Gentlemachines
What's new at the crossroads of culture, technology and science
Curated by Artur Alves
Scooped by Artur Alves

The Hacking of Federal Data Is Much Worse Than First Thought

Hackers linked to China appear to have stolen security-clearance records with sensitive data about millions of American military and intelligence personnel.
Artur Alves's insight:

«

On Friday, it was revealed that all of the data on Standard Form 86, filled out by millions of current and former military and intelligence workers, is now believed to be in the hands of Chinese hackers.

This not only means that the hackers may have troves of personal data about Americans with highly sensitive jobs, but also that contacts or family members of American intelligence employees living abroad could potentially be targeted for coercion. At its worst, this cyberbreach also provides a basic roster of every American with a security clearance.

»

Scooped by Artur Alves

Why Heartbleed is the most dangerous security flaw on the web

Monday afternoon, the IT world got a very nasty wakeup call, an emergency security advisory from the OpenSSL project warning about an open bug called "Heartbleed." The bug could be used to pull a...
Artur Alves's insight:

«Discovered by Google researcher Neel Mehta, the bug allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing, attackers don't know what usable data will be in the haul, but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.»

Henrik Safegaard - Cloneartist's curator insight, April 10, 2014 3:16 AM

Seems 2 out of 3 servers are infected or have been.

Apple, Google and Microsoft appear to be unaffected, along with the major e-banking services. Yahoo, on the other hand, was affected and leaking user credentials for a significant portion of the day before its core sites were fixed. More generally, any server running OpenSSL on Apache or Nginx will be affected, which implicates a huge variety of everyday websites and services.

Artur Alves's comment, April 10, 2014 8:42 AM
I am scooping two more pieces on Heartbleed.
Asil's comment, April 10, 2014 11:07 AM
I put a ticket in with ScoopIt asking them to advise what the situation is with their servers. So far, I have only received the automatic response. I'm still not finding anything official posted by ScoopIt themselves, but a user has started a ScoopIt topic on the exploit: http://www.scoop.it/t/heartbleed
Scooped by Artur Alves

Dissecting social engineering


Dissecting social engineering. Behaviour & Information Technology. doi: 10.1080/0144929X.2013.763860

Artur Alves's insight:

Abstract:

"In information security terms, social engineering (SE) refers to incidents in which an information system is penetrated through the use of social methods. The literature to date (40 texts), which was reviewed for this article, emphasises individual techniques in its description of SE. This leads to a very scattered, anecdotal, and vague notion of SE. In addition, due to the lack of analytical concepts, research conducted on SE encounters difficulties in explaining the success of SE. In such explanations, the victim's psychological traits are overemphasised, although this kind of explanation can cover only a small portion of SE cases. In this article, we have sought to elaborate the concept of SE through analysis of the functions of different techniques. In this way, we have been able to extrapolate three dimensions of SE: persuasion, fabrication, and data gathering. By utilising these dimensions, SE can be grasped in all its aspects instead of through individual techniques. Furthermore, research can benefit from our multidimensional approach as each of the dimensions pertains to a different theory. Therefore, the victim's personal traits cannot function as the only explanation. All in all, the analysis, understanding, and explanation of the success of SE can be furthered using our new approach."

Scooped by Artur Alves

Apple patent could remotely disable protesters' phone cameras | ZDNet


"A new patent, granted to Apple, could prevent academic cheating, cinema interruptions, but also see areas of political protest activity 'ring-fenced' disabling phone and tablet cameras.

(...) It's clear that although Apple may implement the technology, it would not be Apple's decision to activate the 'feature,' such as a remote-switch -- it would be down to governments, businesses and network owners to set such policies.

Those policies would be activated by GPS, and Wi-Fi or mobile base-stations, which would ring-fence ("geofence") around a building, a protest, or a sensitive area to prevent phone cameras from taking pictures or recording video.

Other features, such as email or connecting to non-authorized networks -- such as working in the office and connecting to a non-work network on a company-owned device -- could be set, for example.

This sort of 'feature' would not bode well for journalists taking photos and citizens recording acts of state violence or police brutality in areas where ordinary people are facing increasing crackdowns on civil and human rights."

Scooped by Artur Alves

Railroads want one-man crews on massive freight trains


Monday's fiery oil train crash was the latest in a string of explosive wrecks that have sparked fears about America's surge in oil train traffic.

Artur Alves's insight:

Railroads are pushing for staff reductions on trains carrying large amounts of oil in North America, even as multiple accidents demonstrate the risks of security compromises.

«
Monday’s fiery oil train crash in West Virginia was the latest in a string of explosive wrecks that have sparked fears about America’s surge in oil train traffic. And soon those trains may be rumbling through populated areas with just a single person at the controls, a change that railroad workers say presents an unacceptable risk.

Railroads have proposed eliminating the job of on-board conductor on most trains, leaving just an engineer aboard. The workers argue that one-person crews will mean more out-of-control trains, like the runaway that caused the Lac-Mégantic disaster in 2013. An oil train rolled downhill in the tiny Quebec town and exploded, killing 47 people. The company that owned the train had just downsized to a one-man crew, and that engineer failed to set the brakes properly, according to regulators.

Railroad executives counter that a new GPS-based braking system—required by Congress by the end of this year—will be enough to blunt that risk. But railroad workers, environmental groups, and people in the communities along the tracks strongly disagree.

“It’s a recipe for disaster,” said Mark Voelker, a switchman for BNSF Railway and an organizer for the SMART union, which represents conductors nationwide.

“These are mile-long trains carrying every kind of hazardous material you can think of through communities,” said Jen Wallis, another BNSF employee and founder of a caucus with members from 13 different railroad unions. “Why would you compromise the safe passage of these trains for profit?”
»

Scooped by Artur Alves

GCHQ taps fibre-optic cables for secret access to world's communications

Exclusive: British spy agency collects and stores vast quantities of global email messages, Facebook posts, internet histories and calls, and shares them with NSA, latest documents from Edward Snowden reveal...
Artur Alves's insight:

"The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate.

One key innovation has been GCHQ's ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months.

GCHQ and the NSA are consequently able to access and process vast quantities of communications between entirely innocent people, as well as targeted suspects."

Scooped by Artur Alves

ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications | Techdirt


"The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications. In discussing IPSec, an end-to-end encryption technology that obscures all traffic content, the document notes that “aspects related to application identification are for further study” – as if some future work may be dedicated to somehow breaking or circumventing IPSec." (https://www.cdt.org/blogs/cdt/2811adoption-traffic-sniffing-standard-fans-wcit-flames)
