MS Office Built-in Feature Allows Malware Execution Without Macros Enabled

This exploit uses the users’ common sense against themselves.

Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or memory corruption.

This Macro-less code execution in MSWord technique, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, leverages a built-in feature of MS Office, called Dynamic Data Exchange (DDE), to perform code execution.

Dynamic Data Exchange (DDE) protocol is one of the several methods by which Microsoft allows two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.

Read the article to see how this attack is accomplished…

Source: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled

Apple Allows Uber to Use a Powerful Feature that Lets it Record iPhone Screen

What could possibly go wrong when your privacy and phone are given “selectively” without your knowledge or ability to intervene?  What happens when Uber is hijacked?  Or Uber uses this access unscrupulously?

Security researcher Will Strafach recently revealed that Apple selectively grants (what’s known as an “entitlement”) Uber a powerful ability to use the newly introduced screen-recording API with intent to improve the performance of the Uber app on Apple Watch.

The screen-recording API allows the Uber app to record users’ screen information even when the app is closed, giving Uber access to all the personal information passing through an iPhone screen.

What’s more? The company’s access to such permission could make this data vulnerable to hackers if they are, somehow, able to hijack Uber’s software.

Read more…

Source: Apple Allows Uber to Use a Powerful Feature that Lets it Record iPhone Screen

Hackers pounce on 3 vulnerable WordPress plugins – Naked Security

Remember the old saying about bad things coming in threes? Flaw hunters Wordfence would probably agree with the sentiment after uncovering some nasty zero-day flaws in a trio of WordPress plugins.

Not a great start, then, but much worse is that the vulnerabilities were already being exploited when the company discovered them by chance during recent attack investigations – meaning anyone running them is vulnerable and should update immediately.

Read the article to see what plugins are affected

Source: Hackers pounce on 3 vulnerable WordPress plugins – Naked Security

It’s 3 Billion! Yes, Every Single Yahoo Account Was Hacked In 2013 Data Breach

Anyone still using Yahoo is either really uninformed or masochistic (or maybe employed by Equifax?)…

The largest known hack of user data in history just got tripled in size.

Yahoo, the internet company that was acquired by Verizon this year, now believes the total number of accounts compromised in the August 2013 data breach, which was disclosed in December last year, was not 1 billion—it’s 3 Billion.

Yes, the record-breaking Yahoo data breach affected every user on its service at the time.

Late last year, Yahoo revealed the company had suffered a massive data breach in August 2013, which affected 1 billion user accounts.

The 2013 hack exposed user account information, including names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and, in some cases, “encrypted or unencrypted security questions and answers,” Yahoo said in 2016.

Read more…

Source: It’s 3 Billion! Yes, Every Single Yahoo Account Was Hacked In 2013 Data Breach

Over 711 Million Email Addresses Exposed From SpamBot Server

Don’t despair, here is a link to a site that will tell you whether your email account has been breached.  https://haveibeenpwned.com/  I am very careful and I was breached in 4 areas: Adobe breach 2012 (changed in 2014); LinkedIn in 2013 (changed in 2013); and 2 other sites that sold the 2 old breaches.  If you have been breached, CHANGE YOUR PASSWORD TO A REAL PASSWORD!  And don’t use the same password for every site!  Get a password keeper to store and retrieve your passwords.

A massive database of 630 million email addresses used by a spambot to send large amounts of spam to has been published online in what appears to be one of the biggest data dumps of its kind.

A French security researcher, who uses online handle Benkow, has spotted the database on an “open and accessible” server containing a vast amount of email addresses, along with millions of SMTP credentials from around the world.

The database is hosted on the spambot server in the Netherlands and is stored without any access controls, making the data publicly available for anyone to access without requiring any password.

Read the article…

Source: Over 711 Million Email Addresses Exposed From SpamBot Server

WikiLeaks Reveals ‘Athena’ CIA Spying Program Targeting All Versions of Windows

More CIA spying tools…

WikiLeaks has published a new batch of the ongoing Vault 7 leak, detailing a spyware framework – which “provides remote beacon and loader capabilities on target computers” – allegedly being used by the CIA that works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.

