How fraudsters' call centers work

Say you've just scammed someone out of all their financial details using an online fraud, but now you need to call up their bank and impersonate them, and you don't speak their language, have the wrong accent, or are of a different gender -- what do you do?

Juniper blinks: firewall will nuke the NSA's favorite random number generator

In the month since network security giant Juniper Networks was forced to admit that its products had NSA-linked backdoors, the company's tried a lot of different strategies: minimizing assurances, apologies, firmware updates -- everything, that is, except for removing the Dual_EC random number generator that is widely understood to have been compromised by the NSA.

Vtech, having leaked 6.3m kids' data, now wants to run your home security

Remember the Hong Kong-based crapgadgeteer Vtech, who breached 6.3 million kids' data from a database whose security was jaw-droppingly poor (no salted hashes, no code-injection countermeasures, no SSL), who then lied and stalled after they were outed? They want to make home security devices that will know everything you say and do in your house.

Juniper's products are still insecure; more evidence that the company was complicit

It's been a month since Juniper admitted that its firewalls had back-doors in them, possibly inserted by (or to aid) US intelligence agencies. In the month since, Juniper has failed to comprehensively seal those doors, and more suspicious information has come to light.

Someone at the Chaos Communications Congress inserted a poem into at least 30 million servers' logfiles

On December 30th, someone using an IP address from the 32nd Chaos Communications Congress in Hamburg sent a probe out to every IPv4 address with an open connection on Port 80, consisting of a poem exhorting the reader to "DELETE your logs. Delete your installations. Wipe everything clean, Walk out into the path of cherry blossom trees and let your motherboard feel the stones."

Help wanted: malware researcher for U of T's Citizenlab

Ronald Deibert from the University of Toronto's Citizenlab (previously) sez, "The Citizen Lab at the Munk School of Global Affairs, University of Toronto has a job posting for a security researcher/malware analyst.

Paypal rolls out the welcome mat for hackers

It's not bad enough that Paypal is prone to shutting down your account and seizing your dough if you have a particularly successful fundraiser -- they also have virtually no capacity to prevent hackers from changing the email address, password and phone numbers associated with your account, even if you're using their two-factor authentication fob.

Dieselgate: an analysis of VW's cheating firmware

Daniel Lange and Felix "tmbinc" Domke bought some of Volkswagen's cheating Engine Control Units on Ebay and extracted and decompiled the software in them to learn exactly how the cheating took place.

Videos from the thirty-second Chaos Communications Congress

More overtly political than security events like Vegas's Defcon, more regular than New York's HOPE, CCC events in Hamburg are an annual gathering of the hacktivist tribes.

Payment system security is hilariously bad

In Shopshifting: The potential for payment system abuse, Karsten Nohl and Fabian Bräunlein showed attendees at Hamburg's Chaos Communications Congress just how poor the security in payment terminals is, and demonstrated several attacks that would let them harvest card numbers and PINs, make undetectable phantom charges and refunds to merchant accounts, and commit other mischief.

The DMCA poisoned the Internet of Things in its cradle

Bruce Schneier explains the short, terrible history of the Internet of Things, in which companies were lured to create proprietary lock-ins for their products because the DMCA, a stupid 1998 copyright law, gave them the power to sue anyone who made a product that connected to theirs without permission.

3.3 million Hello Kitty website accounts leaked

Last week, security researcher Chris Vickery discovered a database containing 3.3 million accounts from Sanriotown, a commercial Hello Kitty fansite operated by Sanrio, Hello Kitty's corporate owners.

Israeli company's product can (allegedly) pwn any nearby mobile phone

The Interapp from Tel Aviv's Rayzone Group is an intrusion appliance that uses a cache of zero-day exploits against common mobile phone OSes and is marketed as having the capability to infect and take over any nearby phone whose wifi is turned on.

Bro: a free/open intrusion detection system

"Bro network" is an (unfortunately named) open/free IDS that turns all your network traffic into events that can trigger scripts you write. As Nat writes, "Good pedigree (Vern Paxson, a TCP/IP elder god) despite the wince-inducing name."

Juniper Networks backdoor confirmed, password revealed, NSA suspected

Juniper Networks makes a popular line of enterprise firewalls whose operating system is called ScreenOS. The company raised alarm bells with a late-day-on-a-Friday advisory announcing that they'd discovered "unauthorized code" in some versions of ScreenOS, a strange occurrence that hinted that a security agency or criminal enterprise had managed to tamper with the product before it shipped.

Unevenly distributed futures: an interview with @internetofshit

The @internetofshit account posts sardonic observations about the Internet of Things, which is filled with the most depressing array of useless, dangerously insecure, exploitative junk imaginable.

Security appliance lets hackers pwn whole nets with a never-opened email

The Fireeye "threat prevention device" is designed to scan all the emails, attachments, and other files coming in and out of your network, but a bug in the device allowed hackers to embed malware in an email that would take over the device -- and your whole network -- when the device checked it for viruses.
