As explained in a paper titled A Formal Security Analysis of the Signal Messaging Protocol (PDF) from the International Association for Cryptologic Research, Signal has no discernible flaws and offers a well-designed and compromise-resistant architecture.

Signal uses a double rachet algorithm that employs ephemeral key exchanges continually during each session, minimising the amount of text that can be decrypted at any point should a key be compromised.

Signal was examined by a team of five researchers from the UK, Australia, and Canada, namely Oxford University information security Professor Cas Cremers and his PhDs Katriel Cohn-Gordon and Luke Garratt, Queensland University of Technology PhD Benjamin Dowling, and McMaster University Assistant Professor Douglas Stebila.
[…]
The team finds some room for improvement which they passed on to the app’s developers, namely that the protocol can be further strengthened with negligible cost by using “constructions in the spirit of the NAXOS (authenticated key exchange) protocol” [PDF]” by or including a static-static Diffie-Hellman shared secret in the key derivation. This would solve the risk of attackers compromising communications should the random number generator become fully predictable.

The paper does, however, cover only a subsection of Signal’s efforts, as it ignores non-Signal library components, plus application and implementation variations. It should therefore be considered a substantial starting point for future analysis, the authors say, rather than the final world on Signal.

Source: ‘Trust it’: Results of Signal’s first formal crypto analysis are in

Cisco has fixed a vulnerability in its Professional Careers portal that may have exposed truckloads of personal information.

The networking giant has sent an email to affected users in which it says a “limited set of job application related information” was leaked from the mobile version of the website, blaming an “incorrect security setting” placed after system maintenance on a third party site.
[…]
It says exposed data may have included real and login names; passwords; physical and email addresses, phone numbers; answers to security questions; users’ education and professions; cover letters and resumes.

Any hacker hoovering up that data would have also gained applicants’ voluntary information including gender, race, and veteran and disability status, and disability.

Source: Cisco’s job applications site leaked personal data

Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.

Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6.

[…]

Once a device is infected, its IP address is stored so the botnet operator can re-infect it if it suddenly loses contact with the command and control channel.

Source: New, more-powerful IoT botnet infects 3,500 devices in 5 days

The nation state has a single point of failure fiber, recently installed in 2011, and it could spell disaster for dozens of other countries

The attack was said to be upwards of 1.1Tbps — more than double the attack a few weeks earlier on security reporter Brian Krebs’ website, which was about 620Gbps in size, said to be one of the largest at the time. The attack was made possible by the Mirai botnet, an open-source botnet that anyone can use, which harnesses the power of insecure Internet of Things (IoT) devices.

This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country, Liberia, sending it almost entirely offline each time.

Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen.

One transit provider said the attacks were over 500Gbps in size. Beaumont said that given the volume of traffic, it “appears to be the owned by the actor which attacked Dyn”.

Source: Mirai botnet attackers are trying to knock an entire country offline

Long-overdue rules protecting security research and vehicle repair have finally taken effect, as they should have done last year. Though the Copyright Office and the Librarian of Congress unlawfully and pointlessly delayed their implementation, for the next two years the public can take advantage of the freedom they offer.

Source: Why Did We Have to Wait a Year to Fix Our Cars? | Electronic Frontier Foundation

Government idiots.

The researchers found that when connected to a target user on a Skype call, they could record the audio of the user’s keystrokes. With a small amount of knowledge about the victim’s typing style and the keyboard he’s using, the researchers could accurately get 91.7 percent of keystrokes. The attack does not require any malware on the victim’s machine and simply takes advantage of the way that VoIP software acquires acoustic emanations from the machine it’s on.

Source: Recording Keystroke Sounds Over Skype to Steal User Data | On the Wire

Redmond’s digital crimes unit senior attorney Courtney Gregoire says half of respondents between the age of 18 and 34 had followed tech support scammer instructions, handing over remote access to their machines or downloading software after encountering a scam page.

Only 17 per cent of respondents 55 years and older took the bait. Meanwhile, one in three (34 per cent) of folks aged between 36 and 54 fell for scams.

Source: Kids today are so stupid they fall for security scams more often than greybeards

A total of 32 lakh debit cards across 19 banks could have been compromised on account of a purported fraud, the National Payment Corporation of India said in a statement.

The issue was brought to light when State Bank of India blocked the debit cards of 6 lakh customers on October 14. This was done after the bank was alerted to a possible fraud by the National Payment Corporation of India, MasterCard and Visa, said Managing Director Rajnish Kumar in a telephonic interview with BloombergQuint.

In a statement released on Thursday evening, the NPCI clarified that the problem was brought to their attention when they received complaints from a few banks that customers’ cards were used fraudulently, mainly in China and the U.S., while those cardholders were in India.

Source: The Big Debit Card Breach: Three Things Card Holders Need To Understand

The BTB provides a history of branches taken by the processor as it runs through its code: after the CPU is told to make a decision, it usually jumps to another part of the program based on the outcome of that decision. For example, if something fetched from memory has a value greater than zero, then jump to location A or jump to location B if not.