Dubbed Athena/Hera, the spyware has been designed to take full control over the infected Windows PCs remotely, allowing the agency to perform all sorts of things on the target machine, including deleting data or uploading malicious software, and stealing data and sending it to a CIA server.

Read the article and where to find the download & docs on how it works…

Source: WikiLeaks Reveals ‘Athena’ CIA Spying Program Targeting All Versions of Windows

WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom

If you were infected by WannaCry, they have released a decryption tool to unlock your files without paying the ransom.

If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.

WannaCry Ransomware Decryption Keys

The WannaCry’s encryption scheme works by generating a pair of keys on the victim’s computer that rely on prime numbers, a “public” key and a “private” key for encrypting and decrypting the system’s files respectively.

Read the entire article here…

Source: WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom

Source Code for CIA’s Tool to Track Whistleblowers Leaked by Wikileaks

Yet one more reason why Microsoft should be worried about their market share…

“It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document,” Scribbles’ user guide manual reads.

Scribbles Only Works with Microsoft Office Products

The user manual also specifies that the tool is intended for off-line preprocessing of Microsoft Office documents. So, if the watermarked documents are opened in any other application like OpenOffice or LibreOffice, they may reveal watermarks and URLs to the user.

Source: Source Code for CIA’s Tool to Track Whistleblowers Leaked by Wikileaks

The future of the open internet — and our way of life — is in your hands

Why is net neutrality important and why should you care?

The war for the open internet is the defining issue of our time. It’s a scramble for control of the very fabric of human communication. And human communication is all that separates us from the utopia that thousands of generations of our ancestors slowly marched us toward — or the Orwellian, Huxleyan, Kafkaesque dystopia that a locked-down internet would make possible.

By the end of this article, you’ll understand what’s happening, the market forces that are driving this, and how you can help stop it. We’ll talk about the brazen monopolies who maneuver to lock down the internet, the scrappy idealists who fight to keep it open, and the vast majority of people who are completely oblivious to this battle for the future.

Please read this article in its entirety here…

Source: The future of the open internet — and our way of life — is in your hands

Hackers Can Steal Your Passwords Just by Monitoring SmartPhone Sensors

People worry about the data their camera and GPS captures, but there are so many hidden sensors that relay data that most users are unaware of.

Hackers Can Steal Your PINs and Passwords Just by Monitoring Sensors on Your SmartPhone

Do you know how many kinds of sensors your smartphone has inbuilt? And what data they gather about your physical and digital activities?

An average smartphone these days is packed with a wide array of sensors such as GPS, Camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC, to name a few.

Now, according to a team of scientists from Newcastle University in the UK, hackers can potentially guess PINs and passwords – that you enter either on a bank website, app, your lock screen – to a surprising degree of accuracy by monitoring your phone’s sensors, like the angle and motion of your phone while you are typing.

Read entire article…

Source: Hackers Can Steal Your Passwords Just by Monitoring SmartPhone Sensors

Microsoft Finally Reveals What Data Windows 10 Collects From Your PC

Microsoft has always collected data for diagnostics, but it’s never really said what data it actually collects:

… now for the first time, Microsoft has revealed what data Windows 10 is collecting from your computer with the release of the Windows 10 Creators Update, bringing an end to nearly two years of its mysterious data collection practices.

The Windows 10 Creators Update, which will be available from April 11 for users to download for free, comes with a revamped Privacy settings section.

Read the article…

Source: Microsoft Finally Reveals What Data Windows 10 Collects From Your PC

Tools We Recommend – ibVPN

These are some great tools to secure your online privacy.  Just getting a vpn or using Tor browser is not enough.  Btw, just because someone values their privacy doesn’t mean they are doing something wrong. Privacy can be, and is, eroded at any time, especially when corporate corruption and greed are such strong motivations and there are little or no consequences.

