RSS

YAHOO TO RELEASE END-TO-END ENCRYPTION FOR EMAIL USERS

Yahoo plans to enable end-to-end encryption for all of its Mail users next year. The company is working with Google on the project and the encryption will be mostly transparent for users, making it as simple as possible to use.

Alex Stamos, CISO at Yahoo, said that the project has been a priority since he joined the company a few months ago and will be a key way to make online life safer for millions of users. Yahoo is using the browser plugin Google released in June that enables end-to-end encryption of all data leaving the browser. Stamos said Yahoo is working to ensure that its system works well with Google’s so that encrypted communications between Yahoo Mail and Gmail users will be simple.

“The goal is to have complete compatibility with Gmail,” Stamos said during a talk at the Black Hat USA conference here Thursday.

The email encryption isn’t the only security improvement on the horizon for Yahoo. The company is also working on enabling HSTS on its servers, as well as certificate transparency. HSTS (HTTP strict transport security) allows Web sites to tell users’ browsers that they only want to communicate over an encrypted connection. The certificate transparency concept involves a system of public logs that list all certificates issued by cooperating certificate authorities. It requires the CAs to voluntarily submit their certificates, but it would help protect against attacks such as spoofing Web sites or man-in-the-middle.

The security upgrades on the docket at Yahoo are aimed at making it easier for everyday users to use the Internet safely and securely, without needing to be security or privacy experts, Stamos said. The security industry spends a lot of time working out defenses and new products to protect against exotic attacks while users are being targeted by much more mundane attacks that still don’t have effective solutions.

“Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real,” Stamos said. “We as an industry have failed. We’ve failed to keep users safe.

“If we can’t build systems that our users in the twenty-fifth percentile can use, we’re failing. And we are failing. We don’t build systems that normal people can use.”
reference
http://threatpost.com/yahoo-to-release-end-to-end-encryption-for-email-users

Advertisements
 
Leave a comment

Posted by on August 8, 2014 in Security

 

OpenSSL patches Nine Vulnerabilities

OpenSSL has released updates patching nine vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or force the client to revert to a less secure Transport Layer Security (TLS) 1.0 protocol. The following updates are available:

➡️OpenSSL 0.9.8 users should upgrade to 0.9.8zb
➡️OpenSSL 1.0.0 users should upgrade to 1.0.0n
➡️OpenSSL 1.0.1 users should upgrade to 1.0.1i

References: URL for this Security Advisory: http://www.openssl.org/news/secadv_20140806.txt

Note: the online version of the advisory may be updated with additional details over time.

 
Leave a comment

Posted by on August 8, 2014 in Security

 

Russian Hackers Amass Over a Billion Internet Passwords

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. A security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

http://mobile.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0&referrer=

 
Leave a comment

Posted by on August 7, 2014 in Security

 

Hijacking-planes-navigation-system-with an Android app

It is a terrifying prospect, a hack that allows an attacker to take control of plane navigation and cockpit systems has been revealed at a security conference in Europe.
This was demonstrated by Hugo Teso, a researcher at security consultancy N.Runs in Germany who’s also a commercial airline pilot. He explained that by building an exploit framework called Simon and a complimentary Android app that delivers attack messages, he could manipulate a plane’s path as he saw fit.
“You can use this system to modify approximately everything related to the navigation of the plane,” Teso told reporters. Teso found he was able to eavesdrop on the system’s communications over its 1MBps link, as well as blocking information and injecting data into link.
It took three years of hunting down holes in standard systems to work out how he could use radio signals to send his own navigation commands to a plane’s control system, using publicly available Flight Management System (FMS) hardware and software which mirror the code onboard real planes.
The results of Teso’s hard work are terrifying. The hack targets two technologies, Automatic Dependent Surveillance-Broadcast (ADS-B) and Aircraft Communications Addressing and Report System (ACARS).
“I expected them to have security issues but I did not expect them to be so easy to spot. I thought I would have to fight hard to get into them but it was not that difficult,” Teso said.
He stressed his app was merely a proof of concept, intended to alert aircraft manufacturers to the security loopholes. He claimed the Federal Aviation Administration and the European Aviation Safety Administration were already working on fixing the vulnerability.

http://thehackernews.com/2013/04/hijacking-planes-navigation-system-with.html?m=1

 
Leave a comment

Posted by on August 6, 2014 in Security

 

AusPost raises red flag on latest scam email

Australia Post has issued a warning on a scam email designed to lure unsuspecting customers into downloading potentially malicious information.

