jm + security   202

"Macaroons" for fine-grained secure database access
Macaroons are an excellent fit for NoSQL data storage for several reasons. First, they enable an application developer to enforce security policies at very fine granularity, per object. Gone are the clunky security policies based on the IP address of the client, or the per-table access controls of RDBMSs that force you to split up your data across many tables. Second, macaroons ensure that a client compromise does not lead to loss of the entire database. Third, macaroons are very flexible and expressive, able to incorporate information from external systems and third-party databases into authorization decisions. Finally, macaroons scale well and are incredibly efficient, because they avoid public-key cryptography and instead rely solely on fast hash functions.
security  macaroons  cookies  databases  nosql  case-studies  storage  authorization  hyperdex 
7 hours ago by jm
Wired on "Regin"
The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless,” writes Symantec in its report about Regin.

Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisqater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform’s main file.
regin  malware  security  hacking  exploits  nsa  gchq  symantec  espionage 
4 days ago by jm
How I created two images with the same MD5 hash
I found that I was able to run the algorithm in about 10 hours on an AWS large GPU instance bringing it in at about $0.65 plus tax.


Bottom line: MD5 is feasibly attackable by pretty much anyone now.
crypto  images  md5  security  hashing  collisions  ec2  via:hn 
24 days ago by jm
curl | sh
'People telling people to execute arbitrary code over the network. Run code from our servers as root. But HTTPS, so it’s no biggie.'

YES.
humor  sysadmin  ops  security  curl  bash  npm  rvm  chef 
25 days ago by jm
Chip & PIN vs. Chip & Signature
Trust US banks to fuck up their attempts at security :( US "chip-and-signature" cards are still entirely forgeable because the banks fear that consumers are too stupid to use a PIN, basically.
BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip [and signature] cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.
magstripe  banks  banking  chip-and-pin  security  brian-krebs  chip-and-signature 
28 days ago by jm
PSA: don't run 'strings' on untrusted files (CVE-2014-8485)
ffs.
Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and "optimize" the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking
strings  libbfd  gnu  security  fuzzing  buffer-overflows 
4 weeks ago by jm
Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.


ouch.
ssl3  ssl  tls  security  exploits  google  crypto 
6 weeks ago by jm
Shellshock
An _extremely_ detailed resource about the bash bug
bash  hacking  security  shell  exploits  reference  shellshock 
7 weeks ago by jm
Mandos
'a system for allowing servers with encrypted root file systems to reboot unattended and/or remotely.' (via Tony Finch)
via:fanf  mandos  encryption  security  server  ops  sysadmin  linux 
7 weeks ago by jm
oss-sec: Re: CVE-2014-6271: remote code execution through bash
this is truly heinous. Given that any CGI which invokes popen()/system() on a Linux system where /bin/sh is a link to bash is vulnerable, there will be a lot of vulnerable services out there (via Elliot)
via:elliottucker  cgi  security  bash  sh  exploits  linux  popen  unix 
9 weeks ago by jm
Not Safe For Not Working On
Excellent post from Dan Kaminsky on concrete actions that cloud service providers like Apple and Google need to start taking.
*It's time to ban Password1*: [...] Defenders are using simple rules like “doesn’t have an uppercase letter” and “not enough punctuation” to block passwords while attackers are just straight up analyzing password dumps and figuring out the most likely passwords to attempt in any scenario.  Attackers are just way ahead.  That has to change.  Defenders have password dumps too now.  It’s time we start outright blocking passwords common enough that they can be online brute forced, and it’s time we admit we know what they are. [...]

*People use communication technologies for sexy times. Deal with it*: Just like browsers have porn mode for the personal consumption of private imagery, cell phones have applications that are significantly less likely to lead to anyone else but your special friends seeing your special bits. I personally advise Wickr, an instant messaging firm that develops secure software for iPhone and Android. What’s important about Wickr here isn’t just the deep crypto they’ve implemented, though it’s useful too. What’s important in this context is that with this code there’s just a lot fewer places to steal your data from. Photos and other content sent in Wickr don’t get backed up to your desktop, don’t get saved in any cloud, and by default get removed from your friend’s phone after an amount of time you control. Wickr is of course not the only company supporting what’s called “ephemeral messaging”; SnapChat also dramatically reduces the exposure of your private imagery. [...]


via Leonard.
icloud  apple  privacy  security  via:lhl  snapchat  wickr  dan-kaminsky  cloud-services  backup 
11 weeks ago by jm
Apple: Untrustable
Today, Apple announced their “Most Personal Device Ever”. They also announced Apple Pay (the only mentions of “security” and “privacy” in today’s event), and are rolling out health tracking and home automation in iOS 8.

Given their feckless track record [with cloud-service security], would you really trust Apple with (even more of) your digital life?
icloud  apple  fail  security  hacks  privacy 
11 weeks ago by jm
Comcast Wi-Fi serving self-promotional ads via JavaScript injection | Ars Technica
Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to [Robb] Topolski, who reviewed Singel's data. "It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."