If a jump location is in the history buffer then the CPU knows this branch is usually taken so can start priming itself with instructions from the jump landing point. That means branches routinely taken execute with minimal delay.

By flooding the BTB with a range of branch targets, hackers can observe the BTB refilling with values of regularly taken jumps. This allows the miscreants to work out where in memory the operating system has randomly placed the application’s vital components. It takes a few tens of milliseconds to perform, we’re told. The eggheads say this allows an “attacker to identify the locations of known branch instructions in the address space of the victim process or kernel.”

Source: Boffins exploit Intel CPU weakness to run rings around code defenses

For the past two years, since researchers discovered the attack, the term Rowhammer has been used to describe a procedure through which attackers launch read & write operations at a row of memory bits inside a RAM memory card.

The repeated read and write operations cause an electromagnetic field to appear, which changes local memory bits from 0 to 1 and vice versa, in a process called bit flipping.

For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack.

The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable.

Source: Rowhammer Attack Can Now Root Android Devices

iTrack Easy, Nut Smart Tracker, TrackR Bravo en Tile were looked at: both the data the device itself sends and the apps they use. They don’t come out well.

Source: Stalkers volgen je dankzij je eigen GPS-trackers

On Oct 1, after a 2h absence from his phone, Bob attempted to check his email and discovered he’d been logged out of his gmail account. Upon trying to log back in, Google notified him that his email password had been changed less than an hour ago.

He then tried to make a call and discovered that his phone service was no longer active. Calling Verizon, he discovered that someone (the attacker) had called less than an hour ago and switched his service to an iPhone 4. Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record.

The attacker was able to reset Bob’s password and take control of his account. He or she then removed Bob’s recovery email, changed the password, changed the name on the account, and enabled two factor authentication. (Records show that the account was accessed from IP addresses in Iowa and Germany.)

Source: Adding a phone number to your Google account can make it LESS secure.

What is the CVE-2016-5195?

CVE-2016-5195 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE.

Why is it called the Dirty COW bug?

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.” (RH)

Source: Dirty COW (CVE-2016-5195)

Now we have yet another massive database leak has been uncovered related to an insecure MongoDB installation, exposing at least 58 million subscriber records.

Twitter user @0x2Taylor posted exfiltrated data on the file sharing site MEGA twice over the weekend, each time resulting in the data being taken down very quickly. The data was then released for a third time on a smaller file sharing website. After analyzing the dataset, we can confirm that nearly 58 million records contain full names, IP addresses, dates of birth, email addresses, vehicle data, and occupations were included in the leak.

Who Is Modern Business Solutions?

Modern Business Solutions (MBS) describes itself as a technology and application service provider specializing in data management and monetization services for data owners. Based in Austin, TX, the firm claims to help “clients build their revenue streams by providing content and services” to a variety of industries including the automotive and employment verticals.

Source: Modern Business Solutions Stumbles Over A Modern Business Problem – 58M Records Dumped From An Unsecured Database

A data management company that can’t configure a database? What a bunch of tits!

A new strain of malware has been discovered by Kaspersky Labs, named ‘StrongPity,’ which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows, which compresses and extracts files, while the latter is a discontinued encryption tool.

The malware contains components that not only has the ability to give attackers complete control on the victim’s computer, but also steal disk contents and download other software that the cybercriminals need. It was found that users in Italy and Belgium were affected the most, but there were also records found in Turkey, North Africa, and the Middle East.

To be able to gather victims, the attackers have built special fake websites that supposedly host the two programs. One instance that was discovered by the researchers is that the criminals transposed two letters in a domain name, in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.

Source: ‘StrongPity’ malware infects users through illegitimate WinRAR and TrueCrypt installers

inisters have been barred from wearing Apple Watches during Cabinet meetings amid concerns that they could be hacked by Russian spies, The Telegraph has learned.

Under David Cameron, several cabinet ministers wore the smart watches, including Michael Gove, the former Justice Secretary.

However, under Theresa May ministers have been barred from wearing them amid concerns that they could be used by hackers as listening devices.

Mobile phones have already been barred from the Cabinet because of similar concerns.

One source said: “The Russians are trying to hack everything.”

Source: Apple Watches banned from Cabinet after ministers warned devices could be vulnerable to hacking 

In the latest exchange between Mobileye and Tesla, however, the chip company has accused Tesla of lying. “The allegations recently attributed to a spokesperson for Tesla … are incorrect and can be refuted by the facts,” Mobileye said in a statement.
[…]
Tesla was “pushing the envelope in terms of safety,” the company’s chairman and CTO Amnon Shashua said in an interview with Reuters on Wednesday. “It [the autopilot system] is not designed to cover all possible crash situations in a safe manner … It is a driver assistance system and not a driverless system,” he said.
[…]
While the assisted-driving technology is undoubtedly impressive, Mobileye says it was very unhappy when Tesla started suggesting it would allow customers to drive their car hands-free. Brown was thought to be watching a movie when the crash happened.

