What we can learn from 2016: the year of the security breach

Ryan McGeehan, who specializes in helping companies recover from data-breaches, reflects on the worst year of data breaches (so far) and has some sound practical advice on how to reduce your risk and mitigate your losses: some easy wins are to get your staff to use password managers and two-factor authentication for their home computers (since everyone is expected to work in their off-hours, most home computers are an easy way to get into otherwise well-defended networks); and stress-test your network for breach recovery. Read the rest

Panasonic's in-flight entertainment systems have critical security flaws

In March 2015, IOActive's Ruben Santamarta privately disclosed his findings on the major bugs in Panasonic's Avionics IFE in-flight entertainment systems; 18 months later, it's not clear whether all airlines have patched these bugs. Read the rest

Trump's policies on net neutrality, free speech, press freedom, surveillance, encryption and cybersecurity

Three posts from the Electronic Frontier Foundation dispassionately recount the on-the-record policies of Trump and his advisors on issues that matter to a free, fair and open internet: net neutrality; surveillance, encryption and cybersecurity; free speech and freedom of the press. Read the rest

Freedom of the Press releases an automated, self-updating report card grading news-sites on HTTPS

Secure the News periodically checks in with news-sites to see how many of them implement HTTPS -- the secure protocol that stops your ISP and people snooping on it from knowing which pages you're looking at and from tampering with them -- and what proportion of them default to HTTPS. Read the rest

Bruce Schneier's four-year plan for the Trump years

1. Fight the fights (against more government and commercial surveillance; backdoors, government hacking); 2. Prepare for those fights (push companies to delete those logs; remind everyone that security and privacy can peacefully co-exist); 3. Lay the groundword for a better future (figure out non-surveillance internet business models, privacy-respecting law enforcement, and limits on corporate surveillance); 4. Continue to solve the actual problems (cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections). Read the rest

Digital self-defense for journalists

The Opennews project has published a set of annotated links to digital operational security tutorials that are relevant to journalists looking to defend themselves against various kinds of attacks, covering two-factor authentication, password managers, phishing, first aid for malware infections, and related subjects. (via 4 Short Links) Read the rest

Malware delivered by bad ads takes over your home router to serve more bad ads (for now)

Proofpoint has identified a new version of DNSChanger EK, a strain of malware that changes your DNS settings so that the ads on the websites you browse are replaced with other ads that benefit the attackers -- and which can also be used for more nefarious ends, because controlling your DNS means controlling things like where your computer gets software updates. Read the rest

Yahoo reveals hackers took a further 1 billion accounts (phone, DoB, names, emails)

Just a few months after Yahoo disclosed a 2014 breach of 500 million user accounts, the company today revealed this was preceded by a 1 billion account breach in 2013, in which the hackers took everything: hashed passwords, names, email addresses, phone numbers, dates of birth, and possibly the tools necessary to forge login cookies that would bypass password checks altogether.

Read the rest

How hackers tried to knock blacklivesmatter.com offline

DBO writes, "A new report by Deflect Labs tracks the complex ways that hackers have sought to take down the Black Lives Matter website. The attacks, which relied on harvesting WordPress sites, increased in sophistication and left a murky, unsavory trail by actors who did everything from try to extort the website to taking it down entirely." Read the rest

Florida appeals says you can be compelled to utter your phone's passphrase

A state appeals-court judge in Florida has broken with the precedent that the courts may not compel suspects to reveal the unlock codes for their devices as this would violate the Fifth Amendment's prohibition against forced self-incrimination. Read the rest

PWC threatens to sue security firm for disclosing embarrassing, dangerous defects in its software

ESNC, a German security research firm, discovered a critical flaw in PWC's enterprise software, which would allow attackers to hack into PWC customers' systems; when ESNC gave PWC notice of its intent to publish an advisory in 90 days, PWC promptly threatened to sue them if they did. Read the rest

Cryptomancer: RPG based on real crypto fundamentals

In Cryptomancer, players inhabit a fantasy world populated with elves, dwarves and humans, but they win out by designing and undermining cryptographically secured networks of magical gems that allow different factions to coordinate their actions over distance. Read the rest

The Mirai worm is gnawing its way through the Internet of Things and will not stop

The Mirai worm made its way into information security lore in September, when it was identified as the source of the punishing flood of junk traffic launched against Brian Krebs in retaliation for his investigative reporting about a couple of petty Israeli criminals; subsequent analysis showed Mirai to be amateurish and clumsy, and despite this, it went on to infect devices all over the world, gaining virulence as it hybridized with other Internet of Things worms, endangering entire countries, growing by leaps and bounds, helped along by negligent engineering practices at major companies like Sony. Read the rest

12 days of two-factor authentication: this Xmas, give yourself the gift of opsec

The Electronic Frontier Foundation has launched a new series, 12 Days of 2FA, in which every installment explains how to turn on two-factor authentication for a range of online services and platforms. Read the rest

Why are hackers so political?

Gabriella Coleman is the "hacker anthropologist" whose book on the anthropology of Anonymous is among the best books on hacking I've ever read; her new paper in Current Anthropology, From Internet Farming to Weapons of the Geek, poses a fascinating question: given that hackers are as well-paid and privileged as doctors, lawyers and academics, how come hackers are so much more political than other members of the professional elites? Read the rest

Mr Robot has driven a stake through the Hollywood hacker, and not a moment too soon

Mr Robot is the most successful example of a small but fast-growing genre of "techno-realist" media, where the focus is on realistic portrayals of hackers, information security, surveillance and privacy, and it represents a huge reversal on the usual portrayal of hackers and computers as convenient plot elements whose details can be finessed to meet the story's demands, without regard to reality. Read the rest

Not just crapgadgets: Sony's enterprise CCTV can be easily hacked by IoT worms like Mirai

The unprecedented denial-of-service attacks powered by the Mirai Internet of Things worm have harnessed crappy, no-name CCTVs, PVRs, and routers to launch unstoppable floods of internet noise, but it's not just faceless Chinese businesses that crank out containerloads of vulnerable, defective-by-design gear -- it's also name brands like Sony. Read the rest

More posts