The company appears to be called Front Porch: http://arstechnica.com/tech-policy/2014/09/meet-the-tech-company-performing-ad-injections-for-big-cable/
comcast  ads  injection  security  javascript  http  network-neutrality  isps 
11 weeks ago by jm
Nik Cubrilovic - Notes on the Celebrity Data Theft
tl;dr: a lot of people are spending a lot of time stealing nudie pics from celebrities. See also http://www.zdziarski.com/blog/?p=3783 for more details on the probable approaches used. Grim.
apple  privacy  security  celebrities  pics  hacking  iphone  ipad  ios  exploits  brute-force  passwords  2fa  mfa  find-my-iphone  icloud  backups 
12 weeks ago by jm
Two Factor Auth List
List of websites and whether or not they support 2FA.
Also see the list of 2FA providers and the platforms they support.
2fa  mfa  authentication  security  web-services  web 
12 weeks ago by jm
Google's new end-to-end key distribution proposal
'For End-To-End, our current approach to key distribution, is to use a model similar to Certificate Transparency, and use the email messages themselves as a gossip protocol, which allow the users themselves to keep the centralized authorities honest. This approach allows users to not have to know about keys, but at the same time, be able to make sure that the servers involved aren't doing anything malicious behind the users' back.'
end-to-end  encryption  google  security  email  crypto  key-distribution 
august 2014 by jm
"CryptoPhone" claims to detect IMSI catchers in operation
To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone.  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”
imsi-catchers  security  cryptophone  phones  mobile  3g  4g  eavesdropping  surveillance 
august 2014 by jm
The poisoned NUL byte, 2014 edition
A successful exploit of Fedora glibc via a single NUL overflow (via Tony Finch)
via:fanf  buffer-overflows  security  nul  byte  exploits  google  project-zero 
august 2014 by jm
Nyms Identity Directory
The way that [problems with the PGP bootstrapping] are supposed to be resolved is with an authentication model called the Web of Trust where users sign keys of other users after verifying that they are who they say they are. In theory, if some due diligence is applied in signing other people’s keys and a sufficient number of people participate you’ll be able to follow a short chain of signatures from people you already know and trust to new untrusted keys you download from a key server. In practice this has never worked out very well as it burdens users with the task of manually finding people to sign their keys and even experts find the Web of Trust model difficult to reason about. This also reveals the social graph of certain communities which may place users at risk for their associations. Such signatures also reveal metadata about times and thus places for meetings for key signings.

The Nyms Identity Directory is a replacement for all of this. Keyservers are replaced with an identity directory that gives users full control over publication of their key information and web of trust is replaced with a distributed network of trusted notaries which validate user keys with an email verification protocol.
web-of-trust  directories  nyms  privacy  crypto  identity  trust  pgp  gpg  security  via:ioerror  keyservers  notaries 
august 2014 by jm
NTP's days are numbered for consumer devices
An accurate clock is required to negotiate SSL/TLS, so clock sync is important for internet-of-things usage. but:
Unfortunately for us, the traditional and most widespread method for clock synchronisation (NTP) has been caught up in a DDoS issue which has recently caused some ISPs to start blocking all NTP communication. [....] Because the DDoS attacks are so widespread, and the lack of obvious commercial pressure to fix the issue, it’s possible that the days of using NTP as a mechanism for setting clocks may well be numbered. Luckily for us there is a small but growing project that replaces it.

tlsdate was started by Jacob Appelbaum of the Tor project in 2012, making use of the SSL handshake in order to extract time from a remote server, and its usage is on the rise. [....] Since we started encountering these problems, we’ve incorporated tlsdate into an over-the-air update, and have successfully started using this in situations where NTP is blocked.
tlsdate  ntp  clocks  time  sync  iot  via:gwire  ddos  isps  internet  protocols  security 
august 2014 by jm
Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins | Threat Level | WIRED
'The attacker specifically targeted a collection of bitcoin mining “pools”–bitcoin-producing cooperatives in which users contribute their computers’ processing power and are rewarded with a cut of the resulting cryptocurrency the pool produces. The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds. At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day. “With this kind of hijacking, you can quite easily grab a large collection of clients,” says Pat Litke, one of the Dell researchers. “It takes less than a minute, and you end up with a lot of mining traffic under your control.”'

'In total, Stewart and Litke were able to measure $83,000 worth of cryptocurrency stolen in the BGP attack [...] but the total haul could be larger'
bitcoin  mining  fraud  internet  bgp  routing  security  attacks  hacking 
august 2014 by jm
How to take over the computer of any JVM developer
To prove how easy [MITM attacking Mavencentral JARs] is to do, I wrote dilettante, a man-in-the-middle proxy that intercepts JARs from maven central and injects malicious code into them. Proxying HTTP traffic through dilettante will backdoor any JARs downloaded from maven central. The backdoored version will retain their functionality, but display a nice message to the user when they use the library.
jars  dependencies  java  build  clojure  security  mitm  http  proxies  backdoors  scala  maven  gradle 
july 2014 by jm
'Identifying Back Doors, Attack Points and Surveillance Mechanisms in iOS Devices'
lots of scary stuff in this presentation from this year's Hackers On Planet Earth conf. I'm mainly interested to find out that Jonathan "D-Spam" Zdziarski was also a jailbreak dev-team member until around iOS 4 ;)
d-spam  jonathan-zdziarski  security  apple  ios  iphone  surveillance  bugging 
july 2014 by jm
Tor exit node operator prosecuted in Austria
'The operator of an exit node is guilty of complicity, because he enabled others to transmit content of an illegal nature through the service.'

Via Tony Finch.
austria  tor  security  law  liability  internet  tunnelling  eu  via:fanf 
july 2014 by jm
'Robust De-anonymization of Large Sparse Datasets' [pdf]
paper by Arvind Narayanan and Vitaly Shmatikov, 2008.

'We present a new class of statistical de- anonymization attacks against high-dimensional micro-data, such as individual preferences, recommendations, transaction records and so on. Our techniques are robust to perturbation in the data and tolerate some mistakes in the adversary's background knowledge. We apply our de-anonymization methodology to the Netflix Prize dataset, which contains anonymous movie ratings of 500,000 subscribers of Netflix, the world's largest online movie rental service. We demonstrate that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber's record in the dataset. Using the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information.'
anonymisation  anonymization  sanitisation  databases  data-dumps  privacy  security  papers 
june 2014 by jm
Chef Vault
A way to securely store secrets (auth details, API keys, etc.) in Chef
chef  storage  knife  authorisation  api-keys  security  encryption 
june 2014 by jm
NYC generates hash-anonymised data dump, which gets reversed
There are about 1000*26**3 = 21952000 or 22M possible medallion numbers. So, by calculating the md5 hashes of all these numbers (only 24M!), one can completely deanonymise the entire data. Modern computers are fast: so fast that computing the 24M hashes took less than 2 minutes.


