cross pond high tech
light views on high tech in both Europe and US
Scooped by Philippe J DEWOST

USB has a huge security problem that could take years to fix

In July, researchers Karsten Nohl and Jakob Lell announced that they'd found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn't seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn't publish the code, so the industry had some time to prepare for a world without USB.

As of this week, that's no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn't share Nohl and Lell's concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user's keyboard input and turns control over to the attacker. According to Caudill, the motive for the release was to put pressure on manufacturers. "If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it," he told Wired's Andy Greenberg. "You have to prove to the world that it’s practical, that anyone can do it."

Philippe J DEWOST's insight:

Repeat after me: "I will not accept any USB drive from strangers"

TidBITS: How to Protect Your iCloud Keychain from the NSA

Apple has released a massive update to its “iOS Security” white paper for IT professionals. It contains more information on iOS security than Apple has ever shared publicly before, including extensive details on Touch ID, Data Protection, network security, application security, and nearly all security-related features, options, and protective controls.

For the first time, we have extensive details on iCloud security. For security professionals like myself, this is like waking up and finding a pot of gold sitting on my keyboard. Along with some of the most impressive security I’ve ever seen, Apple has provided a way to make it impossible for agencies like the NSA to obtain your iCloud Keychain passwords.

Philippe J DEWOST's insight:

This is getting very serious even if I start worrying for Dashlane

Researchers can slip an undetectable trojan into Intel’s Ivy Bridge CPUs

Scientists have developed a technique to sabotage the cryptographic capabilities included in Intel's Ivy Bridge line of microprocessors. The technique works without being detected by built-in tests or physical inspection of the chip.

The proof of concept comes eight years after the US Department of Defense voiced concern that integrated circuits used in crucial military systems might be altered in ways that covertly undermined their security or reliability. The report was the starting point for research into techniques for detecting so-called hardware trojans. But until now, there has been little study into just how feasible it would be to alter the design or manufacturing process of widely used chips to equip them with secret backdoors.

In a recently published research paper, scientists devised two such backdoors they said adversaries could feasibly build into processors to surreptitiously bypass cryptographic protections provided by the computer running the chips. The paper is attracting interest following recent revelations the National Security Agency is exploiting weaknesses deliberately built-in to widely used cryptographic technologies so analysts can decode vast swaths of Internet traffic that otherwise would be unreadable.

Philippe J DEWOST's insight:

Oops

SSH Backdoors Found in Barracuda Networks Gear

A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.

Barracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab, discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehböck found that the username “product” could be used to log in and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Philippe J DEWOST's insight:

Oops. Looks like some have been around for almost 10 years...

Babel phish: In which languages are internet passwords easiest to crack?

DESPITE entreaties not to, many people choose rather predictable passwords to protect themselves online. "12345"; "password"; and the like are easy to remember but also easy for attackers to guess, especially with programs that automate the process using lists ("dictionaries") of common choices. Cambridge University computer scientist Joseph Bonneau has recently published an analysis of the passwords chosen by almost 70m (anonymised) Yahoo! users. One interesting result is shown below. The chart shows what percentage of accounts could be cracked after 1,000 attempts using such a dictionary. Amateur linguists can have fun speculating on why the Chinese do so well and the Indonesians do not. But one particularly interesting twist is how little difference using language-specific dictionaries makes. It is possible to crack roughly 4% of Chinese accounts using a Chinese dictionary; using a generic dictionary containing the most common terms from many languages, that figure drops only slightly, to 2.9%. Speakers of every language, it seems, have fairly similar preferences.
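The figure described above ("percentage of accounts cracked after 1,000 attempts") is a coverage metric: how many accounts fall inside a fixed budget of guesses taken from a frequency-ranked list. The following is an added example, not part of the article or of Bonneau's study, that computes that metric on small constructed password samples and contrasts a generic list with language-specific ones; all account data, dictionaries and the two-language split are hypothetical. The same ranked list serves the defender as a blocklist, which is the last function shown.

```python
from collections import Counter

# Constructed sample passwords per language group (hypothetical data,
# not Bonneau's anonymised Yahoo! set). One entry per account.
ACCOUNTS = {
    "en": ["password", "123456", "letmein", "Tr0ub4dor&3", "qwerty",
           "correcthorse", "password", "sunshine", "x9!kLm2#", "123456"],
    "zh": ["123456", "woaini", "111111", "5201314", "Zq8#pL9w",
           "123456", "a1b2c3", "qwerty", "888888", "Kp0!zzQ1"],
}

# Constructed guess lists, most common first. The generic list mixes the
# most frequent choices across languages; the others are per language.
GENERIC_DICT = ["123456", "password", "qwerty", "111111", "letmein",
                "sunshine", "888888", "iloveyou", "monkey", "woaini"]
LANGUAGE_DICTS = {
    "en": ["password", "123456", "qwerty", "letmein", "sunshine", "monkey"],
    "zh": ["123456", "woaini", "111111", "5201314", "888888", "woaini1314"],
}


def build_dictionary(passwords):
    """Rank observed passwords by frequency, most common first.

    This is how a 'most common terms' dictionary is derived from a
    corpus; ties keep first-seen order (Counter.most_common is stable).
    """
    return [pw for pw, _ in Counter(passwords).most_common()]


def coverage(passwords, dictionary, budget):
    """Fraction of accounts whose password is among the first `budget`
    entries of `dictionary`, i.e. the 'cracked after N attempts' figure."""
    guesses = set(dictionary[:budget])
    hits = sum(1 for pw in passwords if pw in guesses)
    return hits / len(passwords)


def compare(accounts, generic, per_language, budget):
    """Per language: (generic-list coverage, language-specific coverage)."""
    return {
        lang: (coverage(pws, generic, budget),
               coverage(pws, per_language[lang], budget))
        for lang, pws in accounts.items()
    }


def is_blocklisted(password, dictionary, budget):
    """Defender-side use of the same ranking: reject a candidate password
    that sits inside the first `budget` guesses of the list."""
    return password in set(dictionary[:budget])


if __name__ == "__main__":
    # Budget of 8 guesses stands in for the article's 1,000 on this tiny sample.
    for lang, (generic, specific) in compare(ACCOUNTS, GENERIC_DICT,
                                             LANGUAGE_DICTS, 8).items():
        print(f"{lang}: generic {generic:.0%}, language-specific {specific:.0%}")
```

On the constructed data the language-specific list adds only one extra hit for the "zh" group and none for "en", mirroring the article's observation that the generic list already captures most of what a localised one would; `is_blocklisted` turns the attacker's ranking into a password-policy check that rejects exactly the choices a small-budget guess would cover.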
Does your Heartbleed?

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

Philippe J DEWOST's insight:

I am used to seeing BT's Security Chief more soft-toned. This OpenSSL bug must be very serious.

Hackers allegedly exploit Snapchat security hole and leak 4.6m usernames and phone numbers online

If you're a Snapchat user, then you might be interested to know that someone may have found a way to save the usernames and phone numbers for 4.6 million accounts. The website SnapchatDB.info ...
Philippe J DEWOST's insight:

Content vanishes (supposedly) yet identity seems more resilient (and less protected)

'Biggest ever attack' slows internet

The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.

A row between a spam-fighting group and hosting firm has sparked retaliation attacks affecting the wider internet.

It is having an impact on popular services like Netflix - and experts worry it could escalate to affect banking and email systems.

Five national cyber-police-forces are investigating the attacks.

Philippe J DEWOST's insight:

Dooo yoouu feeeel the sloooow doooown?

how to check if your Apple device UDID has been compromised by the AntiSec leak

If you're worried that you might own one of the 1 million Apple devices that have had their UDIDs leaked by AntiSec, reportedly from a breach of an FBI agent's laptop, our rockstar ...