jm + security   313

A Cute Internet Star Flirts. All He Wants Is Your Password. - The New York Times
whoa.
Mr. Johnson’s fans are not naïve. Handing over their passwords to some strange, cute boy actually constitutes a minor act of youthful rebellion. The whole encounter delivers a heady mix of intimacy and transgression — the closest digital simulation yet to a teenage crush.


(via Adam Shostack)
via:adam-shostack  passwords  authentication  security  teens  rebellion 
2 days ago by jm
Shopify/ejson
'a small library to manage encrypted secrets using asymmetric encryption.'
The main benefits provided by ejson are:

Secrets can be safely stored in a git repo.
Changes to secrets are auditable on a line-by-line basis with git blame.
Anyone with git commit access has access to write new secrets.
Decryption access can easily be locked down to production servers only.
Secrets change synchronously with application source (as opposed to secrets provisioned by Configuration Management).
Simple, well-tested, easily-auditable source.
crypto  security  credentials  encryption  ejson  json  configuration  config 
12 days ago by jm
E-Voting in Estonia needs to be discontinued
After studying other e-voting systems around the world, the team was particularly alarmed by the Estonian I-voting system. It has serious design weaknesses that are exacerbated by weak operational management. It has been built on assumptions which are outdated and do not reflect the contemporary reality of state-level attacks and sophisticated cybercrime. These problems stem from fundamental architectural problems that cannot be resolved with quick fixes or interim steps. While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks — elections could be stolen, disrupted, or cast into disrepute. In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian I-voting system should be immediately discontinued.
internet  technology  e-voting  voting  security  via:mattblaze  estonia  i-voting  russia  cybercrime 
4 weeks ago by jm
Finding pearls; fuzzing ClamAV
great how-to for practical scanner fuzz testing
fuzz-testing  clamav  scanners  security  vulnerabilities  testing 
5 weeks ago by jm
Stop it with short PGP key IDs!
What happened today? We still don't really know, but it seems we found a first potentially malicious collision — that is, the first "nonacademic" case. Enrico found two keys sharing the 9F6C6333 short ID, apparently belonging to the same person (as would be the case of Asheesh, mentioned above). After contacting Gustavo, though, he does not know about the second — That is, it can be clearly regarded as an impersonation attempt. Besides, what gave away this attempt are the signatures it has: Both keys are signed by what appears to be the same three keys: B29B232A, F2C850CA and 789038F2. Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil.
Now, don't panic: Gustavo's key is safe. Same for his certifiers, Marga, Agustín and Maxy. It's just a 32-bit collision. So, in principle, the only parties that could be cheated to trust the attacker are humans, right? Nope.
Enrico tested on the PGP pathfinder & key statistics service, a keyserver that finds trust paths between any two arbitrary keys in the strong set. Surprise: The pathfinder works on the short key IDs, even when supplied full fingerprints. So, it turns out I have three faked trust paths into our impostor.
pgp  gpg  keys  collisions  hashing  security  debian 
6 weeks ago by jm
The Mitsubishi Outlander vulnerability allows trivial remote car alarm unlocking.
Nearly-open wifi (easily-cracked weak WPA PSK), and a 6-byte string to disable the car alarm, discovered via replay attack. Massive fail
internetofshit  mitsubishi  fail  outlander  wpa  alarms  security  replay-attack 
6 weeks ago by jm
Live Streaming Security Games
Rapid Fire is a special event we started hosting at our own in-person CTFs in 2014. The idea is pretty simple:

Create several CTF challenges that can be solved in a few minutes each.
Set up the challenges on 4 identical computers with some basic tools.
Mirror the player’s screens so the audience can watch their actions.
Whoever solves the most challenges the fastest wins.

This event is interesting for a number of reasons: the players are under intense pressure, as everything they do is being watched by several people; the audience can watch several different approaches to the same problems; and people can follow along fairly easily with what is going on with the challenges.


With e-sports-style video!
gaming  hacking  security  e-sports  streaming  twitch  ctf 
8 weeks ago by jm
100 thieves steal $13m in three hours from cash machines across Japan
'Police believe that as many as 100 people, none of whom have been apprehended, worked together using forged credit cards containing account details illegally obtained from a bank in South Africa. The culprits used the fake cards at 1,400 convenience store automated teller machines on the morning of 15 May, according to police. Each made a single withdrawal of 100,000 yen – the maximum allowed by the cash machines.'

1,600 forged/stolen credit card credentials from a single bank, then a synchronised attack made possible by the eventually-consistent ledger model of ATM accounting.

(via William Gibson)
atms  banking  japan  fraud  security  credit-cards 
8 weeks ago by jm
Bike thief reveals tricks of the trade in this shockingly candid interview
This is an eye-opener:
A former bicycle thief has revealed the tricks of the trade in an interview, which clearly and shockingly shows the extent that thieves will go to in order to steal a bike. He talks about the motivations behind the theft, the tools used to crack locks and how the bikes were moved around and sold for a significant sum. He also gives tips on how to prevent your bike from being stolen.
[...]

'Don’t be fooled by Kryptonite locks, they’re not as tough as made out to be. Also D-bars with tubular locks, never use them, they’re the most easy to pick with a little tool. It’s small and discreet, no noise and it looks like you are just unlocking your bike. With the bolt cutters we would go out on high performance motorbikes, two men on a bike.'
bikes  locks  bike-locks  security  london  theft  lockpicking  d-locks 
9 weeks ago by jm
Why I Hate Security, Computers, and the Entire Modern Banking System | Motherboard
I am honestly amazed the US banking system still works this way, after over a decade of rampant identity theft:
I cannot count the number of times I’ve freely given out my routing and account numbers—in emails, in webforms, in paperwork. This is because it’s necessary for other people to know my routing number and account number in order for them to send me money. But apparently, with that same information, they can also snatch money straight from my account. What kind of insane system is this? There’s two factor authentication, there’s one factor authentication, and then there’s this, which I think I can call zero factor authentication.
identity-theft  phishing  banking  banks  usa  authentication  2fa  0fa  security 
11 weeks ago by jm
Exclusive: SWIFT bank network says aware of multiple cyber fraud incidents
"SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network," the group warned customers on Monday in a notice seen by Reuters.


Ouch. They seem to be indicating that they're all phishing/impersonation-based attacks.
phishing  swift  banking  hacks  exploits  banks  security 
12 weeks ago by jm
How I Hacked Facebook, and Found Someone's Backdoor Script
Great writeup of a practical pen test. Those crappy proprietary appliances that get set up "so the CEO can read his email on the road" etc. are always a weak spot
facebook  hacking  security  exploits  pen-tests  backdoors 
april 2016 by jm
Detecting the use of "curl | bash" server side
tl;dr:
The better solution is never to pipe untrusted data streams into bash. If you still want to run untrusted bash scripts, a better approach is to pipe the contents of the URL into a file, review the contents on disk and only then execute it.
bash  security  shell  unix  curl  tcp  buffers 
april 2016 by jm
The problems with forcing regular password expiry

The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.
It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis. CESG now recommend organisations do not force regular password expiry.
cesg  recommendations  guidelines  security  passwords  expiry  uk  gchq 
april 2016 by jm
Canadian Police Obtained BlackBerry’s Global Decryption Key in 2010
According to technical reports by the Royal Canadian Mounted Police that were filed in court, law enforcement intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages in connection with the probe. The report doesn't disclose exactly where the key — effectively a piece of code that could break the encryption on virtually any BlackBerry message sent from one device to another — came from. But, as one police officer put it, it was a key that could unlock millions of doors.
Government lawyers spent almost two years fighting in a Montreal courtroom to keep this information out of the public record.
canada  crime  encryption  security  blackberry  crypto  rcmp  police  rogers  montreal  rim 
april 2016 by jm
Data Protection Mishap Leaves 55M Philippine Voters at Risk
Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Philippines’ Commission on Elections (COMELEC). While initial reports have downplayed the impact of the leak, our investigations showed a huge number of sensitive personally identifiable information (PII)–including passport information and fingerprint data–were included in the data dump. [....]

Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.

In addition, among the data leaked were files on all candidates running in the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED files are set to have NULL as the figure.

fingerprints  biometrics  philippines  authentication  data-dumps  security  hacks  comelec  e-voting  pii  passports  voting 
april 2016 by jm
Neutered RNG let man rig million dollar lotteries | Ars Technica
A forensic examination found that the generator had code that was installed after the machine had been audited by a security firm that directed the generator not to produce random numbers on three particular days of the year if two other conditions were met. Numbers on those days would be drawn by an algorithm that Tipton could predict [...] All six prizes linked to Tipton were drawn on either Nov. 23 or Dec. 29 between 2005 and 2011.
prng  randomness  security  hacks  exploits  lottery  us  audits  holes 
april 2016 by jm
Irish drone register allowed access to personal details of 2,000 members
The breach, which allowed registered users to view names, addresses, email addresses and phone numbers of other people registered on the site, was brought to the attention of the authority on Sunday night.
In a statement to TheJournal.ie, the IAA revealed it was aware of four users who downloaded the file.
fail  drones  ireland  iaa  security 
april 2016 by jm
GCHQ intervenes to prevent catastrophically insecure UK smart meter plan - The Inquirer

GCHQ barged in after spooks cast their eyes over the plans and realised that power companies were proposing to use a single decryption key for communications from the 53 million smart meters that will eventually be installed in the UK.


holy crap.
gchq  security  smart-meters  power  uk  electricity  gas  infrastructure 
april 2016 by jm
'Devastating' bug pops secure doors at airports, hospitals
"A command injection vulnerability exists in this function due to a lack of any sanitisation on the user-supplied input that is fed to the system() call," Lawshae says.


:facepalm:
security  iot  funny  fail  linux  unix  backticks  system  udp  hid  vertx  edge 
april 2016 by jm
CNBC "How Secure Is Your Password" tester form is a spectacular security shitshow
It not only runs over HTTP, it also sends your password to a bunch of third-party ad trackers. omgwtfbbqfail
fail  wtf  funny  cnbc  clowns  inept  security  passwords  http  ad-trackers 
march 2016 by jm
Qualys SSL Server Test
pretty sure I had this bookmarked previously, but this is the current URL -- SSL/TLS quality report
ssl  tls  security  tests  ops  tools  testing 
march 2016 by jm
Interesting Lottery Terminal Hack - Schneier on Security
Neat manual timing attack.
An investigator for the Connecticut Lottery determined that terminal operators could slow down their lottery machines by requesting a number of database reports or by entering several requests for lottery game tickets. While those reports were being processed, the operator could enter sales for 5 Card Cash tickets. Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners. If tickets were not winners, the operator could cancel the sale before the tickets printed.
attacks  security  lottery  connecticut  kiosks 
march 2016 by jm
The disturbingly simple way dozens of celebrities had their nude photos stolen
Basic phishing:

'Collins hacked over 100 people by sending emails that looked like they came from Apple and Google, such as “e-mail.protection318@icloud.com,” “noreply_helpdesk0118@outlook.com,” and “secure.helpdesk0019@gmail.com.” According to the government, Collins asked for his victims’ iCloud or Gmail usernames and passwords and “because of the victims’ belief that the email had come from their [Internet Service Providers], numerous victims responded by giving [them].”'
security  phishing  nudes  fappening  celebs  gmail  icloud  apple 
march 2016 by jm
DROWN attack
The latest SSL security hole. 'DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.'
drown  attacks  vulnerabilities  sslv2  ssl  tls  security  holes 
march 2016 by jm
How To Implement Secure Bitcoin Vaults
At the Bitcoin workshop in Barbados, Malte Möser will present our solution to the Bitcoin private key management problem. Specifically, our paper describes a way to create vaults, special accounts whose keys can be neutralized if they fall into the hands of attackers. Vaults are Bitcoin’s decentralized version of you calling your bank to report a stolen credit card -- it renders the attacker’s transactions null and void. And here’s the interesting part: in so doing, vaults demotivate key theft in the first place. An attacker who knows that he will not be able to get away with theft is less likely to attack in the first place, compared to current Bitcoin attackers who are guaranteed that their hacking efforts will be handsomely rewarded.

private-keys  vaults  bitcoin  security  crypto  theft 
february 2016 by jm
Troy Hunt: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
holy crap. Nissan expose a public API authenticated _solely_ using the car's VIN -- which is more or less public info; the API allows turning on/off AC, grabbing driving history, etc.
security  fail  nissan  leaf  cars  apis  vin  authentication 
february 2016 by jm
This is Why People Fear the ‘Internet of Things’
Ugh. This is a security nightmare. Nice work Foscam...
Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt. This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!
foscam  cameras  iot  security  networking  p2p 
february 2016 by jm
The NSA’s SKYNET program may be killing thousands of innocent people
Death by Random Forest: this project is a horrible misapplication of machine learning. Truly appalling, when a false positive means death:

The NSA evaluates the SKYNET program using a subset of 100,000 randomly selected people (identified by their MSIDN/MSI pairs of their mobile phones), and a known group of seven terrorists. The NSA then trained the learning algorithm by feeding it six of the terrorists and tasking SKYNET to find the seventh. This data provides the percentages for false positives in the slide above.

"First, there are very few 'known terrorists' to use to train and test the model," Ball said. "If they are using the same records to train the model as they are using to test the model, their assessment of the fit is completely bullshit. The usual practice is to hold some of the data out of the training process so that the test includes records the model has never seen before. Without this step, their classification fit assessment is ridiculously optimistic."

The reason is that the 100,000 citizens were selected at random, while the seven terrorists are from a known cluster. Under the random selection of a tiny subset of less than 0.1 percent of the total population, the density of the social graph of the citizens is massively reduced, while the "terrorist" cluster remains strongly interconnected. Scientifically-sound statistical analysis would have required the NSA to mix the terrorists into the population set before random selection of a subset—but this is not practical due to their tiny number.

This may sound like a mere academic problem, but, Ball said, is in fact highly damaging to the quality of the results, and thus ultimately to the accuracy of the classification and assassination of people as "terrorists." A quality evaluation is especially important in this case, as the random forest method is known to overfit its training sets, producing results that are overly optimistic. The NSA's analysis thus does not provide a good indicator of the quality of the method.
terrorism  surveillance  nsa  security  ai  machine-learning  random-forests  horror  false-positives  classification  statistics 
february 2016 by jm
git integrity - Google Groups
It seems git's default behavior in many situations is -- despite communicating objectID by content-addressable hashes which should be sufficient to assure some integrity -- it may not actually bother to *check* them.  Yes, even when receiving objects from other repos.  So, enabling these configuration parameters may "slow down" your git operations.  The return is actually noticing if someone ships you a bogus object.  Everyone should enable these.
git  security  integrity  error-checking  dvcs  version-control  coding 
february 2016 by jm
Amazon Echo security fail
Ughhhh.
Amazon Echo sends your WiFi password to Amazon. No option to disable. Trust us it's in an "encrypted file"
amazon  echo  wifi  passwords  security  data-privacy  data-protection 
january 2016 by jm
ImperialViolet - Juniper: recording some Twitter conversations
Adam Langley on the Juniper VPN-snooping security hole:
... if it wasn't the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place. And I've not even discussed the SSH backdoor. [...]
primes  ecc  security  juniper  holes  exploits  dual-ec-drbg  vpn  networking  crypto  prngs 
december 2015 by jm
Big Brother Watch on Twitter: "Anyone can legally have their phone or computer hacked by the police, intelligence agencies, HMRC and others #IPBill https://t.co/3ZS610srCJ"
As Glynn Moody noted, if UK police, intelligence agencies, HMRC and others can all legally hack phones and computers, that also means that digital evidence can be easily and invisibly planted. This will undermine future court cases in the UK, which seems like a significant own goal...
hmrc  police  gchq  uk  hacking  security  law-enforcement  evidence  law 
december 2015 by jm
Birthday problem calculator
I keep having to google this, so here's a good one which works -- unlike Wolfram Alpha!
birthday  birthday-paradox  birthday-problem  hashes  hash-collision  attacks  security  collisions  calculators  probability  statistcs 
december 2015 by jm
Authenticated app packages on Sandstorm with PGP and Keybase
Nice approach to package authentication UX using Keybase/PGP.
When you go to install a package, Sandstorm verifies that the package is correctly signed by the Ed25519 key. It looks for a PGP signature in the metadata, and verifies that the PGP-signed assertion is for the correct app ID and the email address specified in the metadata. It queries the Keybase API to see what accounts the packager has proven ownership of, and lists them with their links on the app install page.
authentication  auth  packages  sandstorm  keybase  pgp  gpg  security 
november 2015 by jm
Report: Everyone Should Get a Security Freeze
“Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”
us  credit  credit-freeze  security  phishing  brian-krebs 
november 2015 by jm
Three quarters of cars stolen in France 'electronically hacked' - Telegraph
The astonishing figures come two months after computer scientists in the UK warned that thousands of cars – including high-end brands such as Porsches and Maseratis - are at risk of electronic hacking. Their research was suppressed for two years by a court injunction for fear it would help thieves steal vehicles to order. The kit required to carry out such “mouse jacking”, as the French have coined the practice, can be freely purchased on the internet for around £700 and the theft of a range of models can be pulled off “within minutes,” motor experts warn.
hacking  security  security-through-obscurity  mouse-jacking  cars  safety  theft  crime  france  smart-cars 
november 2015 by jm
User data plundering by Android and iOS apps is as rampant as you suspected
An app from Drugs.com, meanwhile, sent the medical search terms "herpes" and "interferon" to five domains, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com, although those domains didn't receive other personal information.
privacy  security  google  tracking  mobile  phones  search  pii 
november 2015 by jm
Google tears Symantec a new one on its CA failure
Symantec are getting a crash course in how to conduct an incident post-mortem to boot:
More immediately, we are requesting of Symantec that they further update their public incident report with:
A post-mortem analysis that details why they did not detect the additional certificates that we found.
Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.
google  symantec  ev  ssl  certificates  ca  security  postmortems  ops 
october 2015 by jm
The Okinawa missiles of October | Bulletin of the Atomic Scientists
'By Bordne's account, at the height of the Cuban Missile Crisis, Air Force crews on Okinawa were ordered to launch 32 missiles, each carrying a large nuclear warhead. Only caution and the common sense and decisive action of the line personnel receiving those orders prevented the launches—and averted the nuclear war that most likely would have ensued.'
okinawa  nukes  launch-codes  pal  cold-war  cuban-missile-crisis  history  accidents  ui  security  horror  via:mattblaze 
october 2015 by jm
How a criminal ring defeated the secure chip-and-PIN credit cards | Ars Technica
Ingenious --
The stolen cards were still considered evidence, so the researchers couldn’t do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card’s original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible,” the researchers write. [....]

The researchers explain that a typical EMV transaction involves three steps: card authentication, cardholder verification, and then transaction authorization. During a transaction using one of the altered cards, the original chip was allowed to respond with the card authentication as normal. Then, during card holder authentication, the POS system would ask for a user’s PIN, the thief would respond with any PIN, and the FUN card would step in and send the POS the code indicating that it was ok to proceed with the transaction because the PIN checked out. During the final transaction authentication phase, the FUN card would relay the transaction data between the POS and the original chip, sending the issuing bank an authorization request cryptogram which the card issuer uses to tell the POS system whether to accept the transaction or not.
security  chip-and-pin  hacking  pos  emv  transactions  credit-cards  debit-cards  hardware  chips  pin  fun-cards  smartcards 
october 2015 by jm
How is NSA breaking so much crypto?
If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
How enormous a computation, you ask? Possibly a technical feat on a scale (relative to the state of computing at the time) not seen since the Enigma cryptanalysis during World War II. Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates. For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.
Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.


(via Eric)
via:eric  encryption  privacy  security  nsa  crypto 
october 2015 by jm
Designing the Spotify perimeter
How Spotify use nginx as a frontline for their sites and services
scaling  spotify  nginx  ops  architecture  ssl  tls  http  frontline  security 
october 2015 by jm
AWS re:Invent 2015 | (CMP406) Amazon ECS at Coursera - YouTube
Coursera are running user-submitted code in ECS! interesting stuff about how they use Docker security/resource-limiting features, forking the ecs-agent code, to run user-submitted code. :O
coursera  user-submitted-code  sandboxing  docker  security  ecs  aws  resource-limits  ops 
october 2015 by jm
From Radio to Porn, British Spies Track Web Users’ Online Identities
Inside KARMA POLICE, GCHQ's mass-surveillance operation aimed to record the browsing habits of "every visible user on the internet", including UK-to-UK internal traffic. More details on the other GCHQ mass surveillance projects at https://theintercept.com/gchq-appendix/
surveillance  gchq  security  privacy  law  uk  ireland  karma-police  snooping 
september 2015 by jm
Malware infecting jailbroken iPhones stole 225,000 Apple account logins | Ars Technica

KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository of Cydia, which markets itself as an alternative to Apple's official App Store. Malicious code surreptitiously included with Cydia apps is creating problems for people in China and at least 17 other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account data for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom, and it has made unauthorized charges against some victims' accounts.


Ouch. Not a good sign for Cydia
cydia  apple  security  exploits  jailbreaking  ios  iphone  malware  keyraider  china 
september 2015 by jm
Using Samsung's Internet-Enabled Refrigerator for Man-in-the-Middle Attacks
Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google's servers to download Gmail calendar information for the on-screen display. So, MITM the victim's fridge from next door, or on the road outside and you can potentially steal their Google credentials.


The Internet of Insecure Things strikes again.
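The failure mode described above is a client that encrypts but never checks who it is talking to. As an added illustration (not code from the paper or from Samsung; the function names are mine), here is that configuration in Python's `ssl` module next to the corrected one, plus an audit helper that reports exactly which settings make a next-door MITM possible:

```python
import ssl

# Added example, not code from the paper or from Samsung. A client that "implements
# SSL" the way the write-up describes the fridge: it encrypts, but accepts any
# certificate from anyone, so a neighbour running a fake Google endpoint is
# indistinguishable from the real one.
def fridge_style_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be switched off before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_context(cafile=None):
    # create_default_context() enables CERT_REQUIRED, hostname matching and the
    # platform trust store. Pass cafile to trust only a private CA instead (pinning).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of reasons a MITM would succeed against this context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, self-signed or not, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.0/1.1 (or SSLv3 on old libraries)")
    return findings


def open_connection(host, port=443, ctx=None):
    """Connect the way the fridge should have: the hostname is passed in so it is
    checked against the certificate. Not called at import time because it needs a network."""
    import socket
    ctx = ctx or hardened_context()
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("fridge", fridge_style_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The `audit_context` check is the sort of thing worth running in a unit test against whatever context a device's firmware or an app's HTTP client actually builds: "uses TLS" tells you nothing until `verify_mode`, `check_hostname` and the trust store have been confirmed.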
iot  security  fridges  samsung  fail  mitm  ssl  tls  google  papers  defcon 
september 2015 by jm
London Calling: Two-Factor Authentication Phishing From Iran
Some rather rudimentary anti-2FA phishing attempts, presumably from Iranian security services
authentication  phishing  security  iran  activism  2fa  mfa 
august 2015 by jm
grsecurity
Open source security team has had enough of embedded-systems vendors taking the piss with licensing:
This announcement is our public statement that we've had enough. Companies in the embedded industry not playing by the same rules as every other company using our software violates users' rights, misleads users and developers, and harms our ability to continue our work. Though I've only gone into depth in this announcement on the latest trademark violation against us, our experience with two GPL violations over the previous year have caused an incredible amount of frustration. These concerns are echoed by the complaints of many others about the treatment of the GPL by the embedded Linux industry in particular over many years.

With that in mind, today's announcement is concerned with the future availability of our stable series of patches. We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity. Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities. If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat's, described here or eventually stop the stable series entirely as it will be an unsustainable development model.
culture  gpl  linux  opensource  security  grsecurity  via:nelson  gentoo  arch-linux  gnu 
august 2015 by jm
Analysis of PS4's security and the state of hacking
FreeBSD jails and Return-Oriented Programming:
Think of [Return-Oriented Programming] as writing a new chapter to a book, using only words that have appeared at the end of sentences in the previous chapters.
ps4  freebsd  jails  security  exploits  hacking  sony  rop  return-oriented-programming 
august 2015 by jm
GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies
Holy shit.
Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone.
gsmem  gsm  exfiltration  air-gaps  memory  radio  mobile-phones  security  papers 
august 2015 by jm
Preventing Dependency Chain Attacks in Maven
Using a whitelist of allowed dependency JARs and their SHA hashes, so that a substituted or unexpected artifact fails the build.
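As an added example of the technique (not the tooling from the linked post; the layout and names are mine), here is the check itself in Python, run over a constructed local Maven repository: every JAR found must appear in a reviewed allowlist with a matching SHA-256, and anything unlisted, mismatched or stale is reported.

```python
import hashlib
import os
import tempfile

# Added example, not the tooling from the linked post. The allowlist maps a
# repository-relative jar path to its expected SHA-256 hex digest; in a real project
# it lives in the source tree and changes only through reviewed commits.


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_jars(root):
    """Yield every .jar under root as a forward-slash relative path (Maven layout)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                yield rel.replace(os.sep, "/")


def verify_repository(root, allowlist):
    """Map each offending jar to a reason; an empty dict means the build may proceed.

    - "sha256 mismatch": the artifact differs from the reviewed one (tampered or replaced)
    - "not in allowlist": an artifact nobody reviewed, typically pulled in transitively
    - "listed but missing": stale allowlist entry; harmless for this build but worth fixing
    """
    problems = {}
    present = set()
    for rel in find_jars(root):
        present.add(rel)
        expected = allowlist.get(rel)
        if expected is None:
            problems[rel] = "not in allowlist"
        elif sha256_of(os.path.join(root, rel)) != expected:
            problems[rel] = "sha256 mismatch"
    for rel in allowlist:
        if rel not in present:
            problems[rel] = "listed but missing"
    return problems


def build_demo_repo():
    """Constructed sample repository: fake jars (the bytes are placeholders) laid out
    as groupId/artifactId/version/artifact-version.jar. Returns (root, allowlist)."""
    root = tempfile.mkdtemp(prefix="m2-")
    jars = {
        "org/example/good/1.0/good-1.0.jar": b"PK good",
        "org/example/tampered/1.0/tampered-1.0.jar": b"PK backdoored build",
        "org/example/evil/1.0/evil-1.0.jar": b"PK unreviewed transitive dependency",
    }
    for rel, data in jars.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    allowlist = {
        "org/example/good/1.0/good-1.0.jar": hashlib.sha256(b"PK good").hexdigest(),
        # the reviewed hash came from the original artifact, not the one now on disk
        "org/example/tampered/1.0/tampered-1.0.jar": hashlib.sha256(b"PK original build").hexdigest(),
        "org/example/gone/1.0/gone-1.0.jar": hashlib.sha256(b"PK gone").hexdigest(),
    }
    return root, allowlist


if __name__ == "__main__":
    root, allowlist = build_demo_repo()
    for rel, why in sorted(verify_repository(root, allowlist).items()):
        print("FAIL %-48s %s" % (rel, why))
```

Run it as a build step before packaging, pointed at the resolved dependency directory. The point of keeping the digests in source control is that the checksum files a repository serves beside each jar are only as trustworthy as that repository; the allowlist is what a reviewer actually signed off on.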
security  whitelisting  dependencies  coding  jar  maven  java  jvm 
august 2015 by jm
HACKERS REMOTELY KILL A JEEP ON THE HIGHWAY—WITH ME IN IT
Jaysus, this is terrifying.
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.


Avoid any car which supports this staggeringly-badly-conceived Uconnect feature:

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.


:facepalm:

Also, Chrysler's response sucks: "Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic."
hacking  security  cars  driving  safety  brakes  jeeps  chrysler  fiat  uconnect  can-bus  can 
july 2015 by jm
"Customer data is a liability, not an asset."
Great turn of phrase from Matthew Green (@matthew_d_green). Emin Gün Sirer adds some detail: "well, an asset with bounded value, and an unbounded liability"
data  privacy  data-protection  ashleymadison  hacks  security  liability 
july 2015 by jm
Security theatre at Allied Irish Banks
Allied Irish Banks's web and mobile banking portals are ludicrously insecure. Vast numbers of accounts have easily-guessable registration numbers and are thus 'protected' by a level of security that is twice as easy to crack as would be provided by a single password containing only two lowercase letters.
A person of malicious intent could easily gain access to hundreds, possibly thousands, of accounts as well as completely overwhelm the branch network by locking an estimated several 100,000s of people out of their online banking.
Both AIB and the Irish Financial Services Ombudsman have refused to respond meaningfully to multiple communications each in which these concerns were raised privately.
aib  banking  security  ireland  hacking  ifso  online-banking 
june 2015 by jm
AV vendors still relying on MD5 to identify malware
Oh dear. I can see how this happened: in many cases they may no longer have the samples to derive new sums from :(
md5  hashing  antivirus  malware  security  via:fanf  bugs 
june 2015 by jm
How Plex is doing HTTPS for all its users
Large-scale automated TLS certificate deployment. Very impressive and not easy to reproduce; good work, Plex!

(via Nelson)
via:nelson  https  ssl  tls  certificates  pki  digicert  security  plex 
june 2015 by jm
SolarCapture Packet Capture Software
Interesting product line -- I didn't know this existed, but it makes good sense as a "network flight recorder". Big in finance.
SolarCapture is a powerful packet capture product family that can transform every server into a precision network monitoring device, increasing network visibility, network instrumentation, and performance analysis. SolarCapture products optimize network monitoring and security, while eliminating the need for specialized appliances, expensive adapters relying on exotic protocols, proprietary hardware, and dedicated networking equipment.


See also Corvil (based in Dublin!): 'I'm using a Corvil at the moment and it's awesome- nanosecond precision latency measurements on the wire.'

(via mechanical sympathy list)
corvil  timing  metrics  measurement  latency  network  solarcapture  packet-capture  financial  performance  security  network-monitoring 
may 2015 by jm
DRUG PUMP’S SECURITY FLAW LETS HACKERS RAISE DOSE LIMITS
The Hospira drug pump vulnerabilities described here sound pretty horrific
drugs  drug-pumps  hospira  exploits  vulnerabilities  security  root  dosage  limits 
may 2015 by jm
How the NSA Converts Spoken Words Into Searchable Text - The Intercept
This hits the nail on the head, IMO:
To Phillip Rogaway, a professor of computer science at the University of California, Davis, keyword-search is probably the “least of our problems.” In an email to The Intercept, Rogaway warned that “When the NSA identifies someone as ‘interesting’ based on contemporary NLP methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting'; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.' If the algorithms NSA computers use to identify threats are too complex for humans to understand, it will be impossible to understand the contours of the surveillance apparatus by which one is judged.  All that people will be able to do is to try your best to behave just like everyone else.”
privacy  security  gchq  nsa  surveillance  machine-learning  liberty  future  speech  nlp  pattern-analysis  cs 
may 2015 by jm
s3.amazonaws.com "certificate verification failed" errors due to crappy Verisign certs and overzealous curl policies
Seth Vargo is correct. It's not the bit length of the key which is at issue, it's the signature algorithm. The entire keychain for the s3.amazonaws.com key is signed with SHA1withRSA:

https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com&s=54.231.244.0&hideResults=on

At issue is that the root Verisign key has been marked as weak because of SHA1 and taken out of the curl bundle, which is widely popular, and this issue will continue to cause more and more issues going forwards as that bundle makes its way into shipping OS distributions and AWS certificate verification breaks.


'This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).' -- @jmhodges

This may be a contributory factor to the issue @nelson saw: https://nelsonslog.wordpress.com/2015/04/28/cyberduck-is-responsible-for-my-bad-ssl-certificate/

Curl's ca-certs bundle is also used by Node: https://github.com/joyent/node/issues/8894 and doubtless many other apps and packages.

Here's a mailing list thread discussing the issue: http://curl.haxx.se/mail/archive-2014-10/0066.html -- looks like the curl team aren't too bothered about it.
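The practical question when this bites is "which certificate in the chain or bundle is SHA-1 signed?". As an added example (not code from the linked issue or from curl; the helper names are mine), here is a scanner that walks a PEM bundle and reads just enough of each certificate's outer DER structure to pull out the signatureAlgorithm OID, with no third-party X.509 library. The sample certificates it builds for the demo are constructed placeholders with a valid outer shape, not real certificates:

```python
import base64
import re

# Added example, not code from the linked issue or from curl. It reads the outer DER
# structure of each certificate in a PEM bundle just far enough to pull out the
# signatureAlgorithm OID, so it needs no third-party X.509 library.

WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def scan_bundle(pem_text):
    """Return [(index, oid, weak_name_or_None)] for each certificate in the bundle."""
    out = []
    for i, m in enumerate(PEM_CERT.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_algorithm_oid(der)
        out.append((i, oid, WEAK_SIG_OIDS.get(oid)))
    return out


# --- constructed demo data: NOT real certificates, only the outer DER shape ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_cert(sig_oid):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                  # placeholder body
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))   # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 65)                                         # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    bundle = to_pem(build_sample_cert("1.2.840.113549.1.1.5")) + to_pem(build_sample_cert("1.2.840.113549.1.1.11"))
    for i, oid, weak in scan_bundle(bundle):
        print("cert %d: %s %s" % (i, oid, "WEAK (%s)" % weak if weak else "ok"))
```

Point `scan_bundle` at a real file (for example the text of `/etc/ssl/certs/ca-certificates.crt`, or the chain a server sends) to see which entries would trip a SHA-1 policy. One caveat worth keeping in mind when reading the results: a SHA-1 self-signature on a trust anchor is not itself exploitable, because a root is trusted by its presence in the store and its own signature is never verified; the signatures that matter are those on the intermediates and the leaf.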
curl  s3  amazon  aws  ssl  tls  certs  sha1  rsa  key-length  security  cacerts 
april 2015 by jm
Vault
HashiCorp's take on the secrets-storage system. Looks good.
hashicorp  deployment  security  secrets  authentication  vault  storage  keys  key-rotation 
april 2015 by jm
Google Online Security Blog: A Javascript-based DDoS Attack [the Greatfire DDoS] as seen by Safe Browsing
We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult.

Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.


Via Nelson.
google  security  via:nelson  ddos  javascript  tls  ssl  safe-browsing  networking  china  greatfire 
april 2015 by jm
OWASP KeyBox
a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration is based on profiles assigned to defined users.

Administrators can login using two-factor authentication with FreeOTP or Google Authenticator. From there they can create and manage public SSH keys or connect to their assigned systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.
keybox  owasp  security  ssh  tls  ssl  ops 
april 2015 by jm
Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica
The AVS WinVote system -- mind-bogglingly shitty security.
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place—within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know. I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me—as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.
security  voting  via:johnke  winvote  avs  shoup  wep  wifi  windows 
april 2015 by jm
attacks using U+202E - RIGHT-TO-LEFT OVERRIDE
Security implications of in-band signalling strike again, 43 years after the "Blue Box" hit the mainstream.

Jamie McCarthy on Twitter: ".@cmdrtaco - Remember when we had to block the U+202E code point in Slashdot comments to stop siht ekil stnemmoc? https://t.co/TcHxKkx9Oo"

See also http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/ -- GMail was vulnerable too; and http://en.wikipedia.org/wiki/Unicode_control_characters for more inline control chars.

http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing has some official recommendations from the Unicode consortium on dealing with bidi override chars.
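As an added example of the TR36 advice in practice (my code, not Slashdot's, Gmail's or the Unicode consortium's; the function names are mine), here is a small Python module that finds Unicode format characters in untrusted text, offers the two sane responses (strip them where bidi has no business being, or render them visibly in logs and review UIs), and models just enough of the override behaviour to show how a RIGHT-TO-LEFT OVERRIDE turns an `.exe` attachment into something that displays as `.jpg`:

```python
import unicodedata

# Added example, not code from Slashdot, Gmail or the Unicode report. Recognises the
# Unicode bidi control characters (the "explicit formatting" LRE/RLE/PDF/LRO/RLO set,
# the isolates LRI/RLI/FSI/PDI, and the LRM/RLM marks) in untrusted text, and shows
# what a RIGHT-TO-LEFT OVERRIDE does to a rendered filename.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM",
}
RLO, PDF = "\u202E", "\u202C"


def find_format_chars(text):
    """All Unicode 'Cf' (format) characters, which covers the bidi controls above and
    also the zero-width joiners/spaces abused the same way. Returns (index, name)."""
    return [(i, unicodedata.name(ch, "U+%04X" % ord(ch)))
            for i, ch in enumerate(text) if unicodedata.category(ch) == "Cf"]


def strip_bidi_controls(text):
    """The TR36 option for input that has no legitimate need for bidi overrides
    (usernames, filenames, code, URLs)."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def escape_bidi_controls(text):
    """Keep the character but make it visible: right for logs, diffs and review UIs."""
    return "".join("<U+%04X>" % ord(ch) if ch in BIDI_CONTROLS else ch for ch in text)


def approximate_display(text):
    """What a renderer shows for text containing RLO ... PDF: the run is reversed.
    Only the override case of the Unicode Bidi Algorithm is modelled (enough to show
    the spoof); other controls are dropped. Not a full bidi implementation."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == RLO:
            j = text.find(PDF, i + 1)
            end = len(text) if j == -1 else j
            out.append(text[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension_spoofed(filename):
    """True when the extension a user would see differs from the one the OS will use."""
    real = strip_bidi_controls(filename).rsplit(".", 1)[-1].lower()
    shown = approximate_display(filename).rsplit(".", 1)[-1].lower()
    return real != shown


if __name__ == "__main__":
    comment = RLO + "comments like this"
    print(approximate_display(comment))            # siht ekil stnemmoc
    name = "holiday_photo" + RLO + "gpj.exe"       # constructed: attachment name from an e-mail
    print(approximate_display(name), extension_spoofed(name), find_format_chars(name))
```

Which response to use depends on the field: strip for identifiers and filenames, escape for anything a human reviews, and in both cases reject rather than silently fix where the input is a security-relevant name (a code identifier, a URL, a certificate subject) so the attempt itself is visible.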
security  attacks  rlo  unicode  control-characters  codepoints  bidi  text  gmail  slashdot  sanitization  input 
april 2015 by jm
credstash
'CredStash is a very simple, easy to use credential management and distribution system that uses AWS Key Management System (KMS) for key wrapping and master-key storage, and DynamoDB for credential storage and sharing.'
aws  credstash  python  security  keys  key-management  secrets  kms 
april 2015 by jm
The missing MtGox bitcoins
Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox operated at fractional reserve for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox's collapse).

MtGox' bitcoins continuously went missing over time, but at a decreasing pace. Again by the middle of 2013, the curve goes more or less flat, matching the hypothesis that by that time there may not have been any more bitcoins left to lose. The rate of loss otherwise seems unusually smooth and at the same time not strictly relative to any readily available factors such as remaining BTC holdings, transaction volumes or the BTC price. Worth pointing out is that, thanks to having matched up most of the deposit/withdrawal log earlier, we can at this point at least rule out the possibility of any large-scale fake deposits — the bitcoins going into MtGox were real, meaning the discrepancy was likely rather caused by bitcoins leaving MtGox without going through valid withdrawals.
mtgox  bitcoin  security  fail  currency  theft  crime  btc 
april 2015 by jm
SCADA systems online, and a horror story about a non-airgapped Boeing 747 engine management system
747s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed.


(via Paddy Benson)
air-gap  planes  boeing  security  747  solaris  unix 
april 2015 by jm
HACKERS COULD COMMANDEER NEW PLANES THROUGH PASSENGER WI-FI
Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes


What the fucking fuck. Air-gap or gtfo
air-gap  security  planes  boeing  a380  a350  dreamliner  networking  firewalls  avionics 
april 2015 by jm
Keeping Your Car Safe From Electronic Thieves - NYTimes.com
In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet. Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.


What the hell -- who designed a system that would auto-unlock based on signal strength alone?!!
security  fail  cars  keys  signal  proximity  keyless-entry  prius  toyota  crime  amplification  power-amplifiers  3db  keyless 
april 2015 by jm