Let’s Encrypt is Trusted by browsers

Let’s Encrypt has received cross-signatures from IdenTrust, which means that our certificates are now trusted by all major browsers. This is a significant milestone since it means that visitors to websites using Let’s Encrypt certificates can enjoy a secure browsing experience with no special configuration required.

Source: Let’s Encrypt is Trusted

Let’s Encrypt wants to offer free, browser-trusted TLS (SSL) certificates to everyone, so that an encrypted web becomes the default.
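Why a cross-signature from an established root is enough to make a brand-new CA’s certificates validate: the new CA’s key is certified by the old root, so a client that only trusts the old root can still build a path. The demonstration below is an added example, not Let’s Encrypt or IdenTrust code; it assumes the `cryptography` package is installed, uses placeholder CA names, and its path builder is deliberately minimal (no validity, revocation, name-constraint or EKU checks).

```python
"""Constructed demonstration of cross-signing (added example, not Let's Encrypt code).
Assumes the `cryptography` package; "Old Root" and "New Root" are placeholder names."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, ca: bool):
    """Issue a certificate for subject_key's public key, signed by issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def is_ca(cert) -> bool:
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def signed_by(cert, issuer) -> bool:
    """True if issuer is a CA whose name matches cert's issuer and whose key verifies it."""
    if cert.issuer != issuer.subject or not is_ca(issuer):
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_path(leaf, untrusted, trusted, max_depth=5):
    """Follow issuer links from leaf until a trusted root signs the current cert.
    Returns the chain as subject names, or None if no path exists.
    Validity periods, revocation, name constraints and EKU are NOT checked here."""
    path = [leaf]
    for _ in range(max_depth):
        current = path[-1]
        for root in trusted:
            if signed_by(current, root):
                return [c.subject.rfc4514_string() for c in path + [root]]
        parent = next((c for c in untrusted if c not in path and signed_by(current, c)), None)
        if parent is None:
            return None
        path.append(parent)
    return None


def cross_sign_demo() -> dict:
    old_root_key, new_root_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    # Root already in the client's trust store (the IdenTrust role).
    old_root = issue("Old Root", old_root_key, "Old Root", old_root_key, True)
    # New CA's own self-signed root, not yet in any trust store (the Let's Encrypt role).
    new_root = issue("New Root", new_root_key, "New Root", new_root_key, True)
    # Cross-signature: the SAME new-root key, certified by the old root.
    cross = issue("New Root", new_root_key, "Old Root", old_root_key, True)
    leaf = issue("www.example.test", leaf_key, "New Root", new_root_key, False)

    client_trusts = [old_root]
    return {
        "without_cross_cert": build_path(leaf, [], client_trusts),
        "with_cross_cert": build_path(leaf, [cross], client_trusts),
        "client_that_trusts_new_root": build_path(leaf, [], [new_root]),
    }
```

The first lookup fails: the client knows nothing that signs "New Root". Once the server also sends the cross-certificate as an intermediate, the same leaf chains to "Old Root". A client that ships the new root directly builds the shorter path, which is why cross-signatures are a bridge until root programs include the new root.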

Wifatch malware infects poorly defended routers and then hardens them for you

Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks; in fact, all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.

In addition, there are some other things that seem to hint that the threat’s intentions may differ from traditional malware.

Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware.

Wifatch has a module that attempts to remediate other malware infections present on the compromised device. Some of the threats it tries to remove are well known families of malware targeting embedded devices.

The threat author left a comment in the source code that references an email signature used by software freedom activist Richard Stallman (Figure 2).

Wifatch’s code is not obfuscated; it just uses compression and contains minified versions of the source code. It would have been easy for the author to obfuscate the Perl code but they chose not to. The threat also contains a number of debug messages that enable easier analysis. It looks like the author wasn’t particularly worried about others being able to inspect the code.

The threat has a module (dahua.pm) that seems to be an exploit for Dahua DVR CCTV systems. The module allows Wifatch to set the configuration of the device to automatically reboot every week. One could speculate that because Wifatch may not be able to properly defend this type of device, instead, its strategy may be to reboot it periodically which would kill running malware and set the device back to a clean state.

Linux.Wifatch compromises routers and other Internet of Things devices and appears to try to improve the infected devices’ security.

Source: Is there an Internet-of-Things vigilante out there? | Symantec Connect Community

Experian hacked, loses 15m U.S. T-Mobile customer records, offers 2 years of credit monitoring

The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from September 1, 2013 through September 16, 2015, based on Experian’s investigation to date. This incident did not impact Experian’s consumer credit database.

Source: Experian Notifies Consumers In The U.S. Who May Have Been Affected By Unauthorized Acquisition Of A Client’s Data

Let’s Encrypt – free, browser trusted, automatically renewable SSL certificate authority signs first certificate.

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.

Source: Blog

It will hopefully be live in about a month.

Minority Report Predictive Policing hits US

The strategy, known as predictive policing, combines elements of traditional policing, like increased attention to crime “hot spots” and close monitoring of recent parolees. But it often also uses other data, including information about friendships, social media activity and drug use, to identify “hot people” and aid the authorities in forecasting crime.

Source: Police Program Aims to Pinpoint Those Most Likely to Commit Crimes

This is very worrying. Reading the article, it seems they are handling it well – they are inviting potential perpetrators in and explaining what’s going on, hoping to shock them. If a crime is committed, everyone in the predictive chain is picked up and they throw the book at them for everything they can find. Fair enough, they shouldn’t have been breaking the law anyway, and if they get picked up for it because they were in an associative chain, that is just as good as if they get picked up for any other reason.

However, if you are friends with a criminal, you may get invited to the courts again and again and again, even if you did nothing wrong yourself – the same problem no-fly lists have: false positives. Another thing is that you need to trawl through huge amounts of personal data in order to get these predictive models to work. This means that people and organisations could (and in practice do!) misuse their access to your personal data.

The article has some figures on how well this does compared to traditional policing and other predictive models, but the jury is still out on that really. It needs longer and more testing.

5.6m, not 1.1m fingerprint images of US gov security-cleared people stolen

WASHINGTON — The number of people applying for or receiving security clearances whose fingerprint images were stolen in one of the worst U.S. government data breaches is now believed to be 5.6 million, not 1.1 million as first thought, the Office of Personnel Management announced Wednesday.

The agency was the victim of what the U.S. believes was a Chinese espionage operation that affected an estimated 21.5 million current and former federal employees or job applicants. The theft could give Chinese intelligence a huge leg up in recruiting informants inside the U.S. government, experts believe. It also could help the Chinese identify U.S. spies abroad, according to American officials.

Source: Military.com

Ex-Secret Service agent who siphoned almost $1m worth of Bitcoin from Silk Road takes plea deal

The US Department of Justice (DoJ) said Bridges admitted to using a seized administrator account on Silk Road in order to lift Bitcoin from various accounts and deposit them into his own wallet. He then sold off the Bitcoin on the Mt Gox exchange between March and May of 2013 and came away with $820,000 in cash.

Bridges also admitted to lying to investigators and working to obstruct others who were investigating both Silk Road and his own actions.

Source: Ex-Secret Service agent who siphoned Bitcoin from Silk Road takes plea deal

Windows 10 keeps your Wi-Fi keys on the MS Cloud

It’s a good idea – you can easily share your Wi-Fi keys with people in your contacts list. However, to do this Microsoft keeps the keys, encrypted (how?), on its own servers. That is not a good idea: it turns the MS cloud into a treasure trove of Wi-Fi passwords and locations. Also, if you’re giving out your Wi-Fi password but the other party doesn’t have internet access, the system doesn’t work – which makes it a bit useless.

Tell a pal your password … and their FB mates will get it too

Source: UH OH: Windows 10 will share your Wi-Fi key with your friends’ friends • The Register

LaZagne – recover various stored passwords from within Windows and Linux

Description: The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. At this moment, it supports 22 programs on Microsoft Windows and 12 on a Linux/Unix-like OS.

Usage
Launch all modules: laZagne.exe all
Launch only a specific module: laZagne.exe (example: laZagne.exe browsers)
Help: laZagne.exe -h
Laun

Source: The LaZagnen – Credentials Recovery Project | Mayur Agnihotri | LinkedIn

Hackers fear arms control pact makes exporting flaws illegal

The Wassenaar Arrangement, signed by 42 nations, can be implemented differently by each of those nations. Hackers are worried that exploit code will be treated as a controlled item under these arms controls and that exporting it will become punishable.

Leaving 0-day exploits unpublished or in the wild is not good for IT security: only the people who hold them can use them, and there is no incentive to report them to the makers of the software, or for the makers to fix them (if they even know about them).

Source: Hackers fear arms control pact makes exporting flaws illegal • The Register

FIDO v1 out – broadly adopted passwordless authentication for (eventually) everything

“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the FIDO Alliance. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce.”

The specifications outline a new standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any website or cloud application can interface with a broad variety of existing and future FIDO­enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types.

Keeping with the FIDO Alliance mission, both specifications are unencumbered by FIDO member patents. Members are free to implement and market solutions around FIDO­enabled strong authentication, and non­members are free to deploy those solutions. As previously announced, current implementations available in the market include those from Nok Nok Labs, Synaptics, Alibaba, PayPal, Samsung, Google, Yubico and Plug­Up.
via FIDO Alliance.
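What “strong authentication” means in practice here is a challenge-response with a device-held private key. The exchange below is an added example, not the FIDO Alliance’s reference code: it follows the U2F 1.0 authentication response layout (appParam || userPresence || counter || challengeParam, ECDSA over P-256) but simplifies client data to challenge || origin instead of U2F’s JSON, and assumes the `cryptography` package is installed. The hostnames and key handle are placeholders.

```python
"""Added example of a U2F-style login exchange (not FIDO Alliance code).
Assumes `cryptography`; origins and the key handle are placeholders."""
import hashlib
import os
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Token side: a key pair per registration plus a signature counter."""

    def __init__(self):
        self._key = ec.generate_private_key(ec.SECP256R1())
        self.counter = 0

    def public_key(self) -> bytes:
        return self._key.public_key().public_bytes(
            serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)

    def sign(self, app_param: bytes, challenge_param: bytes):
        """Return (user_presence, counter, signature) for one assertion."""
        self.counter += 1                      # must never go backwards
        user_presence = b"\x01"                # the user touched the token
        message = app_param + user_presence + struct.pack(">I", self.counter) + challenge_param
        return user_presence, self.counter, self._key.sign(message, ec.ECDSA(hashes.SHA256()))


class RelyingParty:
    """Server side: stores public keys, issues challenges, verifies assertions."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.app_param = sha256(app_id.encode())
        self.registrations = {}                # key handle -> [public key, last counter]

    def register(self, key_handle: str, pubkey_bytes: bytes) -> None:
        pub = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), pubkey_bytes)
        self.registrations[key_handle] = [pub, 0]

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, key_handle, challenge, origin, user_presence, counter, signature) -> bool:
        pub, last_counter = self.registrations[key_handle]
        if origin != self.app_id:              # assertion must be for this site
            return False
        if user_presence != b"\x01":
            return False
        if counter <= last_counter:            # replay, or a cloned token
            return False
        challenge_param = sha256(challenge + origin.encode())
        message = self.app_param + user_presence + struct.pack(">I", counter) + challenge_param
        try:
            pub.verify(signature, message, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        self.registrations[key_handle][1] = counter
        return True


def run_exchange():
    """One registration, then an honest login, a replay, and a phishing relay."""
    rp = RelyingParty("https://login.example.test")
    token = Authenticator()
    rp.register("handle-1", token.public_key())

    # 1. Honest login: the browser hands the RP's challenge and its own origin to the token.
    origin = "https://login.example.test"
    challenge = rp.new_challenge()
    assertion = token.sign(rp.app_param, sha256(challenge + origin.encode()))
    ok = rp.verify("handle-1", challenge, origin, *assertion)

    # 2. Replaying the same assertion: the counter did not advance, so it is rejected.
    replayed = rp.verify("handle-1", challenge, origin, *assertion)

    # 3. Phishing relay: a lookalike site forwards a fresh RP challenge to the victim's
    #    token. The browser derives app_param from the lookalike origin, so the signed
    #    message never matches what the real RP reconstructs for its own origin.
    evil = "https://login.example-test.test"
    challenge2 = rp.new_challenge()
    assertion2 = token.sign(sha256(evil.encode()), sha256(challenge2 + evil.encode()))
    phished = rp.verify("handle-1", challenge2, origin, *assertion2)
    return ok, replayed, phished
```

The two properties worth noticing are the origin binding (the token signs over a hash of the origin the browser saw, so a phishing page cannot obtain a usable assertion for the real site) and the counter (the server must store it and reject anything not strictly greater than the last value it saw).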

GlassWire Network Security Monitor & Firewall Tool

GlassWire displays your network activity on an easy to understand graph while searching for unusual Internet behavior that could indicate malware or violations of your privacy. Once unusual network activity is discovered you’re instantly alerted with detailed information so you can protect your computer, privacy, and data.

via GlassWire Network Security Monitor & Firewall Tool.

Open Source Security Testing Methodology Manual (OSSTMM)

Fact does not come from the grand leaps of discovery but rather from the small, careful steps of verification. That is the premise of the Open Source Security Testing Methodology Manual, also known as the OSSTMM (pronounced "awstem"). It is a peer-reviewed manual of security testing and analysis which results in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions because you will have verified information specific to your needs on which to base your security decisions. One way to assure a security analysis has value is to know it has been done thoroughly, efficiently, and accurately. For that you need to use a formal methodology. The OSSTMM aims to be it.

via ISECOM – Open Source Security Testing Methodology Manual (OSSTMM).

Bank data of 20 million customers leaked in South Korea

In the latest case, an employee from personal credit ratings firm Korea Credit Bureau (KCB) has been arrested and accused of stealing the data from customers of three credit card firms while working for them as a temporary consultant. Seoul’s financial regulators on Sunday confirmed the number of affected users as at least 20 million, in a country of 50 million. The stolen data includes the customers’ names, social security numbers, phone numbers, and credit card numbers and expiration dates, the Financial Supervisory Service (FSS) said in a statement.

via Bank data of 20 million customers leaked in South Korea | ZDNet.

That’s just under half the population! And it goes to show that humans are usually the weakest link in these kinds of things.