Security

"The so-called "hacktivist" group Anonymous claimed responsibility for the attack on government and law enforcement computers in Alabama on Friday in response to what it called the state's "racist" immigration law." - LANjackal from Bookmarklet

"Another question is why is Apple allowing this kind of behavior from iOS apps? The whole point of Apple's app approval process is to protect its users from malware and privacy violations. So why aren't privacy protections being extended to your address book when apps are being reviewed? So much for the safety of Apple's walled garden." - LANjackal from Bookmarklet

"The Supreme Court struck down the U.S. government's argument that it can use GPS to track a suspect's vehicle without a warrant. In a unanimous decision, the court said the Fourth Amendment protection of "persons, houses, papers, and effects, against unreasonable searches and seizures" would be violated if law enforcement agencies were allowed to attach a GPS location to a suspect's vehicle without obtaining a warrant." - LANjackal from Bookmarklet

"I recently found out that it is possible to kill a screensaver/screen locker program on the latest version of Xorg (1.11 shipped with archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding." - imabonehead from Bookmarklet

"As I'm sure many of you know, the rise of mobile-based malware has been on the rise for some time now. We've been steadily seeing this criminal space mature in the same way that malware on the Windows platform did in years past. A new milestone for mobile malware was recently discovered in the wild by Denis Maslennikov of Kaspersky Labs-- IRC bot control." - imabonehead from Bookmarklet

*whistle* that is impressive hacking... and yes, very new meets old school - Michael W. May

"In the current threat environment, rapid communication of pertinent threat information is the key to quickly detecting, responding and containing targeted attacks. OpenIOC is designed to fill a void that currently exists for organizations that want to share threat information both internally and externally in a machine-digestible format. OpenIOC is an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise. OpenIOC was originally designed to enable MANDIANT’s products to codify intelligence in order to rapidly search for potential security breaches. Now, in response to requests from across the user community, MANDIANT has standardized and open sourced the OpenIOC schema and is releasing tools and utilities to allow communication of threat information at machine speed." - imabonehead from Bookmarklet

"Recently I have been asked about how I handle the gpg key I use for Apache releases. For what is worth, the question popped up in the context of a few other community members taking on the release manager role. As those of you that follow Apache Camel already know the Camel PMC decided to actively support and issue patch releases for the two latest minor branches. But I digress. As I mentioned, I don't keep my private key on my laptop, but on an encrypted usb flash disk. The main reason is security, as the probability of someone getting access to my box greater than zero. In particular the key used for Apache releases is trusted by other ASF members and making sure it doesn't get compromised is one of the duties of the release manager. Of course one could revoke a key, but then verifying the integrity of a release becomes complicated at best. My setup works on Ubuntu 11.10 and the idea behind it was using something similar to 2-factor authentication (something I have and something I... more... - imabonehead from Bookmarklet

"Today we're going to run down, step-by-step, how to crack a Wi-Fi network with WEP security turned on. But first, a word: Knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise." - imabonehead from Bookmarklet

"[Hacker] groups realised that by using the Anonymous name they could effectively use other Anonymous members as a 'human' shield and have some plausible deniability... Using Anonymous, anyone can hack/leak and delete corporate or government secrets and make it look like it was the 'hacktivists' that did it." - LANjackal from Bookmarklet

hey, nice thisbut just check........http://arrangeyourvacation.com/events... - Roshni Padole

"Twitter plans to open source some of the Android security products built by the developers behind Whisper Systems, which Twitter acquired last month. Twitter is starting with Whisper Systems' TextSecure, an Android text messaging client that encrypts messages. Developers can view the source code at GitHub. "We hope that as an open source project, TextSecure will be able to reach even more people, with an even larger number of contributors working to make it a great product," developers and Whisper Systems' founders Moxie Marlinspike and Stuart Anderson wrote on the Whisper Systems blog." - imabonehead from Bookmarklet

"Today, I gave a talk on an implementation of a man in the middle (MITM) attack on HDCP-secured video links. Here is a full copy of the slides that I presented (with explanatory diagrams), as well as the text-only of the paper which accompanies the slides, below. Also, please note that the hardware disclosed in this talk is now available for purchase from the good folks at Adafruit. You can find more technical documentation about the NeTV at the kosagi.com wiki, and you can discuss at the kosagi.com forum." - imabonehead from Bookmarklet

"WebSockets is definately one of the brighter features of HTML5. It allows for easy and efficient real-time commucation with the server, and with the introduction of Socket.IO, node.js and similar libraries, it is sure to gain popularity. It's a must when you're developing an interactive application like chat, game, realtime reporting system etc. But, from a security standpoint there are many things to consider when implementing WebSockets in your next project. I don't call them vulnerabilities - but they will most likely create a vulnerability when not dealt with correctly. In this post I describe all these aspects and release socket_io_client - tool for testing & exploiting WebSockets servers." - imabonehead from Bookmarklet

"I’m happy to announce the release of version 3 of the REMnux Linux distribution for reverse-engineering malware. This release incorporates many usability improvements, software updates and new tools to make the environment even more useful for analyzing malicious software. REMnux is available as a VMware virtual appliance and as an ISO image of a Live CD. The easiest way to get started with and derive the most value from REMnux is to refer to the new REMnux Usage Tips cheat sheet." - imabonehead from Bookmarklet