“It has long been Mobileye’s position that Tesla’s Autopilot should not be allowed to operate hands-free without proper and substantial technological restrictions and limitations,” said the company’s most recent statement, adding: “In communications dating back to May 2015 between Mobileye Chairman and Tesla’s CEO, Mobileye expressed safety concerns regarding the use of Autopilot hands-free.”
[…]
Mobileye claims that after the crash, it had a face-to-face meeting with Musk in which he promised that the autopilot would be “hands on.” But then Musk reneged on the agreement, it says, and offered a hands-free activation mode.

Source: Is Tesla telling us the truth over autopilot spat?

Sounds pretty typical of Elon Musk

Qubes is a security-oriented, open-source operating system for personal computers.
Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.

This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.

Source: Qubes OS Project

It runs lightweight Virtual Machines for your processes (Qubes) which isolate them, making sure they don’t infect other parts of your machines.

Whonix is a desktop operating system designed for advanced security and privacy. It realistically addresses attacks while maintaining usability. It makes online anonymity possible via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP leaks. Pre-installed applications, pre-configured with safe defaults are ready for use. Additionally, installing custom applications or personalizing the desktop will in no way jeopardize the user. Whonix is the only actively developed OS designed to be run inside a VM and paired with Tor.

This safeguards your privacy by running on 2 VMs in your OS, so it can’t know much about what your computer is doing.

Whonix

Then there is tails, which has as advantage that it runs off a USB stick. This does, however, mean that every time you restart, everything resets. This ensures the base package stays clean, but updates to software or personal documents cannot be part of your tails.

An in-depth security guidance report aimed at Internet of Things developers has been released by the Cloud Security Alliance.

Titled Future-proofing the Connected World: 13 steps to developing secure IoT products, the report offers practical and technical guidance to devs trying to secure networks of IoT devices.

“An IoT system is only as secure as its weakest link,” wrote Brian Russell, chair of the CSA’s IoT working group. “This document is our attempt at providing actionable and useful guidance for securing the individual products that make up an IoT system.”

Split into comprehensive sections, the guide covers: the need for IoT security; why dev organisations should care about securing IoT networks; device security challenges; and includes detailed guidance for secure IoT development, including everything from tips on implementing a secure dev environment to designing in hardware security controls and securing your firmware updates. A “detailed checklist for security engineers to follow during the development process” is also included.

Source: Devs! Here’s how to secure your IoT network, in, uh, 75 easy pages

Avi Freedman has worked in networking for 30+ years and seen over 100 startups scale their infrastructure. Here are the most vital pieces of advice he has to share.

They land themselves in Cloud Jail.

They get sucked in by “hipster tools.”

They don’t design for monitorability.

Source: The Three Infrastructure Mistakes Your Company Must Not Make

A tweak to Microsoft’s Outlook.com cloud service has blocked a good number of people from accessing their messages.

Specifically, the baffling and unannounced change affects Outlook.com users with connected accounts: these are email accounts hosted on third-party servers (such as a company’s private server or an ISP’s mail server) that are accessed via the Outlook.com cloud. People with this setup are no longer able to send or receive mail through Redmond’s webmail service.

Source: Never explain, never apologize: Microsoft silent on Outlook.com email server grief

MS cloud services are doing their best to piss people off!

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found inside of a Word document looks for existing documents on targeted PCs.

If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
[…]
When documents are detected via RecentFiles, the malware assumes the system is a valid target and goes into action triggering a PowerShell script that links the victim’s PC to a command-and-control server to download a low-level system keylogger.

In another obfuscation technique, the malware uses an IP detection web service (Maxmind) to determine the network used by the targeted system. The IP address is cross referenced with a list of blacklisted IP addresses tied to security firms such as BlueCoat, Palo Alto and others. Those IPs are red flagged and stop the malware from executing, according to Fenton.

Source: Malware Evades Detection with Novel Technique | Threatpost | The first stop for security news

MaterCard’s “selfie pay” will be coming to Europe next year after trials in the US, Canada and the Netherlands.

The financial services firm is rolling out technologies that will allow European consumers to authenticate their identity without a password, but with a selfie, in order to provide customers with a more convenient method to sign in and a faster checkout process. Security firms view the development as another sign of the mainstream availability of biometric authentication, comparing it to the introduction of TouchID fingerprint authentication technology in the iPhone.

Source: Mastercard rolls out pay-by-selfie across Europe

We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites. Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.

What does our work mean for Tor users? As we outline in our blog post, we don’t believe that there is any immediate cause for concern. While our attacks work well in simulations, not many entities are in a position to mount them. Besides, they require non-trivial engineering effort to be reliable, and The Tor Project is already working on improved website fingerprinting defenses.

Source: The Effect of DNS on Tor’s Anonymity