In the last 7 years of ibVPN, we’ve secured the online privacy for hundreds of thousands of people. But first, we did our best to secure our own privacy and be one step ahead when it comes to security and online freedom. So, we’ve tested the tools we sincerely recommend below

Source: Tools We Recommend – ibVPN

Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

These newly discovered bugs in Java and Python are a big deal today.

The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses.

And since both the flaws remain unpatched, hackers can take advantage to design potential cyber attack operations against critical networks and infrastructures.

The unpatched flaws actually reside in the way Java and Python programming languages handle File Transfer Protocol (FTP) links, where they don’t syntax-check the username parameter, which leads to, what researchers call, protocol injection flaw.

Read more…

Source: Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

Smart TV Maker Fined $2.2 Million For Spying on Its 11 Million Users

The smarter the object, the more able to relay your personal data.

Your government is spying on you! Businesses are spying on you! Your phone and browser are constantly spying on you!

Even your TV is spying on you! Yes, you should also worry about your “smart” TV, as one of the world’s biggest smart TV makers Vizio has been caught secretly collecting its consumers’ data through over 11 Million smart TVs and then selling them to third-parties without the user’s explicit consent.

Source: Smart TV Maker Fined $2.2 Million For Spying on Its 11 Million Users

Webinar for Consumers on Tax Identity Theft | Federal Trade Commission

During tax time, there are a lot of clever people who use their powers for evil waiting to take advantage of you.  Here is one tool to fight back.

As part of National Tax Identity Theft Awareness Week, AARP’s Fraud Watch Network and AARP Foundation Tax-Aide are joining forces with federal agencies to highlight the dangers of tax identity theft and recovery steps for victims. To register for the free webinar on February 2 at 2 pm EST, click here.

How it Works:

Tax identity theft occurs when someone steals your personal information for a fraudulent refund or to earn wages. It can involve:

  • Filing a tax return using another person’s Social Security number.
  • Claiming someone else’s children as dependents.
  • Claiming a tax refund using a deceased taxpayer’s information.

What Are The Signs:

  • Your Social Security number is lost, stolen or compromised.
  • Your tax refund is delayed.
  • You receive a notice from the IRS stating it has received a duplicate tax return filing, you have unreported income, or you and somebody else are claiming the same dependents.

What You Should Do:

To avoid becoming a victim of tax identity theft:

  • Submit your tax return as early in the tax season as possible.
  • Be careful what you share – don’t give out your personal information unless you know who is asking and why, and don’t be shy about refusing!
  • Dispose of sensitive information safely – shred it with a micro-cut shredder.
  • Know your tax preparer.

Check the status of your refund after filing at www.irs.gov/refunds. If you think someone filed a fraudulent refund with your information, call the IRS Identity Theft line at 800-908-4490. To learn more, visit www.ftc.gov/taxidtheft.

Kristin Keckeisen
Fraud Watch Network

P.S. Spotted a scam?  Tell us about it.  Our scam-tracking map gives you information about the latest scams targeting people in your state.  You’ll also find first-hand accounts from scam-spotters who are sharing their experiences so you know how to protect yourself and your family.

Source: Webinar for Consumers on Tax Identity Theft | Federal Trade Commission

Beware! This Is The Smartest Gmail Phishing Attack You’ll Ever Encounter

Gmail phishing is one of the most common methods used by hackers to compromise the online security of naive users. But, a recent Gmail phishing attack, uncovered by Wordfence, mimics your past conversations and succeeds in fooling the tech-savvy netizens.

….

How does this scary Gmail phishing attack work?

This phishing attack first compromises a victim’s Gmail account and starts sniffing the contact list. Then, it sends fake emails, which look very much legitimate, to everyone.

Now comes the smart part — the attack scans the user’s Gmail history and finds the file names of the sent attachments. Then, it applies the same name to the new attachments that appear to be PDFs. However, they are images that send the user to phishing web pages. To make the overall scheme more convincing, the attack steals subject lines from previous emails.