(via Bruce Schneier)

The better fix is a HMAC (see http://benlog.com/2008/06/19/dont-hash-secrets/ ), or just to assign opaque IDs instead of hashing.
hashing  sha1  md5  bruce-schneier  anonymization  deanonymization  security  new-york  nyc  taxis  data  big-data  hmac  keyed-hashing  salting 
june 2014 by jm
Code Spaces data and backups deleted by hackers
Rather scary story of an extortionist wiping out a company's AWS-based infrastructure. Turns out S3 supports MFA-required deletion as a feature, though, which would help against that.
ops  security  extortion  aws  ec2  s3  code-spaces  delete  mfa  two-factor-authentication  authentication  infrastructure 
june 2014 by jm
BPF - the forgotten bytecode
'In essence Tcpdump asks the kernel to execute a BPF program within the kernel context. This might sound risky, but actually isn't. Before executing the BPF bytecode kernel ensures that it's safe:

* All the jumps are only forward, which guarantees that there aren't any loops in the BPF program. Therefore it must terminate.
* All instructions, especially memory reads are valid and within range.
* The single BPF program has less than 4096 instructions.

All this guarantees that the BPF programs executed within kernel context will run fast and will never infinitely loop. That means the BPF programs are not Turing complete, but in practice they are expressive enough for the job and deal with packet filtering very well.'

Good example of a carefully-designed DSL allowing safe "programs" to be written and executed in a privileged context without security risk, or risk of running out of control.
coding  dsl  security  via:oisin  linux  tcpdump  bpf  bsd  kernel  turing-complete  configuration  languages 
may 2014 by jm
Minimum Viable Block Chain
Ilya Grigorik describes the design of the Bitcoin/altcoin block chain algorithm. Illuminating writeup
algorithms  bitcoin  security  crypto  blockchain  ilya-grigorik 
may 2014 by jm
All at sea: global shipping fleet exposed to hacking threat | Reuters
Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again; Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they're somewhere else; and hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.


(via Mikko Hypponen)
via:mikko  security  hacking  oilrigs  shipping  ships  maritime  antwerp  piracy  malware 
april 2014 by jm
Using AWS in the context of Australian Privacy Considerations
interesting new white paper from Amazon regarding recent strengthening of the Aussie privacy laws, particularly w.r.t. geographic location of data and access by overseas law enforcement agencies...
amazon  aws  security  law  privacy  data-protection  ec2  s3  nsa  gchq  five-eyes 
april 2014 by jm
ImperialViolet - No, don't enable revocation checking
...because it doesn't stop attacks. Turning it on does nothing but slow things down. You can tell when something is security theater because you need some absurdly specific situation in order for it to be useful.
cryptography  crypto  heartbleed  ssl  security  tls  https  internet  revocation  crls 
april 2014 by jm
OpenSSL Valhalla Rampage
OpenBSD are going wild ripping out "arcane VMS hacks" in an attempt to render OpenSSL's source code comprehensible, and finding amazing horrors like this:

'Well, even if time() isn't random, your RSA private key is probably pretty random. Do not feed RSA private key information to the random subsystem as entropy. It might be fed to a pluggable random subsystem…. What were they thinking?!'
random  security  openssl  openbsd  coding  horror  rsa  private-keys  entropy 
april 2014 by jm
Dan Kaminsky on Heartbleed
When I said that we expected better of OpenSSL, it’s not merely that there’s some sense that security-driven code should be of higher quality.  (OpenSSL is legendary for being considered a mess, internally.)  It’s that the number of systems that depend on it, and then expose that dependency to the outside world, are considerable.  This is security’s largest contributed dependency, but it’s not necessarily the software ecosystem’s largest dependency.  Many, maybe even more systems depend on web servers like Apache, nginx, and IIS.  We fear vulnerabilities significantly more in libz than libbz2 than libxz, because more servers will decompress untrusted gzip over bzip2 over xz.  Vulnerabilities are not always in obvious places – people underestimate just how exposed things like libxml and libcurl and libjpeg are.  And as HD Moore showed me some time ago, the embedded space is its own universe of pain, with 90’s bugs covering entire countries.

If we accept that a software dependency becomes Critical Infrastructure at some level of economic dependency, the game becomes identifying those dependencies, and delivering direct technical and even financial support.  What are the one million most important lines of code that are reachable by attackers, and least covered by defenders?  (The browsers, for example, are very reachable by attackers but actually defended pretty zealously – FFMPEG public is not FFMPEG in Chrome.)

Note that not all code, even in the same project, is equally exposed.    It’s tempting to say it’s a needle in a haystack.  But I promise you this:  Anybody patches Linux/net/ipv4/tcp_input.c (which handles inbound network for Linux), a hundred alerts are fired and many of them are not to individuals anyone would call friendly.  One guy, one night, patched OpenSSL.  Not enough defenders noticed, and it took Neel Mehta to do something.
development  openssl  heartbleed  ssl  security  dan-kaminsky  infrastructure  libraries  open-source  dependencies 
april 2014 by jm
Open Crypto Audit Project: TrueCrypt
phase I, a source code audit by iSEC Partners, is now complete. Bruce Schneier says: "I'm still using it".
encryption  security  crypto  truecrypt  audits  source-code  isec  matthew-green 
april 2014 by jm
Akamai's "Secure Heap" patch wasn't good enough
'Having the private keys inaccessible is a good defense in depth move.
For this patch to work you have to make sure all sensitive values are stored in
the secure area, not just check that the area looks inaccessible. You can't do
that by keeping the private key in the same process. A review by a security
engineer would have prevented a false sense of security. A version where the
private key and the calculations are in a separate process would be more
secure. If you decide to write that version, I'll gladly see if I can break
that too.'

