Firmware bug in CCTV software may have given POS hackers a foothold

A researcher with RSA says faulty firmware found in security cameras sold by at least 70 vendors may be a contributor to many of the credit card breaches that have proved costly to retailers.Rotem Kerner based his research on a paper RSA published in December 2014 into a malware nicknamed Backoff, which steals payment card details processed by point-of-sale systems.The U.S. Secret Service and Department of Homeland Security warned in August 2014 that upwards of 1,000 U.S. businesses may have been infected with Backoff.To read this article in full or to leave a comment, please click here

Learning Tools Updates

One of the projects that I started last year was my GitHub “learning-tools” repository, in which I store tools (of various sorts) to help with learning new technologies. Many of these tools are Vagrant environments, but some are sample templates for other tools like Terraform. I recently made some updates to a couple of the tools in this repo, so I wanted to briefly update my readers.

Docker with IPVLAN L2 Interfaces

This area of the repository was already present, but I had a note in the repo’s main README.md noting that it wasn’t fully functional. After having to work through some other issues (issues that resulted in this blog post), I was finally able to create the tools and assets to make this environment easily repeatable. So, if you’d like to work with Docker using IPVLAN interfaces in L2 mode, then have a look in the docker-ipvlan folder of the repository. The folder-specific README.md is pretty self-explanatory, but if you run into any problems or issues feel free to open a GitHub issue.

Docker with IPVLAN L3 Interfaces

This is an entirely new area of the repo. Thanks in part to being able to complete Continue reading

DOJ knew of possible iPhone-cracking method before Apple case

Weeks before the FBI sought a court order forcing Apple to help it break into an iPhone used by one of the the San Bernardino gunmen, a sister agency in the Department of Justice was already using an Israeli security firm's technology to attempt to crack a similar device.The FBI and the DOJ have repeatedly insisted that they had no other option but to force Apple to help them crack an iPhone used by the gunman Syed Rizwan Farook, at least until an outside party offered assistance earlier this week.“We have engaged all parts of the U.S. government” to find a way to access the device without Apple’s help, FBI Director James Comey told lawmakers in early March. “If we could have done this quietly and privately, we would have done it.”To read this article in full or to leave a comment, please click here

ISPs have built huge data systems to track you with, report says

Web users face an even greater threat to their privacy as large ISPs align themselves more closely with data brokers to track their customers, an advocacy group said.Several large ISPs have either formed partnerships with, or acquired, data tracking and analytics firms in recent years, giving them a "vast storehouse of consumer data," according to a report Wednesday from the Center for Digital Democracy."ISPs have been on a shopping spree to help build their data-targeting system across devices and platforms," the report says. "Superfast computers analyze our information ... to decide in milliseconds whether to target us for marketing and more."To read this article in full or to leave a comment, please click here

FBI to hack into locked iPhone with help from Israeli company

Apple's saga with the FBI isn't over just yet, but it appears that the two entities are no longer on a collision course, legally speaking of course. Earlier this week, the DOJ filed a motion with the court overseeing the matter to postpone an upcoming hearing which was scheduled to take place on Tuesday. The reason? The DOJ relayed that the FBI may have found a way to access the locked iPhone of one of the San Bernardino terrorists with out Apple's assistance..As has been recounted before, the iPhone in question was equipped with a passcode and may have been set up to erase itself after 10 failed passcode entries. As a result, the FBI wanted Apple to create an entirely new and modified version of iOS that would have bypassed this security mechanism. In turn, the FBI would have been able to implement a brute force attack to access the device.To read this article in full or to leave a comment, please click here

Take a 4K VR tour around Google’s Oregon data center

Data centers are typically high-security locations and operators don't like you snooping around, but Google is giving users a look at one of its latest and most advanced data centers using virtual reality.The tour of Google's data center in The Dalles, Oregon, was published to coincide with the company's Google Compute Summit which starts Wednesday in San Francisco.Google is trying to entice more customers to its cloud services, to compete better with Amazon Web Services and Microsoft, and showing off its advanced facilities might help with that goal.The tour is best viewed in a virtual reality headset, like Google Cardboard, but you can also see it on a plan old smartphone or desktop. On a phone you can look around by moving the handset. On a desktop, you use the mouse.To read this article in full or to leave a comment, please click here

Social engineering 101: 18 ways to hack a human [Infographic]

