And that password is: <<< %s(un='%s') = %u.
Source: How to log into any backdoored Juniper firewall – hard-coded password published
 
			
			
									
			
			
The energy-time entanglement technology for quantum encryption studied here is based on testing the connection at the same time as the encryption key is created. Two photons are sent out at exactly the same time in different directions. At both ends of the connection is an interferometer where a small phase shift is added. This provides the interference that is used to compare similarities in the data from the two stations. If the photon stream is being eavesdropped there will be noise, and this can be revealed using a theorem from quantum mechanics – Bell’s inequality.
On the other hand if the connection is secure and free from noise, you can use the remaining data, or photons, as an encryption key to protect your message.
What the LiU researchers Jan-Åke Larsson and his doctoral student Jonathan Jogenfors have revealed about energy-time entanglement is that if the photon source is replaced with a traditional light source, an eavesdropper can identify the key, the code string. Consequently they can also read the message without detection. The security test, which is based on Bell’s inequality, does not react – even though an attack is underway.
Physicists at Stockholm University have subsequently been able to demonstrate in practical experiments that it is perfectly possible to replace the light source and thus also eavesdrop on the message.
But this problem can also be solved.
“In the article we propose a number of countermeasures, from simple technical solutions to rebuilding the entire machine,” said Jonathan Jogenfors.
Source: Swedish researchers reveal security hole
When a user opens an Outlook email or previews the email in one of the Outlook panels, the OLE mechanism will automatically read the embedded Flash object and try to execute it, to provide a preview.
Since most Flash exploits only need to be executed to work, and because there’s a flaw in the Outlook security sandboxing system, an attacker can easily embed malicious Flash objects inside emails and have other malicious code executed via older (Flash) vulnerabilities.
Source: BadWinmail Microsoft Outlook Bug Can Give Attackers Control Over PCs
A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts, and has ties to a number of other Hello Kitty portals.
The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.
Source: Database leak exposes 3.3 million Hello Kitty fans
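An added example (not from the linked article or from the site involved) of why the unsalted SHA-1 hashes in this item matter, and how a defender can upgrade such a table without knowing the passwords. The account names, passwords and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

def sha1_hex(password: str) -> str:
    """Legacy scheme named in the item: unsalted SHA-1, hex encoded."""
    return hashlib.sha1(password.encode()).hexdigest()

def shared_digests(rows):
    """Digests used by more than one account. Without a salt, equal
    passwords give equal digests, so reuse is visible in the dump itself."""
    counts = Counter(digest for _, digest in rows)
    return {d: n for d, n in counts.items() if n > 1}

def wrap_legacy(digest_hex: str, iterations: int = 600_000):
    """Wrap a stored SHA-1 digest in PBKDF2-HMAC-SHA256 with a fresh
    per-user salt. Needs only the old digest, not the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", digest_hex.encode(), salt, iterations)
    return salt, iterations, dk

def verify_wrapped(password: str, record) -> bool:
    """Login check against a wrapped record: SHA-1 first, then PBKDF2."""
    salt, iterations, expected = record
    inner = sha1_hex(password).encode()
    candidate = hashlib.pbkdf2_hmac("sha256", inner, salt, iterations)
    return hmac.compare_digest(candidate, expected)

def migrate(rows, iterations: int = 600_000):
    """Replace every legacy digest with a salted, slow record."""
    return {user: wrap_legacy(d, iterations) for user, d in rows}

# Constructed sample table (not data from the leak).
ROWS = [
    ("alice", sha1_hex("hellokitty")),
    ("bob", sha1_hex("hellokitty")),
    ("carol", sha1_hex("x9!Tq")),
]

if __name__ == "__main__":
    print("accounts sharing a digest:", shared_digests(ROWS))
    records = migrate(ROWS)
    same = records["alice"][2] == records["bob"][2]
    print("alice and bob still share a stored value:", same)
    print("alice can log in:", verify_wrapped("hellokitty", records["alice"]))
```

Wrapping is a stopgap: on each user's next successful login, re-hash the password directly and drop the SHA-1 layer.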
FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet.
Source: Project Zero: FireEye Exploitation: Project Zero’s Vulnerability of the Beast
All you need to do is send the jar in an email or get someone to visit a site with the jar on it and you can modify the BIOS and get access to their network information.
A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.
Source: Back to 28: Grub2 Authentication Bypass 0-Day
Oops
Vuvuzela relies on dummy traffic to hide the real connections
Before it’s decided where to store its content, the message goes through different servers, which send out dummy traffic to all interconnected users.
The server notifies the recipient that there’s a message for them, the user then goes to retrieve it, also passing through different mailboxes to get at the message’s location. When a connection is made through one of these mailboxes by a recipient searching for their message, each of these servers sends out dummy network packets on the network.
With so much fake traffic, and with senders and recipients moving past their destinations to intentionally create even more fake traffic after they’ve left or retrieved the actual message, you can only imagine how much data an attacker would have to sniff out before getting a clue of who’s talking to whom.
MIT researchers claim that attackers can even infiltrate more than half of its mailbox network, but if at least one mailbox server is left intact, users will be able to safely communicate because of all the fake traffic.
Source: MIT Creates Untraceable Anonymous Messaging System Called Vuvuzela
There is a lot of this on the internet but I’m not sure it’s true as it’s all based on something that was posted on a telco’s site and removed, so all the sources link to a Google cache site. It’s not clear how this would be implemented and whether users would somehow be forced to use this certificate and how that would work. How do you get all the clients to do it? I’m doubtful.
Source: Kazakhstan’s New Encryption Law Could Be a Preview of U.S. Policy
Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday.
[…]
Moreover this directive marks the beginning of platform regulation
[…]
MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.
Member states will have to identify concrete “operators of essential services” from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety.
In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.
In addition, a network of Computer Security Incidents Response Teams (CSIRTs), set up by each member state to handle incidents, will have to be established to discuss cross border security incidents and identify coordinated responses.
Source: First ever EU rules on cybersecurity
This does give member states a large amount of power over sectors they deign to call essential – they can burden these companies with huge administrative overhead and crush them that way, with the only recourse being the expensive EU courts.
The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.
If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).
Source: AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products
A litany of unsecured portals with generic usernames, sometimes no passwords at all, personnel allowing views of unencrypted Google docs with passwords…
Nasty maintenance software allows all kinds of privilege escalation. Please uninstall!
Source: Lenovo: Verwijder onze bloatware
A hacker is releasing customer records after a bank in the United Arab Emirates refused to pay a ransom of $3 million in bitcoins.
Most of the bank’s customers, however, did not learn that their data had been stolen and published online until the newspaper contacted them.
Files purporting to come from the hacker, and viewed by WIRED, appear to show bank customer credit card transactions for purchases made at retailers and restaurants around the world, including the US. The records include the credit card number, amount of purchase and authorization code, though not the customer name. Other files purport to show the balances on 50,000 bank cards. Some of the files are Excel spreadsheets; others appear to be entire SQL databases stolen by the hacker.
Source: Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom
What a wonderful thing working in the cloud is!
Source: Part of the world’s IT brought down by Azure Active Directory issue
App Engine task queue tasks sloo…ooww for ~10% of instances
Source: Google in 24-hour cloud brownout
PHP continues to be one of the main sources for many security bugs
With a huge fanbase and used in countless apps and websites around the Internet, PHP is ranked the worst when it came to command injection bugs, but also came close to the top when it came to SQL injections, cross-site scripting bugs, and cryptographic issues.
Taking a closer look at PHP, we also see that 86% of all the analyzed apps included XSS issues, 73% included cryptographic issues, 67% allowed for directory traversal, 61% for code injection, 58% had problems with credentials management, 56% included SQL injection issues, and 50% allowed for information leakage.
When it came to policy compliance tests, scanned PHP applications passed the OWASP Top 10 tests only in 19% of the cases. ColdFusion had the only lower rating with 17% while C/C++ passed OWASP tests in 60% of the cases.
Source: Top Programming Languages That Generate Software Vulnerabilities
If storing the personal data of almost 5 million parents and more than 200,000 kids wasn’t bad enough, it turns out that hacked toymaker VTech also left thousands of pictures of parents and kids and a year’s worth of chat logs stored online in a way easily accessible to hackers.
On Friday, Motherboard revealed that earlier this month a hacker broke into the servers of VTech, a Hong Kong-based company that makes internet-connected gadgets and toys. Inside the servers, the hacker found the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
Source: Hacker Obtained Children’s Headshots and Chatlogs From Toymaker VTech
And now here’s how you can really destroy it
Source: Superfish 2.0 worsens: Dell’s dodgy security certificate is an unkillable zombie
The document addresses the findings of a mobile App research and summarizes concerns and approaches required to improve the state of mobile app security.
Source: The State of Mobile Application Security 2014-2015 – Checkmarx.com
Have the vehicle security system installed by an approved installation company. You will then receive a VbV-SCM certificate and your car will be fitted with a quality-mark sticker. The registration is recorded by VbV – SCM.
Source: Doe de kentekencheck – Laat je auto niet hacken.nl
Who thinks these things up?
Want a FIPS 140-2 RNG? Look at the universe
Source: Big Bang left us with a perfect random number generator
Unfortunately the processing power required is a bit much for home computers…
Because it’s out of date – nowadays you need to be using TLS! You can download the best practices here…
Source: Qualys SSL Labs – Projects / Documentation
Source: Your Unhashable Fingerprints Secure Nothing
An article on how poor fingerprint security is:
– they are not secret
– they can be copied (even from photos!)
– they are not revocable
– they can’t be hashed