Hacking Team supplied cyber-weapons to corrupt Latin American governments for human rights abuses

In Hacking Team Malware Para La Vigilancia en América Latina, a new report from Derechos Digitales, we learn how Hacking Team, the hacked-and-disgraced cyber-arms dealer (previously), supplied weapons to corrupt state actors in Latin America who used them to spy on political opposition, journalists and academics.

Brussels terrorists kept their plans in an unencrypted folder called "TARGET"

Remember how, in the wake of the horrific terrorist attacks on Brussels last month, authorities all over the world declared that the world was critically endangered by cryptography, insisting that crazy, far-reaching crypto-bans were necessary to prevent another attack?

Let's Encrypt is actually encrypting the whole Web

Let's Encrypt (previously), a joint EFF-Mozilla-Linux Foundation project that lets anyone easily create an SSL certificate for free in minutes and install and configure it so that visitors to their Websites will be shielded from surveillance, came out of beta this week, and it's already making a huge difference.

URL shorteners are a short path to your computer's hard drive

Lots of cloud services use URL shorteners to allow their users to share access to networked folders, but with only six characters to brute force, it's possible to scan all the URLs associated with a cloud service, locate the open shared folders, and poison them with malware while you plunder them for secrets.

UL has a new, opaque certification process for cybersecurity

The idea of a "Cyber-Underwriters Laboratories mark" is really in the air; in the past six months, I've had it proposed to me by spooks, regulators, activists, consumer protection advocates, and security experts. But the devil is in the details.

The perfect suffix for your "cyber-" buzzword

Adding "cyber-" to any initiative is a sure-fire budget- and approval-winner, at least in the military industrial complex. If you're struggling to figure out what to use on your opening slide, here's a handy crib-sheet.

Philippines electoral data breach much worse than initially reported, possibly worst ever

In late March, the Philippine Commission on Elections website was defaced in an Anonymous op, and a few days later, Lulzsec Pilipinas dumped its voter database. At the time, the Commission claimed that no sensitive information was exposed in the breach, but that is clearly not the case.

Why the rise of ransomware attacks should worry you

Sean Gallagher does an excellent job of running down the economics and technology behind the rise and rise of ransomware attacks: ransomware has become a surefire way to turn a buck on virtually any network intrusion, and network intrusions themselves are trivial if you don't especially care whose networks you break into.

The price of stealing an identity is crashing, with no bottom in sight

The sharp increase in known, unpatched vulnerabilities in the tools we use to access the Internet has caused the price of exploits to fall through the floor.

A perfect storm of broken business and busted FLOSS backdoors everything, so who needs the NSA?

In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects, gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.

Ransomware creeps steal two more hospitals. Again. Again.

Unlike the Hollywood hospital shutdown in Feb and the Kentucky shutdown in March, which got in by phishing attacks on employees, the two hospitals in Baltimore that were taken offline by ransomware were targeted by server-based attacks that got in through vulnerabilities in public-facing hospital services.

Automated drug cabinets have 1400+ critical vulns that will never be patched

The Pyxis Supplystation from Carefusion is an automated pharmaceutical drug cabinet system that's still widely used despite being end-of-lifed by its manufacturer -- a new report from CERT discloses that independent researchers Billy Rios and Mike Ahmadi have found over 1,400 critical remote-attack vulnerabilities.

CNBC's secure password tutorial sent your password in the clear to 30 advertisers

CNBC's Big Crunch blog put up a well-intentioned, but disastrously designed tutorial on secure password creation, which invited users to paste their passwords into a field to have them graded on how difficult it would be to guess them.

Security researchers: help EFF keep the Web safe for browser research!

With the Electronic Frontier Foundation, I've been lobbying the World Wide Web Consortium (W3C), which sets the open standards that the Web runs on, to take measures to protect security researchers (and the users they help) from their own bad decision to standardize Digital Rights Management as part of HTML5.

Ransomware gets a lot faster by encrypting the master file table instead of the filesystem

In just a few short years, ransomware -- malware that encrypts all the files on the computer and then charges you for a key to restore them -- has gone from a clever literary device for technothrillers to a cottage industry to an epidemic to a public menace.

Security-conscious darkweb crime marketplaces institute world-leading authentication practices

If you are a seller on Alphabay -- a darkweb site that sells "drugs, stolen data and hacking tools" -- you'll have to use two-factor authentication (based on PGP/GPG) for all your logins.

Names that break databases

Jennifer Null is impossible: her name can't be entered into most modern databases (plane reservations, wedding registries) because "null" is used to separate fields in databases themselves.