Akamai's response: https://blogs.akamai.com/2014/04/heartbleed-update-v3.html -- to their credit, they recognise that they need to take further action.

(via Tony Finch)
via:fanf  cryptography  openssl  heartbleed  akamai  security  ssl  tls 
april 2014 by jm
Of Money, Responsibility, and Pride
Steve Marquess of the OpenSSL Foundation on their funding, and lack thereof:
I stand in awe of their talent and dedication, that of Stephen Henson in particular. It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smart phones, industry, government, everywhere. Knowing that you’ll be ignored and unappreciated until something goes wrong. The combination of the personality to handle that kind of pressure with the relevant technical skills and experience to effectively work on such software is a rare commodity, and those who have it are likely to already be a valued, well-rewarded, and jealously guarded resource of some company or worthy cause. For those reasons OpenSSL will always be undermanned, but the present situation can and should be improved. There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.
funding  open-source  openssl  heartbleed  internet  security  money 
april 2014 by jm
When two-factor authentication is not enough
Fastmail.FM nearly had their domain stolen through an attack exploiting missing 2FA authentication in Gandi.
An important lesson learned is that just because a provider has a checkbox labelled “2 factor authentication” in their feature list, the two factors may not be protecting everything – and they may not even realise that fact themselves. Security risks always come on the unexpected paths – the “off label” uses that you didn’t think about, and the subtle interaction of multiple features which are useful and correct in isolation.
gandi  2fa  fastmail  authentication  security  mfa  two-factor-authentication  mail 
april 2014 by jm
Cloudflare demonstrate Heartbleed key extraction
from nginx. 'Based on the findings, we recommend everyone reissue + revoke their private keys.'
security  nginx  heartbleed  ssl  tls  exploits  private-keys 
april 2014 by jm
Why no SSL ? — Varnish version 4.0.0 documentation
Poul-Henning Kemp details why Varnish doesn't do SSL -- basically due to the quality and complexity of open-source SSL implementations:
There is no other way we can guarantee that secret krypto-bits do not leak anywhere they should not, than by fencing in the code that deals with them in a child process, so the bulk of varnish never gets anywhere near the certificates, not even during a core-dump.


Now looking pretty smart, post-Heartbleed.
ssl  tls  varnish  open-source  poul-henning-kemp  https  http  proxies  security  coding 
april 2014 by jm
Does the heartbleed vulnerability affect clients as severely?
'Yes, clients are vulnerable to attack. A malicious server can use the Heartbleed vulnerability to compromise an affected client.'

Ouch.
openssl  ssl  security  heartbleed  exploits  tls  https 
april 2014 by jm
Mark McLoughlin on Heartbleed
An excellent list of aspects of the Heartbleed OpenSSL bug which need to be thought about/talked about/considered
heartbleed  openssl  bugs  exploits  security  ssl  tls  web  https 
april 2014 by jm
LastPass Sentry Warns You When Your Online Accounts Have Been Breached
This is a brilliant feature. It just sent a warning to a friend about an old account he was no longer using
lastpass  security  passwords  hacking  accounts 
april 2014 by jm
Florida cops used IMSI catchers over 200 times without a warrant
Harris is the leading maker of [IMSI catchers aka "stingrays"] in the U.S., and the ACLU has long suspected that the company has been loaning the devices to police departments throughout the state for product testing and promotional purposes. As the court document notes in the 2008 case, “the Tallahassee Police Department is not the owner of the equipment.”

The ACLU now suspects these police departments may have all signed non-disclosure agreements with the vendor and used the agreement to avoid disclosing their use of the equipment to courts. “The police seem to have interpreted the agreement to bar them even from revealing their use of Stingrays to judges, who we usually rely on to provide oversight of police investigations,” the ACLU writes.
aclu  police  stingrays  imsi-catchers  privacy  cellphones  mobile-phones  security  wired 
march 2014 by jm
ImperialViolet - Apple's SSL/TLS bug
as we all know by now, a misplaced "goto fail" caused a critical, huge security flaw in versions of IOS and OSX SSL, since late 2012.

Lessons:

1. unit test the failure cases, particularly for critical security code!
2. use braces.
3. dead-code analysis would have caught this.

I'm not buying the "goto considered harmful" line, though, since any kind of control flow structure would have had the same problem.
coding  apple  osx  ios  crypto  ssl  security  goto-fail  goto  fail  unit-testing  coding-standards 
february 2014 by jm
Belkin managed to put their firmware update private key in the distribution
'The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.'

Using GPG to sign your firmware updates: yay. Accidentally leaving the private key in the distribution: sad trombone.
fail  wemo  belkin  firmware  embedded-systems  security  updates  distribution  gpg  crypto  public-key  pki  home-automation  ioactive 
february 2014 by jm
Why dispute resolution is hard
Good stuff (as usual) from Ross Anderson and Stephen Murdoch.

'Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?
The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.
As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.'
finance  security  ross-anderson  emv  bitcoin  chip-and-pin  banking  architecture  verification  vvat  logging 
february 2014 by jm
193_Cellxion_Brochure_UGX Series 330
The Cellxion UGX Series 330 is a 'transportable Dual GSM/Triple UMTS Firewall and Analysis Tool' -- ie. an IMSI catcher in a briefcase, capable of catching IMSI/IMEIs in 3G. It even supports configurable signal strength. Made in the UK
cellxion  imsi-catchers  imei  surveillance  gsocgate  gsm  3g  mobile-phones  security  spying 
february 2014 by jm
Why Mt. Gox is full of shit
leading Bitcoin exchange "Magic The Gatherine Online Exchange" turns out to suffer from crappy code, surprise:
why does Mt. Gox experience this issue? They run a custom Bitcoin daemon, with a custom implementation of the Bitcoin protocol. Their implementation, against all advice, does rely on the transaction ID, which makes this attack possible. They have actually been warned about it months ago by gmaxwell, and have apparently decided to ignore this warning. In other words, this is not a vulnerability in the Bitcoin protocol, but an implementation error in Mt. Gox' custom Bitcoin software.