Read the entire article including how to defeat this phishing attack…

Source: Beware! This Is The Smartest Gmail Phishing Attack You’ll Ever Encounter

Rule 41 — FBI Gets Expanded Power to Hack any Computer in the World

You just think this doesn’t apply to you.  It will in the very near future…  Are you LGBT, a person of color, have a religious preference other than Christianity, an advocate, a social reformer, a community leader, in the government, or ???  You will be losing your privacy rights.

Hacking multiple computers across the world just got easier for the United States intelligence and law enforcement agencies from today onwards.

The changes introduced to the Rule 41 of the Federal Rules of Criminal Procedure by the United States Department of Justice came into effect on Thursday, after an effort to block the changes failed on Wednesday.

The change grants the FBI much greater powers to hack into multiple computers within the country, and perhaps anywhere in the world, with just a single warrant authorized by any US judge (even magistrate judges). Usually, magistrate judges only issue warrants for cases within their jurisdiction.

Read the entire article

Source: Rule 41 — FBI Gets Expanded Power to Hack any Computer in the World | The Hacker News

Dangerous Rootkit found Pre-Installed on nearly 3 Million Android Phones

Luckily, not many US Android phones.  Just a matter of time before manufacturers install rootkits as a matter of course.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.

According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including BLU Studio G from US-based Best Buy.

Read the article…

Source: Dangerous Rootkit found Pre-Installed on nearly 3 Million Android Phones

iPhone Secretly Sends Your Call History to Apple Even If iCloud Backups are Turned Off

In the fight against encryption, Apple has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products, as well as implementing better encryption for its products.

However, a new report from a security firm suggests Apple’s online syncing service iCloud secretly stores logs of its users’ private information for as long as four months — even when iCloud backup is switched off.

Read more…

Source: iPhone Secretly Sends Your Call History to Apple Even If iCloud Backups are Turned Off

Shadow Brokers reveals list of Servers Hacked by the NSA

Please take note of the following line: “A few target domains were based in Russia, and at least nine domains include .gov websites.”

Yes, the NSA is hacking our own government…  At what point is an agency deemed out of control?

The hacker group calling itself the Shadow Brokers, who previously claimed to have leaked a portion of the NSA’s hacking tools and exploits, is back with a Bang!

The Shadow Brokers published more files today, and this time the group dumped a list of foreign servers allegedly compromised by the NSA-linked hacking unit, Equation Group, in various countries to expand its espionage operations.

Source: Shadow Brokers reveals list of Servers Hacked by the NSA

Why We Should All Dump Yahoo Now

If you still have a Yahoo account, security experts strongly recommend that you delete it today.  Recently it was leaked that Yahoo compromised the security and privacy of hundreds of millions of users by installing a secret program that searched all incoming emails at the request of US intelligence officials.

“The order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit,” said ACLU Staff Attorney Patrick Toomey.

….

There have been conflicting reports about what kind of program was installed, with initial reports stating it was probably just a modified version of Yahoo’s existing scanning system that searches all incoming email for malware, spam and images of child pornography. But sources have since told Motherboard that the program was more like a “rootkit,” or a piece of malware that grants a hacker nearly complete and undetectable control over the infected system.

Source: Why We Should All Dump Yahoo Now

Here’s Why You Should Delete Your Yahoo Account Right Now

Yahoo’s troubles don’t seem to be ending anytime soon. A Reuters report has just dropped a massive bombshell on the company, suggesting that Yahoo complied with a U.S. government request and implemented secret software to scan all the emails. CEO Marissa Mayer gave the green signal without any counsel with the company’s security head Alex Stamos. Later, in protest, Stamos left the company.

Source: Here’s Why You Should Delete Your Yahoo Account Right Now

Yahoo Confirms 500 Million Accounts Were Hacked by ‘State Sponsored’ Hackers

“State-sponsored actor”? This is what happens when privacy and personal information is stepped on: the people paid to protect you are the perps…

500 million Yahoo accounts have been compromised and the company believes a “state-sponsored actor” was behind this data breach.

