GlassWire Network Security Monitor & Firewall Tool

GlassWire displays your network activity on an easy to understand graph while searching for unusual Internet behavior that could indicate malware or violations of your privacy. Once unusual network activity is discovered you’re instantly alerted with detailed information so you can protect your computer, privacy, and data.

via GlassWire Network Security Monitor & Firewall Tool.

Open Source Security Testing Methodology Manual (OSSTMM)

Fact does not come from the grand leaps of discovery but rather from the small, careful steps of verification. That is the premise of the Open Source Security Testing Methodology Manual, also known as the OSSTMM (pronounced "awstem"). It is a peer-reviewed manual of security testing and analysis which results in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions because you will have verified information specific to your needs on which to base your security decisions. One way to assure a security analysis has value is to know it has been done thoroughly, efficiently, and accurately. For that you need to use a formal methodology. The OSSTMM aims to be it.

via ISECOM – Open Source Security Testing Methodology Manual (OSSTMM).

Bank data of 20 million customers leaked in South Korea

In the latest case, an employee from personal credit ratings firm Korea Credit Bureau (KCB) has been arrested and accused of stealing the data from customers of three credit card firms while working for them as a temporary consultant. Seoul’s financial regulators on Sunday confirmed the number of affected users as at least 20 million, in a country of 50 million. The stolen data includes the customers’ names, social security numbers, phone numbers, and credit card numbers and expiration dates, the Financial Supervisory Service (FSS) said in a statement.

via Bank data of 20 million customers leaked in South Korea | ZDNet.

That’s just under half the population! And it goes to show that humans are usually the weakest link in these kinds of things.

Awareness tackles the most important link in online security: the human

A lot happens online. Companies increasingly make web-based systems available to their employees. That way they can reach the data and functionality they need anytime and anywhere, and often even more. Everything SaaS, Cloud and 2.0. With good reason: less specialist infrastructure has to be maintained. Responsibility is taken over by third parties. But is that really so?

Personnel costs and the cost of rapidly depreciating hardware are avoided. Private individuals make extensive use of the internet giants: search engines, social media and shopping. The rise of affordable mobile internet, smartphones and tablets means that people are online more and more often. It also means that private life and work are more intertwined: people want to read company email on their personal tablet, or use their own PC or laptop to work with company data (BYOD).

Awareness is necessary
Companies can no longer concern themselves only with the security of their own network. The security of employees’ equipment is important too. Employees’ browsing behaviour has changed, and not only at home. People tweet and use Facebook everywhere. This makes the potential for unsafe situations much higher. There is far less control over what happens on a network. Your firewall, virus and malware scanners may be in order, but what an employee brings in from home is often unprotected. It is clear that people themselves must be aware of what the risks on the internet are.

You have become the product
The risks are not limited to viruses and malware. Our one-day programme “privacy & security in één dag” (“privacy & security in one day”) makes clear that handing information to cloud providers has far-reaching consequences: you often give them the freedom to do whatever they like with the data you give them. That literally includes everything you type or store in their systems. You have become the product. The information you give can no longer be deleted or corrected. The consequences are therefore lifelong. It is very difficult to protect this data against hackers. Of course there are ways to greatly reduce these risks. AlertOnline offers a good start: informing companies and private individuals that things on the internet are not all as innocent as they seem.

From what age do you start digital education?
Awareness, however, begins with education. I often hear that today’s youth is the computer generation that understands everything about it. When I watch young people using a computer, I notice that they too understand nothing about computers. They know how to use Instagram, Twitter and Word, but have no idea how it all works. At school, computer lessons are really lessons in using particular programs. Security and privacy, but above all basic hardware theory, databases and programming, should be compulsory from secondary school onwards (and earlier if possible). Only then can young people understand how certain insecurities work and logically work out for themselves what is and is not possible on the internet. They would also be able to make an important contribution to our society, which by now runs on IT almost everywhere.

Open Source software is the future
There should also be more attention for Open Source and SMEs. Most innovation comes from this corner. They often struggle to gain a foothold because there is still an idée fixe that these groups can offer little stability. Nothing could be further from the truth. Open Source is secure because anyone can look at the code and remove errors. It is reliable because most providers take part in its development. It is pleasant because it can be rewritten to exactly the functionality you need. Above all, it matters that you can easily switch supplier, because several suppliers are familiar with the product you use and can provide support for it.

Awareness is more than a checklist
So awareness is not just a checklist of items you can hand to everyone and tick off. It is learning a way of thinking that keeps not only security but also the consequences of behaviour in check. It ensures that you can do more with the resources you have. Computers can do a lot, but it remains the human who determines which possibilities are used and in what way all of this happens.

Robin Edgar

Off-the-Record Messaging

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

Encryption
No one else can read your instant messages.

Authentication
You are assured the correspondent is who you think it is.

Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.

https://otr.cypherpunks.ca/

It plugs into loads of XMPP clients out of the box.
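To make the deniability property above concrete, here is an added Python sketch (not OTR's own code, and simplified from it): each message is authenticated with an HMAC under a per-message key, and the sender publishes that key once the message has been received, which is what OTR does with its old MAC keys. The sample message and the key sizes are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example (not OTR's code): messages carry an HMAC under a
# per-message key, and the sender publishes that key once the message has
# been received, as OTR does with its old MAC keys.

def mac_tag(mac_key: bytes, message: bytes) -> bytes:
    """Tag a message so the live correspondent can check it (HMAC-SHA256)."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()

def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a tag against a message."""
    return hmac.compare_digest(mac_tag(mac_key, message), tag)

def send_and_reveal(message: bytes):
    """Alice tags a message with a fresh key, then reveals the key afterwards."""
    mac_key = os.urandom(32)               # one key per message
    tag = mac_tag(mac_key, message)
    return message, tag, mac_key           # mac_key is now public knowledge

def forge(revealed_key: bytes, fake: bytes) -> bytes:
    """Any third party holding the revealed key can tag a message it invented."""
    return mac_tag(revealed_key, fake)

def demo():
    """Returns what Bob (live) and a third party (afterwards) can conclude."""
    message, tag, mac_key = send_and_reveal(b"meet at 9")  # constructed sample
    # Bob, while the key is shared only with Alice: authentic and unmodified.
    bob_accepts = verify(mac_key, message, tag)
    bob_rejects_tampering = not verify(mac_key, b"meet at 8", tag)
    # After the reveal, a valid tag exists for a message Alice never sent,
    # so no tag in the transcript proves to a third party who wrote it.
    fake = b"I never said that"
    forged_tag = forge(mac_key, fake)
    return {
        "bob_accepts": bob_accepts,
        "bob_rejects_tampering": bob_rejects_tampering,
        "forgery_verifies_after_reveal": verify(mac_key, fake, forged_tag),
    }
```

A digital signature would give Bob the same live assurance but would also let a third party prove authorship later; the revealed MAC key is what removes that proof.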

An insight into CIA burglary

The CIA is not in the habit of discussing its clandestine operations, but the agency’s purpose is clear enough. As then-chief James Woolsey said in a 1994 speech to former intelligence operatives: “What we really exist for is stealing secrets.” Indeed, the agency declined to comment for this article, but over the course of more than 80 interviews, 25 people—including more than a dozen former agency officers—described the workings of a secret CIA unit that employed Groat and specialized in stealing codes, the most guarded secrets of any nation.

The CIA Burglar Who Went Rogue | History & Archaeology | Smithsonian Magazine.

A good explanation of homomorphic encryption

Homomorphic encryption is where one party (Alice) encrypts data under her own key and passes the ciphertext to another party (Bob). Bob can’t read the data, but can perform computations on it and pass the encrypted results (which he also can’t read) back to Alice, who decrypts them with her key. This is especially useful in the age of cloud computing, web services, SaaS and private records.

Alice and Bob in Cipherspace » American Scientist.

Authentication Implications in Uniquely Identifiable Graphics Cards | threatpost

The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.

The implication of this discovery is that such differences can be used as PUFs to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts.

Authentication Implications in Uniquely Identifiable Graphics Cards | threatpost.

Neuroscience joins cryptography – implant a password into a brain without the person knowing what the password is

Bojinov and colleagues designed a game lasting 30 to 45 minutes in which players intercept falling objects by pressing a key. The objects appear in one of six positions, each corresponding to a different key. Positions of objects were not always random: a hidden sequence of 30 successive positions was repeated over 100 times. Players made fewer errors when they encountered this sequence on successive rounds. This learning persisted when the players were tested two weeks later.

via Neuroscience joins cryptography.

Schiphol Security chief criticises EU approach to air safety

He’s also pissed off with all the technology being put into airports while human intelligence is ignored.

Marijn Ornstein, the manager of security policy at Schiphol airport in Amsterdam, said: “If you look at all the recent terrorist incidents, the bombs were detected because of human intelligence not because of screening … If even a fraction of what is spent on screening was invested in the intelligence services we would take a real step toward making air travel safer and more pleasant.”

via EUobserver / Security chief criticises EU approach to air safety.

These liquid bans, x-ray scanners to ogle your naked arse as you walk through, all that – it’s nonsense!

BLADE – Block All Drive-by Download Exploits

BLADE is a new Windows immunization system that prevents surreptitious drive-by download exploits from infecting vulnerable Windows hosts. BLADE is implemented as a series of kernel extensions, which interrupt the covert binary installation phase of current malware drive-by exploits.

I.e., it checks whether you authorised the download and execution of a file.

via BLADE – Block All Drive-by Download Exploits.

AIVD: The Netherlands is being spied on by hackers

The AIVD, the Dutch internal security police, have issued a warning that Dutch government and businesses are being spied on at an unprecedented rate, usually by trying to install trojans activated by email attachments. The spies are often foreign governments and China is being fingered specifically as a culprit.

AIVD: Nederland steeds vaker digitaal bespioneerd | Webwereld.

Congressman Duncan Blasts “Useless” Air Marshal Service

We now have approximately 4,000 in the Federal Air Marshals Service, yet they have made an average of just 4.2 arrests a year since 2001. This comes out to an average of about one arrest a year per 1,000 employees. Now, let me make that clear. Their thousands of employees are not making one arrest per year each. They are averaging slightly over four arrests each year by the entire agency. In other words, we are spending approximately $200 million per arrest. Let me repeat that: we are spending approximately $200 million per arrest.

via Duncan Blasts “Useless” Air Marshal Service | Congressman John J. Duncan Jr., Serving Tennessee’s 2nd District.

Now if they could take a look at what the TSA is doing too!

The Failure of Full-Body Scanners

Well, they have tested the full body scanner on TV and the guy carrying bomb parts wasn’t stopped. And it’s not like he tried really hard to hide them either – they weren’t particularly small bomb parts and the only cavity he used was his mouth.

Basically they’re just a huge invasion of privacy, an excuse to see you naked. They don’t work.

Schneier on Security: German TV on the Failure of Full-Body Scanners.