The rest of the article is eyeopening, including the MySQL injection vulnerabilities and failure to correctly secure a Prolexic-defended server.

https://news.ycombinator.com/item?id=7211286 has some other shocking reports of Bitcoin operators being incompetent, including 'Bitomat, the incompetent exchange that deleted their own [sole] amazon instance accidentally which contained all their keys, and thus customer funds'. wtfbbq
mtgox  security  bitcoin  standards  omgwtfbbq  via:hn  bitomat 
february 2014 by jm
QuakeNet IRC Network- Article - PRESS RELEASE: IRC NETWORKS UNDER SYSTEMATIC ATTACK FROM GOVERNMENTS
QuakeNet are not happy about GCHQ's DDoS attacks against them.
Yesterday we learned ... that GCHQ, the British intelligence agency, are performing persistent social and technological attacks against IRC networks. These attacks are performed without informing the networks and are targeted at users associated with politically motivated movements such as "Anonymous". While QuakeNet does not condone or endorse and actively forbids any illegal activity on its servers we encourage discussion on all topics including political and social commentary. It is apparent now that engaging in such topics with an opinion contrary to that of the intelligence agencies is sufficient to make people a target for monitoring, coercion and denial of access to communications platforms. The ... documents depict GCHQ operatives engaging in social engineering of IRC users to entrap themselves by encouraging the target to leak details about their location as well as wholesale attacks on the IRC servers hosting the network. These attacks bring down the IRC network entirely affecting every user on the network as well as the company hosting the server. The collateral damage and numbers of innocent people and companies affected by these forms of attack can be huge and it is highly illegal in many jurisdictions including the UK under the Computer Misuse Act.
quakenet  ddos  security  gchq  irc  anonymous 
february 2014 by jm
Target Hackers Broke in Via HVAC Company
Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties.


Target shared the same network for outside contractor access and the critical POS devices. fail. (via Joe Feise)
via:joe-feise  hvac  contractors  fraud  malware  2fa  security  networking  payment  pci 
february 2014 by jm
A looming breakthrough in indistinguishability obfuscation
'The team’s obfuscator works by transforming a computer program into what Sahai calls a “multilinear jigsaw puzzle.” Each piece of the program gets obfuscated by mixing in random elements that are carefully chosen so that if you run the garbled program in the intended way, the randomness cancels out and the pieces fit together to compute the correct output. But if you try to do anything else with the program, the randomness makes each individual puzzle piece look meaningless. This obfuscation scheme is unbreakable, the team showed, provided that a certain newfangled problem about lattices is as hard to solve as the team thinks it is. Time will tell if this assumption is warranted, but the scheme has already resisted several attempts to crack it, and Sahai, Barak and Garg, together with Yael Tauman Kalai of Microsoft Research New England and Omer Paneth of Boston University, have proved that the most natural types of attacks on the system are guaranteed to fail. And the hard lattice problem, though new, is closely related to a family of hard problems that have stood up to testing and are used in practical encryption schemes.'

(via Tony Finch)
obfuscation  cryptography  via:fanf  security  hard-lattice-problem  crypto  science 
february 2014 by jm
GCHQ slide claiming that they DDoS'd anonymous' IRC servers
Mikko Hypponen: "This makes British Government the only Western government known to have launched DDoS attacks."
ddos  history  security  gchq  dos  anonymous  irc  hacking 
february 2014 by jm
Chinese Internet Traffic Redirected to Small Wyoming House
'That address — which is home to some 2,000 companies on paper — was the subject of a lengthy 2011 Reuters investigation that found that among the entities registered to the address were a shell company controlled by a jailed former Ukraine prime minister; the owner of a company charged with helping online poker operators evade an Internet gambling ban; and one entity that was banned from government contracts after selling counterfeit truck parts to the Pentagon.'
china  internet  great-firewall  dns  wyoming  attacks  security  not-the-onion 
january 2014 by jm
More than 50% of Irish companies have "suffered a data breach" in 2013
The research, conducted among hundreds of Irish companies' IT managers by the Irish Computer Society, reveals that 51 per cent of Irish firms have suffered a data breach over the last year, a jump on 43 per cent recorded in 2012.


Wow, that's high.
hacking  security  ireland  ics  data-breaches 
january 2014 by jm
The Target hack and PCI-DSS
Both Heartland Payment Systems and Hannaford Bros. were in fact certified PCI-compliant while the hackers were in their system. In August 2006, Wal-Mart was also certified PCI-compliant while unknown attackers were lurking on its network. [...] “This PCI standard just ain’t working,” says Litan, the Gartner analyst. “I wouldn’t say it’s completely pointless. Because you can’t say security is a bad thing. But they’re trying to patch a really weak [and] insecure payment system [with it].”


Basically, RAM scrapers have been in use in live attacks, sniffing credentials in the clear, since 2007. Ouch.
ram-scrapers  trojans  pins  pci-dss  compliance  security  gartner  walmart  target 
january 2014 by jm
Full iSight report on the Kaptoxa attack on Target
'POS malware is becoming increasingly available to cyber criminals' ... 'there is growing demand for [this kind of malware]'. Watch your credit cards...
debit-cards  credit-cards  security  card-present  attacks  kaptoxa  ram-scrapers  trojans  point-of-sale  pos  malware  target 
january 2014 by jm
The Malware That Duped Target Has Been Found
a Windows 'RAM scraper' trojan known as Trojan.POSRAM, which was used to attack the Windows-based point-of-sales systems which the POS terminals are connected to. part of an operation called Kaptoxa. 'The code is based on a previous malicious tool known as BlackPOS that is believed to have been developed in 2013 in Russia, though the new variant was highly customized to prevent antivirus programs from detecting it' ... 'The tool monitors memory address spaces used by specific programs, such as payment application programs like pos.exe and PosW32.exe that process the data embossed in the magnetic strip of credit and debit cards data. The tool grabs the data from memory.' ... 'The siphoned data is stored on the system, and then every seven hours the malware checks the local time on the compromised system to see if it’s between the hours of 10 a.m. and 5 p.m. If so, it attempts to send the data over a temporary NetBIOS share to an internal host inside the compromised network so the attackers can then extract the data over an FTP ... connection.'