Source: Yahoo Confirms 500 Million Accounts Were Hacked by ‘State Sponsored’ Hackers

Cisco finds new Zero-Day Exploit linked to NSA Hackers

If it wasn’t for hackers, you would have no idea what your government is doing to erode your privacy and security. How secure do you feel now?

Network equipment vendor Cisco is finally warning its customers of another zero-day vulnerability the company discovered in the trove of NSA’s hacking exploits and implants leaked by the group calling itself “The Shadow Brokers.”

Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA’s Equation Group, which were designed to target major vendors including Cisco, Juniper, and Fortinet.

….

Now Cisco has found another zero-day exploit, dubbed “Benigncertain,” which targets PIX firewalls.

Cisco analyzed the exploit and noted that it had not identified any new flaws related to this exploit in its current products.

But, further analysis of Benigncertain revealed that the exploit also affects Cisco products running IOS, IOS XE and IOS XR software.

Read the article…

Source: Cisco finds new Zero-Day Exploit linked to NSA Hackers

Google makes 2-Factor Authentication a lot Easier and Faster

Two-Factor Simplicity!

Two-factor authentication is important & necessary, but a real pain in the butt.  This new process by Google is a breeze! I enabled and in a few seconds had authenticated with a press of a button on my phone. Get on it people!

When it comes to data breaches of major online services like LinkedIn, MySpace, Twitter and VK.com, it’s two-factor authentication that could save you from being hacked.

Two-factor authentication or 2-step verification is an effective way to secure online accounts, but many users avoid enabling the feature just to save themselves from the irritation of receiving and typing a six-digit code that takes them 10 to 15 extra seconds.

Now, Google has made the 2-Step Verification (2FV) process much easier for its users, allowing you to login with just a single tap instead of typing codes.

Previously, you have had to manually enter a six-digit code received via an SMS or from an authenticator app, but now…

Google has introduced a new method called “Google Prompt” that uses a simple push notification where you just have to tap on your mobile phone to approve login requests.

Read the article …

Source: Google makes 2-Factor Authentication a lot Easier and Faster

Top Phishing Scams on Social Media

For older people just getting into technology, the “imposter customer care” scam seems to be the most prevalent. So many have casually remarked to me how the “nice man on the phone fixed all their computer problems.” The worst thing is that they actually paid for the service, a double pay day for the scammers.

Phishing attempts on social media have more than doubled over the past year as scammers find new ways to trick people into providing personal and financial information.

During the first quarter of 2016, ploys to glean log-in credentials, credit card and other ID-worthy information soared 150 percent over the same period in 2015, according to Proofpoint, which provides social media security services to leading companies and nearly 225 million of their individual followers on Facebook, Twitter, LinkedIn, Google+, Instagram and Pinterest.

Read more…

Source: Top Phishing Scams on Social Media

Windows 10 Wi-Fi Sense Explained: Actual Security Threat You Need to Know

Another older article, but because of the recent Win10 updates, it is still relevant. Learn why.

Just one day after Microsoft released its new operating system, over 14 Million Windows users upgraded their PCs to Windows 10. Of course, if you are one of the Millions, you should be aware of Windows 10’s Wi-Fi Sense feature that lets your friends automatically connect to your wireless network without providing the Wi-Fi password. Smells like a horrible Security Risk! It even triggered a firestorm among some security experts, who warned that Wi-Fi Sense is a terrible and dangerous feature and that you should disable it right away.

Even some researchers advised Windows 10 users to rename their Wi-Fi access points.

Before discussing the risks of Wi-Fi Sense, let’s first know how it works.

Read the rest of the article…

Source: Windows 10 Wi-Fi Sense Explained: Actual Security Threat You Need to Know

Reminder! If You Haven’t yet, Turn Off Windows 10 Keylogger Now

This is an older article, but one you may have missed. Simple instructions on how to turn off the keylogger and why you should.

