ShatterDOC Original Material

Wednesday, June 3, 2015

DailyTech - Japanese Researchers Crack Supposedly Hack-Proof Cryptography

Or, as Scooby Doo used to say, "Ruh-roh!"

"Researchers who developed the standard claimed it would take "thousands of years to crack", but it took only 148 days."

"We're living in either a dark, dismal time for cryptographers or a golden, glorious age for hackers depending on how you look at it.  Casual hackers are making short work of supposedly modestly-secure older hashing standards like MD5, and even supposedly-super-secure "strong" encryption techniques are falling to novel attacks."

This article is not for the faint of heart or those averse to the icky innards of cryptology. But it has a lot of insight into why computer security is in so much trouble. A great nerd read.

Consumer Cloud Security Is an Oxymoron

After some mental rummaging around, this article reaches the startling conclusion that "There is still no framework for modernizing and standardizing security at every level of our cloud infrastructure. It is a hodgepodge of things that do not work very well and still manage to leave gaping holes."

As we've been trying to tell folks for years!

A history of Internet security - Washington Post

This is a cool article for everyone. Those of us old enough to remember that glorious day when Al invented the Internet can revisit the good ol' days; those born this century can see what the olden days were like. Either way, it is an interesting sequential list of what the authors think were the important events leading to today's insecure network.

Compromised Routers: Who's Responsible?

by Mathew J. Schwartz, Data Breach Today
An army of 40,000 small office/home office routers has been exploited by automated malware. But who is responsible for the devices being vulnerable: vendors, for shipping well-known default credentials, or distributors and IT managers, for not locking them down?

http://www.databreachtoday.com/router-hacks-whos-responsible-a-8233

If you haven't done it - CHANGE THE DEFAULT PASSWORD!

How to turn your embarrassing Google searches into a hack-proof password

"We have a password problem. Each year, millions of our accounts are broken into, and no matter how many times we're told to make our PINs more secure, the most common passwords last year were almost willfully obvious: "123456," "password," and "12345".

"There must be a better way.

"Imagine if, when logging in to check your email, you were prompted with a personal question like, "What new song did you download yesterday?" or "Who was the first person to text you this morning?""

This article proposes a new way to have security without having to remember complex passwords. The catch is that the service has to hold the same personal data to check your answer, so the scheme trades one secret for a much larger trove of data the provider must protect.


Speaking just for myself, I have no idea who the first person who texted me this morning was!

Friday, May 22, 2015

LogJam Exposed: 575 Cloud Services Potentially Vulnerable to Man-in-the-Middle Attacks



CLOUD SECURITY ALLIANCE | MAY 21, 2015
By Sekhar Sarukkai, VP of Engineering, Skyhigh Networks 

LogJam, the latest in a spate of web vulnerabilities, was disclosed on Tuesday evening by a team including Matthew Green, assistant research professor at Johns Hopkins University, researchers from the University of Michigan and the University of Pennsylvania, and researchers from Microsoft Research and INRIA who were part of the team that originally discovered the FREAK vulnerability. The flaw is a leftover of 1990s U.S. export regulations: any server that still supports export-grade DHE cipher suites (512-bit Diffie-Hellman) can be tricked by a man in the middle into negotiating one with a client that asked for a normal suite, and a 512-bit discrete log is within reach of an academic team. The server-side fix is to disable the export suites and move to 2048-bit DH groups or ECDHE.
 
https://blog.cloudsecurityalliance.org/2015/05/21/logjam-exposed-575-cloud-services-potentially-vulnerable-to-man-in-the-middle-attacks/

Until websites convert to Hackproof Technologies' new server technology, these security issues will continue.

Thursday, May 7, 2015

The Main Cyber Threats to Web Sites and Visitors

Based on, and quoting from, an article by Symantec in CSO | The Resource for Data Security Executives

"Cyber attackers are leapfrogging defenses in ways companies don't even have the insight to anticipate"

Phishing attacks, and their highly targeted siblings spear-phishing attacks, involve targeted messages being sent to individuals. But there are also attacks on websites rather than people, and those affect every visitor. You may not even be aware that your website is spreading malicious infections!

"In a watering hole attack attackers infiltrate places people go. For example, they might inject a vulnerability into a website they know their targets visit. This bypasses the measures put in place to block malicious email.

"A variation of this is bad actors infiltrating software used in specific industries with malicious payloads. For example, if a mining company uses a specific application, a hacker could infect that software at the developer's site so that the malicious payload enters the mining company through a seemingly legitimate channel." [Supply chain attack]


Because general purpose computers can NEVER be completely protected, website owners will ALWAYS be playing catch-up and endangering their visitors. (Paraphrase from Dr. M)

There IS a solution on the way...

Just-released WordPress 0day makes it easy to hijack millions of websites [Updated] | Ars Technica

Exploit code lets attackers gain administrative control sans authorization


Update - apparently fixed.

Monday, April 27, 2015

Secure Your Website So Your Customers Don't Get Mugged

PCMAG | APRIL 23, 2015

"You don't expect to get mugged when you walk into a store," said Tom Kellermann, Trend Micro's Chief Cybersecurity Officer, "You expect facility security."
"We've seen a 25 percent increase in watering hole attacks globally," said Kellermann, "Half are in the U.S., and 45 million appeared in the first half of the year." A watering hole attack is a seemingly innocuous website that can automatically infect visiting browsers, without any interaction by the user. Just as the jungle predator waits for prey and then leaps, the malicious code activates when a likely victim arrives. And any website with insufficient security can be injected with code that turns it into a watering hole."
http://www.pcmag.com/article2/0,2817,2482393,00.asp/?utm_medium=referral&utm_source=shatterdoc.com

Cyber warfare experts know a dirty little secret: It is mathematically impossible to prevent cyber attacks on a general purpose computer. Fortunately there's a new technology being developed that will forever stop website hijacking and watering hole attacks. Watch this blog for an announcement!

Citigroup Report Chides Law Firms for Silence on Hacking


Every month it seems another American company reports being a victim of a hacking that results in the theft of internal or customer information. But the legal profession almost never publicly discloses a breach.


Clouds Are Not Really Very Safe! – Here are 9 Security Threats Everyone Needs to Understand | Internet, Information Technology & e-Discovery Blog


A report from the Cloud Security Alliance (CSA) explained how the cloud is not as safe as many people think, based on "nine major categories of threats that face cloud technologies" which organizations "must weigh ... as part of a rigorous risk assessment, to determine which security controls are necessary." CDW issued a white paper entitled "Playbook: Overcoming Cloud Security Concerns" which explained how to deal with the nine CSA threats and explained the difference between data loss and data breach...


Sunday, April 26, 2015

Some US Passenger Jets Hackable?

With this architecture (see links) it sure looks dangerous:

https://sophosnews.files.wordpress.com/2015/04/gao-network-1000.png?w=500&h=450

https://nakedsecurity.sophos.com/2015/04/17/could-a-hacker-really-bring-down-a-plane-from-a-mobile-phone-in-seat-12c/

Just when you thought you were safe 'cause they take away box cutters...

The Cloud Guide to RSA

CLOUD SECURITY ALLIANCE | APRIL 10, 2015
What you missed at RSA

FBI warns of ISIS-sympathetic hackers attacking and defacing WordPress sites

VENTUREBEAT | APRIL 7, 2015
"The Federal Bureau of Investigation (FBI) issued a warning today about an ongoing spree of website defacements (sic) allegedly perpetrated by hackers sympathetic to the Islamic State of Iraq and Syria (ISIS). The attacks have affected a variety of websites, including news organizations, commercial entities, religious institutions, U.S. federal/state/local governments, foreign governments, and a variety of other domestic and international websites. Targets appear to be random: They are not linked by name or business type."


2015 Bitglass Cloud Security Report : Security Still Cloud’s Achilles Heel

CLOUD SECURITY ALLIANCE | MARCH 12, 2015
By Christopher Hines, Product Marketing Manager, Bitglass

"The cloud. Companies want it, but can they secure it? Moving to cloud applications like Salesforce, Office 365 and Box can be beneficial for business, but companies must first answer the question of security.

[They] "announced the findings from the 2015 Bitglass Cloud Security Report. The report was the result of a survey done with 1,010 IT securers working across the globe."


And it's not pretty...

Sunday, March 22, 2015

Apple and Android Apps STILL Vulnerable to FREAK


Article by Pierluigi Paganini, Chief Information Security Officer at Bit4Id

"FireEye has published a report that reveals a disconcerting reality: despite vendors having issued patches for Android and iOS, several apps are still vulnerable to FREAK attacks when connecting to servers that accept RSA_EXPORT cipher suites. Many iOS apps are still vulnerable to the FREAK attack despite Apple having recently released iOS 8.2 for its mobile devices."

http://securityaffairs.co/wordpress/35052/hacking/mobile-apps-vulnerable-freak.html

Snowden-approved: The ‘Citizenfour’ hacker’s toolkit

EXTREMETECH | MARCH 20, 2015

The end credits of Citizenfour, the recent Academy Award-winning documentary about Edward Snowden, gave thanks to various security software programs.  If you've wanted to take steps to secure your own information, but were uncertain where to start, this article should get you headed in the right direction.

Are Your Beliefs Sabotaging You? | Nerd Fitness



This article is a bit off the document security topic but our resident psychologist sent it out to our entire staff.

Read it here:

The article has great advice.  I'm gonna paste it on my fridge.  It takes just one victory, even a little one, to change a life, give hope, make the seemingly impossible possible.

Create that little victory today.

Then celebrate it. You've started a new life!

And now back to our regularly scheduled blogging - document security!


Premera hit by massive hack that took sensitive data for up to 11M people

Premera Blue Cross revealed today that its networks suffered a massive security breach last year that gave attackers access to personal information from up to 11 million of its customers. The insurance company first found evidence of the attack on January 29, though evidence shows that the initial attack against Premera's systems took place on May 5, 2014.

-------------------

And if that doesn't make you a bit nervous....

2015 Bitglass Cloud Security Report : Security Still Cloud’s Achilles Heel

CLOUD SECURITY ALLIANCE | MARCH 12, 2015
By Christopher Hines, Product Marketing Manager, Bitglass

"The cloud. Companies want it, but can they secure it?"

"65% of respondents said that data encryption topped the list of the most effective security technology for data protection. It’s also important to note that due to the proliferation of data that is now moving outside of the firewall, 68% of companies believe that a perimeter-based approach to security is no longer the correct strategy for securing data."
---

24 Hours After FREAK, 766 Cloud Providers were Still Vulnerable

CLOUD SECURITY ALLIANCE | MARCH 6, 2015
The Average Company Uses 122 FREAK-vulnerable services 
Article by Sekhar Sarukkai, Co-founder and VP of Engineering, Skyhigh Networks
"[Last] week a group of researchers at INRIA, Microsoft Research, and IMDEA discovered a widespread vulnerability in OpenSSL that has rendered millions of Apple and Android devices vulnerable to man-in-the-middle attacks when they visited supposedly secure websites and cloud services. You can read the detailed description of the vulnerability from the discovering researchers here.
The researchers have dubbed this the "FREAK" vulnerability (CVE-2015-0204) or Factoring Attack on RSA-EXPORT Keys, and it enables attackers to force clients to use older, weaker encryption, known as the "export-grade" key or 512-bit RSA keys."
This is a serious problem folks!
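FREAK (RSA_EXPORT suites, this post) and LogJam (DHE_EXPORT suites, the May 22 post above) come down to the same server-side leftover: still offering 1990s export-grade cipher suites that a man in the middle can force the handshake down to. The Python below is an added example for both posts, not code from Skyhigh Networks, the Cloud Security Alliance or the researchers. It classifies a cipher list by which downgrade each export suite enables (handling both the IANA and the OpenSSL spellings), then builds a Python ssl server context that cannot be talked down to those suites or below TLS 1.2. The "legacy server" cipher list is constructed for the demo and is not taken from any real server.

```python
"""Audit a TLS cipher-suite list for the export-grade suites behind FREAK
(RSA_EXPORT, 512-bit RSA) and LogJam (DHE_EXPORT, 512-bit Diffie-Hellman),
and build a Python ssl context that refuses them.

Added example, not code from the posts' sources.  Suite names are standard
IANA / OpenSSL spellings; LEGACY_SERVER_SUITES is a constructed sample.
"""
import ssl
from typing import Dict, List, Optional

# Tokens that mark a Diffie-Hellman key exchange in either naming scheme.
DH_TOKENS = ("DHE", "EDH", "ADH", "DH_ANON", "_DH_")


def classify_export_suite(suite: str) -> Optional[str]:
    """Return "freak" for RSA_EXPORT suites, "logjam" for DH/DHE_EXPORT
    suites, and None for anything that is not export grade.

    Works on IANA names ("TLS_RSA_EXPORT_WITH_RC4_40_MD5") and OpenSSL names
    ("EXP-RC4-MD5", "EXP1024-DHE-DSS-RC4-SHA").
    """
    name = suite.strip().upper()
    is_export = name.startswith("EXP") or "_EXPORT" in name
    if not is_export:
        return None
    # Export suites that negotiate a 512/1024-bit DH group are the LogJam
    # ones; the remaining export suites carry a 512-bit RSA key (FREAK).
    if any(tok in name for tok in DH_TOKENS):
        return "logjam"
    return "freak"


def audit_cipher_list(suites: List[str]) -> Dict[str, str]:
    """Map each export-grade suite in a configured list to the attack it enables."""
    findings: Dict[str, str] = {}
    for suite in suites:
        label = classify_export_suite(suite)
        if label:
            findings[suite] = label
    return findings


# Constructed sample of a legacy server's cipher list (not a real server).
LEGACY_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "EXP-RC4-MD5",                 # TLS_RSA_EXPORT_WITH_RC4_40_MD5 (FREAK)
    "EXP-EDH-RSA-DES-CBC-SHA",     # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (LogJam)
    "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "AES128-SHA",
]

# OpenSSL cipher string: forward-secret AEAD suites only, with the export,
# NULL, DES, RC4 and MD5 families banned explicitly.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXP:!DES:!RC4:!MD5"
)


def hardened_server_context() -> ssl.SSLContext:
    """Server context that cannot be downgraded to an export suite or to TLS < 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def leftover_export_suites(ctx: ssl.SSLContext) -> List[str]:
    """Export-grade suites the context would still offer (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if classify_export_suite(c["name"])]


def dh_group_is_acceptable(prime_bits: int) -> bool:
    """LogJam's other lesson: 512-bit DH groups are broken in practice and
    1024-bit ones are within reach of a nation state, so require 2048 bits."""
    return prime_bits >= 2048


if __name__ == "__main__":
    for suite, attack in audit_cipher_list(LEGACY_SERVER_SUITES).items():
        print(f"{suite:42s} enables {attack}")
    print("export suites left in hardened context:",
          leftover_export_suites(hardened_server_context()))
```

Run it against the output of `openssl ciphers -v 'ALL'` on the server in question, or against the cipher string in its web-server config, to see which of the two downgrades it is still exposed to; the hardened context is the shape of the fix on the Python side, and the equivalent cipher string works in nginx or Apache.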
---

Thursday, January 1, 2015

The Cyber Security Developer Bundle (88% off)

No, we're not taking advertising money. This looks like an interesting deal. It comes via one of our folks' email feeds: Android Community Deals (hi@stacksocial.com).
The Cyber Security Developer Bundle: Steer Clear Of Online Miscreants With 60 Hours Of Hacking & Secure Development Training.