we are now in the back office working with some services to close down a security hole - well, it is a security hole as such - that is so big and mind-blowing that I just can't believe it - and I just needed some googling and web services to show how rotten and corrupt it was (and that is all I do: go through lots of Tor, web forums and sites and google the Belgian web; I never used local tools on the PC against any website)
it really is that simple
but when you find another big one - then the really hard part starts - and that is deciding what you should do with the information.
with this information I can go to the press and make headlines - even better than headlines, cause a real security panic in certain circles
but what is the net result of all that ?
in fact not much
remember that VOO lost the data of half a million of its members? Or the NMBS a million? Or online part-time work and credit companies that lost information?
what did it change ?
well, one day I will tell, but for now we will be working to get it offline because there is nothing else you can do, in fact
but if you are running on servers and code that are more than 8 years old (yes, really) then what do you expect
some of my friends tell me that I should leak it or just let it be hacked and that that will wake people up; well, we had Belgacom, the worst total hacking of an entire telecom network over 3 years, we had the hacking of several other federal institutions and so on
and we still have no central cybersecurity centre, the CERT still has neither the necessary funding (some say that FEDICT cut the budget) nor the manpower, and there are still no real cybersecurity laws with teeth
remember all the trouble when we published the information about the eID some years ago. That was front-page news. They fixed the security hole that made it possible for any virus to intercept all the information on your eID half a year later, but did it change the security of the eID dramatically?
it also means that backoffice information is safe with us
until it gets too much - even for us
In fact it couldn't be made better if it was made for a spy agency or a criminal organisation
it means that ATMs and payment terminals in stores will have to be designed differently to give more protection
They already have a law that limits gaming during the night for children and youngsters
"In late 2011, after a published report indicated teenage students were spending more than 2 hours every day after school playing video games, the government passed the Shutdown Law, which prevents adolescents under the age of 16 from playing games from midnight to 6AM.
They are now discussing a new law that will even go further
This is what McAfee is saying in a new report about mobile malware
"The addictive Flappy Birds app was pulled by its creator from app stores in February, which meant a surge in clones of the game. According to McAfee Labs, much of the malware found on these copycats included ways for perpetrators to make phone calls, install additional apps, extract contact lists, track geo-location, and establish control over the device to let them do things like record, send, and receive text messages.
this is why it was a bad idea to take it offline instead of keeping it hosted by an organisation, even if the developer wanted some anonymity back
the main result of his action, by which he wanted to do some good, is the enormous rise of very dangerous clones
The Dutch Railways (Nederlandse Spoorwegen) are planning the end of the OV-chipkaart. The company is going to run a pilot with checking in and out using bank cards equipped with NFC, the same technology as the OV-chipkaart. ING and ABN-AMRO in particular are betting heavily on the debit card with NFC, initially for contactless payment. That system is, however, also perfectly suitable for travel, with the transaction debited immediately from the cardholder's account.
There are, after all, other possibilities, but it does mean that the bank card with its payment capabilities has become a single point of failure.
The whole question, then, is whether our Mobib card will also go down this road ......
this is one from yesterday
meanwhile the international press is writing, without questioning it, that he is showing his good intentions and that some European countries believe him
Ireland’s data-protection authority is in charge of Facebook’s compliance with EU data-protection law because the social network owner’s European headquarters are located in Dublin. Facebook’s Irish unit is responsible for the business outside of the U.S. and Canada.
“The Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens,” Hogan said in his decision. “Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programs.”
Facebook told the Irish authority that it only handed data to U.S. security agencies “by means of targeted requests which were properly and lawfully made,” Hogan said in the ruling. The Irish Commissioner also ruled that Facebook had “appropriate procedures” to handle such requests.
Revelations of mass surveillance by former U.S. contractor Edward Snowden may have “exposed gaping holes in contemporary U.S. data protection practice” that could undermine an accord that allows companies to transfer information to the U.S. from Europe, Irish High Court Judge Gerard Hogan said in a decision published online. The European Union’s top court should decide whether data-protection regulators can probe allegations that Facebook Inc. (FB)’s Irish unit illegally handed over data to U.S. spies, an Irish judge ruled today.
The Safe Harbor agreement is nothing but an agreement to be able to harbor European data in the US and is anything but safe; the Snowden leaks confirmed that in this way European data came into the hands of US spy agencies without explicit European consent and that due process was not always followed
The firms that are not awaiting the decisions and are keeping European data in Europe are more future-proof than others.
1. "The Federal Information Security Modernization Act of 2014 would update the Federal Information Security Act of 2002 and address critical issues that have risen over the past 12 years. The bill would better delineate the roles and responsibilities of the Office of Management and Budget and DHS, move agencies away from paperwork-heavy processes toward real-time and automated security and put greater management and oversight attention on data breaches.