Do you know? Microsoft has the power to track every single word you type or say to its digital assistant Cortana while using its newest operating system, Windows 10. Last fall, we reported about a ‘keylogger’ that Microsoft openly put into its Windows 10 Technical Preview saying the company ‘may collect voice information’ as well as ‘typed characters.’ It was thought that the company would include the keylogger only within the Technical Preview of Windows 10, just for testing purposes. But, the thought was Wrong!

Read the rest…

Source: Reminder! If You Haven’t yet, Turn Off Windows 10 Keylogger Now

Kaspersky Researcher Shows How He Hacked His Hospital While Sitting In His Car – fossBytes

Please note that he noticed the potential security risks inherent in the hospital’s system and medical equipment and got permission to run tests to expose the vulnerabilities.

When we visit a hospital, we put our complete trust in our doctor and the medical equipment that he/she uses. With advancement in technology, this equipment has become more complex and interconnected. Sadly, ensuring standard cybersecurity measures is not a top priority of the medical professionals. This fact was recently outlined by a Kaspersky security researcher who hacked a hospital while sitting in his car.

Source: Kaspersky Researcher Shows How He Hacked His Hospital While Sitting In His Car – fossBytes

HTTPS provides more than just privacy

So why do you need HTTPS for your site? You don’t sell stuff. You don’t ask users for any information. Here’s why you need a TLS Certificate (formerly SSL Certificate). There are two(?) types of TLS Certificates: EV (Extended Validation Certificate) and DV (Domain Validated Certificate). The typical website holder uses the DV certificate.

HTTPS can provide identity, SEO, access to HTML5 powerful features and even keep network carriers from messing with your site’s content. Read on for how.

Source: HTTPS provides more than just privacy

Uber tests out using smartphones to monitor driver behavior | Ars Technica

So, what could possibly go wrong? Is anyone else weirded out by this?

Uber announced today that it will monitor some of its drivers’ behavior for things like excessive speeding or distracted driving. Starting with a trial in Houston, the program will use Uber drivers’ own smartphones to provide data to the company.

The company will use a phone’s gyroscopes, accelerometers, and GPS to record whether drivers break speed limits or play with their phone while the vehicle is in motion. But in this trial, Uber will only access that data if a customer has a complaint about driving standards.

Always-on monitoring of driving standards may come later, according to Uber Chief Security Officer Joe Sullivan. For now, the initiative is about being able to fact-check complaints and keep the company’s rating system on the rails.

Distracted driving is a serious problem, and it’s responsible for much of the push toward self-driving cars in the US. As companies like Zendrive have shown, the sensors in smartphones today are very capable of assessing whether a phone is being used while traveling in a car.

Source: Uber tests out using smartphones to monitor driver behavior | Ars Technica

Apple Can Still Read Your End-to-End Encrypted iMessages | The Hacker News

If you are backing up your data using iCloud Backup, then you need to watch your steps NOW!

In the government’s fight against encryption, Apple has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products.

When it comes to Apple’s iMessage service, the company claims that it can’t read messages sent between its devices because they use end-to-end encryption, which apparently means that only you and the intended recipient can read it.

Moreover, in case the federal authorities ask Apple to hand over messages related to any of its users, Apple has nothing to offer them.

“If the government laid a subpoena to get iMessages, we can’t provide it,” Apple CEO Tim Cook told Charlie Rose back in 2014. “It is encrypted, and we do not have a key.”

But Wait!

There are still hundreds of Millions of Apple users whose data are stored on Apple’s servers in plain text even after Apple’s end-to-end encryption practice.

Read the rest of the article…

Source: Apple Can Still Read Your End-to-End Encrypted iMessages | The Hacker News

Apple’s Mac OS X Still Open to Malware, Thanks Gatekeeper

Apple’s Mac OS X Still Open to Malware, Thanks Gatekeeper – The Hacker News

Apple Mac Computers are considered to be much safer than Windows computers at keeping out the viruses and malware, but the new Exploit discovered by researchers again proves it is indeed quite false.

