of the risk present in unpatched versions of the device, and, finally, to contribute to the corpus of embedded/IoT security research.'
medical  infusion-pumps  security  iot  safety  exploits  embedded-systems  reversing 
january 2018 by jm
Securing Docker Containers on AWS | nearForm
'On most projects at nearForm we are deploying our solutions within Docker containers. There are tasks that are repeated on each project to secure and harden off those deployments and we built this packer template to produce a quick and easy way for you to spin up an AWS AMI that passes the Docker-Bench-Security script. The Docker-Bench-Security repo is a work product of the above mentioned consolidation efforts by the Docker team.'
docker  aws  security  nearform  containers  linux  packer 
january 2018 by jm
‘It Can’t Be True.’ Inside the Semiconductor Industry’s Meltdown
“Our first priority has been to have a complete mitigation in place,” said Intel’s Parker. “We’ve delivered a solution.” Some in the cybersecurity community aren’t so sure. Kocher, who helped discover Spectre, thinks this is just the beginning of the industry’s woes. Now that new ways to exploit chips have been exposed, there’ll be more variations and more flaws that will require more patches and mitigation.
"This is just like peeling the lid off the can of worms," he said.
meltdown  spectre  speculative-execution  security  exploits  intel  amd  cpus 
january 2018 by jm
[1801.02780] Rogue Signs: Deceiving Traffic Sign Recognition with Malicious Ads and Logos
Well, so much for that idea.
We propose a new real-world attack against the computer vision based systems of autonomous vehicles (AVs). Our novel Sign Embedding attack exploits the concept of adversarial examples to modify innocuous signs and advertisements in the environment such that they are classified as the adversary's desired traffic sign with high confidence. Our attack greatly expands the scope of the threat posed to AVs since adversaries are no longer restricted to just modifying existing traffic signs as in previous work. Our attack pipeline generates adversarial samples which are robust to the environmental conditions and noisy image transformations present in the physical world. We ensure this by including a variety of possible image transformations in the optimization problem used to generate adversarial samples. We verify the robustness of the adversarial samples by printing them out and carrying out drive-by tests simulating the conditions under which image capture would occur in a real-world scenario. We experimented with physical attack samples for different distances, lighting conditions, and camera angles. In addition, extensive evaluations were carried out in the virtual setting for a variety of image transformations. The adversarial samples generated using our method have adversarial success rates in excess of 95% in the physical as well as virtual settings.
signs  road-safety  roads  traffic  self-driving-cars  cars  avs  security  machine-learning  computer-vision  ai 
january 2018 by jm
Aadhaar’s Dirty Secret Is Out, Anyone Can Be Added as a Data Admin
If you think your Aadhaar data is only in the hands of those authorised to access the official [Indian national] Aadhaar database, think again. Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that’s not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask. A person of your choosing would then have access to the data of all 119,22,59,062 Aadhaar cardholders.
aadhaar  security  fail  vulnerabilities  privacy 
january 2018 by jm
Notes from the Intelpocalypse [LWN.net]
What emerges is a picture of unintended processor functionality that can be exploited to leak arbitrary information from the kernel, and perhaps from other guests in a virtualized setting. If these vulnerabilities are already known to some attackers, they could have been using them to attack cloud providers for some time now. It seems fair to say that this is one of the most severe vulnerabilities to surface in some time.

The fact that it is based in hardware makes things significantly worse. We will all be paying the performance penalties associated with working around these problems for the indefinite future. For the owners of vast numbers of systems that cannot be updated, the consequences will be worse: they will remain vulnerable to a set of vulnerabilities with known exploits. This is not a happy time for the computing industry.
hardware  cpus  intel  amd  spectre  meltdown  security 
january 2018 by jm
These stickers make AI hallucinate things that aren’t there - The Verge
The sticker “allows attackers to create a physical-world attack without prior knowledge of the lighting conditions, camera angle, type of classifier being attacked, or even the other items within the scene.” So, after such an image is generated, it could be “distributed across the Internet for other attackers to print out and use.”

This is why many AI researchers are worried about how these methods might be used to attack systems like self-driving cars. Imagine a little patch you can stick onto the side of the motorway that makes your sedan think it sees a stop sign, or a sticker that stops you from being identified by AI surveillance systems. “Even if humans are able to notice these patches, they may not understand the intent [and] instead view it as a form of art,” the researchers write.
self-driving  cars  ai  adversarial-classification  security  stickers  hacks  vision  surveillance  classification 
january 2018 by jm
Nicole Perlroth's roundup on the Spectre and Meltdown security holes
Excellent roundup -- this really is amazingly bad news for CPU performance and fixability
meltdown  spectre  nicole-perlroth  security  cpu  performance  speculative-execution  intel  amd  arm 
january 2018 by jm
The mysterious case of the Linux Page Table Isolation patches | Hacker News
good HN comments on the horrible security bug du jour -- Intel CPUs potentially allowing privileged data leaks cross-VM and cross-process
lpt  linux  vm  intel  cpus  security 
january 2018 by jm
The Mirai Botnet Was Part of a College Student Minecraft Scheme
The truth, as made clear in that Alaskan courtroom Friday — and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.

Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft. “They didn’t realize the power they were unleashing,” says FBI supervisory special agent Bill Walton. "This was the Manhattan Project."

(via Nelson)
minecraft  botnets  mirai  security  rutgers  ddos 
december 2017 by jm
Canarytokens.org - Quick, Free, Detection for the Masses
similar to honeytokens -- detect breaches by access attempts to unique addresses
security  honeypots  honeytokens  canary  canarytokens 
december 2017 by jm
VLC in European Parliament's bug bounty program
This was not something I expected:
The European Parliament has approved budget to improve the EU’s IT infrastructure by extending the free software security audit programme (FOSSA) and by including a bug bounty approach in the programme.

The Commission intends to conduct a small-scale "bug bounty" activity on open-source software with companies already operating in the market. The scope of this action is to:

Run a small-scale "bug bounty" activity for open source software project or library for a period of up to two months maximum;
The purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;
The process must be fully open to all potential bug hunters, while staying in-line with the existing Terms of Service of the bug bounty platform.
vlc  bug-bounties  security  europe  europarl  eu  ep  bugs  oss  video  open-source 
december 2017 by jm
UK government planning to require age verification for access to porn
This thread has pointed out the unintentional side effect which I hadn't considered: this database of user auth info and their porn habits will be an incredibly valuable target for foreign governments and hackers, and a single foreign porn company owns the AV service they are potentially planning to use for it.

"if they can't find a way to de-link identities from usage, this is a monumental national security risk and it's beyond insane they're even considering it. "Sorry Prime Minister, Russia now knows what porn every MP, civil servant and clearance holder watches and when, and we don't know how much of it they've given to Wikileaks. In retrospect, having the world's most obvious SIGINT target built in PHP and hosted in the Cayman Islands by an uncleared foreign 25 year old working for a porn company probably wasn't the best idea".
age  verification  porn  uk  politics  censorship  security  national-security  wikileaks  russia 
november 2017 by jm
Quad9
Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy. 

Security: Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types an address into a web browser, Quad9 will check the site against the IBM X-Force threat intelligence database of over 40 billion analyzed web pages and images. Quad9 also taps feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike.

Performance: Quad9 systems are distributed worldwide in more than 70 locations at launch, with more than 160 locations in total on schedule for 2018. These servers are located primarily at Internet Exchange points, meaning that the distance and time required to get answers is lower than almost any other solution. These systems are distributed worldwide, not just in high-population areas, meaning users in less well-served areas can see significant improvements in speed on DNS lookups. The systems are “anycast” meaning that queries will automatically be routed to the closest operational system. 

Privacy: No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS

Awesome!
quad9  resolvers  dns  anycast  ip  networking  privacy  security 
november 2017 by jm
How Facebook Figures Out Everyone You've Ever Met
Oh god this is so creepy.
Facebook’s machinery operates on a scale far beyond normal human interactions. And the results of its People You May Know algorithm are anything but obvious. In the months I’ve been writing about PYMK, as Facebook calls it, I’ve heard more than a hundred bewildering anecdotes:

A man who years ago donated sperm to a couple, secretly, so they could have a child—only to have Facebook recommend the child as a person he should know. He still knows the couple but is not friends with them on Facebook.
A social worker whose client called her by her nickname on their second visit, because she’d shown up in his People You May Know, despite their not having exchanged contact information.
A woman whose father left her family when she was six years old—and saw his then-mistress suggested to her as a Facebook friend 40 years later.
An attorney who wrote: “I deleted Facebook after it recommended as PYMK a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email.”
facebook  privacy  surveillance  security  creepy  phones  contacts  pymk 
november 2017 by jm
The $280M Ethereum bug

The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized. Although the contract is a library, it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts.
The event occurred in two transactions, a first one to take over the library and a second one to kill the library — which was used by all multi-sig wallets created after the 20th of July.

Since by design smart-contracts themselves can’t be patched easily, this makes dependencies on third-party libraries very lethal if a mistake happens. The fact that libraries are global is also arguable; this would be shocking if it was how our daily use Operating Systems would work.
security  bitcoin  ethereum  lol  fail  smart-contracts 
november 2017 by jm
aws-vault
'A vault for securely storing and accessing AWS credentials in development environments'.

Scott Piper says: 'You should not use the AWS CLI with MFA without aws-vault, and probably should not use the CLI at all without aws-vault, because of its benefit of storing your keys outside of ~/.aws/credentials (since every once in a while a developer will decide to upload all their dot-files in their home directory to github so they can use the same .vimrc and .bashrc aliases everywhere, and will end up uploading their AWS creds).'
aws  vault  security  cli  development  coding  dotfiles  credentials  mfa 
november 2017 by jm
Fooling Neural Networks in the Physical World with 3D Adversarial Objects · labsix
This is amazingly weird stuff. Fooling NNs with adversarial objects:
Here is a 3D-printed turtle that is classified at every viewpoint as a “rifle” by Google’s InceptionV3 image classifier, whereas the unperturbed turtle is consistently classified as “turtle”.

We do this using a new algorithm for reliably producing adversarial examples that cause targeted misclassification under transformations like blur, rotation, zoom, or translation, and we use it to generate both 2D printouts and 3D models that fool a standard neural network at any angle. Our process works for arbitrary 3D models - not just turtles! We also made a baseball that classifies as an espresso at every angle! The examples still fool the neural network when we put them in front of semantically relevant backgrounds; for example, you’d never see a rifle underwater, or an espresso in a baseball mitt.
ai  deep-learning  3d-printing  objects  security  hacking  rifles  models  turtles  adversarial-classification  classification  google  inceptionv3  images  image-classification 
november 2017 by jm
Alarm systems alarmingly insecure. Oh the irony | Pen Test Partners
Some absolutely abysmal security practices used in off-the-shelf, self-installed wireless home alarm systems -- specifically the Yale HSA6400. Simple replay attacks of the unlock PIN message, for instance.
security  home  wireless  alarms  yale  fail 
october 2017 by jm
Falling through the KRACKs
I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?
krack  security  wpa  wifi  ieee  crypto  vulnerabilities 
october 2017 by jm
Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices
This is the most amazing hack.

Upon successful execution, the exploit exposes APIs to read and write the host’s physical memory directly over-the-air, by mapping in any requested address to the controlled DART L2 translation table, and issuing DMA accesses to the corresponding mapped IO-Space addresses.
hacks  exploits  security  ios  wifi  apple  iphone  kernel 
october 2017 by jm
The world's first cyber-attack, on the Chappe telegraph system, in Bordeaux in 1834

The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, where information about market movements took several days to arrive from Paris by mail coach. Accordingly, traders who could get the information more quickly could make money by anticipating these movements. Some tried using messengers and carrier pigeons, but the Blanc brothers found a way to use the telegraph line instead. They bribed the telegraph operator in the city of Tours to introduce deliberate errors into routine government messages being sent over the network.
The telegraph’s encoding system included a “backspace” symbol that instructed the transcriber to ignore the previous character. The addition of a spurious character indicating the direction of the previous day’s market movement, followed by a backspace, meant the text of the message being sent was unaffected when it was written out for delivery at the end of the line. But this extra character could be seen by another accomplice: a former telegraph operator who observed the telegraph tower outside Bordeaux with a telescope, and then passed on the news to the Blancs. The scam was only uncovered in 1836, when the crooked operator in Tours fell ill and revealed all to a friend, who he hoped would take his place. The Blanc brothers were put on trial, though they could not be convicted because there was no law against misuse of data networks. But the Blancs’ pioneering misuse of the French network qualifies as the world’s first cyber-attack.
bordeaux  hacking  history  security  technology  cyber-attacks  telegraph  telegraphes-chappe 
october 2017 by jm
Cashing in on ATM Malware - A Comprehensive Look at Various Attack Types
rather unnerving report from Trend Micro / Europol.

'As things stand, it looks like different criminal groups have already graduated from physical to virtual skimming via malware, thanks to the lack of security measures implemented by commercial banks worldwide. This is common in Latin America and Eastern Europe, but these criminals are exporting the technique and have started to victimize other countries.'
atms  banking  security  trend-micro  banks  europol  exploits 
october 2017 by jm
The Israeli Digital Rights Movement's campaign for privacy | Internet Policy Review
This study explores the persuasion techniques used by the Israeli Digital Rights Movement in its campaign against Israel’s biometric database. The research was based on analysing the movement's official publications and announcements and the journalistic discourse that surrounded their campaign within the political, judicial, and public arenas in 2009-2017. The results demonstrate how the organisation navigated three persuasion frames to achieve its goals: the unnecessity of a biometric database in democracy; the database’s ineffectiveness; and governmental incompetence in securing it. I conclude by discussing how analysing civil society privacy campaigns can shed light over different regimes of privacy governance. [....]

1. Why the database should be abolished: because it's not necessary - As the organisation highlighted repeatedly throughout the campaign with the backing of cyber experts, there is a significant difference between issuing smart documents and creating a database. Issuing smart documents effectively solves the problem of stealing and forging official documents, but does it necessarily entail the creation of a database? The activists’ answer is no: they declared that while they do support the transition to smart documents (passports and ID cards) for Israeli citizens, they object to the creation of a database due to its violation of citizens' privacy.

2. Why the database should be abolished: because it's ineffective; [...]

3. Why the database should be abolished: because it will be breached - The final argument was that the database should be abolished because the government would not be able to guarantee protection against security breaches, and hence possible identity theft.
digital-rights  privacy  databases  id-cards  israel  psc  drm  identity-theft  security 
september 2017 by jm
Gas Pump Skimmers - learn.sparkfun.com
For those who don’t want to read through the gritty details here’s the summary:

These skimmers are cheap and are becoming more common and more of a nuisance across North America.

The skimmer broadcasts over bluetooth as HC-05 with a password of 1234. If you happen to be at a gas pump and happen to scan for bluetooth devices and happen to see an HC-05 listed as an available connection then you probably don’t want to use that pump.

The Bluetooth module used on these skimmers is extremely common and used on all sorts of legitimate products and educational kits. If you detect one in the field you can confirm that it is a skimmer (and not some other device) by sending the character ‘P’ to the module over a terminal. If you get an ‘M’ in response then you have likely found a skimmer and you should contact your local authorities.
crime  hardware  bluetooth  security  electronics  skimmers  gas-stations  usa  petrol-stations  hc-05 
september 2017 by jm
Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth - Motherboard
"in iOS 11 and later, when you toggle the Wi-Fi or Bluetooth buttons in Control Center, your device will immediately disconnect from Wi-Fi and Bluetooth accessories. Both Wi-Fi and Bluetooth will continue to be available." That is because Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation.
wifi  bluetooth  iphone  ios  security  fail  off-means-off 
september 2017 by jm
malware piggybacking on CCleaner
On September 13, 2017 while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017.
ccleaner  malware  avast  piriform  windows  security 
september 2017 by jm
Malicious typosquatting packages in PyPI
skcsirt-sa-20170909-pypi vulnerability announcement from SK-CSIRT:
SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI, posing as well known libraries. A prominent example is a fake package urllib-1.21.1.tar.gz, based upon a well known package urllib3-1.21.1.tar.gz.

Such packages may have been downloaded by an unwitting developer or administrator by various means, including the popular “pip” utility (pip install urllib). There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017.
pypi  python  typos  urllib  security  malware 
september 2017 by jm
GitHub - hillbrad/U2FReviews
'Reviews of U2F [Universal Second Factor] devices' -- ie. Yubico keys et al.
u2f  totp  oath  otp  one-time-passwords  authentication  devices  gadgets  security  2fa 
august 2017 by jm
Malicious packages in npm
The node.js packaging system is being exploited by bad guys to steal auth tokens at build time. This is the best advice they can come up with:
Always check the name of packages you’re installing. You can look at the downloads number: if a package is popular but the downloads number is low, something is wrong.


:facepalm: What a mess. Security needs to become a priority....
javascript  security  npm  node  packaging  packages  fail 
august 2017 by jm
How the coffee-machine took down a factories control room : talesfromtechsupport
A coffee machine was plugged into both a secure network and also connected to the main wifi network, and became a vector for malware to take down the factory's control room. Security is hard
coffee-machines  fail  security  networking  wifi 
july 2017 by jm
SECURITY ALERT - Critical bug in Parity's MultiSig-Wallet
'Together, we were able to determine that malicious actors had exploited a flaw in the Parity Multisig code, which allowed a known party to steal over 153,000 ETH from several projects including Edgeless Casino, Aeternity, and Swarm City.'

by leaving "internal" (a visibility restricting keyword) off of the wallet contract, it was possible for attackers to steal millions from a "secure" multi-sig wallet in Ethereum: https://press.swarm.city/parity-multisig-wallet-exploit-hits-swarm-city-funds-statement-by-the-swarm-city-core-team-d1f3929b4e4e

https://twitter.com/ncweaver/status/887821804038873088 : 'Time from "OMFG there is a bug" to "geez, someone steal $16M"? 2 hours. Gotta love JavaScript FunBukx, err Ethereum'
ethereum  fail  security  exploits  javascript  parity 
july 2017 by jm
Chris's Wiki :: blog/sysadmin/UnderstandingIODNSIssue
On the ns-a1.io security screwup for the .io CCTLD:
Using data from glue records instead of looking things up yourself is common but not mandatory, and there are various reasons why a resolver would not do so. Some recursive DNS servers will deliberately try to check glue record information as a security measure; for example, Unbound has the harden-referral-path option (via Tony Finch). Since the original article reported seeing real .io DNS queries being directed to Bryant's DNS server, we know that a decent number of clients were not using the root zone glue records. Probably a lot more clients were still using the glue records, though.


(via Tony Finch)
via:fanf  dns  security  dot-io  cctlds  glue-records  delegation 
july 2017 by jm
mozilla/sops: Secrets management stinks, use some sops!
sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP.
secrets  encryption  security  kms  pgp  gpg  editors  configuration 
july 2017 by jm
Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
'describes how you can use AWS WAF, a web application firewall, to address the top application security flaws as named by the Open Web Application Security Project (OWASP). Using AWS WAF, you can write rules to match patterns of exploitation attempts in HTTP requests and block requests from reaching your web servers. This whitepaper discusses manifestations of these security vulnerabilities, AWS WAF–based mitigation strategies, and other AWS services or solutions that can help address these threats.'
security  waf  aws  http  owasp  filtering 
july 2017 by jm
Talos Intelligence review of Nyetya and the M.E.Doc compromise
Our Threat Intelligence and Interdiction team is concerned that the actor in question burned a significant capability in this attack.  They have now compromised both their backdoor in the M.E.Doc software and their ability to manipulate the server configuration in the update server. In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.
security  malware  nyetya  notpetya  medoc  talos  ransomware 
july 2017 by jm
Revealed: Facebook exposed identities of moderators to suspected terrorists | Technology | The Guardian
Oh man, this is awful. Poor guy. And this should have been there right from the start:
The moderator said that when he started, he was given just two weeks training and was required to use his personal Facebook account to log into the social media giant’s moderation system.

“They should have let us use fake profiles,” he said, adding: “They never warned us that something like this could happen.”

Facebook told the Guardian that as a result of the leak it is testing the use of administrative accounts that are not linked to personal profiles.
facebook  security  counter-terrorism  moderation  social-media  role-accounts  admin 
june 2017 by jm
Mounir Mahjoub​i​, the 'geek' who saved Macron's campaign: 'We knew we were going to be attacked' | World news | The Guardian
What a great story.

As a child, he was into maths and geometry, the middle child with one sister 10 years older and another 10 years younger. “I heard about this incredible new thing called the internet,” he says, adding how, aged 12, he saw an advert for the Paris science museum where you could try the internet for free. “There were 15 computers and you queued to have an hour free if you bought an entry ticket. I bought an annual pass to the museum and every Saturday and Sunday I’d travel from one side of Paris to the other to get on the internet and see what it was about. I’d go on Yahoo, chat with people on the other side of the world. I didn’t speak great English then so it wasn’t brilliant chat ...”


(via Niall Murphy)
france  mounir-mahjoubi  internet  computers  society  macron  politics  security 
june 2017 by jm
How Turla hackers (ab)used satellites to stay under the radar | Ars Technica
A very nifty hack. DVB-S broadcasts a subset of unencrypted IP traffic across a 600-mile radius:
The Turla attackers listen for packets coming from a specific IP address in one of these classes. When certain packets—say, a TCP/IP SYN packet—are identified, the hackers spoof a reply to the source using a conventional Internet line. The legitimate user of the link just ignores the spoofed packet, since it goes to an otherwise unopened port, such as port 80 or 10080. With normal Internet connections, if a packet hits a closed port, the end user will normally send the ISP some indication that something went wrong. But satellite links typically use firewalls that drop packets to closed ports. This allows Turla to stealthily hijack the connections.

The hack allowed computers infected with Turla spyware to communicate with Turla C&C servers without disclosing their location. Because the Turla attackers had their own satellite dish receiving the piggybacked signal, they could be anywhere within a 600-mile radius. As a result, researchers were largely stopped from shutting down the operation or gaining clues about who was carrying it out.

"It's probably one of the most effective methods of ensuring their operational security, or that nobody will ever find out the physical location of their command and control server," Tanase told Ars. "I cannot think of a way of identifying the location of a command server. It can be anywhere in the range of the satellite beam."
turla  hacks  satellite  security  dvb  dvb-s  tcpip  command-and-control  syn 
june 2017 by jm
Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
Pretty crazy.
The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:
(?:\\u200d(?:#|@)(\\w)

Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL: bit.ly/2kdhuHX

Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL
security  malware  russia  turla  zwj  unicode  characters  social-media  instagram  command-and-control 
june 2017 by jm
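The extraction step described above (a zero-width joiner marking each character of the hidden bit.ly path, so the comment renders as an innocuous run of hashtags) is small enough to reproduce. The block below is an added example, not the extension's code and not from the ESET write-up: the regular expression is a reconstruction of the one quoted there, the comment text is constructed, and the "hash must equal 183" gate is left out because the write-up does not give the hash function.

```python
"""Decode a bit.ly path hidden in an Instagram comment with zero-width joiners.
Added example; the regex is a reconstruction and the comments are constructed."""

import re
from typing import List, Tuple

ZWJ = "\u200d"  # U+200D ZERO WIDTH JOINER, invisible when rendered

# Each hidden character is written as ZWJ + '#' or '@' + the character, so the
# comment reads like an ordinary run of hashtags or mentions.  Plain hashtags
# without the ZWJ marker do not match.
HIDDEN_CHAR = re.compile(r"\u200d[#@](\w)")


def hidden_path(comment: str) -> str:
    """Concatenate every character the comment hides behind a ZWJ marker."""
    return "".join(HIDDEN_CHAR.findall(comment))


def encode_comment(path: str, cover: str = "great shot!") -> str:
    """Constructed encoder for test data: hide `path` in a hashtag-looking
    suffix.  Only here so the example is self-contained."""
    hidden = "".join(ZWJ + "#" + ch for ch in path)
    return f"{cover} {hidden}"


def visible_text(comment: str) -> str:
    """What a reader sees: the joiners are zero-width, so they disappear."""
    return comment.replace(ZWJ, "")


def find_carriers(comments: List[str]) -> List[Tuple[str, str]]:
    """Return (comment, url) for every comment that carries a hidden path.
    The real extension additionally required its custom hash of the comment
    to equal 183 before running the regex; that hash is not modelled here."""
    hits = []
    for c in comments:
        path = hidden_path(c)
        if path:
            hits.append((c, "bit.ly/" + path))
    return hits


if __name__ == "__main__":
    carrier = encode_comment("2kdhuHX")
    print("looks like:", visible_text(carrier))
    print("decodes to:", find_carriers(["nice", carrier, "#tbt #nofilter"]))
```

A detection angle follows from the same regex: a comment containing U+200D immediately before '#' or '@' has no legitimate reason to exist (ZWJ normally sits between emoji code points), so the pattern itself is a usable indicator when sweeping comment data.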
'I've Got Nothing to Hide' and Other Misunderstandings of Privacy by Daniel J. Solove :: SSRN
In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: "I've got nothing to hide." According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings.


Via Fred Logue
law  philosophy  privacy  security  essay  papers  daniel-solove  surveillance  snooping 
may 2017 by jm
V2V and the challenge of cooperating technology
A great deal of effort and attention has gone into a mobile data technology that you may not be aware of. This is "Vehicle to Vehicle" (V2V) communication designed so that cars can send data to other cars. There is special spectrum allocated at 5.9 GHz, and a protocol named DSRC, derived from wifi, exists for communications from car-to-car and also between cars and roadside transmitters in the infrastructure, known as V2I.

This effort has been going on for some time, but those involved have had trouble finding a compelling application which users would pay for. Unable to find one, advocates hope that various national governments will mandate V2V radios in cars in the coming years for safety reasons. In December 2016, the U.S. Dept. of Transportation proposed just such a mandate. [....] "Connected Autonomous Vehicles -- Pick 2."
cars  self-driving  autonomous-vehicles  v2v  wireless  connectivity  networking  security 
may 2017 by jm
The World Is Getting Hacked. Why Don’t We Do More to Stop It? - The New York Times
Zeynep Tufekci is (as usual!) on the money with this op-ed. I strongly agree with the following:
First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects).

At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, “pay extra money to us or we will withhold critical security updates” can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.

Microsoft should spend more of that $100 billion to help institutions and users upgrade to newer software, especially those who run essential services on it. This has to be through a system that incentivizes institutions and people to upgrade to more secure systems and does not force choosing between privacy and security. Security updates should only update security, and everything else should be optional and unbundled.

More on this twitter thread: https://twitter.com/zeynep/status/863734133188681732
security  microsoft  upgrades  windows  windows-xp  zeynep-tufekci  worms  viruses  malware  updates  software 
may 2017 by jm
iKydz
'Total Parent Control' for kids internet access at home. Dublin-based product, dedicated wifi AP with lots of child-oriented filtering capabilities
filtering  security  ikydz  kids  children  internet  wifi  ap  hardware  blocking 
may 2017 by jm
Backdooring an AWS account
eek. Things to look out for on your AWS setup:
So you’ve pwned an AWS account — congratulations — now what? You’re eager to get to the data theft, amirite? Not so fast whipper snapper, have you disrupted logging? Do you know what you have? Sweet! Time to get settled in. Maintaining persistence in AWS is only limited by your imagination but there are few obvious and oft used techniques everyone should know and watch for.
aws  security  hacks  iam  sts 
may 2017 by jm
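The post above frames persistence from the attacker's side ("have you disrupted logging?", then IAM footholds); the defender's side is to watch CloudTrail for exactly those calls. The block below is an added example of that detection logic, not from the linked post or from AWS: the grouping of API names into "logging disruption" and "IAM persistence" is this example's own choice, and the events are constructed to look like CloudTrail records (real field names, made-up values).

```python
"""Flag CloudTrail events that look like logging disruption or IAM persistence.
Added example; the event records below are constructed, not real CloudTrail."""

from dataclasses import dataclass
from typing import List, Optional

# CloudTrail API calls worth an alert when they appear unexpectedly.  The
# grouping is this example's; the eventName values are the AWS API names.
LOGGING_DISRUPTION = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_PERSISTENCE = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "CreateRole", "AddUserToGroup",
}


@dataclass
class Finding:
    severity: str
    event_name: str
    actor: str
    detail: str


def _actor(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious event, or None for everything else."""
    name = event.get("eventName", "")
    actor = _actor(event)
    params = event.get("requestParameters") or {}

    if name in LOGGING_DISRUPTION:
        return Finding("high", name, actor,
                       "CloudTrail changed: assume later activity is unlogged")

    if name in IAM_PERSISTENCE:
        if name == "CreateAccessKey":
            # No userName parameter means a key for the caller themselves;
            # minting a key for *another* principal is the classic backdoor.
            target = params.get("userName", actor)
            severity = "high" if target != actor else "medium"
        else:
            target = params.get("userName") or params.get("roleName") or "?"
            severity = "medium"
        return Finding(severity, name, actor, f"IAM change targeting {target}")

    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


# Constructed sample, in CloudTrail's field layout (values are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-10T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-05-10T09:14:31Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2017-05-10T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2017-05-10T09:15:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "Admin", "policyDocument": "{...}"}},
    {"eventTime": "2017-05-10T11:02:17Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_name} by {f.actor}: {f.detail}")
```

Two caveats a practitioner would add: StopLogging is itself the last thing the trail records, so the alert has to fire from the delivered log (or from a second trail in another account) rather than from anything the attacker can switch off; and the medium-severity IAM calls are routine in a busy account, so they only become useful once baselined against who normally performs them.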
Online security won’t improve until companies stop passing the buck to the customer
100% agreed!
Giving good security advice is hard because very often individuals have little or no effective control over their security. The extent to which a customer is at risk of being defrauded largely depends on how good their bank’s security is, something customers cannot know.

Similarly, identity fraud is the result of companies doing a poor job at verifying identity. If a criminal can fraudulently take out a loan using another’s name, address, and date of birth from the public record, that’s the fault of the lender – not, as Cifas, a trade organisation for lenders, claims, because customers “don’t take the same care to protect our most important asset – our identities”.
cifas  uk  passwords  security  regulation  banking  ncsc  riscs  advice 
may 2017 by jm
After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts • The Register
Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other. [...]

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.
o2  telefonica  germany  ss7  mobile  2fa  security  hacks  cellphones 
may 2017 by jm
Capturing all the flags in BSidesSF CTF by pwning Kubernetes/Google Cloud
good exploration of the issues with running a CTF challenge (or any other secure infrastructure!) atop Kubernetes and a cloud platform like GCE
gce  google-cloud  kubernetes  security  docker  containers  gke  ctf  hacking  exploits 
april 2017 by jm
NVD - CVE-2016-10229
udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
udp  security  cve  linux  msg_peek  exploits 
april 2017 by jm
Smart TV hack embeds attack code into broadcast signal—no access required | Ars Technica
Awesome.
The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue [DVB-T] signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.
dvb-t  tv  security  exploits  samsung  smart-tvs  broadcast 
april 2017 by jm
Watching the hearings, I learned my "Bernie bro" harassers may have been Russian bots
However, the rest of the abuse came from accounts purporting to be supporters of Vermont Independent Senator Bernie Sanders. And these were “people” with whom I believed I shared common values and policy interests. Almost all of the accounts presented as men — mostly young and white — and used sexist and misogynistic tones and words. I was called “mom” and “grandma” as epithets by these “young men.” I was called every vile sexualized name you can imagine. For some reason that I did not understand at the time, they liked to call me a “vagina.” (I now believe non-native English — i.e. Russian — speakers wrote the algorithms controlling these bots and perhaps imagined “vagina” to be the equivalent of the c-word when hurled at a woman.) Not being conversant in the mechanisms of Russian psychological warfare techniques at the time, it never occurred to me that, like the #MAGA bots, these “Bernie Bro” accounts were actually bots too.
And the abuse from these accounts was much harder to dismiss. It went in further, emotionally speaking. The vitriol of the attacks felt like a painful betrayal. After all, “we” probably shared 99 percent of our political perspective; we just supported different candidates — which is something I said repeatedly in my attempts to appeal to reason with some of the attackers over the course of those long months. Nonetheless, even the mildest criticism of Sanders or comment of support for Clinton would bring out a swarm of these “Bernie Bro” accounts spouting off with abusive language and mockery.
bernie-bros  abuse  twitter  russia  security  bots  elections  hilary-clinton 
april 2017 by jm
American Snoper – Medium
The grugq on Putin vs France:
How modern conflicts play out in the informatics sphere, what I mean when I talk about cyber war, is happening in France. After France there will be Germany, then the Scandinavian countries have their elections. There is no chance that Putin attempting to shape the world to best suit Russian interests will abate. Currently, the strongest area that he can contend in is the informatics sphere, the cyber realm, where human perception of reality is shaped.
putin  france  elections  russia  cyber-war  hacking  security  wikileaks 
march 2017 by jm
[no title]
'For decades, the transaction concept has played a central role in database research and development. Despite this prominence, transactional databases today often surface much weaker models than the classic serializable isolation guarantee—and, by default, far weaker models than alternative, “strong but not serializable” models such as Snapshot Isolation. Moreover, the transaction concept requires the programmer’s involvement: should an application programmer fail to correctly use transactions by appropriately encapsulating functionality, even serializable transactions will expose programmers to errors. While many errors arising from these practices may be masked by low concurrency during normal operation, they are susceptible to occur during periods of abnormally high concurrency. By triggering these errors via concurrent access in a deliberate attack, a determined adversary could systematically exploit them for gain.

In this work, we defined the problem of ACIDRain attacks and introduced 2AD, a lightweight dynamic analysis tool that uses traces of normal database activity to detect possible anomalous behavior in applications. To enable 2AD, we extended Adya’s theory of weak isolation to allow efficient reasoning over the space of all possible concurrent executions of a set of transactions based on a concrete history, via a new concept called an abstract history, which also applies to API calls. We then applied 2AD analysis to twelve popular self-hosted eCommerce applications, finding 22 vulnerabilities spread across all but one application we tested, affecting over 50% of eCommerce sites on the Internet today.

We believe that the magnitude and the prevalence of these vulnerabilities to ACIDRain attacks merits a broader reconsideration of the success of the transaction concept as employed by programmers today, in addition to further pursuit of research in this direction. Based on our early experiences both performing ACIDRain attacks on self-hosted applications as well as engaging with developers, we believe there is considerable work to be done in raising awareness of these attacks—for example, via improved analyses and additional 2AD refinement rules (including analysis of source code to better highlight sources of error)—and in automated methods for defending against these attacks—for example, by synthesizing repairs such as automated isolation level tuning and selective application of SELECT FOR UPDATE mechanisms. Our results here—as well as existing instances of ACIDRain attacks in the wild—suggest there is considerable value at stake.'
databases  transactions  vulnerability  security  acidrain  peter-bailis  storage  isolation  acid 
march 2017 by jm
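The abstract above describes the attack in general terms; the shape it takes in an e-commerce application is a read-check-write sequence (read a gift card balance, check it covers the order, write the decremented balance) that two concurrent requests can both pass. The block below is an added illustration of that anomaly and of one of the repairs the paper names, not the paper's 2AD tool or any of the audited applications. SQLite stands in for the site's database and the two "requests" are interleaved by hand so the result is deterministic; SQLite has no SELECT FOR UPDATE, so the fix shown is the equivalent conditional UPDATE, which evaluates the balance check under the row's write lock.

```python
"""Lost-update double spend on a gift card, vulnerable vs. fixed.
Added example; SQLite stands in for the application's database."""

import os
import sqlite3
import tempfile
from typing import Tuple

CARD = 1
START_BALANCE = 100


def make_db(path: str) -> None:
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE giftcards (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO giftcards (id, balance) VALUES (?, ?)", (CARD, START_BALANCE))
    conn.commit()
    conn.close()


def read_balance(conn: sqlite3.Connection) -> int:
    rows = conn.execute("SELECT balance FROM giftcards WHERE id = ?", (CARD,)).fetchall()
    return rows[0][0]


def redeem_vulnerable_commit(conn: sqlite3.Connection, seen_balance: int, amount: int) -> bool:
    """Second half of read-check-write: the check uses the balance this request
    read earlier, so two requests that both read 100 both pass and both write 0."""
    if seen_balance < amount:
        return False
    conn.execute("UPDATE giftcards SET balance = ? WHERE id = ?", (seen_balance - amount, CARD))
    conn.commit()
    return True


def redeem_safe(conn: sqlite3.Connection, amount: int) -> bool:
    """Check and decrement in one statement; the predicate runs under the row's
    write lock, so only one of two racing requests can succeed."""
    cur = conn.execute(
        "UPDATE giftcards SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, CARD, amount))
    conn.commit()
    return cur.rowcount == 1


def run_race(vulnerable: bool, amount: int = 100) -> Tuple[int, int]:
    """Interleave two sessions A and B by hand (no threads, so the schedule is
    fixed) and return (total_value_redeemed, final_balance)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        make_db(path)
        a = sqlite3.connect(path, timeout=1)
        b = sqlite3.connect(path, timeout=1)
        if vulnerable:
            seen_a = read_balance(a)   # A reads 100
            seen_b = read_balance(b)   # B also reads 100 before A writes
            ok_a = redeem_vulnerable_commit(a, seen_a, amount)   # writes 0
            ok_b = redeem_vulnerable_commit(b, seen_b, amount)   # also writes 0
        else:
            ok_a = redeem_safe(a, amount)   # balance 100 -> 0, rowcount 1
            ok_b = redeem_safe(b, amount)   # balance 0 < 100, rowcount 0
        final = read_balance(a)
        a.close()
        b.close()
        return amount * (int(ok_a) + int(ok_b)), final
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("vulnerable (redeemed, balance):", run_race(True))    # 200 spent from a 100 card
    print("fixed      (redeemed, balance):", run_race(False))   # 100 spent, second rejected
```

The same bug survives wrapping the read and the write in a transaction at READ COMMITTED, which is the default in most of the databases these applications run on; the repair has to move the check into the locked write (conditional UPDATE, SELECT FOR UPDATE, or a serializable isolation level with retry), which is exactly the class of fix the paper lists.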
That thing about pwning N26
Whitehat CCC hacker thoroughly pwns N26 bank -- there's a lot of small leaks and insecurities here. Sounds like N26 are dealing with them though
ccc  hacks  exploits  n26  banks  banking  security 
march 2017 by jm
Gravitational Teleport
Teleport enables teams to easily adopt the best SSH practices like:

Integrated SSH credentials with your organization Google Apps identities or other OAuth identity providers.
No need to distribute keys: Teleport uses certificate-based access with automatic expiration time.
Enforcement of 2nd factor authentication.
Cluster introspection: every Teleport node becomes a part of a cluster and is visible on the Web UI.
Record and replay SSH sessions for knowledge sharing and auditing purposes.
Collaboratively troubleshoot issues through session sharing.
Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
ssh  teleport  ops  bastions  security  auditing  oauth  2fa 
february 2017 by jm
St. Petersburg team operated a PRNG hack against Vegas slots
According to Willy Allison, a Las Vegas–based casino security consultant who has been tracking the Russian scam for years, the operatives use their phones to record about two dozen spins on a game they aim to cheat. They upload that footage to a technical staff in St. Petersburg, who analyze the video and calculate the machine’s pattern based on what they know about the model’s pseudorandom number generator. Finally, the St. Petersburg team transmits a list of timing markers to a custom app on the operative’s phone; those markers cause the handset to vibrate roughly 0.25 seconds before the operative should press the spin button.

“The normal reaction time for a human is about a quarter of a second, which is why they do that,” says Allison, who is also the founder of the annual World Game Protection Conference. The timed spins are not always successful, but they result in far more payouts than a machine normally awards: Individual scammers typically win more than $10,000 per day. (Allison notes that those operatives try to keep their winnings on each machine to less than $1,000, to avoid arousing suspicion.) A four-person team working multiple casinos can earn upwards of $250,000 in a single week.
prng  hacking  security  exploits  randomness  gambling  las-vegas  casinos  slot-machines 
february 2017 by jm
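The Wired piece does not say what generator the targeted machines use, only that the St. Petersburg team could work out the machine's state from a couple of dozen observed spins. The block below is an added example of why that is possible for a deterministic generator whose output exposes part of its state: a textbook 32-bit linear congruential generator (Numerical Recipes constants) stands in for the slot machine's PRNG, each "spin" reveals only the top 16 bits of the state, and the attacker brute-forces the 16 hidden bits against a few observed spins and then predicts the next ones. The constants, the truncation and the seed are assumptions for illustration; the real attack also had to model the machine's timing, which is not shown.

```python
"""Recover a truncated LCG's state from observed outputs and predict the rest.
Added example: a textbook LCG stands in for the (undisclosed) slot PRNG."""

from typing import List, Optional

# Numerical Recipes 32-bit LCG constants; the machine's real generator is not
# known, this one is an assumption for the demonstration.
A, C, MOD = 1664525, 1013904223, 1 << 32
STATE_BITS, OUT_BITS = 32, 16          # each spin exposes the top 16 bits


def lcg_step(state: int) -> int:
    return (A * state + C) % MOD


def observe_one(state: int) -> int:
    """What the 'spin' reveals: the high OUT_BITS bits of the state."""
    return state >> (STATE_BITS - OUT_BITS)


def spins(seed: int, n: int) -> List[int]:
    """Simulate n spins of the machine (constructed observation data)."""
    outs, s = [], seed
    for _ in range(n):
        s = lcg_step(s)
        outs.append(observe_one(s))
    return outs


def recover_states(observed: List[int]) -> List[int]:
    """Brute-force the hidden low bits of the state behind observed[0] and
    keep every candidate that reproduces the later observations."""
    hidden_bits = STATE_BITS - OUT_BITS
    top = observed[0] << hidden_bits
    candidates = []
    for low in range(1 << hidden_bits):        # 65536 candidates
        s = top | low
        t = s
        for o in observed[1:]:
            t = lcg_step(t)
            if observe_one(t) != o:
                break
        else:
            candidates.append(s)
    return candidates


def predict(observed: List[int], k: int) -> Optional[List[int]]:
    """Predict the next k spins after `observed`; None if the state is still
    ambiguous (record more spins and try again)."""
    cands = recover_states(observed)
    if len(cands) != 1:
        return None
    s = cands[0]
    for _ in range(len(observed) - 1):          # advance to the last observed state
        s = lcg_step(s)
    out = []
    for _ in range(k):
        s = lcg_step(s)
        out.append(observe_one(s))
    return out


if __name__ == "__main__":
    seed = 0xC0FFEE                             # assumed secret seed
    history = spins(seed, 8)
    print("observed:", history[:5])
    print("predicted next 3:", predict(history[:5], 3))
    print("actual next 3:   ", history[5:8])
```

The search is 2^16 candidates, a fraction of a second in Python; with a 32-bit hidden part it is still minutes on a laptop, which is why truncation alone does not make an LCG safe for anything adversarial. A generator seeded from an operating-system CSPRNG (Python's `secrets` module, for instance) offers no such relation between successive outputs, which is the property a gambling machine actually needs.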
Banks biased against black fraud victims
We raised the issue of discrimination in 2011 with one of the banks and with the Commission for Racial Equality, but as no-one was keeping records, nothing could be proved, until today. How can this discrimination happen? Well, UK rules give banks a lot of discretion to decide whether to refund a victim, and the first responders often don’t know the full story. If your HSBC card was compromised by a skimmer on a Tesco ATM, there’s no guarantee that Tesco will have told anyone (unlike in America, where the law forces Tesco to tell you). And the fraud pattern might be something entirely new. So bank staff end up making judgement calls like “Is this customer telling the truth?” and “How much is their business worth to us?” This in turn sets the stage for biases and prejudices to kick in, however subconsciously. Add management pressure to cut costs, sometimes even bonuses for cutting them, and here we are.
discrimination  racism  fraud  uk  banking  skimming  security  fca 
january 2017 by jm
ncsc  nearform  nehemiah  neorouter  netbios  network  network-monitoring  network-neutrality  networking  neurostimulators  new-york  newegg  nginx  nicole-perlroth  nissan  nlp  nmap  node  north-korea  nosql  not-the-onion  notaries  notpetya  npm  nsa  nsls  nsw  ntp  nudes  nukes  nul  nyc  nyetya  nyms  nytimes  o2  oath  oauth  obfuscation  objects  obscurity  ocsp  off-means-off  offshoring  oilrigs  okinawa  omgwtfbbq  one-time-passwords  online  online-backup  online-banking  online-shopping  online-storage  online-voting  open-source  openbsd  opensource  openssh  openssl  openwrt  operability  opie  opportunistic  ops  opt-out  oracle  oss  osx  ota  otp  outlander  owasp  p2p  pacemakers  packages  packaging  packer  packet-capture  packet-injection  packets  pal  paper  papers  parity  passports  passwords  pastebin  patent-trolls  patents  pathetic  pattern-analysis  payment  paypal  pci  pci-dss  pdf  pea  peering  pen-tests  per-thorsheim  perfect-forward-secrecy  performance  peter-bailis  petrol-stations  pgp  phil-zimmermann  philippines  philosophy  phish  phishing  phones  photos  photoshop  php  pics  pii  pin  pins  piracy  piriform  pix  pki  plainscapital  planes  planex  playstation  plcs  plex  plugins  point-of-sale  poisoning  police  policies  politics  popen  porn  port-forwarding  pos  posram  post-its  postmortems  poul-henning-kemp  power  power-amplifiers  power-management  powerline-networking  prefetching  primes  prism  prius  privacy  private-keys  prng  prngs  probability  programming  project-zero  protocols  proxies  proximity  proxy  proxying  ps3  ps4  psc  psn  public-key  pump  putin  pymk  pypi  python  quad9  quakenet  qualcomm  quic  racism  radio  rails  rainbow-tables  ram-scrapers  ramnica-valcea  random  random-forests  randomness  ransomware  raspberry-pi  rcmp  rebellion  recommendations  reddit  reference  regin  regulation  reinvent  remote  replay-attack  replay-attacks  replication  reports  resilience  
resolvers  resource-limits  return-oriented-programming  reverse-engineering  reversing  review  revocation  rf  rfid  rick-falkvinge  rifles  rim  riscs  risk  risks  rlo  rmi  rng  rngs  road-safety  roads  robin-xu  rogers  role-accounts  romania  root  rop  ross-anderson  router  routers  routing  rsa  ruby  runa-sandvik  russia  rutgers  rvm  s3  safe-browsing  safety  salting  samsung  samy-kamkar  sandbox  sandboxing  sandstorm  sanitisation  sanitization  satellite  satis  scala  scaling  scams  scanner  scanners  scanning  scareware  scary  schneier  science  screening  sd-cards  sdn  search  searching  secrecy  secrets  securecode  secureworks  security  security-theatre  security-through-obscurity  seizure  self-driving  self-driving-cars  sequencing  serialization  server  servers  setuid  sh  sha  sha1  sha256  shame  shaming  shell  shellshock  shipping  ships  shodan  shopping  shoup  side-channels  siemens  sigint  signal  signs  silent-circle  silentcircle  silicon  sim-cards  siphash  siri  skey  skimmers  skimming  slashdot  slides  slot-machines  smart-cars  smart-contracts  smart-meters  smart-tvs  smartcards  smartphones  smb  smc8014  sms  snapchat  snes  sniffing  snooping  social-media  society  software  solarcapture  solaris  sony  source-code  south-africa  south-korea  spam  spamhaus  spear-phishing  spectre  speculative-execution  speech  speech-recognition  speed  spin  spinvox  spoofing  spotify  sprint  spying  spyware  sql  square  ss7  ssh  sshd  sshuttle  ssl  ssl-labs  ssl3  sslv2  ssn  standards  statistcs  statistics  stickers  stingrays  stock-markets  storage  strava  streaming  strings  sts  stud  stuxnet  super-mario  superfish  superget  surveillance  svm  swift  swpats  symantec  syn  sync  sysadmin  sysadmins  system  systemd  t-mobile  talos  tao  target  taxis  tcp  tcpcrypt  tcpdump  tcpip  tech  technology  teens  telefonica  telegraph  telegraphes-chappe  teleport  tempest  terrorism  tesco  testing  tests  text  
the-guardian  the-interview  theft  thomas-ptacek  thunderbird  time  time-warner  timing  tips  tlds  tls  tlsdate  toasters  tog  tomato  tools  tor  torrents  totp  tou  toyota  tr-064  tracking  traffic  transactions  transcription  transit  transparent-proxies  travel  trend-micro  trojan.posram  trojans  troy-hunt  truecrypt  trump  trust  trustwave  tsa  tunisia  tunneling  tunnelling  turing-complete  turla  turtles  tv  tv-license-detector-vans  tv-licenses  tv5monde  twitch  twitter  two-factor-auth  two-factor-authentication  typos  u-locks  u2f  ubuntu  uconnect  udp  ui  uk  ukraine  unicode  unit-testing  unix  upd4t3  updates  upgrades  urllib  urls  us  us-politics  usa  user-submitted-code  usertrust  v2v  varnish  vault  vaults  vbv  vc  verification  verified-by-visa  verizon  version-control  vertx  via  via:adam-shostack  via:adamshostack  via:adulau  via:alec-muffet  via:boingboing  via:bruces  via:cscotta  via:elliottucker  via:eric  via:fanf  via:filippo  via:gwire  via:hn  via:ioerror  via:irr  via:jgc  via:joe-feise  via:johnke  via:jzdziarski  via:kragen  via:lhl  via:mattblaze  via:mikko  via:nelson  via:oisin  via:pixelbeat  via:pjakma  via:reddit  via:risks  via:securitay  via:tupp_ed  via:waxy  via:zeynep  video  vin  viruses  visa  vision  vlans  vlc  vm  voting  vpc  vpn  vulnerabilities  vulnerability  vvat  waf  walmart  war  warning  watchlists  web  web-of-trust  web-services  webdev  webkit  wemo  wep  whatsapp  whitelisting  whitepapers  whitfield-diffie  wickr  wifi  wikileaks  windows  windows-xp  winvote  wired  wireless  wordpress  worms  wow  wpa  wtf  wyoming  x-ray  x-windows  x11  x86  xelerance  xl2tpd  xss  yale  yubikey  zeynep-tufekci  zwj  zyxel 
