Internet’s security bug tracker faces its ‘Y2K’ moment

From Cnet.com’s Seth Rosenblatt
Unless you spent the first part of the year under a rock or offline, you’ve probably heard of Heartbleed. But chances are you don’t know the devastating vulnerability by its proper name: CVE-2014-0160.

The three letters stand for Common Vulnerabilities and Exposures, 2014 refers to the year, and the last four digits tick up each time a new bug is reported.

That number is inching ever closer to 9,999 — and the alphanumeric combo is about to face a Y2K moment.

There’s a good chance the bug number will skate perilously close to the uncharted waters of five digits this year for the first time in the nearly 15-year history of the system. And as with many 15-year-old computer systems forced to suddenly upgrade, the situation could get messy.

The CVE is both more than and less than another vulnerability database. Created in 1999 by the federal government and now under the Department of Homeland Security to help security sleuths, the database provides a way to share information about bugs and the tools used to fix them. But it lacks specifics like the risks posed by a vulnerability, or detailed technical information.

Although part of the government, the CVE is maintained by Mitre, a not-for-profit group that runs numerous federally-funded research and development centers.

Steve Christey Coley, a principal information security engineer at Mitre, said that even Mitre doesn’t know “all the different products” that use CVEs.

“In 1999, we assigned four digits [to the CVE] because we couldn’t imagine a situation where [the CVE database] would have to cover 10,000 vulnerabilities in a single year,” Coley said.

A bit ruefully, he added: “Famous last words.”

The CVE is governed by a 24-member editorial board that Coley moderates. In May 2013 it voted to expand the CVE syntax from four digits to five, with the field allowed to grow dynamically, so that when six or seven digits become required the number can lengthen as necessary. It was the board’s first formal vote in 12 years.

Perhaps not too surprisingly, the collection of brainiacs tasked with guiding the CVE initially couldn’t agree on a solution. Three finalist options were voted on, with a tie between the top two, necessitating a run-off and resulting in what Coley called “passionate” language between some board members.

“I felt like I was watching a cage match,” he said. “For a dry, technical issue, things sure got personal sometimes.”

But once the board made its decision on a 15-to-3 vote — with five voting members not participating and Coley not eligible to vote — the hard work and the nature of the CVE’s Y2K moment suddenly lay ahead.

Companies, nonprofits, and government organizations from around the world have relied on a four-digit CVE, and it isn’t clear how their systems will handle five digits.

Coley explained some of the potential bad outcomes — buffer overflows, major bug identifiers getting overwritten by minor ones — as leading to security risks.

“A major flaw could be replaced by a minor open-source bug if these tools are not updated,” Coley said, making it difficult — if not impossible — to track serious bugs.

Much like Y2K’s shift on the eve of the new century from using two digits to four digits to track years in computer programs, the CVE switchover to longer identifiers is happening regardless of whether CVE’s users have adapted to the new paradigm. Mitre has promised that by January 13, 2015, it will have tested at least one five-digit CVE — and that might actually happen before the end of the year.

The problem that Coley is wrestling with is that some organizations that use CVEs still don’t know about the potentially impending doom and so haven’t checked whether their software is compatible with the new identifier system.
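One way to check a CVE consumer against the syntax change described above. This is an added example, not code from Mitre or from the article; it assumes the syntax the board adopted (a four-digit year plus a sequence number of at least four digits with no upper bound), and the IDs CVE-2014-1234 and CVE-2014-12345 in the sample text are constructed placeholders, not real advisories.

```python
import re

# Variable-length syntax as the article describes the board's decision:
# four-digit year, then a sequence number of four or more digits.
NEW_RE = re.compile(r"CVE-(\d{4})-(\d{4,})(?!\d)")

# A pattern written in the four-digit era: it checks exactly four sequence
# digits and nothing after them, so on a longer ID it keeps the first four
# digits and silently discards the rest.
LEGACY_RE = re.compile(r"CVE-(\d{4})-(\d{4})")


def parse_cves(text):
    """Return every CVE ID in text, parsed with the variable-length syntax."""
    return [f"CVE-{y}-{seq}" for y, seq in NEW_RE.findall(text)]


def parse_cves_legacy(text):
    """Return every CVE ID in text, parsed with a fixed four-digit sequence."""
    return [f"CVE-{y}-{seq}" for y, seq in LEGACY_RE.findall(text)]


def legacy_collisions(text):
    """Map each truncated ID a legacy consumer would store to the distinct real
    IDs it would absorb.  Only keys that merge two or more real IDs are
    returned: these are the cases where one record overwrites another."""
    merged = {}
    for m in NEW_RE.finditer(text):
        truncated = f"CVE-{m.group(1)}-{m.group(2)[:4]}"
        merged.setdefault(truncated, set()).add(m.group(0))
    return {k: sorted(v) for k, v in merged.items() if len(v) > 1}


def cve_sort_key(cve_id):
    """Sort key that orders IDs numerically.  A plain string sort puts
    CVE-2014-10000 before CVE-2014-9999 once five-digit IDs appear."""
    year, seq = cve_id.split("-")[1:]
    return (int(year), int(seq))


def check_consumer(text):
    """Compatibility report for one advisory or feed snippet."""
    new = parse_cves(text)
    old = parse_cves_legacy(text)
    return {
        "ids": sorted(set(new), key=cve_sort_key),
        "long_ids": [c for c in new if len(c.split("-")[2]) > 4],
        "collisions": legacy_collisions(text),
        "legacy_matches_new": old == new,
    }


# Constructed advisory text.  CVE-2014-0160 is Heartbleed, as in the article;
# CVE-2014-1234 and CVE-2014-12345 are made-up placeholders.
SAMPLE = (
    "Fixed CVE-2014-0160 (Heartbleed, critical) and CVE-2014-1234 (low). "
    "A later five-digit entry, CVE-2014-12345, is also resolved."
)

if __name__ == "__main__":
    for key, value in check_consumer(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against your own advisory feed or ticket export, a non-empty `collisions` map or `legacy_matches_new == False` is the signal that a downstream tool is still truncating.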

“People are still surprised to hear about this syntax change,” he said.

Some are on board, though, such as Oracle, Red Hat, IBM, Microsoft, Symantec, NIST, China’s NSFocus, Security Tracker and CERT in the US, Japan and France.

“The big thing is,” Coley said, that “time is running out, and we know stuff will break. I hope that things will break quietly.”

Heartbleed may have been turned into a successful educational and warning campaign because of its ubiquity — a fact that earned its CVE more than 30 times the traffic of the next top 10 CVEs combined. But without a universal, functional tracking system behind it, the people who fight security bugs may suddenly have a much harder time getting their job done.


Comcast Is Threatening to Cut Off Customers Who Use Tor, a Private Web Browser

Multiple users of anonymous Web browser Tor have reported that Comcast has threatened to cut off their Internet service unless they stop using the legal software.

According to a report on DeepDotWeb, Comcast customer representatives have branded Tor “illegal” and told customers that using it is against the company’s policies.

Tor is a type of Web browser that, in theory, makes all your Internet activity private. The software routes traffic through a series of other connected Internet users, making it difficult for governments and private companies to monitor your Internet usage. Up to 1.2 million people use the browser, which became especially popular after Edward Snowden leaked information showing that the NSA was eavesdropping on ordinary citizens. Prior to that, Tor had been popular among people transacting business on Silk Road, the online market for drugs and hit men.

The problem is that downloading or using Tor itself isn’t illegal. Plenty of people might have legitimate reasons to want to surf the Web in private, without letting others know what they were looking at. But Tor has been pretty popular with criminals.

Comcast has reportedly begun telling users that it is an “illegal service.” One Comcast representative, identified only as “Kelly,” warned a customer over his use of Tor software, DeepDotWeb reports: “Users who try to use anonymity, or cover themselves up on the Internet, are usually doing things that aren’t so-to-speak legal. We have the right to terminate, fine, or suspend your account at any time due to you violating the rules. Do you have any other questions? Thank you for contacting Comcast, have a great day.”

Comcast customers, speaking to DeepDotWeb, claimed that Comcast repeatedly asked them which sites they were accessing using Tor.

In a statement to DeepDotWeb, Comcast defended its actions, seemingly asserting that it needs to be able to monitor Internet traffic in case it receives a court order:

“We respect customer privacy and security and would only investigate the specifics of a customer’s account with a valid court order. And if we’re asked by a court to provide customer information, then we ask for a reasonable amount of time to notify the customer so they can decide if they would like to hire a lawyer and if they do, then we turn the case over to them and they proceed with the judge directly and we step away.”

UPDATE: Comcast also said in a later statement that the report was “wildly inaccurate” and that it has no “stated policy” against its customers using Tor.

Verizon pays $7.4 million to settle FCC privacy investigation

As reported by CNET.com’s Marguerite Reardon (@Maggie_reardon)

Verizon Communications has agreed to pay the Federal Communications Commission $7.4 million to settle an investigation into the company’s use of consumers’ personal information for marketing purposes.

This is the largest such payment the FCC has ever received in an investigation related solely to the privacy of telephone customers’ personal information.

The settlement comes as the FCC is trying to look like it’s being tough on wireless phone companies. In late July, the commission sent Verizon a strongly worded letter in which Chairman Tom Wheeler said he was “deeply troubled” by Verizon’s decision to expand its network-management policy that targets customers of its unlimited data plans.

Chairman Wheeler has come under fire from fellow Democrats on Capitol Hill, as well as consumer groups and even comedians like John Oliver, for bowing too much to the will of big broadband companies, as his agency attempts to redraft new Net neutrality rules. The rules are designed to replace regulation that a federal court threw out earlier this year. Critics have been especially unhappy with the chairman for drafting a proposal to reinstate Open Internet rules that they claim would allow broadband companies to pay for priority access to networks, creating so-called Internet fast lanes.

Net neutrality is the principle that Internet service providers, such as AT&T, Comcast, Time Warner Cable and Verizon, and governments around the world, should treat all Internet traffic the same. This means Internet service providers (ISPs) shouldn’t block or slow down traffic on their local broadband networks based on individual users. And they shouldn’t modify their services based on the type of traffic those users are accessing or on the type of service that’s sending the content.

Even though the FCC says the Verizon investigation has nothing to do with the rewrite of the Net neutrality rules, it’s clear the commission wants to look as though it can take a tough stand against the phone companies.

The investigation

The Communications Act requires phone companies to protect the privacy of customers’ information, including sensitive personal information such as billing and location data. But some of this data can be used by a phone company for marketing additional services to consumers. The main restriction is that customers must give the phone company their approval through either an “opt in” or an “opt out” process. When that process isn’t working properly, the company must report the problem to the FCC within five business days.

Verizon typically uses an opt-out process. It sends new customers a notice in a welcome letter telling them they can opt out if they don’t want Verizon to use their information to send them marketing material about other Verizon services they might be interested in.

The FCC’s Enforcement Bureau said it discovered that, beginning in 2006 and continuing for several years, Verizon had failed to notify about 2 million new customers of their privacy rights, which would have let them opt out. In addition to the $7.4 million payment, Verizon has agreed to notify customers of their opt-out rights on every bill for the next three years.

“In today’s increasingly connected world, it is critical that every phone company honor its duty to inform customers of their privacy choices and then to respect those choices,” Travis LeBlanc, Acting Chief of the FCC’s Enforcement Bureau, said in a statement. “It is plainly unacceptable for any phone company to use its customers’ personal information for thousands of marketing campaigns without even giving them the choice to opt out.”

Verizon didn’t become aware of the issue until September 2012, the FCC said in its statement. And the company failed to notify the FCC of the problem until January 18, 2013 — 126 days after becoming aware of it — well beyond the five business days the FCC requires.

Verizon said in a statement that it takes seriously the obligation to comply with all FCC rules. It also noted that the issue didn’t involve a security breach:

“The issue here was that a notice required by FCC rules inadvertently was not provided to certain of Verizon’s wireline customers before they received marketing materials from Verizon for other Verizon services that might be of interest to them,” the company said in a statement. “It did not involve a data breach or an unauthorized disclosure of customer information to third parties.”


Hackers Transform a Smartphone Gyroscope into an Always-On Microphone

From Engadget.com’s Steve Dent

Apps that use your smartphone’s microphone need to ask permission, but the motion sensors? No say-so needed. That might not sound like a big deal, but security researchers from Stanford University and defense firm Rafael have discovered a way to turn Android phone gyroscopes into crude microphones. They call their app “Gyrophone” and here’s how it works: the tiny gyros in your phone that measure orientation do so using vibrating pressure plates. As it turns out, they can also pick up air vibrations from sounds, and many Android devices can do it in the 80 to 250 hertz range — exactly the frequency of a human voice.

By contrast, the iPhone’s sensor only uses frequencies below 100Hz, and is therefore useless for tapping conversations. Though the researchers’ system can only pick up the odd word or the speaker’s gender, they said that voice recognition experts could no doubt make it work better. They’ll be delivering a paper next week at the Usenix Security conference, but luckily, Google is already up on the research. “This early, academic work should allow us to provide defenses before there is any likelihood of real exploitation.”

For more information check out Stanford University’s Security Research page HERE


iOS Scores As Most Secure Mobile OS in Spyware Report

From Cnet.com’s Lance Whitney (@lancewhit)

Apple’s iOS has emerged as the most spyware-proof mobile operating system in a test conducted by a surveillance software and hardware vendor.

Detailed in a leaked document apparently from the Gamma Group, a piece of its spyware called FinSpy was used to determine whether various mobile platforms could withstand snooping attempts on phone calls, contacts, and other data. In the document seen by the Washington Post and noted by Cult of Mac, FinSpy is “designed to help Law Enforcement and Intelligence Agencies to remotely monitor mobile phones and tablet devices.”

FinSpy can gain full access to phone calls, text messages, the address book, and even the microphone via silent phone calls. It can also trace a device to determine its location. Used by law enforcement and government agencies, FinSpy has earned a reputation as a powerful but controversial tool for sneaking into mobile devices. That’s why iOS’s ranking in the Gamma Group’s document from April is a nod to Apple security.

Among the major mobile platforms cited in a chart in the document, all of them were susceptible to FinSpy. The spyware was able to bully its way into Android (all versions from 2.x.x to 4.4.x), BlackBerry (versions 5.x, 6.x, and 7.x), Symbian, and Windows Mobile 6.1 and 6.5 (Windows Phone 8 is not yet supported by the software).

And what of iOS? Apple’s mobile OS did make the list but only in jailbroken mode. According to the Gamma team, iOS versions 4.3.x, 5.x, 6.x, and 7.0.x are vulnerable to FinSpy but an untethered jailbreak is required. As the document explains: “The iOS target (meaning the FinSpy software itself) can be installed only under iOS jailbroken devices.”


Yahoo and Google Working Together on Unified Encrypted Email For 2015

In light of the recent mega hack pulled off by Russian cyber groups, it only seems intelligent for encryption to become more prevalent, and look who’s leading the way for email security: Google, no big shock there, and Yahoo! (insert collective gasp), and they’re working together. If you’re feeling dizzy from the news at this point, be sure to place your head between your knees and take deep breaths, because it’s really happening.

From Gizmodo.com’s Jamie Condliffe:

“Google has been working towards offering end-to-end encryption for Gmail. But now, it’s teaming up with Yahoo to make both webmail services encrypted in such a way that they both work together.

Yahoo has been a little slower to the encryption party than Google. But yesterday Alex Stamos, Yahoo’s chief information officer, announced at the Black Hat security conference in Las Vegas that Yahoo Mail will be encrypted end-to-end by some time in 2015. Not just that, it’ll be done in such a way as to make it compatible with Gmail’s, too.

Yahoo’s encryption, then, will mean that all email sent between the two services will be fully encrypted, end-to-end. Given that more than 425 million people use Gmail, and Yahoo Mail usage is estimated at 273 million, that’s a lot of extra security.

When two such large organizations join forces on something like this, you know it’s important, and Yahoo has “the hope is that this is open and will be adopted by many others in the email ecosystem.” Which sounds like a great idea; let’s hope end-to-end soon becomes the norm. [WSJ, CNET]”

Russian Hackers Amass Over a Billion Internet Passwords

Excerpt from the NYTIMES.COM’s article by Nicole Perlroth and David Gelles August 5, 2014
Click HERE to read the full Article.

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”


CTP Locker

CTP-LOCKER: The Hits Keep Coming

Yet another ransomware virus is out, called CTP-Locker. It is sold on the Deep Web as a turnkey business for a paltry $3000 USD. CTP works like other ransomware: it encrypts all of your data on both internal and external hard drives, including mapped network drives. Unlike the crypto family of viruses/malware that “deletes” the key after its 72-hour timer expires, CTP instead doubles the ransom, so as to punish its victims for not paying immediately. As of this article, the recommended cost to decrypt data is 0.5 bitcoin, or $320 USD.

Currently CTP is only impacting the world of Windows, but Android may be next on the target list, as we have seen previous ransomware make its way to handheld devices. It would seem that this is only the beginning of the Android user community’s headaches.

Unfortunately, CTP-Locker is very new and there aren’t a lot of reports on how it spreads. From what analysts can tell, there isn’t just one way it attacks your PC, so user beware. As we have said in previous posts: always have a backup of your data, and NEVER PAY THE RANSOM!

More in-depth information about CTP is available HERE


Chinese Hackers Targeting Top-Secret Federal Employee Records

Original Gizmodo article by Jamie Condliffe HERE

Earlier this year, Chinese hackers broke into U.S. government computer networks in order to gain access to the personal information of thousands of employees with top-secret security clearances.

The New York Times reports that the hackers gained access to databases of the Office of Personnel Management in March. Federal authorities identified the intrusion and blocked their access—but it remains unclear how deeply the hackers penetrated and how much information they were privy to. Sources have told the Times that the attack was traced to China, but it’s unclear whether the perpetrators were connected with the government or not. Either way, it’s the latest in a long line of hacks against the U.S. masterminded from China.

The records held in the database contain detailed information about federal employees who apply for security clearance—from foreign contacts and previous jobs, to personal information like drug use and relationship history. Not the kind of data you want in the wrong hands.
NY Times Original Story HERE


Android’s phone wiping fails to delete personal data


A new study from security software vendor Avast calls into question the effectiveness of Android’s factory reset option, which many people have relied upon to delete personal data from their old smartphones before reselling the device or donating it to charity.

Avast, known for its security software on Windows, Mac, and Android, purchased 20 Android smartphones from eBay, which has around 80,000 used smartphones for sale at any given time. Among the data that Avast employees recovered from the phones were more than 40,000 photos, including 250 nude male selfies, along with 750 emails and text messages, 250 contacts, the identities of four phones’ previous owners, and one completed loan application. The problem, as Avast mobile division president Jude McColgan told CNET, is that people still aren’t used to considering the implications of all the personal data stored on a smartphone. “Users thought they were doing a clean wipe and factory reinstall,” he said, but the factory reinstall is cleaning phones “only at the application layer.”

To read the full CNET article by Seth Rosenblatt Click HERE
