Doug Vitale Tech Blog

March-April 2015 News Archive

Top 30 Targeted High Risk Vulnerabilities

US CERT, 29 Apr 2015 – This alert provides information on the thirty most commonly exploited vulnerabilities used in cyber-attacks, along with prevention and mitigation recommendations. [More]

Encrypting Your Laptop Like You Mean It

The Intercept, 27 Apr 2015 – Time and again, people are told there is one obvious way to mitigate privacy threats of all sorts, from mass government surveillance to pervasive online tracking to cybercriminals: encryption. But how can ordinary people get started using encryption? [More]

At RSA Conference, Computer Security Done Right and Wrong

NY Times, 22 Apr 2015 – If 2013 was the “Year of the Breach” and 2014 was the “Year of the Mega-Breach,” 2015 may be the year that we run out of adjectives and start demanding real accountability from security vendors. [More]

New Browser Hack Can Spy On 8 Out Of 10 PCs

Forbes, 20 Apr 2015 – A group of Columbia University security researchers have uncovered a new and insidious way for a hacker to spy on a computer, Web app or virtual machine running in the cloud without being detected. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. [More]

Cyber extortion: A growth industry

CSO, 17 Apr 2015 – The traditional philosophy of never negotiating with extortionists has had to adapt to the realities of cybercrime – if you don’t pay, your data may be lost forever [More]

18-Year-Old Windows Glitch Revived to Steal Login Credentials

Softpedia, 14 Apr 2015 – The initial vulnerability was discovered by Aaron Spangler in 1997, who found that any URL beginning with “file://” followed by an IP address would cause Internet Explorer 3 to authenticate with the machine at the respective address. Machines that are improperly configured from a security standpoint will try to log into the SMB server in order to retrieve the resource. The new variant of the attack, which has been dubbed Redirect to SMB by security researchers at Cylance, consists in intercepting the HTTP requests from applications via the man-in-the-middle (MitM) technique and redirecting them to an untrusted SMB location where the victim’s machine authenticates. [More]

Critical infrastructure cyberattacks increase across the Americas

FCW, 13 Apr 2015 – Trend Micro reports that attacks on critical infrastructure providers by attackers looking to steal information and even destroy critical government, energy, banking and other industries’ networks have spread across dozens of countries in the Americas. [More]

Criminals borrowing HTTPS security to hide attacks

Tech World, 13 Apr 2015 – The HTTPS protocol might not be the protection it once was according to IT giant Dell which has spotted an increase in the number of attacks trying to sneak malware past firewalls. Dell Security calculates that the number of HTTPS web connections in use rose from 182 billion in January 2014 to 437 billion by March 2015. This means that HTTPS made up the majority of web connections, averaging around 60 percent throughout the year. Although this is only one company’s numbers, it’s clear that the adoption of SSL/TLS by many large brands shows how encrypted web traffic has become almost a default for many sites. Unfortunately, criminals are launching more attacks exploiting the same technology. [More]

BitTorrent’s audacious P2P-powered ‘Project Maelstrom’ enters public beta

PCWorld, 10 Apr 2015 – In December, BitTorrent Inc. announced its plan to radically change how we use the Internet with Project Maelstrom, a browser that retrieves web content from peer-to-peer-distributed torrents instead of traditional servers. Now the company is ready to give us an early look at its work. Maelstrom is a Chromium-based browser that can function as a regular browser that accesses sites over standard HTTP/HTTPS protocols. The program also contains the ability to grab websites packaged as torrents and display them. [More]

As encryption spreads, U.S. grapples with clash between privacy, security

Washington Post, 10 Apr 2015 – For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers? [More]

One year after Heartbleed, you don’t remember it — and that’s a problem

Venture Beat, 31 Mar 2015 – One year ago a security vulnerability came to light that could have potentially “broken the Internet”. It had a name. It even had a scary logo. For a few days in April 2014, the world’s media did their best to explain a bug that could truly break the ‘Net. Its name? Heartbleed. [More]