Last year, The Hacker News reported a deadly simple exploit that completely bypassed one of the core security features in Mac OS X known as Gatekeeper.

Apple released a patch in November, but now the same security researcher who discovered the original Gatekeeper bypass vulnerability said he found an equally obvious workaround.

Patrick Wardle, ex-NSA staffer and head of research at security intelligence firm Synack, said the security patch released by Apple was “incredibly weak” and that the update was “easy to bypass” in minutes.

Gatekeeper’s Failure Once Again

Introduced in July of 2012, Gatekeeper is Apple’s anti-malware feature designed to block untrusted, dodgy apps from running, keeping Mac OS X systems safe from malware.

Read More…

Source: Apple’s Mac OS X Still Open to Malware, Thanks Gatekeeper – The Hacker News

Password secrets: Your Passwords Aren’t As Secure As You Think

Password secrets: Your Passwords Aren’t As Secure As You Think – Technotification

There is one thing that make us so vulnerable is ignorance. Today, everything is going to be depended on the internet. Yes, and you know it better! and a concept that we use to secure our internet accounts and all is our passwords. but is it enough to set password and feel that we are secure? are you really aware about of how to use passwords?

Our lack of understanding about passwords is allowing crooks to spy on us, steal from us, and deceive us into thinking nothing ever happened. Despite the volumes of texts that have already been written about them, how many of us have ever read a single chapter paragraph about the nitty-gritty of passwords?

That’s why I have compiled the following three short lists which outline the most common misconceptions about passwords; the ways in which our passwords can be stolen; and the tools you need to make sure it doesn’t happen to you.

Each of these sections can be read in less than two minutes. But once you’re done, you will have acquired enough information to deal safely and confidently with your passwords.

Password Myths You Should Stop Believing

  1. A file, folder, computer, or account protected by a password is safe.
    Read the rest of the article and learn why that statement is no longer true.

Read More…

Source: Password secrets: Your Passwords Aren’t As Secure As You Think

Pioneer In Internet Anonymity Hands FBI A Huge Gift In Building Dangerous Backdoored Encryption System | Techdirt

Rockin’ Encryption, Open Back Door…

Few doubt Chaum’s cryptography skills or pedigree. He was instrumental in the early days of computer cryptography and what anonymity we have online today owes a lot to Chaum. But his latest plan is… troubling:

At the Real World Crypto conference at Stanford University today, Chaum plans to present for the first time a new encryption scheme he calls PrivaTegrity. Like other tools Chaum has spent his long career developing, PrivaTegrity is designed to allow fully secret, anonymous communications that no eavesdropper can crack, whether a hacker or an intelligence agency.

That part sounds good, right? But then there’s this:

That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether.

Whoever controls that backdoor within PrivaTegrity would have the power to decide who counts as “evil”—too much power, Chaum recognizes, for any single company or government. So he’s given the task to a sort of council system. When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications. The result, Chaum argues, is a new approach that “breaks the crypto wars,” satisfying both the law enforcement agencies who argue that encryption offers a haven for criminals, and also those who argue that it’s necessary to hobble mass spying.

Unfortunately, Chaum is both totally missing the point and playing right into the FBI’s hands. The argument of basically every other cryptographer is that building any encryption system is incredibly difficult — and introducing any sort of backdoor opens up massive and dangerous vulnerabilities — whether the original creators recognize it or not. The second you introduce a backdoor — even using Chaum’s weird “nine people in nine countries” system — you have introduced a vulnerability. A vulnerability that can and will be abused by others. You are introducing a security flaw. And that’s a massive security problem.

