Fake Google subdomain certificates found in the wild

An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.

Read the rest

Google Maps' enduring security holes put businesses at risk


It's been more than a year since a series of high-profile articles demonstrated that Google Maps' crowdsourcing function can be used create new listings, alter existing business listings, and even create fake Secret Service offices that real-life cops end up calling.

Read the rest

"Personal Internet security" is a team sport


My latest column in Locus magazine, Security in Numbers, looks at the impossibility of being secure on your own -- if you use the Internet to talk to other people, they have to care about security, too.

Read the rest

ISPs sue UK spies over hack-attacks


ISPs in US, UK, Netherlands and South Korea are suing the UK spy agency GCHQ over its illegal attacks on their networks in the course of conducting surveillance.

Read the rest

UK cinemas ban Google Glass from screenings


UK cinema exhibitors -- which already makes a practice of recklessly confiscating mobile phones full of sensitive, unprotected data during preview screenings -- have announced that it will not allow Google Glass wearers into cinemas, lest they commit an act of piracy (Glass has a 45 minute battery life when in recording mode).

Read the rest

Cyber-crooks turn to Bitcoin extortion


Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.

Read the rest

Charlie Stross on the stop/go nature of technological change

Charlie Stross's keynote speech to the Yet Another Perl Conference is an inspired riff on the weird, gradual-then-sudden nature of technological change. As Charlie points out, almost everything today -- including the people -- was around 20 years ago, and most of what's around now will be around in 20 years. But there will be some changes that would shock your boots off. Improbably, he manages to tie this all into perl programming, which, apparently, is the future of smart sidewalks. Charlie's thoughtfully provided a transcript of his talk, and there's a video for those who prefer to hear his rather good comic delivery.

Read the rest

Cops bust cybercrook who sent heroin to Brian Krebs

Sergei "Fly" Vovnenko, a Russo-Ukrainian cybercrook who stalked and harassed security journalist Brian Krebs -- at one point conspiring to get him arrested by sending him heroin via the Silk Road -- has been arrested. According to Krebs, Vovnenko was a prolific credit-card crook, specializing in dumps of stolen Italian credit-card numbers, and faces charges in Italy and the USA. Krebs documents how Vovnenko's identity came to light because he installed a keylogger on his own wife's computer, which subsequently leaked her real name, which led to him.

Read the rest

Researchers publish secret details of cops' phone-surveillance malware


Kaspersky Labs (Russia) and Citizen Lab (University of Toronto) have independently published details of phone-hacking tools sold to police departments worldwide by the Italian firm Hacking Team (here's Kaspersky's report and Citizen Lab's). The tools can be used to attack Android, Ios, Windows Mobile and Blackberry devices, with the most sophisticated attacks reserved for Android and Ios.

The spyware can covertly record sound, images and keystrokes, capture screenshots, and access the phones' storage and GPS. The tools are designed to detect attempts to search for them and to delete themselves without a trace if they sense that they are under attack.

Hacking Team insists that its tools are only sold to "democratic" police forces, but Citizen Lab's report suggests that the tool was used by the Saudi government to target dissidents.

The means of infection is device-specific. If police have physical access, it's simple. Android devices can be attacked by infecting a PC with a virus that installs the police malware when the device is connected to it. This attack also works on jailbroken Iphones.

Read the rest

Anti-forensic mobile OS gets your phone to lie for you

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the Cyanogenmod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that "lies" for you so that adversaries who coerce you into letting them take a copy of its data can't find out where you've been, who you've been talking to, or what you've been talking about.

I'm interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc -- all the things that are useful to have in daily use -- but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn't work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don't need to seize your phone in the first place.

Read the rest

US appeals court rules a warrant is required for cell phone location tracking

logo25

Big news in the fight for security and privacy in the US: the 11th Circuit Court of Appeals this week ruled that a warrant is required for cell phone location tracking.

Read the rest

Criminal website selling thousands of credit cards hijacked from PF Chang's diners


In an echo of the massive breach of credit-card numbers from Target, credit-card numbers from thousands of PF Chang's customers who used their cards at the restaurant between March and May 2014 are being sold on the criminal underground. Rescator, the criminal selling the PF Chang's customers' card, has branded his product "Ronald Reagan", and offers cards at different prices based on whether they're regular, gold or platinum cards.

Read the rest

Encrypt like a boss with the Email Self-Defense Guide


Libby writes, "Today the Free Software Foundation is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder. We're releasing it as part of Reset the Net, a global day of action to push back against the surveillance-industrial complex. The guide will get you encrypting your emails in under 30 minutes, and takes you all the way through sending and receiving your first encrypted email."

Email Self-Defense - a guide to fighting surveillance with GnuPG (Thanks, Libby!)

Hackers in Iran set up fake news websites in cyberattack on US

"An elaborate, three-year cyberespionage campaign against United States military contractors, members of Congress, diplomats, lobbyists and Washington-based journalists has been linked to hackers in Iran." The NYT's Nicole Perlroth has more from a report released this week by the Dallas computer security firm iSight Partners.

Massive theft of medical data in LA sparks new security moves

la-me-ln-county-data-encryption-20140527-001In Los Angeles, the theft of computers from a county contractor's office that contained personal data for over 342,000 patients has led to a call for tighter security.

Read the rest