The FBI used to recommend encryption. Now they want to ban it

The Guardian, 28 Mar 2015 – FBI director Jim Comey was back before Congress this week – this time in front of the House Appropriations Committee – imploring Congressmen to pass a law that would force tech companies to create a backdoor in any phone or communications tool that uses encryption. He also revealed the Obama administration may be crafting such a law right now. [More]

Passphrases That You Can Memorize — But That Even the NSA Can’t Guess

The Intercept, 26 Mar 2015 – It’s getting easier to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption in the chat tool WhatsApp. But none of this technology offers as much protection as you may think if you don’t know how to come up with a good passphrase. [More]

Bad analogies and the threat to “cybersecurity”

EDRi, 25 Mar 2015 – In policy discussions about the online world a general pattern repeats: The online sphere is differentiated from its offline equivalent by adding the prefix “cyber”, giving it both immediacy and generating a fear of the unknown “cyberworld”. Then, in order to explain “cyberspace”, practitioners draw analogies between cyber and non-cyber, often being blissfully unaware of, or indifferent to, the invalidity of the comparisons. Here we will focus on two clear examples stemming from recent news, namely Germany’s and Switzerland’s capability to hack computer systems and networks located abroad. [More]

PoSeidon, A Deep Dive Into Point of Sale Malware

Cisco, 20 Mar 2015 – There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it. [More]

Premera Blue Cross Breached, Medical Information Exposed

ReCode, 17 Mar 2015 – Health insurer Premera Blue Cross said on Tuesday it was a victim of a cyber attack that may have exposed medical data and financial information of 11 million customers in the latest case of a health care company reporting a serious breach. [More]

Don’t trust your phone, don’t trust your laptop

Guardian, 8 Mar 2015 – What Snowden did was careful and considered: he identified examples of what he regarded were unconstitutional activities on the part of the NSA and then downloaded documentary evidence of these activities that would corroborate his judgment. Given the staggering scale of the activities revealed, I remember thinking that it would take us a long time to realize the full extent of the surveillance mesh in which we are entangled. So it has proved. [More]

DNS enhancement catches malware sites by understanding sneaky domain names

Ars Technica, 5 Mar 2015 – A researcher at OpenDNS Security Labs has developed a new way to automatically detect and block sites used to distribute malware almost instantaneously without having to scan them. Called NLPRank, the approach uses natural language processing and other analytics to detect malicious domains before they can attack by spotting host names that are designed as camouflage. [More]

FREAK Vulnerability Exposes SSL/TLS Security Hole

Security Week, 4 Mar 2015 – Researchers have released details of a vulnerability (CVE-2015-0204) that makes it possible for hackers to crack HTTPS-protected traffic by forcing vulnerable clients to downgrade to weaker crypto. It was discovered by a group of researchers from Microsoft Research and the French Institute for Research in Computer Science and Automation, who found it was possible to make web browsers use encryption intentionally weakened in order to comply with U.S. government regulations in effect during the 1990s that banned American companies from exporting strong encryption abroad. [More]

Carnegie Mellon faculty, staff fall victim to email scam

Education DIVE, 3 Mar 2015 – About 200 Carnegie Mellon faculty and staff members received an email Saturday that indicated they should log in to the university’s site for more information about a raise. Pittsburgh’s WPXI-TV reports that the hackers linked a very accurate replica of the Carnegie Mellon login site, tricking at least a handful of people into logging in with their personal IDs and passwords. [More]

New Federal Regulation Deters Experts On Road To Security

Tech Crunch, 3 Mar 2015 – Security experts were abuzz last month in anticipation of President Barack Obama’s proposal for new federal regulations that would concentrate on bolstering the nation’s stance on cybersecurity. But despite President Obama’s well-intentioned efforts to strengthen security, as they stand, the proposed regulations have garnered mixed reviews. [More]

The Democratization of Cyberattack

Schneier, 2 Mar 2015 – When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA’s program for what is called packet injection–basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. [More]


Written by Doug Vitale

May 30, 2015 at 7:41 AM