2. In May, the committee approved the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014, which would help address critical challenges that DHS faces in hiring and retaining cybersecurity professionals by providing the DHS secretary hiring and compensation authorities for cybersecurity experts like those of the Secretary of Defense.
3. Tuesday the National Cybersecurity and Communications Integration Center (NCCIC) Act of 2014 and the Federal Information Security Modernization (FISMA) Act of 2014 -- legislation that would take a number of steps to modernize and address critical challenges to the nation's cyber security capabilities -- were introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Sen. Tom Carper (D-Del.) and co-sponsor Sen. Tom Coburn (R-Okla.), ranking member of the committee. The National Cybersecurity and Communications Integration Center Act of 2014 would codify the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integration Center. The bill calls on the center to serve as the federal civilian information sharing interface for cybersecurity. The bill authorizes the center's current activities to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies, and recommend security measures to enhance cybersecurity
"The Federal Aviation Association (FAA) published an order last Friday in the Federal Register, an official federal journal containing government rules and public notices, requiring Boeing to modify the technology aboard 737 jetliners to protect the planes against computer hackers.
Effective immediately, the order applies to 737-700, -700C, -800, -900ER, -7, -8 and -9 aircraft. These models feature a digital systems architecture composed of several connected networks. According to the FAA, the network configuration on these models allows increased connectivity with external networks, such as passenger entertainment and information services, which create possible vulnerabilities that can be exploited by hackers.
“This may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane, which could result in unsafe conditions for the airplane and its occupants,” the FAA explained in its order.
after Snakes on a Plane it will be computer hackers on the plane disabling or distorting information for the pilots, changing direction, playing sick jokes on the internal TV system and playing death metal over the speakers (for example)
in fact it means that the pilot should be able to deactivate the smart system and fly the airplane without all that so-called smart stuff and networks and overload of information
if there were no cause for alarm the FAA wouldn't have published an order publicly; probably somebody dismissed their earlier remarks and concerns
Microsoft and Samsung are working on an anti-theft kill switch for phones after its successful introduction by Apple
"In New York City, robberies and grand larcenies from a person involving Apple products dropped 19% and 29%, respectively, in the first five months of this year, compared with a year earlier. In San Francisco, iPhone robberies declined 38%. In London, Apple thefts declined 24%. The statistics were compiled by New York Attorney General Eric Schneiderman.
The declines followed Apple's introduction last fall of an Activation Lock in the latest version of its mobile operating system. The feature allows the owner of a stolen device to remotely deactivate a phone, rendering it nearly useless to thieves.
Apple took this decision under heavy pressure from the NY attorney general and police, who were complaining about the enormous workload caused by stolen iPhones. Some anecdotal evidence says that thieves are now looking for other phones instead, but the other phone companies have decided to develop a kill switch as well.
This doesn't mean that the evidence is conclusive, but it is always better than nothing and it gives the victim the possibility to try to block access to his data.
"This course really helps us get our workforce certified and trained in concert with their active component brethren," said Senior Chief Information Systems Technician Ramon Cuevas, N7 senior enlisted advisor for Commander Information Dominance Corps Reserve Command.
Highly-qualified instructors, composed entirely of drilling Reservists working on Annual Training orders, spent each class day directing students through the challenging course, highlighting such topics as operational security, threats and vulnerabilities, as well as discussing strategies and tactics to those who are charged with standing on the front lines of the constantly evolving cyber battlefield. At the end of the course, Reservists needed to pass a rigorous, comprehensive exam in order to achieve certification. All 11 students passed the test.
Focusing on the "bottom line," Director of Training (N7), Shawn L. Smith, explained the necessity to always take "the approach that best serves the mission" first. Stressing fiscal responsibility and the welfare of every Sailor, Smith recognized early that Reserve Component (RC) service members, already providing certification training to AC units, could be optimally utilized by serving as instructors to RC commands as well, reducing costs for the DOD across the board. By exercising this cost-effective tactic, Smith believes the Navy is getting "the most bang for our training buck."
As outlined in his Navigation Plan for 2013-2017, Chief of Naval Operations Adm. Jonathan Greenert expressly stated the Navy's intention to "fully exploit cyberspace and the electro-magnetic spectrum as war fighting domains." This mission directly calls upon highly trained, operationally ready ITs to "defend our computer networks, sustain information assurance, develop network operations technology, as well as educate the next generation of cyber operators."
By implementing this new, streamlined training model, SRP aims to coordinate its training mission with the objectives set forth by the CNO, concentrating on delivering top-quality instruction to future cyber war-fighters, equipped with the skillset to maintain sustainable deterrence throughout the cyber world.
