Microsoft released a single update last week with this February Patch Tuesday, after a week’s delay. Or perhaps MS17-005 is considered an out-of-band update from Microsoft? I am not sure, as it does not look like we will see the usual accompanying updates to Microsoft, .NET and the Windows (desktop and server) platforms. This sole update to Adobe Flash Player is worth deploying immediately. Evergreen browsers such as Microsoft Edge and Google Chrome will automatically update (using the default settings) and so will patch this serious memory-related vulnerability in Flash Player.

MS17-005 — Critical

The sole update released from Microsoft for this February Patch Tuesday is a Windows platform update for Adobe Flash Player. This patch addresses 13 vulnerabilities relating to type confusion and a special kind of memory handling error commonly referred to as “use-after-free,” where Adobe Flash Player could allow an attacker to execute code in memory areas that should have been “cleaned up” and de-allocated after use. This update is rated critical by Microsoft and by Adobe and should be considered a “Patch Now” update from Microsoft. Microsoft has recommended a number of mitigations for this type of Adobe Flash Player vulnerability, including whitelisting sites in the Microsoft Compatibility View List and, of course, disabling ActiveX controls. I recommend disabling and removing Adobe Flash Player at your earliest convenience (again).

This article is published as part of the IDG Contributor Network.

The post IDG Contributor Network: February Patch Tuesday updated appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/idg-contributor-network-february-patch-tuesday-updated/
Mike Mimoso talks to Luta Security’s Katie Moussouris at RSA Conference 2017 about how bug bounty programs have gone mainstream, the success around Hack the Pentagon and Hack the Army, and where things stand with the Wassenaar Arrangement.

Download: Katie_Moussouris_on_Bug_Bounties_Hack_the_Army_and_Wassenaar.mp3

Music by Chris Gonsalves

The post Katie Moussouris on Bug Bounty Programs, Hack the Army, and Wassenaar appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/katie-moussouris-on-bug-bounty-programs-hack-the-army-and-wassenaar/

Google has announced that E2EMail, an experimental end-to-end encryption system, has now been given to the open-source community with no strings attached. Whether you are concerned about government surveillance and spying, man-in-the-middle (MiTM) attacks by threat actors, or you are an enterprise player with the need to keep communications as secure and private as possible, end-to-end encryption is viewed as a method to prevent snooping. Not every email service provider offers end-to-end encryption — the best-known being PGP — although, in the wake of former NSA contractor Edward Snowden’s disclosures concerning the mass-spying efforts of the US government, more services have popped up or increased in popularity, including ProtonMail, Wire, WhatsApp, and Signal.
As we become more concerned with digital threats and surveillance, everything from email services to apps and social network chats is being locked up with cryptographic methods. However, end-to-end encryption is yet to reach a wider audience — and this is where Google intends to make a difference.

Last week, Google engineers KB Sriram, Eduardo Vela Nava, and Stephan Somogyi said in a blog post that as part of the tech giant’s End-to-End research efforts, E2EMail is going open-source. Built on the JavaScript crypto library developed at Google, E2EMail offers a way to integrate OpenPGP into Gmail via a Chrome Extension while keeping cleartext of messages exclusively on the client.

Google is keen to emphasize that E2EMail is not a Google product, but thanks to the efforts of security engineers from across the spectrum, it is now a “fully community-driven open-source project.”

The current form of E2EMail is rather bare when it comes to keyserver testing. However, Google’s Key Transparency, made available earlier this year, may improve the security of the service far beyond its current incarnation.

“Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced,” Google’s engineers say. “Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP.”

“We look forward to working alongside the community to integrate E2EMail with the Key Transparency server, and beyond,” the team added.

If you’re interested, you can check out the e2email-org/e2email repository on GitHub.

Last week, Google gave the “Upspin” project to the open-source community. Upspin aims to reduce the fragmentation of current services such as Dropbox, Google Storage and Apple’s iCloud and the amount of time wasted on “multi-step copying and repackaging” by creating a global namespace for files.
Upspin is a set of protocols and standards which puts secure sharing at the forefront and is enabled with end-to-end encryption by default.
The post Google End-To-End Encrypted Email Code Goes Open-Source appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/google-end-to-end-encrypted-email-code-goes-open-source/

The ongoing struggle to provide encrypted email solutions that aren’t on a PGP level of complexity and difficulty is a real challenge. Google’s attempt at it, called E2EMail, was introduced more than a year ago as an effort to give users a Chrome app that allows for the simple exchange of private emails. On Friday, Google cut it loose to open source.

The project integrates OpenPGP into Gmail via a Chrome extension. KB Sriram, Eduardo Vela Nava, and Stephan Somogyi, of Google’s security and privacy engineering teams, said that engineers have been contributing to the code from inside and out of Google during the past year. They point out that E2EMail targets non-technical users without the need to run an email or OpenPGP client.

“It is a Chrome app that runs independent of the normal Gmail web interface. It behaves as a sandbox where you can only read or write encrypted email, but is otherwise similar to any other communication app,” Google said. “When launched, the app shows just the encrypted mail in the user’s Gmail account. Any email sent from the app is also automatically signed and encrypted.”

Early versions are text-only, and support only PGP/MIME messages.

“The goal is to improve data confidentiality for occasional small, sensitive messages. This way even the mail provider, Google in the case of Gmail, is unable to extract the message content,” Google said. “However, it does not protect against attacks on the local device, and, as usual with PGP, the identities of the correspondents and the subject line of the mail is not protected.”

E2EMail for now uses its own keyserver, but will eventually rely on Google’s recent Key Transparency initiative for cryptographic key lookups, addressing a usability challenge hampering mainstream adoption of OpenPGP.
Last month, Google released Key Transparency to open source with the aim of simplifying public key lookups at Internet scale. Google singled out secure messaging systems as one beneficiary of the system, a directory developers could use when building apps to find public keys associated with an account along with a public audit log of any key changes.

“Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP,” Google said.

Google explained that during installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine.

“The target is a simple user experience – install app, approve permissions, start reading or sending messages. As a result, the app automatically handles most of the key management,” Google said.

The post Google Releases E2EMail to Open Source appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/google-releases-e2email-to-open-source/

I spent several days in San Francisco on my annual pilgrimage to the RSA security conference. This year, I attended a few sessions related to cloud security, privacy and compliance, since my world these days is consumed with enhancing the security of our cloud platform and addressing the never-ending burden of maintaining compliance with the likes of PCI, SSAE 16, SOC 2 and HIPAA, and the recent changes related to Privacy Shield, which is the replacement for the European Union’s Safe Harbor.

Of course the RSA conference wouldn’t be complete without spending quality time with colleagues and friends at the myriad lunch events and evening parties. We talked about the convenience of having access to so many vendors — two huge expo floors, with some vendors on both. It’s definitely my preferred way of interacting with vendors.
Some of the ones I talked to offer technology I was interested in and some have technology I have already deployed. RSA gives me a chance to discuss challenges or get face time with knowledgeable engineers.

In my office, if I’m interested in a technology, I typically have to set aside an hour for an office visit or online meeting. The first 15 minutes are usually gobbled up by logistics such as getting the representatives badged in, escorting them to the conference room and connecting with the remote people. Murphy’s Law usually applies, and folks get lost or there are remote setup problems. Then, you need 10 minutes for all the introductions. That’s followed by 15 minutes of marketing slides. So we have about 20 minutes left, and so far nothing of value. Finally, we might get a meaningful demo and a discussion about architecture. Most meetings end with me wishing I had been able to ask more questions.

At RSA, the formalities are tossed and you can jump right in, asking about the things you most want to know about. After a few short hours on the floor, six or seven vendors have given me a wealth of information and I have leads on several technologies I might be interested in moving forward with, as well as answers to questions about technologies I have already deployed.

This year I spent time with vendors that offer CASB (cloud access security broker) technology, which would let us extend and apply our security policies to the many SaaS-based cloud applications we use. Also intriguing was a tool that could help our operations team with behavior monitoring of privileged access to our production infrastructure. Another company of interest offers a way to very easily manage the security configurations of our critical infrastructure, although for now I will just be keeping tabs on its progress, because it doesn’t yet work with many of the primary devices and operating systems we use.
Until that shortcoming is eliminated, I’ll continue to manage cumbersome XML-based policy files.

At the evening events, my colleagues and I shared thoughts on security strategy and opinions on what works and what doesn’t. Those discussions are a good way to validate that my security program is on track and a reminder that I’m not the only one with frustrations and problems. (In the case of our yearly PCI audit, our problems related to the auditors’ interpretation of some of the controls are paltry compared with what some colleagues are going through.)

Back in the office, I passed out the swag I had collected on the expo floor. Now I need to schedule some follow-up meetings with the most promising vendors and get back to maturing my security program.

This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at [email protected].

The post RSA Conference is a timesaver appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/rsa-conference-is-a-timesaver/

The Necurs botnet has learned a new trick. Instead of spewing spam delivering Locky ransomware, the notorious botnet is now capable of launching DDoS attacks.

According to BitSight’s Anubis Labs, the malware was modified in September to include a module that adds DDoS capabilities and new proxy command-and-control communication functions. Necurs is the malware that makes up the botnet that goes by the same name and is currently active on one million Windows PCs, according to Tiago Pereira, threat intel researcher with Anubis Labs.

“Necurs is a modular malware that can be used for many different purposes. What’s new with the sample we found is the addition of a module that adds SOCKS/HTTP proxy and DDoS capabilities to this malware,” he said.
About six months ago, Pereira said, Anubis Labs noticed that besides the usual port 80 communications, a Necurs-infected system was communicating with a set of IPs through a different port using what appeared to be a different protocol. When Anubis Labs researchers reverse engineered the sample of the Necurs malware, they noticed what appeared to be a simple SOCKS/HTTP proxy module for communications between it and the command-and-control server.

“As we looked at the commands the bot would accept from the C2, we realized that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack,” Pereira described in a research blog posted Friday.

Researchers are careful to point out the DDoS function has not been utilized by those behind the Necurs botnet at this time.

Botnet owners use the compromised bots as proxies (HTTP, SOCKSv4 and SOCKSv5 protocols), relaying connections through them in two modes of operation (direct proxy and proxy backconnect), according to the report.

“There are also three types of messages (or commands) sent by the C2 to the bot, that can be distinguished,” Pereira said. Those commands include Start Proxybackconnect, Sleep and Start DDoS, he said.

Breaking it down even further, the Start DDoS command includes two possible modes: HTTPFlood and UDPFlood. The Necurs bot will start an HTTP flood attack against the target if the first bytes of the message payload are the string “http:/”. If the first bytes of the message payload are not the string “http:/”, the bot will start a UDP flood attack against the target.

“Given the size of the Necurs botnets (more than one million IP/24 hours in the largest botnet), even the most basic techniques should produce a very powerful attack,” Pereira wrote.
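For a defender, the useful parts of this report are the indicators that separate the two flood modes: the “http:/” prefix that selects HTTPFlood over UDPFlood in a captured C2 command, and the fact that the UDP flood only ever sends payloads of 128 to 1024 bytes. The following is an added example, not code from the Anubis Labs report, showing how those two facts become triage and detection logic: a classifier for a captured Start DDoS payload, and a heuristic over per-packet records that flags an internal host sending a burst of UDP datagrams whose payload sizes all fall inside that range. The `Packet` record layout, the one-second window, the 50-packet threshold, and every IP address and timestamp in the sample are constructed assumptions for the illustration; the report itself states only the payload range and the endless-loop behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass

# Payload range reported for the Necurs UDPFlood mode (from the report).
UDP_MIN, UDP_MAX = 128, 1024
# Assumed detection parameters: tune to the monitored network's baseline.
WINDOW_SECONDS = 1.0
MIN_PACKETS = 50


def classify_ddos_command(payload: bytes) -> str:
    """Triage a captured Start DDoS command payload (from a memory dump or
    C2 traffic) into the mode the report says the bot would select."""
    return "HTTPFlood" if payload.startswith(b"http:/") else "UDPFlood"


@dataclass(frozen=True)
class Packet:
    """Assumed per-packet summary, as a sensor or pcap summariser might emit."""
    ts: float        # seconds
    src: str         # internal source IP
    dst: str         # "ip:port" of the destination
    proto: str       # "udp" or "tcp"
    payload_len: int


def udp_flood_candidates(packets, window=WINDOW_SECONDS,
                         min_packets=MIN_PACKETS) -> dict:
    """Return {(src, dst): peak_count} for source/destination pairs where one
    host sends at least min_packets UDP datagrams within `window` seconds and
    every datagram in that window has a payload inside [UDP_MIN, UDP_MAX].
    Requiring *every* packet to fit the range is what keeps legitimate bulk
    UDP (video, large DNS responses) out of the result."""
    by_pair = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "udp":
            by_pair[(p.src, p.dst)].append(p)
    hits = {}
    for pair, pkts in by_pair.items():
        start = 0
        for end in range(len(pkts)):
            while pkts[end].ts - pkts[start].ts > window:
                start += 1        # slide the window forward
            in_window = pkts[start:end + 1]
            if (len(in_window) >= min_packets and
                    all(UDP_MIN <= q.payload_len <= UDP_MAX for q in in_window)):
                hits[pair] = max(hits.get(pair, 0), len(in_window))
    return hits


def build_sample() -> list:
    """Constructed traffic: a flood-like burst, slow DNS, and bulk video UDP."""
    pkts = []
    # 80 datagrams in 0.4 s with sizes cycling through 128..1024 (flood-like).
    for i in range(80):
        pkts.append(Packet(i * 0.005, "10.0.0.5", "203.0.113.9:80", "udp",
                           128 + (i * 37) % 897))
    # 20 DNS queries spread over 10 s: too slow and too small.
    for i in range(20):
        pkts.append(Packet(i * 0.5, "10.0.0.7", "10.0.0.1:53", "udp", 45))
    # 60 video datagrams in 0.6 s but 1400 bytes each: outside the range.
    for i in range(60):
        pkts.append(Packet(i * 0.01, "10.0.0.8", "198.51.100.4:5004", "udp", 1400))
    return pkts


if __name__ == "__main__":
    for pair, count in udp_flood_candidates(build_sample()).items():
        print(f"possible UDP flood: {pair[0]} -> {pair[1]} ({count} pkts/window)")
    print(classify_ddos_command(b"http://203.0.113.9/index.html"))
```

The size filter does real work here: the 1400-byte video stream has a higher packet rate than the DNS traffic yet is excluded, because the bot's flood payloads never leave the 128 to 1024 byte band. In production the thresholds would be tuned against the network's own baseline, and a hit should be correlated with the proxy-port C2 communication the report describes before anyone isolates the host.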
“The HTTP attack works by starting 16 threads that perform an endless loop of HTTP requests… The UDP flood attack works by repeatedly sending a random payload with size between 128 and 1024 bytes,” according to the report.

The post Necurs Botnet Learns New DDoS Trick appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/necurs-botnet-learns-new-ddos-trick/

When it comes to website security questions, this pilot fish has a bad attitude — and that’s “bad” spelled P-R-A-C-T-I-C-A-L.

“When they let me write my own questions, I write stuff like ‘Top line of the Spanish text on the control box of the computer speakers,’” says fish. “It’s easy enough for me to find that answer — just look down and read it — but unless you’re in my house or know exactly what speakers I bought five years ago, you aren’t gonna get it.

“Otherwise, I usually type in nonsense, because I don’t forget my passwords.

“Then sometimes the company has a security breach, locks every affected account and says, ‘You’ll need to reset your password using your security questions.’

“I’ve been locked out of my 401(k) for about a year, and their support keeps saying there’s nothing they can do. Whatever — I won’t need it for a while.”

…But Sharky really needs your true tale of IT life right now. So send me your story at [email protected]. You’ll snag a snazzy Shark shirt if I use it.

The post Now THAT’S secure! appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/now-thats-secure/

This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes.
I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

An “overlay” skimming device (right) that was found attached to a card reader at a retail establishment.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay. The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).

If we look on the backside of this skimmer, we can see the electronics needed to intercept the PIN. The source who shared these pictures said an employee thought the PIN pad buttons were a little too difficult to press down, and soon discovered this plastic overlay and others just like it on two more self-checkout terminals.

Here’s a closeup of the electronics that power this skimmer (sorry, this is the highest resolution photo available):

This model of overlay skimmers appears to be quite similar to a version sold in the cybercrime underground and detailed in this post. According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smart phones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN “2016” on a Bluetooth-enabled wireless device.
However, the source said none of the overlay skimmers they found appeared to have any on-board data storage, suggesting the thieves had planted a second wireless device somewhere in or near the store and were hoovering up card and PIN data via Bluetooth in real time. Or, perhaps the crooks were simply sitting outside the store in the parking lot, using a laptop and high-gain antenna to pull down card and PIN data.
Customers generally are the first line of defense against these types of scams. Not long ago, KrebsOnSecurity published a post on how to spot Ingenico self-checkout skimmers. Unfortunately, most of the telltale signs are only noticeable if you are already well familiar with the appearance of a legitimate Ingenico ISC 250 terminal. Nevertheless, most of these skimmers will detach themselves with a gentle tug on the card reader.

For more tips on spotting these Ingenico overlay skimmers, check out this post. If you want to read more about skimming devices, check out my series, All About Skimmers.

Tags: Bluetooth, Ingenico overlay skimmer, ISC-250, self-checkout skimmer
The post More on Bluetooth Ingenico Overlay Skimmers appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/more-on-bluetooth-ingenico-overlay-skimmers/

Soon, your Samsung phone may be able to recognize your iris and log you into your Windows PC.

Iris-scanning via phone is not yet a feature available for Samsung’s latest Galaxy Book 2-in-1s, which were announced at Mobile World Congress. But the company wants to quickly bridge the gap between its Galaxy smartphones, which run on Android, and its Windows PCs and 2-in-1s.

Software called Samsung Flow links the company’s Android smartphones to Windows PCs. Samsung and Microsoft are looking to collaborate on logins via Windows Hello — designed to use biometric authentication to log into PCs — and one big Flow feature is the ability to use Galaxy smartphones to wirelessly log in to the new Galaxy Book.

Samsung is providing the ability to log into its Windows 10 PCs with Galaxy smartphones for convenience and security. For example, users will be able to bypass Windows Hello and keep retina scan information on a smartphone once that feature is available.

Otherwise, a user now can swipe a finger on a Galaxy smartphone or use pattern authentication to log into Galaxy Book. That’s a unique feature and independent of Windows Hello. The Galaxy Book doesn’t have a fingerprint scanner, so the smartphone is needed for that. An NFC connection is established for smartphone-based logins into Windows PCs.

Samsung is working with Microsoft to integrate more advanced authentication features, said Eric McCarty, vice president of mobile product marketing for Samsung Electronics America. Samsung has some unique biometric authentication technology on its handsets that could be used to log into Windows PCs. The now defunct Galaxy Note 7 had an iris scanner, which could make it to future Galaxy handsets.
In addition to its efforts on authentication, Samsung is trying to figure out ways to better link up its Android handsets, Windows PCs and Tizen OSes. There is a considerable gap between Samsung’s Windows PCs and devices with Tizen, like smartwatches and TVs. Samsung Flow links the Galaxy Books only to Android handsets, not Tizen devices. That’s a big hole in an otherwise strong product lineup, and keeps it a step behind main rival Apple, whose devices link up seamlessly.

Samsung is also looking at ways for wearables to better communicate with its PCs, McCarty said. These are forward-looking plans, and Samsung has to determine the best user experience and utility for customers, McCarty said.

The post Samsung mulls iris scanners on smartphones to log into Windows PCs appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/samsung-mulls-iris-scanners-on-smartphones-to-log-into-windows-pcs/