"The growing role of the Internet in everyday life and business is creating a rich trove of digital information about people, companies, and nations, Deibert noted in a recent blog post. "Unsurprisingly, a massive cyber industrial complex has sprouted around the commercial exploitation of [it]," he wrote. Deibert notes that censoring the Web used to be considered an undertaking for only hubristic, authoritarian regimes, but is now being considered by defense departments worldwide being courted by corporations like those featured in the new Wikileaks documents." - imabonehead from Bookmarklet

"We were first to post the story yesterday by almost an hour, thanks to some fantastic international patrons of aviationintel.com, and I have yet to find any in-depth analysis of the evidence presented by the Iranian Government of what appears to be an RQ-170 Sentinel displayed in a basketball gym, almost fully intact. The experts have chimed in all over the networks and print media, and I have to say this is even worse superficial analysis than the Stealth Blackhawk tail fiasco back in May (a story we were over a day ahead of anyone else, broken on the Lars Larson National Radio Program). I am not trying to sing my own praises here, I am just trying to underline that you have to be careful who you listen to. Just because they may work for a well-known news outlet it does not mean their commentary is totally informed. One “expert” today even said the drone was a fake because the wings were drooping. Apparently he did not look at the evidence for more than a couple of seconds, as this... more... - imabonehead from Bookmarklet

"This article is about how to use the S/MIME encryption function of common e-mail clients to sign and/or encrypt your mails safely. S/MIME uses SSL certificates which you can either create yourself or let a trusted certificate authority (CA) create one for you. This tutorial comes without warranty of any kind. I do not guarantee that this will work for you." - imabonehead from Bookmarklet

"The US stealth drone broadcast last week on Iranian state television was captured by spoofing its GPS coordinates, a hack that tricked the bird into landing in Iranian territory instead of where it was programmed to touch down, The Christian Science Monitor reported. The 1700-word article cited an unnamed Iranian engineer who said he's studying the inner workings of the American bat-wing RQ-170 Sentinel that recently went missing over Iranian airspace. He said the spoofing technique made the craft “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center." - imabonehead from Bookmarklet

Wow, that's ingenious. - Andrew C (✓)

"The father of free software philosophy spoke to RT on evil developers, spying social networks, the almost-legitimacy of Anonymous hacks and the condition under which he would take a proprietary program and a million dollars. Stallman is the man behind the concept that every computer program must be free for users to study and modify as they want. This is the only way to ensure that by using the software users do not compromise their human rights, he says." - imabonehead from Bookmarklet

"If you routinely use multiple computers, it can be a challenge to keep your data files organized and to manage multiple login IDs. OpenSSH can help you with those tasks. It’s a powerful, secure tool that lets you share files without having to set up a file server, run applications remotely, and perform remote administration chores quickly and securely. You probably already know how to use OpenSSH for file transfers. Here we’ll uncover some less well-known OpenSSH tricks that can make life easier for roaming computer users." - imabonehead from Bookmarklet

"A collection of documents recently published by Wikileaks casts a light on surveillance vendors who sell intrusive monitoring technology to governments and law enforcement agencies. This growing industry—which serves countries around the world—offers the ability to monitor entire populations and circumvent the privacy and security safeguards built into conventional consumer technology. In our report last week, we highlighted DigiTask, a German company that sells malware for law enforcement investigations. The company's marketing materials says that its software, which is deployed through zero day exploits, can intercept encryption keys to provide law enforcement agents with access to encrypted communications. DigiTask is just one of the many vendors who produce such software. In this article, we will give you a brief look at some of the marketing material that was included in the Wikileaks Spy Files." - imabonehead from Bookmarklet

"Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ and later confirmed it's in all versions of iOS, including iOS 5. We were able to independently verify that at the very least, references to Carrier IQ's servers do exist within iPhoneOS 3.1.3 in a file located at /usr/bin/IQAgent. What exactly that binary is able to access or how it may communicate with either carriers or Carrier IQ is not yet known, though there are references to an IQAgent log on the device as well as references to collector.sky.carrieriq.com." - LANjackal from Bookmarklet

"We do a ton of password cracking for our clients. Sometimes its because we've compromised one system and are looking for password reuse, sometimes its because we're pulling password complexity statistics to prove a point, and sometimes we're just trying to break a WPA-PSK. Nonetheless it helps to have a beefy system on your side. We've recently revamped our cracking server, here is some information about its specifications and configuration." - imabonehead from Bookmarklet

"Last year we introduced HTTPS by default for Gmail and encrypted search. We’re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling forward secrecy by default. Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic." - imabonehead from Bookmarklet

"DigitalPersona has open sourced its new MINEX-certified FingerJetFX fingerprint feature extraction technology. FingerJetFX, Open Source Edition (OSE), is free, portable software that device manufacturers and application developers can use to convert bulky fingerprint images into small, mathematical representations called fingerprint “templates” for efficient storage or comparison." - imabonehead from Bookmarklet

"Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with Gmail. According to its developers, GPG4Browsers is a prototype, but it supports almost all asymmetric and symmetric ciphers and hash functions specified in the OpenPGP standard." - imabonehead from Bookmarklet

"Four British men charged with computer hacking in connection with online groups LulzSec and Anonymous will not stand trial before November next year. The four – Peter David Gibson, 22, Ashley Rhodes, 26, Christopher Weatherhead, 20 and a 17-year-old student – were given a provisional trial date of 7 November 2012 at a short hearing at Southwark crown court in London on Friday." - LANjackal from Bookmarklet