Figuring out better ways to utilize ITs throughout the RC and developing a more capable ready response force is at the center of what Capt. Andrew Caldera, deputy commander, Information Dominance Corps Reserve Command, sees his office supporting. "The Reserves' role, first and foremost, is to be a strategic capability, ready to deploy forward, whenever needed," said Caldera.
reservists, I read
giving training and courses to professional soldiers
helping soldiers to protect their lives by having secure networks during military operations
"Human geography is a multi-discipline study of the Earth and how people move across it, where they gather and how they interact there. It combines numerous fields including history, political science, economics, geology, urban studies and anthropology. Studying human geography can be very important for soldiers, Lohman said, noting on-the-ground knowledge can indicate what is normal and what is out of place in a society, a province or a village.
In five deployments to Iraq with Special Forces, Lohman said, "we learned everything about an area before going there." The important part of that learning wasn't just the facts, like what percentage of the population was urban or who the local power players were, but "how is this going to affect what we're doing when we're there." In short, area analysis and mission analysis, he said.
While human geography isn't a panacea for every military challenge, “it can provide a greater understanding of this world we live in and hopefully, we'll make fewer mistakes,” he said.
"The prediction of storms and atmospheric conditions like turbulence is undergoing a revolution that has the potential to trim airline delays, cut costs and reduce in-flight injuries. Even incremental improvements in delays are important when late flights cost airlines as much as $8 billion a year.
By feeding better data into U.S. National Weather Service computer models, the devices are also helping the government make more accurate predictions, said Richard Mamrosh, a senior forecaster at the Weather Service’s office in Green Bay, Wisconsin.
United Parcel Service Inc. (UPS) has equipped 25 of its planes with the Houston-based SpectraSensors Inc. devices and, together with Southwest, provides more than 50,000 reports a day across North America. American Airlines Group Inc. (AAL) has started getting real-time turbulence reports, and Panasonic Corp. (6752) has helped outfit 225 U.S. planes with humidity-measuring equipment.
so even if sensors can be abused to invade our privacy and our lives in every aspect, they can also be used for very interesting applications for the good of us all
everybody heard that the app Yo had one million users, said only Yo and was worth 1 million, but not that it is hackable
yo, security is not my problem YO YO
"now they're being designed for a different but similarly vulnerable group: the political or human rights activist. On June 23 Amnesty International released their secret alert system for activists, an Android app called Panic Button. Panic Button (Beta), which techPresident covered at an earlier stage last year, is now available for download in the Google Play Store.
The way it works is simple: in an emergency, pressing the power button in rapid succession will activate the alert, sending a text message and regular location tracking information to trusted contacts. The hard work takes place offline: choosing three trusted contacts; figuring out a plan of action in the event that they receive an alert.
The app shields user data with a disguise screen and pin number, although the protection is limited.
They also warn that the identities of users and their contacts are vulnerable: “A competent adversary might be able to find out about your location, that you are alerting your contacts or the identity of your contacts.”
I don't think that the people in Amnesty International who made this app have any idea how strong the tools are to intercept anything that is installed on or transferred from and to mobiles.
Installing and using this app seriously undermines the security of yourself and all of your contacts and will in fact make it much easier for the security services during their repression to select only those contacts that matter (because you can't attack all the contacts in someone's mobile, but knowing immediately which ones are part of a network is much more important)
if you are wise you send an SMS or message to someone specific who knows that if he receives it, you are in trouble. This is a century-old trick that is probably still proving its usefulness. Naturally the message should look normal and should be hidden in a flood of other messages or in a conversation that is just as normal.
it can even be a picture that you send
but definitely not this app, which Amnesty International should retire immediately, unless they have too few dissidents being tortured and murdered at the moment and need some new victims for their fundraising (cynical)
if I were an intelligence service I would promote this heavily through my infiltrators in networks of dissidents - definitely
as even more very old and very fundamental mistakes in OpenSSL are being discovered, there is an even more fundamental question that needs to be answered
how is it possible that all those coders didn't see all those bugs and vulnerabilities before?
the answer is even more astonishing than the problem
sometimes they did, but OpenSSL couldn't implement the patches or fixes or close the holes because it had to stay compatible with so many systems and so on that it wasn't possible (or affordable) to do so
Google in its posting said that it implemented 70 patches of its own on its own version of OpenSSL but that OpenSSL itself was not always capable of implementing them
but as many of its partners are now leaving OpenSSL and looking for alternatives, many have asked Google for its own version of OpenSSL, which it has decided to put at the disposal of the community today
they are going to use it for Chrome and Android soon
which also means that some in the Google community have no confidence that the money Google and others are now investing in a foundation to pay for the cleanup of the OpenSSL code and the implementation of the fixes will arrive in time; they expect it will be too late and that too many things will stay vulnerable because it isn't possible to implement it for all the users
it is another way of saying that if the technology industry doesn't invest much more in OpenSSL it won't make a difference, and that OpenSSL should be abandoned if you are really serious about your own security and that of your clients and their transactions
and just as with OpenSSL this doesn't mean that the code is any safer; it is only as safe as there are enough people working only on that code with all the knowledge and checks that are necessary to keep code clean