ShatterDOC Original Material

Monday, June 30, 2014

Perils of key management, Android edition

Serious Android crypto key theft vulnerability affects 86% of devices
 
Researchers have warned of a vulnerability present on an estimated 86 percent of Android phones that may allow attackers to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices.

The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. The advisory said Google has patched the stack-based buffer overflow only in version 4.4, aka KitKat, of Android. The remaining versions, which according to Google figures run 86.4 percent of devices, have no such fix.

Thanks Dr. W : Blog Team
 


How to choose between custom and commodity clouds


INFOWORLD | JUNE 26, 2014
Dramatic price drops have helped popularize cloud computing. But as Brent Bensten of Carpathia observes, big enterprise workloads often require more configurability and control
Blog Team

Germany drops Verizon internet contract over NSA spying fears


ENGADGET | JUNE 26, 2014
Germany is irked that the NSA spied on its officials (including its Chancellor), and today it responded by hitting the US where it really hurts: the pocketbook.
http://www.engadget.com/2014/06/26/germany-drops-verizon-contract/

The world runs on trust. NSA and the US government destroyed that trust. The ramifications will reverberate for years damaging US companies perhaps fatally in the International market place.

Blog Team

Supreme Court understands that "papers" include "electronic data storage"


Finally there is a glimmer of light that lawyers - at least the Supremes - understand that technology has changed the meaning of "papers" to include "data stored electronically".

Police can no longer search your phone without a warrant, rules Supreme Court

Extending the Fourth Amendment, the Supreme Court ruled today that police need a warrant to access the content on your smartphone.
http://venturebeat.com/2014/06/25/the-supreme-court-just-ruled-that-police-cant-search-your-phone-without-a-warrant/

ShatterDOC Web Team

Microsoft predicts a grim future if the government keeps collecting data illegally

VENTUREBEAT | JUNE 24, 2014

The future looks "bleak" if more isn't done to protect individuals' private data. That's what...
Blog Team

Update from CBS Seattle affiliate:

"[Brad Smith, Microsoft's top lawyer] comments came as the tech giant is pushing back against a U.S. demand that Microsoft hand over data from a customer in Ireland.

“We are in a business that relies on people’s trust,” said Smith. “We’re offering a world where you should feel comfortable about storing (your information) in the cloud. You need to have confidence that this information is still yours.”

One of the solutions he offered was a sort of information dashboard, where each individual could see where private information was stored and who had access to it.
http://seattle.cbslocal.com/2014/06/24/microsoft-future-bleak-if-government-continues-unlawful-data-collection/

Thanks MW for finding this local source & info: Blog Team

This company sells software that lets governments & law enforcement hack your phone

VENTUREBEAT | JUNE 25, 2014

Researchers have discovered how governments buy off-the-shelf software to hack citizens' mobile phones and track their location, behavior, and communications...
http://venturebeat.com/2014/06/24/this-company-sells-software-that-lets-governments-law-enforcement-hack-your-phone/

Blog Team

Security Researchers Uncover The Tools Governments Use To Spy On Our Phones

TECHCRUNCH | JUNE 24, 2014
Edward Snowden, whistleblower of the decade, has made it consistently clear that he didn't trust cellphones. While he never described the methods gove...
http://techcrunch.com/2014/06/25/security-researchers-uncover-the-tools-governments-use-to-spy-on-our-phones/
Surprise! It's Italian commercial software sold to anyone.


Tuesday, June 24, 2014

THE EVOLUTION OF THREATS AGAINST KEYS AND CERTIFICATES



Threats specifically against keys and certificates go back to 2009 and 2010, where Stuxnet and Duqu provided the virtual blueprint to the cyber criminal communities around the world by using stolen certificates to make the malware infection payload look legitimate.

[Mark: Once again we see that government has worsened the problem. By creating malware to attack Iran, whatever state created it also created a template for hackers and other state actors to injure ordinary folks and businesses.]

https://blog.cloudsecurityalliance.org/2014/06/05/the-evolution-of-threats-against-keys-and-certificates/

Thanks Mark - BLOGTeam

The British Government Just Set a Dangerous Precedent for Online Spying



"Today, the British government revealed its justification for surveilling [SIC] its citizens' every move on Facebook, Twitter, and other social networks."

The suspicion is that many other governments are using this same rationale to spy on their own citizens. Certainly the US is using a similar argument to hoover up all email traffic.

ShatterDOC Information Team
"Cyndie"  

Chinese cloud provider UCloud brings in $50M to expand into North America


The data center in North America is expected to serve users of Chinese games in that region. The company management told TechNode earlier this year that UCloud will eventually go IPO in the U.S.

Posted by: ShatterDOC WebTeam

Murder in the Amazon cloud | Data Center - InfoWorld



A cautionary real world story of attempted cloud ransom leading to the death of a company - and possibly their customers.
Or why backup, redundancy, and ShatterDOC security are needed as a shield against today's barbarians.

Thanks Dr.T - BlogTeam

More cloud insecurity news



Cracks emerge in the cloud: Security weakness of cloud storage services
 
The A*STAR-led researchers analyzed the security of three well-known cloud service providers -- Dropbox, Google Drive and Microsoft SkyDrive -- and found that all three had vulnerabilities many users might encounter. They uncovered several risks related to the sharing of secret URLs. Because URLs are saved in various network-based servers, browser histories and Internet bookmarks, frequent opportunities exist for third parties to access private data. Furthermore, the URL recipient may send the link to others without the data owner's consent.

Another danger lies in the practice of URL shortening -- reducing long web addresses to brief alphanumeric sequences for easier sharing on mobile devices. Although the original URL may point to a privately shared file, shortening changes this address into plain text unprotected by encryption. Zhou also notes that because short URLs have very limited lengths, they are susceptible to brute-force attacks that can dig out supposedly secret files.
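The two risks quoted above (a sharing link whose secrecy rests on the URL itself, and a shortener that squeezes that URL into a few characters) come down to the size of the space an attacker has to search. The following is an added example, written for this post and not code from the A*STAR study or from any shortener: a toy shortener hands out fixed-length codes over a 62-symbol alphabet, and brute_force() walks that code space the way an attacker would, resolving every code and collecting whatever private links it finds. The alphabet, the code lengths, the request rate and the sample sharing URL are assumptions made for the demonstration.

```python
# Added example, not from the A*STAR study or the ScienceDaily write-up quoted above.
# A toy URL shortener hands out fixed-length codes over a 62-symbol alphabet, the
# way public shorteners do; brute_force() walks that code space the way an attacker
# would, resolving every code and collecting the private sharing links it finds.
# The alphabet, code lengths and the sample sharing URL are assumptions for the demo.
import itertools
import math
import secrets
import string
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


class ToyShortener:
    """Maps a random fixed-length code to the long URL it stands for."""

    def __init__(self, code_len: int) -> None:
        self.code_len = code_len
        self.table: Dict[str, str] = {}

    def shorten(self, long_url: str) -> str:
        # Codes come from a CSPRNG, so guessing is no easier than enumerating.
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(self.code_len))
            if code not in self.table:
                self.table[code] = long_url
                return code

    def resolve(self, code: str) -> Optional[str]:
        # A real service answers with an HTTP redirect; a plain lookup models that.
        return self.table.get(code)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_enumerate(bits: float, lookups_per_second: float) -> float:
    """Time to try every code, given a sustained lookup rate against the service."""
    return 2.0 ** bits / lookups_per_second


def brute_force(shortener: ToyShortener,
                max_attempts: Optional[int] = None) -> Tuple[Dict[str, str], int]:
    """Resolve every possible code of the shortener's length.

    Returns the private links discovered ({code: url}) and the number of lookups
    made. The attacker needs no secret: the code space is the secret, and for
    short codes it is small enough to walk in full.
    """
    found: Dict[str, str] = {}
    attempts = 0
    for symbols in itertools.product(ALPHABET, repeat=shortener.code_len):
        if max_attempts is not None and attempts >= max_attempts:
            break
        attempts += 1
        code = "".join(symbols)
        url = shortener.resolve(code)
        if url is not None:
            found[code] = url
    return found, attempts


def long_share_token() -> str:
    """What a sharing link should carry instead: 32 random bytes, URL-safe (43 chars)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample: a private file behind a long random token, then shortened.
    private_link = "https://files.example/share/" + long_share_token()
    short = ToyShortener(code_len=3)  # 62**3 = 238,328 codes
    code = short.shorten(private_link)
    found, attempts = brute_force(short)
    print(f"walked {attempts} codes, recovered {len(found)} private link(s)")
    bits3 = keyspace_bits(62, 3)
    print(f"3-char code: {bits3:.1f} bits, "
          f"{seconds_to_enumerate(bits3, 1000):.0f} s to exhaust at 1000 req/s")
    print(f"32-byte token: {keyspace_bits(256, 32):.0f} bits")
```

Run as a script, it exhausts the three-character space in well under a second on one machine; the same loop against a real shortener is just HTTP requests, rate-limited only by the service. The point to take from the numbers is that shortening replaces a 256-bit secret with an 18-bit one, and that the long form of the link should be treated as a bearer credential: never shortened, never pasted into a bookmark or a shared document, and revocable by the data owner.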


Thanks Dr.W. for this posting - BlogTeam



Got Insurance?

Think you've got insurance so you can ignore security?
Think again:

Insurer Sues Michaels Over Breach Expenses
Seeks to Avoid Covering Lawsuit Costs


By Jeffrey Roman, June 19, 2014

"An insurance company that provided general liability coverage to Michaels Stores is asking a court to rule that it's not responsible for covering any of the retailer's breach-related lawsuit expenses.

"Safety National Casualty Corp. has filed a lawsuit against Michaels, which faces a consolidated class action lawsuit in the wake of a recent data breach that potentially exposed 3 million payment cards."

http://www.databreachtoday.com/insurer-sues-michaels-over-breach-expenses-a-6971

ShatterDOC Information Team
"Cyberist"

OpenSSL CCS Injection Vulnerability Countdown


CLOUD SECURITY ALLIANCE | JUNE 16, 2014
https://blog.cloudsecurityalliance.org/2014/06/16/openssl-ccs-injection-vulnerability-countdown/
By Krishna Narayanaswamy, Netskope Chief Scientist
On June 5, researchers discovered an OpenSSL vulnerability (CVE-2014-0224)

Should be "... discovered another OpenSSL vulnerability..." 
Sending unprotected data over the Internet even with SSL is just foolish.

ShatterDOC Information Team
"Cyberist"


Hackers Reverse-Engineer NSA Spying Tools Using Snowden Leaks


Besides exposing all of the not-so-good things the NSA and other clandestine agencies around the world were up to, the documents leaked by Edward Snowden provided a roadmap for hackers everywhere.

Commercialization
Mike


Encrypted Web Traffic and Apple’s Mobile Messaging Vulnerable to Statistical Snooping | MIT Technology Review


Old-fashioned encryption just isn't good enough anymore.


95% of successful security attacks are the result of human error

VENTUREBEAT | JUNE 19, 2014

It's all your fault. At least it is to security researchers at IBM, who just released a rather comprehensive and compelling Cyber Security Intelligence report...

You can download the original report here. But you have to log in first.

ShatterDOC Information Team
"Cyndie"


The Race To Ubiquitous, Free Cloud Storage

TECHCRUNCH | JUNE 23, 2014

"Two interesting things happened today in the realm of cloud storage: Microsoft cut its prices for OneDrive and gave out more free gigabytes, and Box took its editing tool Box Notes mobile."

"Within two years, consumers will have several options for unlimited, free cloud storage. That's to say that they will have a few terabytes to play with from a number of providers. The idea that consumers should only have access to a few gigabytes of free storage will quickly become as silly as the idea that an email account only needed a few megabytes of capacity."


ShatterDOC Information Team
"Cyndie"

The quantum cryptography arms race has begun

INFOWORLD | JUNE 24, 2014

Quantum computing may be taking its time to arrive, but when it does, encryption won't be the same again
http://www.infoworld.com/d/security/the-quantum-cryptography-arms-race-has-begun-244907

Why wait on pie in the sky quantum encryption? ShatterDOC provides a creative novel replacement for conventional encryption right now and its technology is proven!

Mike
Commercialization

TweetDeck — Just another hack or a missed opportunity to tighten cloud security?

CLOUD SECURITY ALLIANCE | JUNE 13, 2014
June 12, 2014 By Harold Byun, Senior Director of Product Management, Skyhigh Networks
"The recent TweetDeck hack on Twitter presents a common cloud dilemma for information security teams." 
"This shift not only drives home the importance of gaining in-depth visibility into cloud usage, but also emphasizes that the role of information security is transforming in terms of remediation strategies and user education.  As the TweetDeck hack exemplifies, there are two alternate scenarios of response that security teams can take."

ShatterDOC Information Team
"Cyndie"




Friday, June 13, 2014

Friday's Internal Distro




Cloud Computing and Cloud Security: Tech Trends Cheat Sheet, Part 2
What are the pros, cons, and cloud security musts? By Jude Chao | Posted Jun 12, 2014.
AT&T's Amoroso: Perimeter Security No Longer Enough
Amoroso goes on to discuss further mobile cloud security and analytics issues with his colleagues Gus De Los Reyes, executive director, security R&D ...


Black Press USA

What is the Hitch in the Newfound Speed & Convenience of Cloud Services? Security
... home or at the neighborhood Starbucks.
Hybrid Cloud vs. Human Error
JumpCloud CEO Comments In the New York Times on Growing Security Concerns in the Cloud
"There's no more debate," said Rajat Bhargava, co-founder of JumpCloud, a cloud security start-up. "When you don't own the network, it's open to the ...
how to convince your boss or your grandmother to join the Cloud
Carol: "I am not sure … remind me, where is 'the cloud'?" This is the typical lack of understanding around the Cloud: security, price, property.…
Companies undeterred by their cloud data security woes
Many companies say they don't trust their data to cloud security, but that...
Cloud suppliers call for clearer guidelines over revised security classifications
A group of cloud suppliers have raised concerns over the lack of guidance surrounding the government's latest security classifications. At a roundtable ...
ShatterDOC Information Team
"Cyndie"


The 12 biggest, baddest, boldest software backdoors of all time


INFOWORLD | JUNE 12, 2014

These 12 historically insidious backdoors will have you wondering what's in your software -- and who can control it ...

ShatterDOC Information Team
"Cyberist"


Thursday, June 12, 2014

An Overview of Cryptography

This white paper is an excellent - and highly detailed - discussion of cryptology. Not for the faint of heart or mathematically challenged, it delves deeply into the mysteries of encryption and decryption. An excellent reference to and history of an arcane art.
An Overview of Cryptography by Gary C. Kessler (updated 2 May 2014).

ShatterDOC BLog: The latest in Document security

ShatterDOC is being developed by a small group of computer scientists and engineers to repair the damage done to encryption by state actors and provide inexpensive protection against information thieves.

While we sell software and hardware solutions, we believe that everyone who uses the Internet and Internet connected computers should be knowledgeable about threats to them and their information.

The cognoscenti already read several of the daily publications, RSS feeds, blogs, and news articles. They aren't the target audience for this blog. And, we don't read nearly all of these sources either. We do, however, read a fair subset of this material. We identify articles relevant to our sector of the cyber security environment and distribute them internally. We decided to share these articles with our customers and the general public.

Our products are designed to protect digital information storage, sharing, and transmission. So, articles about these activities, the cloud industry, data breaches, and encryption problems are our focus.

We don't claim to post everything - that's practically impossible! - but we do hope you will find links to articles about the major issues in the store & share sector useful.

We welcome comments, links to related articles, and insider tricks.

Please no commercials or product placement posts.

So, let's go!

ShatterDOC Blog Staff

Private comments or business inquiries? Email us: blog at shatterdoc.com

Heartbleed still matters, and we're all partly to blame



INFOWORLD | JUNE 12, 2014
http://www.infoworld.com/d/security/heartbleed-still-matters-and-were-all-partly-blame-244186

Extremely weak passwords make us vulnerable, but there are ways to create passwords you'll remember and yet are hard to crack.
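One way to get a password that is both memorable and hard to crack is to draw words from a list with a cryptographic random source and count the strength in bits. The following is an added example written for this post, not code from the InfoWorld article: the 64-word list is constructed for the demonstration, and the 77-bit threshold is an assumption used to show the arithmetic (roughly six words from the published 7776-word Diceware list, which gives about 12.9 bits per word).

```python
# Added example, not from the InfoWorld article. Generate a passphrase from a
# wordlist with a CSPRNG and score it in bits, so a password rule can say "at
# least N bits" instead of "one digit and one symbol". The 64-word list below is
# constructed for the demo (6 bits per word); a real deployment would use a
# published list such as the 7776-word Diceware list (about 12.9 bits per word).
import math
import secrets
from typing import Sequence

DEMO_WORDS: Sequence[str] = (
    "apple", "banana", "cedar", "delta", "eagle", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lemon", "maple", "nickel", "orbit", "pepper",
    "quartz", "river", "saddle", "tiger", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "basket", "candle", "dragon", "ember", "forest", "glacier",
    "hammer", "iron", "jungle", "kernel", "ladder", "marble", "needle", "ocean",
    "pillow", "quiver", "rocket", "silver", "timber", "unicorn", "violet", "window",
    "yogurt", "zipper", "acorn", "bridge", "copper", "desert", "engine", "feather",
    "granite", "helmet", "ivory", "jigsaw", "kayak", "lantern", "meadow", "nectar",
)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Strength of a passphrase of n_words drawn uniformly from list_size words.

    The same formula gives the ceiling for character passwords: a truly random
    8-character password over the 94 printable ASCII characters is only about
    52 bits, and human-chosen ones are far below that ceiling.
    """
    return n_words * math.log2(list_size)


def words_needed(list_size: int, min_bits: float) -> int:
    """Fewest words from a list of list_size that reach min_bits."""
    return math.ceil(min_bits / math.log2(list_size))


def make_passphrase(words: Sequence[str], min_bits: float, sep: str = "-") -> str:
    """Draw enough words, with replacement and via secrets, to reach min_bits.

    Duplicates in the list would silently shrink the real choice space, so they
    are rejected rather than counted.
    """
    if len(set(words)) != len(words):
        raise ValueError("wordlist must not contain duplicates")
    n = words_needed(len(words), min_bits)
    return sep.join(secrets.choice(words) for _ in range(n))


if __name__ == "__main__":
    target = 77.0  # assumed policy threshold for the demo
    phrase = make_passphrase(DEMO_WORDS, min_bits=target)
    n = len(phrase.split("-"))
    print(f"{phrase}\n{n} words from {len(DEMO_WORDS)}: "
          f"{entropy_bits(len(DEMO_WORDS), n):.1f} bits")
    print(f"same target with a 7776-word list: {words_needed(7776, target)} words")
```

The strength figure is only honest when the words are chosen by the generator, not by the user; a phrase someone picks from memory is a dictionary attack target no matter how many words it has. A larger list buys fewer words for the same bits, which is why the small demo list needs thirteen of them where Diceware needs six.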