The scam is based on the premise of a failed parcel delivery, with an email advising customers to download information about the parcel that a courier has failed to deliver. Customers are asked to print the information and go to the post office to receive the package.
AusPost Parcel-Scam

Australia Post has advised customers to not open the scam email, uses six address variations including:

•info@aust-post.com
•infor@aus-post.info
•info@aus-post.biz
•info@auspost.biz
•info@aust-post.net
•info@aut-post.com

Australia Post has also added that it has no policy of charging customers for holding their parcel.

“Australia Post does not request customers to remit a payment for parcel collection, nor does it charge customers for holding a parcel,” the company said in its advisory

http://www.businessspectator.com.au/news/2014/8/5/technology/auspost-raises-red-flag-latest-scam-email

 
Leave a comment

Posted by on August 6, 2014 in Security

 

Cisco warns of big remote management hole in tiny routers

A vulnerability in the web server used in multiple Cisco Wireless Residential Gateway products could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.

The vulnerability is due to incorrect input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

Affected Products
•Cisco DPC3212 VoIP Cable Modem
•Cisco DPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
•Cisco EPC3212 VoIP Cable Modem
•Cisco EPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
•Cisco Model DPC3010 DOCSIS 3.0 8×4 Cable Modem
•Cisco Model DPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
•Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
•Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
•Cisco Model EPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA

Products Confirmed Not Vulnerable
•Cisco Model DCP2100 DOCSIS 2.0 Cable Modem
•Cisco Model DPC3008 DOCSIS 3.0 8×4 Cable Modem
•Cisco Model DPC3208 8×4 DOCSIS 3.0 Cable Modem
•Cisco Model DPC3828 DOCSIS 3.0 8×4 Residential Wireless Gateway
•Cisco Model DPC3928 DOCSIS 3.0 8×4 Wireless Residential Gateway
•Cisco Model EPC2425 EuroDOCSIS 2.0 Cable Modem
•Cisco Model EPC3008 EuroDOCSIS 3.0 8×4 VoIP Cable Modem
•Cisco Model EPC3208 8×4 DOCSIS 3.0 Cable Modem
•Cisco Model EPC3828 EuroDOCSIS 3.0 8×4 Residential Wireless Gateway
•Cisco Model EPC3928 EuroDOCSIS 3.0 8×4 Wireless Residential Gateway
•Scientific Atlanta DPR2320 Cable Modem
•Scientific Atlanta DPX 2000 Cable Modem
•Scientific Atlanta EPC2203 VoIP Cable Modem
•WebSTAR DPX2100 Cable Modem
•WebSTAR DPX2203C VoIP Cable Modem
•WebSTAR EPC2100R2 Cable Modem
•WebSTAR EPR2325 EuroDOCSIS Residential Gateway with Wireless Access Point

 
Leave a comment

Posted by on July 18, 2014 in Security

 

CNET User Database Hacked By W0rm

A Russian hacker group that goes by the name of W0rm hacked CNET.com over the weekend. In a conversation between W0rm and CNET, W0rm revealed that they used a security hold in CNET.com’s implementation of the Symfony PHP framework. W0rm has previously claimed credit for online security breaches of BBC, Adobe Systems, and Bank of America. In the weekend attack, W0rm was reportedly able to steal a database of over 1 million registered CNET users. The data stolen includes names, emails, and encrypted passwords. The breach was first realized when W0rm teased a carefully edited screenshot of CNET.com’s source via twitter on 7/12/14.

On 7/14/14, W0rm briefly offered to sell the entire database for the grand sum of 1 Bitcoin, W0rm’s tweets to that effect have since been removed.

 
Leave a comment

Posted by on July 16, 2014 in Security