http://www.pcworld.com/article/2088920/target-credit-card-data-was-sent-to-server-in-russia.html says the data was then transmitted to another US-based server, and from there relayed to Russia, and notes: 'At the time of its discovery, Trojan.POSRAM “had a zero percent antivirus detection rate, which means that fully updated antivirus engines on fully patched computers could not identify the software as malicious,” iSight said.'

Massive AV fail.
kaptoxa  trojans  ram-scrapers  trojan.posram  posram  point-of-sale  security  hacks  target  credit-cards  pin  ftp  netbios  smb 
january 2014 by jm
How an emulator-fueled robot reprogrammed Super Mario World on the fly
Suffice it to say that the first minute-and-a-half or so of this [speedrun] is merely an effort to spawn a specific set of sprites into the game's Object Attribute Memory (OAM) buffer in a specific order. The TAS runner then uses a stun glitch to spawn an unused sprite into the game, which in turn causes the system to treat the sprites in that OAM buffer as raw executable code. In this case, that code has been arranged to jump to the memory location for controller data, in essence letting the user insert whatever executable program he or she wants into memory by converting the binary data for precisely ordered button presses into assembly code (interestingly, this data is entered more quickly by simulating the inputs of eight controllers plugged in through simulated multitaps on each controller port).


oh. my. god. This is utterly bananas.
games  hacking  omgwtfbbq  hacks  buffer-overrun  super-mario  snes  security 
january 2014 by jm
Bruce Schneier and Matt Blaze on TAO's Methods
An important point:
As scarily impressive as [NSA's TAO] implant catalog is, it's targeted. We can argue about how it should be targeted -- who counts as a "bad guy" and who doesn't -- but it's much better than the NSA's collecting cell phone location data on everyone on the planet. The more we can deny the NSA the ability to do broad wholesale surveillance on everyone, and force them to do targeted surveillance in individuals and organizations, the safer we all are.
nsa  tao  security  matt-blaze  bruce-schneier  surveillance  tempest 
january 2014 by jm
On Hacking MicroSD Cards
incredible stuff from Bunnie Huang:
Today at the Chaos Computer Congress (30C3), xobs and I disclosed a finding that some SD cards contain vulnerabilities that allow arbitrary code execution — on the memory card itself. On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else. On the light side, it also enables the possibility for hardware enthusiasts to gain access to a very cheap and ubiquitous source of microcontrollers.
security  memory  hacking  hardware  ccc  sd-cards  memory-cards 
december 2013 by jm
xelerance/xl2tpd · GitHub
IRR-recommended self-hosted VPN endpoint implementation
vpn  l2tp  tunneling  internet  privacy  security  xl2tpd  xelerance  via:irr 
december 2013 by jm
SkyJack - autonomous drone hacking
Samy Kamkar strikes again. 'Using a Parrot AR.Drone 2, a Raspberry Pi, a USB battery, an Alfa AWUS036H wireless transmitter, aircrack-ng, node-ar-drone, node.js, and my SkyJack software, I developed a drone that flies around, seeks the wireless signal of any other drone in the area, forcefully disconnects the wireless connection of the true owner of the target drone, then authenticates with the target drone pretending to be its owner, then feeds commands to it and all other possessed zombie drones at my will.'
drones  amazon  hacking  security  samy-kamkar  aircrack  node  raspberry-pi  airborne-zombies 
december 2013 by jm
Who Is Watching the Watch Lists? - NYTimes.com
it might seem that current efforts to identify and track potential terrorists would be approached with caution. Yet the federal government’s main terrorist watch list has grown to at least 700,000 people, with little scrutiny over how the determinations are made or the impact on those marked with the terrorist label.
“If you’ve done the paperwork correctly, then you can effectively enter someone onto the watch list,” said Anya Bernstein, an associate professor at the SUNY Buffalo Law School and author of “The Hidden Costs of Terrorist Watch Lists,” published by the Buffalo Law Review in May. “There’s no indication that agencies undertake any kind of regular retrospective review to assess how good they are at predicting the conduct they’re targeting.”

terrorism  watchlists  blacklists  filtering  safety  air-travel  government  security  dhs  travel 
december 2013 by jm
Newegg trial: Crypto legend takes the stand, goes for knockout patent punch | Ars Technica

"We've heard a good bit in this courtroom about public key encryption," said Albright. "Are you familiar with that?

"Yes, I am," said Diffie, in what surely qualified as the biggest understatement of the trial.

"And how is it that you're familiar with public key encryption?"

"I invented it."


(via burritojustice)
crypto  tech  security  patents  swpats  pki  whitfield-diffie  history  east-texas  newegg  patent-trolls 
november 2013 by jm
The New Threat: Targeted Internet Traffic Misdirection
MITM attacks via BGP route hijacking now relatively commonplace on the internet, with 60 cases observed so far this year by Renesys
bgp  mitm  internet  security  routing  attacks  hijacking 
november 2013 by jm
Software Detection of Currency
Steven J. Murdoch presents some interesting results indicating that the EURion constellation may have been obsoleted:
Recent printers, scanners and image manipulation software identify images of currency, will not process the image and display an error message linking to www.rulesforuse.org. The detection algorithm is not disclosed, however it is possible to test sample images as to whether they are identified as currency. This webpage shows an initial analysis of the algorithm's properties, based on results from the automated generation and testing of images. [...]

