Dukes of Cyber Hazard | TechSNAP 233
https://original.jupiterbroadcasting.net/88126/dukes-of-cyber-hazard-techsnap-233/
Thu, 24 Sep 2015 07:17:04 +0000


Let’s Encrypt hits a major milestone, F-Secure publishes their investigation into “The Dukes” & we dig into Tarsnap’s email confirmation bypass.

Plus a great batch of your questions, a rocking round up & much, much more!

— Show Notes: —

Let’s Encrypt goes live

  • “Let’s Encrypt, a movement to issue free and automated HTTPS certificates, today hit a major milestone when its first cert went live”
  • It is hoped that free, automatically generated SSL certificates will allow the web to move to HTTPS everywhere
  • “A coalition of technology companies, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, joined the EFF and the University of Michigan late last year in getting Let’s Encrypt off the ground; the initiative is open source and overseen by a California non-profit called Internet Security Research Group (ISRG)”
  • Let’s Encrypt has done all of the setup, paperwork, and audits required to become a regular trusted Certificate Authority
  • The big difference is, they will give the certificates away for free
  • “IdenTrust is providing Let’s Encrypt with the cross-signature it needs in order to become a CA for existing browsers and software”
  • “Eventually, webmasters will merely have to run a client to authenticate their server. They’ll also be able to enable features on their site like HTTP Strict Transport Security (HSTS), OCSP stapling and making sure that visitors to the old HTTP version of their site are redirected to the new HTTPS version”
  • The cross signature is not yet in place, so Let’s Encrypt issued certificates are not trusted by existing browsers. This is expected to be in place in about a month

F-Secure publishes their investigation into “The Dukes”, a Russian APT team

  • “We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making”
  • The same group is also tracked by FireEye, where they are known as just APT29
  • By combining their new research, and that of other researchers like Kaspersky, FireEye and ICDS, then going back over historical research and data from as far back as 7 years, the F-Secure researchers were able to “connect the dots” and attribute 2 older malware campaigns to this same group, and better understand the objectives of that malware
  • The Dukes are known to employ a wide arsenal of malware toolsets including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka HAMMERTOSS).
  • “The Dukes rapidly react to research being published about their toolsets and operations. However, the group (or their sponsors) value their operations so highly that though they will attempt to modify their tools to evade detection and regain stealth, they will not cease operations to do so, but will instead incrementally modify their tools while continuing apparently as previously planned.”
  • These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.
  • In some of the most extreme cases, the Dukes have been known to engage in campaigns with unaltered versions of tools that only days earlier have been brought to the public’s attention by security companies and actively mentioned in the media. In doing so, the Dukes show unusual confidence in their ability to continue successfully compromising their targets even when their tools have been publicly exposed.
  • This suggests they do not fear getting caught. They may have been promised protection by the Russian government
  • The story of the Dukes, as it is currently known, begins with a malware toolset that F-Secure call PinchDuke.
  • This toolset consists of multiple loaders and an information-stealer trojan. Importantly, PinchDuke trojan samples always contain a notable text string, which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel.
  • Their first campaign appears to have been in 2008, against Chechnya
  • The first time the group targeted a Western government was 2009
  • In 2013 the group shifted targets to the Ukraine, and also started working against drug dealers inside Russia
  • On the 12th of February 2013, FireEye published a blogpost alerting readers to a combination of new Adobe Reader 0-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641, that were being actively exploited in the wild. 8 days after FireEye’s initial alert, Kaspersky spotted the same exploit being used to spread an entirely different malware family from the one mentioned in the original report.
  • On the 23rd of October 2014, Leviathan Security Group published a blog post describing a malicious Tor exit node they had found. They noted that this node appeared to be maliciously modifying any executables that were downloaded through it over a HTTP connection. Executing the modified applications obtained this way would result in the victim being infected with unidentified malware. On the 14th of November, F-Secure published a blog post naming the malware OnionDuke and associating it with MiniDuke and CosmicDuke, the other Duke toolsets known at the time.
  • Based on the presented evidence and analysis, F-Secure believe, with a high level of confidence, that the Duke toolsets are the product of a single, large, well-resourced organization (which F-Secure identify as the Dukes) that provides the Russian government with intelligence on foreign and security policy matters in exchange for support and protection.
  • The evidence seems to be pretty compelling, but it is hard to know anything for certain
  • FireEye PDF — Hammertoss
  • F-Secure PDF — The Dukes

Tarsnap email confirmation bypass

  • Colin Percival of Tarsnap has posted a blog entry describing a flaw in the Tarsnap signup process that he recently fixed
  • This provides some interesting insight into how easy it is, when building an application, to make a small mistake that ends up having real-world repercussions
  • Because of the Tarsnap bug bounty program, a lot of fake signups are attempted against Tarsnap, to try to ‘fuzz test’ the forms on the site
  • For this, and other reasons, Tarsnap requires an email verification before creating an account
  • “so I wasn’t concerned when I received an email last week telling me that someone was trying to create an account as admin@tarsnap.com”
  • “Five minutes later, I was very concerned upon receiving an email telling me that the registration for admin@tarsnap.com had been confirmed and the account created.”
  • “This should not have happened, so I immediately started running down a list of possibilities. Was it a forged email? No, the headers showed it being delivered from the CGI script to the tarsnap web server’s qmail to the tarsnap mail server’s qmail to my inbox. Was a copy of the confirmation email — which should never have gotten past the mail server — being misdelivered somehow? No, the mail logs showed that the email to admin@tarsnap.com went from CGI script to the web server’s qmail to the mail server’s qmail and then was dropped. Was one of the CGI scripts on the tarsnap web server compromised? There was nothing in the logs to suggest a malformed request of the sort which might have been used to exploit a bug; nor, for that matter, anything to suggest that someone had been probing for bugs, so if a CGI script had been exploited, it was done completely blindly. Nevertheless, I disabled the CGI scripts just in case.”
  • “Had someone managed to compromise the web server or mail server? unlikely”
  • “The mystery was solved a few minutes later when an email arrived from Elamaran Venkatraman: He hadn’t compromised any servers or exploited any bugs in my C code; rather, he had found a dumb mistake in tarsnap’s account-creation process.”
  • “For most people to create a Tarsnap account, only a few things are required: An email address, a password, and checkbox confirming that you agree to the Tarsnap legal boilerplate. You submit those to the Tarsnap server; it generates a registration cookie; it sends that cookie to you as part of a URL in the confirmation email; and when you click through that link and re-enter your password your account is created. So far so good — but some people need a bit more than that. Tarsnap is a Canadian company, and as such is required to remit sales tax for its Canadian-resident customers. Moreover, Tarsnap is required to issue invoices to its Canadian-resident customers — invoices which show the customers’ physical mailing addresses — so if a registrant identifies themself as being a Canadian resident, they are taken to a second page to provide their name and mailing address.”
  • “But what of that confirmation email? Well, I didn’t want someone who self-identified as a Canadian resident to create an account without providing the legally-mandated information, so I couldn’t send out that email until they submitted the second page. On the other hand, they having provided their email address and password once already, I didn’t want to ask for those again. And so, when I finally got all the paperwork sorted and started accepting Canadian customers in July 2012, I took the option which was simple, obvious and completely wrong: I passed the registration cookie as a hidden variable in the second-page form, to be echoed back to the server.”
  • “This of course is what Elamaran had found. To be clear, the registration cookie didn’t reveal any server internals; the only thing it could be used for was to confirm an email address. But because it was being sent in the HTML response, anyone could “confirm” any email address, simply by claiming to be a Canadian resident and viewing the page source. Oops. The fix for this was easy: Use two cookies, one for email confirmation and one for the Canadian-address-obtaining continuation. More importantly, I’ve moved the cookie-generation to where it belongs — within the routine which generates and sends the confirmation email — and I’ve added a comment to remind myself that the cookie must never be exposed via any channel other than an email destined for the address being confirmed.”
  • “That last part is ultimately the most important lesson from this: Comments matter! I don’t know what I was thinking three years ago when I reused that cookie; but unless my memory was much better then than it is now, I almost certainly wasn’t thinking about my original design from four years prior. While this was hardly a fatal bug — while I’ll never know for certain, I doubt anyone exploited this email confirmation bypass, and the impact would not be severe even if someone did — it’s a reminder of the importance of writing useful comments. I often see solo developers excuse a lack of comments in their code on the basis that they understand their code and nobody else will be touching it; this misses an essential point: I am not the same person as I was three years ago, nor do I understand everything I understood three years ago. People make mistakes, and people edit code without fully understanding how and why it works. Leave breadcrumbs behind, even if you don’t intend for anyone to follow you: When you try to retrace your steps, you might get lost without them.”
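
The flaw and the fix described above, modelled as an added example (this is not Tarsnap's code): one toy service runs either the original single-cookie flow or the two-cookie flow, and a regression check asks whether the second-page HTML alone is enough to confirm an address. The class and method names, the `signup.example` URL and the sample address are all hypothetical.

```python
import re
import secrets

HIDDEN = re.compile(r'name="cookie" value="([^"]+)"')


class SignupService:
    """Toy model of the two-page signup; every name here is hypothetical."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.pending = {}        # confirmation cookie -> email awaiting confirmation
        self.continuations = {}  # page-two continuation token -> email (hardened)
        self.outbox = []         # (recipient, body) pairs; stands in for the mailer
        self.accounts = set()

    def _send_confirmation(self, email, cookie=None):
        # Hardened path: the confirmation cookie is generated here and nowhere
        # else, and must never leave by any channel other than mail to `email`.
        if cookie is None:
            cookie = secrets.token_urlsafe(32)
            self.pending[cookie] = email
        self.outbox.append((email, f"https://signup.example/confirm?cookie={cookie}"))

    @staticmethod
    def _address_form(value):
        return ('<form method="post" action="/address">'
                f'<input type="hidden" name="cookie" value="{value}">'
                '<input name="name"><input name="address"></form>')

    def start(self, email, canadian):
        """Page one: returns the HTML body sent back to the browser."""
        if self.hardened:
            if not canadian:
                self._send_confirmation(email)
                return "<p>Check your mail.</p>"
            token = secrets.token_urlsafe(32)   # only resumes the form
            self.continuations[token] = email
            return self._address_form(token)
        cookie = secrets.token_urlsafe(32)      # original flow: one cookie, two jobs
        self.pending[cookie] = email
        if not canadian:
            self._send_confirmation(email, cookie)
            return "<p>Check your mail.</p>"
        return self._address_form(cookie)       # email-confirming secret in the HTML

    def submit_address(self, value, name, address):
        """Page two: the mailing address arrives, then the mail goes out."""
        if self.hardened:
            email = self.continuations.pop(value, None)
            if email is None:
                return False
            self._send_confirmation(email)
            return True
        email = self.pending.get(value)
        if email is None:
            return False
        self._send_confirmation(email, value)
        return True

    def confirm(self, cookie):
        """Confirmation link target (password re-entry omitted for brevity)."""
        email = self.pending.pop(cookie, None)
        if email is None:
            return False
        self.accounts.add(email)
        return True


def confirmable_from_page_source(service, email):
    """Regression check: does the page-two HTML alone confirm `email`?"""
    html = service.start(email, canadian=True)
    value = HIDDEN.search(html).group(1)
    return service.confirm(value) and not service.outbox


def confirmable_from_mailbox(service, email):
    """Legitimate path: fill in page two, then follow the mailed link."""
    html = service.start(email, canadian=True)
    service.submit_address(HIDDEN.search(html).group(1), "A. Name", "1 Example St")
    recipient, body = service.outbox[-1]
    return recipient == email and service.confirm(body.split("cookie=", 1)[1])


if __name__ == "__main__":
    addr = "someone@example.org"  # constructed sample address
    print("single cookie, page source only:",
          confirmable_from_page_source(SignupService(False), addr))
    print("two cookies, page source only:",
          confirmable_from_page_source(SignupService(True), addr))
    print("two cookies, via mailbox:",
          confirmable_from_mailbox(SignupService(True), addr))
```

A check like `confirmable_from_page_source` is worth keeping as a permanent test: it encodes the rule from the comment Percival describes adding, so a later edit that reuses the cookie fails immediately.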

The Day the Routers Died | TechSNAP 175
https://original.jupiterbroadcasting.net/64547/the-day-the-routers-died-techsnap-175/
Thu, 14 Aug 2014 18:11:02 +0000


The Internet suffers from some growing pains, we explain how some old assumptions have come back to haunt us, victims of a cyberheist go after the bank that failed them, and we go deep on the Synology crypto-malware.

Then it’s a great big batch of your emails and much more!!

— Show Notes: —

Internet suffers growing pains as global routing table exceeds 500,000 entries

  • High-end routers use a special system called TCAM (Ternary Content-Addressable Memory) to store the routing tables for faster lookups
  • CAM memory works differently from regular memory, basically working like an associative array, or hash, where the information can be looked up based on a ‘key’ or ‘tag’. Rather than the data living at a specific address in memory, and the application having to keep track of that address, the application can simply ask for the data stored with a specific key
  • A TCAM works similarly, except it is ternary, meaning it has three possible states. Similar to binary, except in addition to on and off bits, it has a ‘do not care’ bit. This makes it perfect for storing routing information, because network addresses are binary addresses split into two parts, the network part (that the router cares about), and the host part (that the router does not care about)
  • So using a TCAM, a router can look up the destination address for any network by simply requesting the data stored with the key of the destination network address
  • Because of the way TCAMs work, they have to be of a fixed size. The default on some older internet core routers is too small to hold the current global routing table
  • On some routers, if the TCAM gets full, the router can fall back to software routing mode, where it has to search the entire routing table in regular memory for the most specific matching network address. This is much slower, and uses a lot of CPU time, which most core routers have very little of
  • To resolve this issue, the size of the TCAM must be changed (if there is enough memory in the device to support a larger size), and the router must be reloaded, causing downtime
  • This issue is further complicated by a manufacturing defect with the memory in the routers and on the line cards, which can fail catastrophically during a reboot, leaving the device unbootable or unable to access the network via the line card. Cisco: Memory Component Issues page
  • This issue was brought up at NANOG – North American Network Operators Group on May 6th
  • Heads Up on the FreeBSD mailing list
  • Cisco announced the problem ahead of time
  • Cisco: How to adjust the TCAM allocation on Catalyst 6500 and 7600
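
An added sketch of the lookup behaviour described above, not vendor code: prefixes are stored as ternary patterns with the host bits marked "do not care", the table has a fixed capacity, and once a route no longer fits every lookup takes the slower software search. The class name, the capacity and the documentation-range prefixes are assumptions made for the example, and real hardware compares all entries in parallel rather than in a loop.

```python
import ipaddress


def ternary(prefix):
    """Render a prefix as a TCAM pattern: network bits, then X = do not care."""
    net = ipaddress.ip_network(prefix)
    bits = format(int(net.network_address), "032b")
    return bits[:net.prefixlen] + "X" * (32 - net.prefixlen)


class Tcam:
    """Fixed-size ternary table with a software fallback (simplified model)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []    # (pattern, next_hop), most specific first
        self.software = []   # full routing table held in regular memory

    def install(self, prefix, next_hop):
        """Add a route; returns False when the hardware table is already full."""
        pattern = ternary(prefix)
        self.software.append((pattern, next_hop))
        if len(self.entries) >= self.capacity:
            return False
        self.entries.append((pattern, next_hop))
        # Priority order: fewer do-not-care bits means a more specific route.
        self.entries.sort(key=lambda e: e[0].count("X"))
        return True

    @staticmethod
    def _matches(pattern, key):
        return all(p in ("X", k) for p, k in zip(pattern, key))

    def lookup(self, address):
        """Return (next_hop, path) for a destination address."""
        key = format(int(ipaddress.ip_address(address)), "032b")
        if len(self.software) == len(self.entries):
            # Hardware compares every entry at once; the first match in
            # priority order wins. The loop only stands in for that.
            for pattern, hop in self.entries:
                if self._matches(pattern, key):
                    return hop, "tcam"
            return None, "tcam"
        # Table overflowed: search the whole table for the most specific match.
        best = None
        for pattern, hop in self.software:
            if self._matches(pattern, key):
                if best is None or pattern.count("X") < best[0].count("X"):
                    best = (pattern, hop)
        return (best[1] if best else None), "software"


if __name__ == "__main__":
    table = Tcam(capacity=3)  # constructed routes from documentation ranges
    for prefix, hop in [("0.0.0.0/0", "default"), ("198.51.100.0/24", "B"),
                        ("198.51.100.128/25", "C"), ("203.0.113.0/24", "D")]:
        print(prefix, ternary(prefix), "fits" if table.install(prefix, hop) else "overflow")
    print(table.lookup("198.51.100.200"))
```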

Tennessee based company sues bank over cyberheist

  • Tennessee Electric was the target of a cyberheist, where Russian or Ukrainian based mal-actors took over their corporate bank account and proceeded to siphon $327,804 out of the company’s accounts at TriSummit Bank
  • The company had an agreement with their bank, that the bank would phone and verify all transfers of funds
  • The company only became aware that they had been the victims of a heist when they were called by Brian Krebs
  • “According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47”
  • “On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.”
  • “Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.”
  • Tennessee Electric’s account appears to have been compromised using a Man-in-the-Browser attack
  • Malware on the computer changed what was displayed to the user when they visited the online banking site
  • “the controller for the company said she was asked for and supplied the output of a one-time token upon login.”
  • The man-in-the-browser virus can then return a modified version of the regular account balance page (showing only the amount the user expects there to be in the account, basically adding back the stolen monies)
  • In this case, the virus returned a “down for maintenance” page
  • Asking the user to try again in a few minutes may allow the attacker access to a series of one-time tokens, allowing them to complete more transactions
  • TriSummit Bank was able to get back $135,000 of the stolen funds, leaving the company out almost $200,000.
  • The company is now suing the bank for that money and the interest they would have earned on it
  • Unlike personal accounts, corporate bank accounts do not enjoy the same liability protection from unauthorized transactions
  • Krebs also mentions his Online Banking Best Practises for Businesses

Synolocker for sale, plus in-depth look at how it works

  • F-Secure does an in-depth look at how Synolocker encrypts your files
  • F-Secure was looking to see if there were many similarities between CryptoLocker and SynoLocker, but found that there were not
  • It appears that SynoLocker may be using better encryption, and uses a unique key pair per victim, which will most likely prevent an online service like the one that is rescuing the files of CryptoLocker victims
  • SynoLocker appears to take additional steps to ensure that the original file is only destroyed
  • It appears the author of the Synolocker virus is looking to get out of the business
  • Posted online that the website will be closing soon, and if you want the keys to decrypt your data you better pay soon
  • If you updated DSM software to try to fix the vulnerability, then you’ll need to use a custom tool to decrypt your data
  • The author is also willing to sell the remaining ~5500 decryption keys to someone else for 200 bitcoins
  • It seems he wants to get out before he gets caught, but is willing to let someone else attempt to continue selling the decryption keys (which sold for 0.6 bitcoin previously)

Amazon’s Strongarm | Tech Talk Today 41
https://original.jupiterbroadcasting.net/64342/amazons-strongarm-tech-talk-today-41/
Tue, 12 Aug 2014 09:23:18 +0000


Amazon has gone to war on multiple fronts, and is asking for you to enlist. But we’ll cut through the crap and discuss what’s really at play. Plus Xiaomi gets caught red handed spying on their users, the Bitcoin hijack that’s super impressive & more!


Show Notes:

Xiaomi phones send user data to remote servers: F-Secure

At first, F-Secure did not configure an Mi Cloud (Xiaomi’s equivalent of Apple’s iCloud that stores user data) account and simply inserted a sim card, connected the phone to Wi-Fi, turned on GPS, added a contact and made and received a call and exchanged messages. The company found that the phone number of contacts added to the phone book and from SMS messages received were also forwarded. The phone follows a similar pattern even when one configures an Mi Cloud account.

“Next we connected to and logged into Mi Cloud, the iCloud-like service from Xiaomi. Then we repeated the same test steps as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number,” writes F-Secure in its blog.

Xiaomi Makes its iMessage-Like Service Optional

Xiaomi is making the cloud messaging service that is automatically activated on its devices optional for users

These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change.

After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

Amazon wants you to ask Hachette’s CEO for lower e-book prices

Amazon Gets Increasingly Nervous

John Scalzi on Amazon/Hachette

John Scalzi:

Amazon is not your friend. Neither is any other corporation. It and they do what they do for their own interest and are more than willing to try to make you believe that what they do for their own benefit is in fact for yours. It’s not. In this particular case, this is not about readers or authors or anyone else but Amazon wanting eBooks capped at $9.99 for its own purposes. It should stop pretending that this is about anything other than that. Readers, authors, and everyone else should stop pretending it’s about anything other than that, too.

Disney Disc Preorders Disappear From Amazon

Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins

Researchers at Dell’s SecureWorks security division say they’ve uncovered a series of incidents in which a bitcoin thief redirected a portion of online traffic from no less than 19 Internet service providers, including data from the networks of Amazon and other hosting services like DigitalOcean and OVH, with the goal of stealing cryptocurrency from a group of bitcoin users.

Though each redirection lasted just 30 seconds or so, the thief was able to perform the attack 22 times, each time hijacking and gaining control of the processing power of a group of bitcoin miners, the users who expend processing power to add new coins to the currency’s network.


The attacker specifically targeted a collection of bitcoin mining “pools”


The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds. At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day.


The Dell researchers believe the bitcoin thief used a technique called BGP hijacking, which exploits the so-called border gateway protocol, the routing instructions that direct traffic at the connection points between the Internet’s largest networks. The hacker took advantage of a staff user account at a Canadian internet service provider to periodically broadcast a spoofed command that redirected traffic from other ISPs, starting in February and continuing through May of this year.


In fact, the BGP bitcoin-stealing exploits represent less of a new vulnerability in bitcoin than the persistent fragility of the internet itself, Dell’s researchers say. If one Canadian ISP can be used to redirect large flows of the Internet to steal a pile of cryptocurrency, other attackers could just as easily steal massive drifts of Internet data for espionage or pure disruption. The Dell researchers suggest that companies set up monitoring through a service like BGPmon, which can detect BGP hijacking attacks.

Dutch government funds safe Dropbox alternative Localbox

submitted by clementl

This links to a page where you can download the server. It’s written in PHP with Symfony.

The downside is that there are only clients for Windows, Android and iOS. They are planning to release the source of those this fall.

Firewalls Aren’t Magic | TechSNAP 144
https://original.jupiterbroadcasting.net/49207/firewalls-arent-magic-techsnap-144/
Thu, 09 Jan 2014 17:35:04 +0000


The NSA chilling effect is in full force, and you can probably guess where many companies are fleeing to.

Then the hidden problem facing IT security and why users expect magic.

Plus it’s a great batch of your questions, and our answers.

All that and more, on this week’s TechSNAP!

— Show Notes: —

Companies start moving data and jobs to Canada to avoid the NSA

  • “U.S. industry stands to lose billions as companies spooked by security leaks seek to store banks of personal data outside U.S.”
  • “It’s also a question of perception. The Europeans want to say to their clients that their information is not in the United States even though it stays in North America.”
  • Canada is also attractive due to the availability of skilled labour, the cooler climate (requiring less air conditioning) and cheap electricity
  • Compared to moving data to Europe, the latency to Canada is much lower because of its proximity and diversity of fibre paths
  • “No one will say which companies have decided to flee the U.S., but they are said to vary from European banking and insurance firms with operations in the U.S. to American oil and gas companies and retail outlets, according to Canadian industry representatives interviewed by the Star”
  • Cisco has chosen Ontario as the destination of a $4 billion investment that will create 1700 engineering and tech jobs
  • The 10 year deal will see more than half of the $4 billion spent on salaries
  • The number of jobs could grow as high as 5000

Some speakers quit RSA conference and call for boycott


The hidden threat to network security? Management

  • A survey and study by Stroz Friedberg called Information Security Risk in American Business was recently released
  • The study shows much of what you would expect: few people take security seriously, although everyone claims to care about it
  • Most people expect the IT experts to somehow magically keep everything secure, while end users go around sprinkling sensitive files all over the Internet, clicking the link in every spam email they get, and opening every attachment
  • “Insiders are by far the biggest risk to the security of a company’s sensitive information, whether it’s a careless executive or a disgruntled employee”
  • The horrible stats:
    • 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account in order to work remotely
    • 58% of Senior management have accidentally sent sensitive information to the wrong person (compared to 25% of workers overall)
    • 51% of senior management, and 37% of mid-level management, have taken files with them after leaving a job
    • 45% of senior management say that C-level leadership are responsible for protecting companies against cyber-attacks
    • “Yet, 52% of this same group indicated they are falling down on the job, rating corporate America’s ability to respond to cyber-threats at a “C” grade or lower.”
    • Employees disagree, 54% say IT professionals should be responsible for cyber security
    • 73% of employees fear their personal details such as Social Security numbers, birth date, banking information and home address could be stolen
    • “Only 35% of respondents reported receiving regular training and communications on mobile device security from their employers”
  • “BYOD and the use of personal online accounts have become prevalent in American businesses, as workers use their personal smartphones, tablets, and preferred cloud providers to stay productive while at work and out of the office. This is opening the door for businesses to encounter new and emerging threats from hackers, malware, and viruses.”
  • Full Study