What will the cause of your next security breach? Will it be your firewall? Will it be your VPN? Will it be your website? Nope. Chances are, your next security breach will be caused by hackers exploiting someone within your organization. In just the last two months, a single, simple phishing scam targeted seven organizations, gaining access to W2 information. And business email compromise attacks, in particular, are growing fast and hard to defend against.To read this article in full or to leave a comment, please click here(Insider Story)

Here’s how the FBI plans to crack terrorist’s iPhone

An outside contractor with established ties to the FBI has most likely shown investigators how to circumvent the iPhone's security measures by copying the contents of the device's flash storage, a forensics expert said today.Called "NAND mirroring," the technique relies on using numerous copies of the iPhone storage to input possible passcodes until the correct one is found."The other ideas, I've kind of ruled out," said Jonathan Zdziarski in an interview. Zdziarski is a noted iPhone forensics and security expert. "None of them seemed to fit."+ MORE Let's hope the FBI can really crack the iPhone +To read this article in full or to leave a comment, please click here

Uber dares hackers to find flaws, offers up to $10K bounty

On-demand car service Uber is offering from $3,000 to $10,000 to hackers who can find flaws in its computer and communications systems.HackerOne, a company that connects white-hat hackers to companies who want to use them to test the security of systems, is running Uber's "bounty program."The amount of the reward is based on the severity of the flaw discovered by a hackers, i.e., security researchers.HackerOne has established three categories of rewards; $10,000 for a "critical flaw," $5,000 for a "significant flaw" and $3,000 for "medium issues."INSIDER: Traditional anti-virus is dead: Long live the new and improved AV "Chaining of bugs is not frowned upon in any way, we love to see clever exploit chains!" Uber stated in its online challenge. "If you get access to an Uber server, please report it us and we will reward you with an appropriate bounty taking into full consideration the severity of what could be done. Chaining a CSRF vulnerability with a self-XSS? Nice! Using AWS access key to dump user info? Not cool."To read this article in full or to leave a comment, please click here

Microsoft adds macros lockdown feature in Office 2016 in response to increasing attacks

Enterprise system administrators can now block attackers from using a favorite malware infection method: Microsoft Office documents with malicious macros. Microsoft this week added a new option in Office 2016 that allows administrators to block macros -- embedded automation scripts -- from running in Word, Excel and PowerPoint documents that originate from the Internet. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), and they can be used for malicious activities like installing malware. Macro viruses were popular more than a decade ago but became almost extinct after Microsoft disabled macros by default in its Office programs.To read this article in full or to leave a comment, please click here

TLS Certificate Optimization: The Technical Details behind “No Browser Left Behind”

Overview

Back in early December we announced our "no browser left behind" initiative to the world. Since then, we have served well over 500 billion SHA-1 certificates to visitors that otherwise would not have been able to communicate securely with our customers’ sites using HTTPS. All the while, we’ve continued to present newer SHA-2 certificates to modern browsers using the latest in elliptic curve cryptography, demonstrating that one does not have to sacrifice security to accommodate all the world’s Internet users. (If you weren’t able to acquire a SHA-1 certificate before CAs ceased issuing them on 2015/12/31, you can still sign up for a paid plan and we will immediately generate one to serve to your legacy visitors.)

Shortly after we announced these new benefits for our paid Universal SSL customers, we started hearing from other technology leaders who were implementing (or already had implemented) similar functionality. At first glance, the logic to identify incoming connections that only support SHA-1 seems straightforward, but as we spoke with our friends at Facebook, Twitter, and Mozilla, I realized that everyone was taking a slightly different approach. Complicating the matter even further was the fact that at CloudFlare we not only Continue reading

What does Etsy’s architecture look like today?

This is a guest post by Christophe Limpalair based on an interview (video) he did with Jon Cowie, Staff Operations Engineer and Breaksmith @ Etsy.

Etsy has been a fascinating platform to watch, and study, as they transitioned from a new platform to a stable and well-established e-commerce engine. That shift required a lot of cultural change, but the end result is striking.

In case you haven't seen it already, there's a post from 2012 that outlines their growth and shift. But what has happened since then? Are they still innovating? How are engineering decisions made, and how does this shape their engineering culture? These are questions we explored with Jon Cowie, a Staff Operations Engineer at Etsy, and the author of Customizing Chef, in a new podcast episode.

What does Etsy's architecture look like nowadays?

1 3,035 3,036 3,037 3,038 3,039 3,793