Initially it was thought that the "Eurion constellation" was used to identify banknotes in the newly deployed software based system, since this has been confirmed to be the technique used by colour photocopiers, and was both necessary and sufficient to prevent an item being duplicated using the photocopier tested. However further investigation showed that the detection performed by software is different from the system used in colour photocopiers, and the Eurion constellation is neither necessary nor sufficent, and in fact it probably is not even a factor.
eurion  algorithms  photoshop  security  currency  money  euro  copying  obscurity  reversing 
november 2013 by jm
Mike Hearn - Google+ - The packet capture shown in these new NSA slides shows…
The packet capture shown in these new NSA slides shows internal database replication traffic for the anti-hacking system I worked on for over two years. Specifically, it shows a database recording a user login.


This kind of confirms my theory that the majority of interesting traffic for the NSA/GCHQ MUSCULAR sniffing system would have been inter-DC replication. Was, since it sounds like that stuff's all changing now to use end-to-end crypto...
google  crypto  security  muscular  nsa  gchq  mike-hearn  replication  sniffing  spying  surveillance 
november 2013 by jm
Metropolitan police detained David Miranda for promoting 'political' causes | World news | The Observer
"We assess that Miranda is knowingly carrying material [...] the disclosure or threat of disclosure is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism."
security  david-miranda  journalism  censorship  terrorism  the-guardian 
november 2013 by jm
Russia: Hidden chips 'launch malware attacks from irons'
Cyber criminals are planting chips in electric irons and kettles to launch spam [jm: actually, malware] attacks, reports in Russia suggest. State-owned channel Rossiya 24 even showed footage of a technician opening up an iron included in a batch of Chinese imports to find a "spy chip" with what he called "a little microphone". Its correspondent said the hidden devices were mostly being used to spread viruses, by connecting to any computer within a 200m (656ft) radius which were using unprotected Wi-Fi networks. Other products found to have rogue components reportedly included mobile phones and car dashboard cameras.
wifi  viruses  spam  malware  security  russia  china  toasters  kettles  appliances 
october 2013 by jm
Experian Sold Consumer Data to ID Theft Service
This is what happens when you don't have strong controls on data protection/data privacy -- the US experience.
While [posing as a US-based private investigator] may have gotten the [Vietnam-based gang operating the massive identity fraud site Superget.info] past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the data-breach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”


via Simon McGarr
via:tupp_ed  privacy  security  crime  data-protection  data-privacy  experian  data-breaches  courtventures  superget  scams  fraud  identity  identity-theft 
october 2013 by jm
Schneier on Security: Air Gaps
interesting discussion in the comments. "Patricia"'s process is particularly hair-raisingly complex, involving 3 separate machines and a multitude of VMs
air-gaps  security  networking  bruce-schneier  via:adulau 
october 2013 by jm
« earlier      
per page:    204080120160