Source: Pioneer In Internet Anonymity Hands FBI A Huge Gift In Building Dangerous Backdoored Encryption System | Techdirt

FBI Chief Asks Tech Companies to Stop Offering End-to-End Encryption | Motherboard

Sure, we should just open all information to all governments, right? Who needs a warrant? Who needs due process? Because all of those politicians — with their hands in the pockets of special interests — only have the citizens’ best interests at heart, right? I mean when has our government ever been corrupt and/or morally bankrupt? Actually, today. When has law enforcement ever overreached? Oh, yeah. Every day this year…

Today, FBI Director James Comey thinks tech companies that offer encryption should “change their business model.”
Despite there still being no solid evidence the attackers benefited from or even used encryption (in at least one case, they coordinated via distinctly unencrypted text messages) law enforcement and national security hawks have used the tragedies to continue pressing tech companies to give the US government access to encrypted communications—even if that means rolling back security and changing the nature of their businesses.

Source: FBI Chief Asks Tech Companies to Stop Offering End-to-End Encryption | Motherboard

Get A Glimpse Of The Cyber Threat Landscape For 2016 And Beyond | Hacked

Here’s a rundown of the cyber threat landscape for 2016 and beyond, courtesy of a report from Intel Security.

Coming In 2016

The 2016 predictions cover threats from ransomware, infrastructure attacks, attacks on automobile systems and the sale and warehousing of stolen data.

• Hardware: Attacks on hardware and firmware will continue while the market for the tools that facilitate them will increase. System firmware toolkits could target virtual machines.

• Ransomware: Ransomware is a growing threat that could anonymize payment methods and networks. More inexperienced cybercriminals will use ransomware-as-a-service.

• Wearables: Most wearable devices store only small amounts of information, but cybercriminals could target them to undermine the smartphones that manage them. The industry will have to protect attack surfaces like networking and wi-fi software, operating system kernels, memory, user interfaces, storage systems and local files, web apps, virtual machines and security and access control software.

• Employee systems: Attackers are likely to target organizations through their employees, including their home security systems, to access corporate networks. Organizations will have to stay vigilant by implementing new security technologies, creating effective policies and hiring experienced people.

• Cloud services: Attackers could exploit vulnerable security policies that protect cloud services. These services could undermine business strategy, financials, portfolio strategies, next-generation innovations, employee data, acquisition and divestiture plans, and other data.

• Automobiles: Connected automobile systems that lack security capabilities will be potential scenarios for exploitation. Automakers and IT vendors will partner to provide standards and solutions to protect attack surfaces like engine and transmission engine control units (ECUs), remote key systems, advanced driver assistance system ECUs, passive keyless entry, USBs, OBD IIs, V2X receiver, smartphone access and remote link type apps.

• Warehouses of stolen data: The dark market for stolen, personally-identifiable information and user names and passwords will increase in 2016. Big data warehouses that link together stolen, personally-identifiable information sets make combined records more valuable to attackers.

• Integrity attacks: Selective compromises to systems and data mark one of the most significant new attack vectors. Such attacks seize and modify transactions or data to favor perpetrators. An attacker can change direct deposit settings for a victim’s paychecks and direct the deposit to a different account. Cyber thieves could steal millions of dollars in an integrity attack in the financial sector in 2016, McAfee Labs predicts.

• Sharing threat intelligence: Enterprises and security vendors will increasingly share intelligence. Legislative action could allow governments and companies to share threat intelligence. Best practices in this area will increase, allowing success metrics to emerge and quantify protection improvement. Threat intelligence cooperatives among vendors will grow.

Source: Get A Glimpse Of The Cyber Threat Landscape For 2016 And Beyond | Hacked

FBI admits it uses stingrays, zero-day exploits | Ars Technica

Yeah, these are the guys that want to put an end to encryption because: criminals. But without the ability to protect oneself, everyone is subject to these invasions. As a note, others have gone to jail (almost forever) for doing what the FBI is doing. How is their bending of the law any different than those in prison?

Stingrays generally intercept all cell phone communications in a given area, not just those of a drug or kidnapping suspect. Paying large sums of money to buy zero-days, meanwhile, creates powerful incentives for governments to keep the underlying vulnerabilities secret.

Source: FBI admits it uses stingrays, zero-day exploits | Ars Technica