related tags

2fa  3des  3dsecure  3g  4chan  4g  9-11  512-bit  abuse  accounts  accuracy  aclu  actel  ads  advertising  aes  air-gap  air-gaps  air-travel  airborne-zombies  aircrack  airport  akamai  alarm  alert  algorithms  amazon  america  android  anonymisation  anonymity  anonymization  anonymous  anti-phishing  anti-spam  antivirus  antwerp  apache  apache-harmony  api-keys  apis  apple  applets  appliances  apps  arab-spring  architecture  ars-technica  as-34109  asf  atm  attack  attacks  audits  austria  authentication  authorisation  authorization  auto-learning  automation  av  aviation  aws  backbone  backdoors  backup  backups  banking  banks  bash  bbc  belkin  bernie  bgp  big-brother  big-data  bike  biometrics  bios  bitcoin  bitomat  blacklists  blockchain  bluetooth  boeing  books  botnet  bpf  brian-krebs  browsers  bruce-schneier  brute-force  bsafe  bsd  buffer-overflows  buffer-overrun  bug-reports  bugging  bugs  bugzilla  build  byte  c  ca  calibre  cao  card-present  case-studies  cb3rob  cbc  ccc  cctlds  celebrities  cellphones  cellxion  censorship  certificates  cgi  chef  china  chip-and-pin  chip-and-signature  chipandpin  chips  chrome  chunked-encoding  cia  cipav  cityhash  clampi  clocks  clojure  cloud-services  cloudflare  code-spaces  codepad  coding  coding-standards  colin-holder  collisions  comcast  comerica  communication  comodo  compartmentalisation  compliance  compression  concurrency  configuration  console  containerization  containers  contractors  cookies  copying  cory-doctorow  courtventures  cpu  cracking  credit-cards  crime  crl  crls  crypto  cryptography  cryptophone  css  ctr  curl  currency  customer-care  cycling  d-link  d-spam  dailywtf  dan-kaminsky  danger  data  data-breaches  data-dumps  data-privacy  data-protection  data-retention  database  databases  datamining  david-miranda  david-simon  ddos  deanonymization  death  debit-cards  defaults  delete  dependencies  des  desfire  design  desktop-sharing  dessid  development  dhs  diffie-hellman  digital-rights  directories  distraction  distribution  diy  djb  dkim  dmca  dns  dnsbls  docker  doh  domain-keys  domains  dos  dot-net  dpc  driving  drones  dropbox  dsl  dual-use  dual_ec_drbg  dug-song  east-texas  eastern-europe  eavesdropping  ec2  ecb  ecc  ecdhe  ecommerce  eff  eircom  elb  elliptic-curve  elliptic-curves  email  embedded-systems  emergency  emv  encryption  end-to-end  entropy  epic-marketplace  escaping  espionage  eu  eurion  euro  experian  exploits  extortion  facebook  facebook-api  factorisation  fail  fail0verflow  false-positives  farebot  fastmail  fbi  fghack  filesharing  filtering  finance  find-my-iphone  fine-gael  fingerprinting  fingerprints  firefox  firewall  firewalls  firmware  five-eyes  flame  flight  floating-point  fpga  fraud  froyo  ftp  funding  funny  fuzzing  games  gandi  gartner  gchq  gmail  gnu  google  goto  goto-fail  government  gpg  grades  gradle  great-firewall  gsm  gsocgate  guardian  gwibber  hacking  hacks  hamachi  han  handshake  haproxy  hard-lattice-problem  hardware  hash  hashdos  hashes  hashing  hashmap  hbgary  health  heartbleed  hijacking  history  history-stealing  hmac  home  home-alarms  home-automation  horror  house  html  http  https  humor  hvac  hyperdex  hypervisor  icann  icloud  ics  identity  identity-theft  idiots  ilya-grigorik  images  imei  immixgroup  imsi-catchers  india  inept  infrastructure  injection  install  insteon  insulin  intel  internet  ioactive  ioerror  ios  iot  ipad  iphone  ipmi  ipsec  iran  irc  ireland  isec  isps  israel  jails  jamming  jars  java  javascript  jdk  jira  joe-stewart  jon-callas  jonathan-zdziarski  journalism  jtag  kaptoxa  karsten-nohl  kernel  kettles  key-distribution  key-length  key-lengths  keyed-hashing  keyservers  kids  kiss  knife  l2tp  languages  lastpass  latency  law  lawsuits  liability  libbfd  libraries  linux  location  locks  logging  london  lucid-intelligence  lxc  mac  macaroons  machine-learning  maciej  magstripe  mail  malware  mandos  maritime  mastercard  matt-blaze  matthew-green  maven  mcafee  md5  medicine  memcached  memory  memory-cards  mfa  michael-hayden  microsemi  microsoft  mifare  mig  mike-hearn  miniduke  mining  mitm  mobile  mobile-phones  money  moores-law  mozilla  mtgox  mugging  murmurhash  muscular  mysore  nai  namespaces  neorouter  netbios  network  network-neutrality  networking  new-york  newegg  nginx  nmap  node  nosql  not-the-onion  notaries  npm  nsa  nsls  ntp  nul  nyc  nyms  nytimes  oauth  obfuscation  obscurity  ocsp  offshoring  oilrigs  omgwtfbbq  one-time-passwords  online  online-backup  online-shopping  online-storage  open-source  openbsd  opensource  openssh  openssl  openwrt  opie  opportunistic  ops  opt-out  oracle  osx  ota  otp  p2p  packaging  packet-injection  packets  papers  passwords  pastebin  patent-trolls  patents  pathetic  payment  pci  pci-dss  pdf  pea  peering  perfect-forward-secrecy  performance  pgp  phil-zimmermann  phish  phishing  phones  photos  photoshop  php  pics  pin  pins  piracy  pki  plainscapital  planex  plugins  point-of-sale  poisoning  police  policies  politics  popen  port-forwarding  pos  posram  poul-henning-kemp  power-management  prefetching  prism  privacy  private-keys  prng  prngs  programming  project-zero  protocols  proxies  proxy  proxying  ps3  public-key  pump  quakenet  radio  rails  rainbow-tables  ram-scrapers  ramnica-valcea  random  randomness  raspberry-pi  reddit  reference  regin  remote  replication  reverse-engineering  reversing  review  revocation  rf  rfid  risk  risks  rngs  road-safety  robin-xu  romania  ross-anderson  router  routers  routing  rsa  ruby  russia  rvm  s3  safety  salting  samy-kamkar  sandbox  sanitisation  satis  scala  scams  scanner  scanning  scareware  scary  schneier  science  screening  sd-cards  secrecy  securecode  secureworks  security  security-theatre  seizure  server  servers  setuid  sh  sha  sha1  sha256  shell  shellshock  shipping  ships  shopping  side-channels  siemens  silent-circle  silentcircle  silicon  sim-cards  siphash  skey  skimmers  smartcards  smartphones  smb  smc8014  sms  snapchat  snes  sniffing  snooping  social-media  software  source-code  south-africa  spam  spamhaus  speed  spinvox  spoofing  spying  spyware  sql  ssh  sshd  ssl  ssl-labs  ssl3  standards  stingrays  stock-markets  storage  strings  stud  stuxnet  super-mario  superget  surveillance  svm  swpats  symantec  sync  sysadmin  systemd  tao  target  taxis  tcp  tcpcrypt  tcpdump  tech  technology  tempest  terrorism  tesco  testing  the-guardian  theft  thomas-ptacek  thunderbird  time  time-warner  tips  tlds  tls  tlsdate  toasters  tomato  tools  tor  torrents  transcription  transit  transparent-proxies  travel  trojan.posram  trojans  truecrypt  trust  trustwave  tsa  tunisia  tunneling  tunnelling  turing-complete  tv  twitter  two-factor-auth  two-factor-authentication  u-locks  ubuntu  uk  ukraine  unit-testing  unix  upd4t3  updates  urls  us-politics  usa  usertrust  varnish  vbv  vc  verification  verified-by-visa  via:adamshostack  via:adulau  via:alec-muffet  via:boingboing  via:cscotta  via:elliottucker  via:fanf  via:filippo  via:gwire  via:hn  via:ioerror  via:irr  via:jgc  via:joe-feise  via:lhl  via:mikko  via:nelson  via:oisin  via:pjakma  via:reddit  via:risks  via:tupp_ed  via:waxy  viruses  visa  vm  vpn  vvat  walmart  war  warning  watchlists  web  web-of-trust  web-services  webdev  webkit  wemo  whitelisting  whitfield-diffie  wickr  wifi  windows  wired  wireless  worms  wow  wyoming  x-ray  xelerance  xl2tpd  xss 

Copy this bookmark:



description:


tags: