Sending passwords using your body

One of the key applications for this system is for authenticating to medical devices worn on patients’ bodies. Devices such as wearable glucose monitors typically use wireless protocols such as Bluetooth to communicate, and those signals can be intercepted by attackers without much effort. The on-body transmission system can send credentials or encryption keys through the user’s body rather than over the air, making them less accessible to attackers.

Source: Your Body is a Wonderland–For Sending Passwords | On the Wire

Police complaints drop 93 percent after deploying body cameras

A study from Cambridge University documents an immense drop in complaints against police officers when their departments began using body cameras. But even more surprising is that the data suggests everyone is on their best behavior whether the cameras are present or not. The data was collected in seven police departments in the UK and US, and represents over 1.4 million hours logged by 1,847 officers in 2014 and 2015.
[…]
In the year before the study, 1,539 complaints in total were filed against officers; at the end of the body camera experiment, the year had only yielded 113 complaints.
[…]
Against all expectations, there was no significant difference in complaints between officers wearing cameras that week and those going without.

Source: Police complaints drop 93 percent after deploying body cameras | TechCrunch

WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone

Android/iOS: “Free Airport Wi-Fi” is almost always slow, a security nightmare, or expensive—but it’s likely not all that’s available in the airport. Luckily, WiFox is packed with tons of network names and passwords for airports around the globe, so you can surf happily—and safely.

Source: WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone

This Credit Card Has a Screen So Its Security Code Can Change Every Hour

The new system, developed by Oberthur Technologies, is called Motion Code, and it changes the security code on the back of the credit card every hour. That way even if a thief does steal the info, it will be useless in less than an hour, preventing nearly all fraudulent transactions. Other than a small screen on the back, the card is identical to the ones you already own. It’s durable and waterproof, and the same size and thickness of a regular credit card. The small lithium battery that powers the screen will last three years, at which point the card will expire.

Source: This Credit Card Has a Screen So Its Security Code Can Change Every Hour

Researchers crack Oz Govt medical data in ‘easy’ attack with PCs

Australian researchers have laid waste to the Federal Government’s plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by ‘easily’ cracking government-held medical data.

Source: Researchers crack Oz Govt medical data in ‘easy’ attack with PCs

Again it is surprising how governments try to criminalise that which they don’t understand, even when it’s pretty clear that putting your head in the sand is not a working model.

D-Link DWR-932 router is chock-full of security holes

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws.

In short, the firmware sports:

Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
Multiple vulnerabilities in the HTTP daemon
Hardcoded remote Firmware Over The Air credentials
Lowered security in Universal Plug and Play, and more.

Source: D-Link DWR-932 router is chock-full of security holes – Help Net Security

This was reported in June but is still not fixed.

Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

Assistant Professor Matthew Green has asked US courts for protection so that he can write a textbook explaining cryptography without getting sued under the Digital Millennium Copyright Act.

Green, who teaches at Johns Hopkins University in Maryland, is penning a tome called Practical Cryptographic Engineering that examines the cryptographic mechanisms behind the devices we use every day, such as ATM machines, smart cars, and medical devices. But this could lead to a jail sentence if the manufacturers file a court case using Section 1201 of the DMCA.

Section 1201 prohibits the circumvention of copyright protection systems installed by manufacturers, and comes with penalties including heavy fines and possible jail time. As such, the Electronic Frontier Foundation (EFF) has taken up Green’s case, and that of another researcher, to try to get the provision ruled illegal by the courts.

“If we want our communications and devices to be secure, we need to protect independent security researchers like Dr Green,” said EFF staff attorney Kit Walsh.

Source: Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

It’s ridiculous that a textbook writer could be jailed for copyright infringement. Good luck taking down the DMCA!

Azure is on fire, your DNS is terrified

Microsoft Azure is wobbling all around the world at the moment, especially Azure DNS.

According to a status update on Microsoft’s site, the issues began around lunchtime, although there is no mention of when they are likely to be fixed.

Customers using Azure DNS in multiple regions are experiencing difficulties connecting to their goodies at the moment due to the mysterious issues affecting Microsoft’s cloud computing and infrastructure platform.

Azure proudly advertises itself as a global network of name servers using Anycast routing to provide “outstanding performance and availability” though such is not visible at the moment.

Engineers had only managed to identify “a possible underlying cause” as of the update and “are working to determine mitigation options.”

Azure DNS, which currently is still in preview, and is supported through community forums, allows customers to host their DNS domain in Azure, so they can manage their DNS records using the same credentials, billing and support contract as their other Azure services.

Also affected are users of SQL Database, App Service/Web Apps, API Management, Service Bus and Visual Studio Team services.

Source: Azure is on fire, your DNS is terrified

Someone Is Learning How to Take Down the Internet – Lawfare

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China and Russia would be my first guesses.
[…]

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

Source: https://www.lawfareblog.com/someone-learning-how-take-down-internet

Use of known private keys on internet-connected devices has gone up 40% since 2015

To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last nine months (3.2 million in November 2015 vs. 4.5 million now). There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched. Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment, CPE) and the trend of IoT-enabled products are surely a factor as well.

Source: SEC Consult: House of Keys: 9 Months later… 40% Worse

This means it’s quite easy to listen in and interfere with these devices as well.

Inteno routers given out by ISPs allow full administrative access

Several Inteno routers do not validate the Auto Configuration Server (ACS) certificate (CWE-295). An attacker in a privileged network position can Man-in-the-Middle the connection between the device and the Auto Configuration Server (ACS). If ACS has been preconfigured by the ISP (this is usually the case) no user actions are required for exploitation.

Impact

The attacker who can intercept the network traffic between the affected device (CPE) and the Auto Configuration Server (ACS) gains full administrative access to the device. The attacker can perform arbitrary administrative operations on the device, such as flashing the device firmware.

Inteno refuses to fix the problem.

advisory here

Microsoft and pals attempt to re-write the Wassenaar cyber arms control pact, which was written by people who have no idea about IT and would make the IT security business almost impossible

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document’s terms are a threat to the information security industry.

The pitch is the result of brainstorming by the group to redefine the core aims of the Arrangement, which aims to restrict export of both weapons and “dual-use” items that have military potential beyond their main functions. The Arrangement was negotiated and signed behind closed doors in 2013, without the infosec industry’s participation.

Source: Microsoft and pals re-write arms control pact to save infosec industry

iPhones completely compromised by NSO Group. Update now!

Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.

In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.

Apple fixed the holes 10 days after a tip from two researchers, Bill Marczak and John Scott-Railton, at Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and Lookout, a San Francisco mobile security company.

Source: IPhone Users Urged to Update Software After Security Flaws Are Found

Hackers discover flaws in hospital security and capitalise on them by shorting shares in the hospital

When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.

MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.

Source: Carson Block’s Attack on St. Jude Reveals a New Front in Hacking for Profit

This is a very clever way to make money off hard security research. If it seems a bit mercenary, the hackers say that they took this extreme step for the following reasons:

“We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing,” said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. “We partnered with Muddy Waters because they have a great history of holding large corporations accountable.”

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

Windows 10 shows why automatic updates are bad: breaking PowerShell and webcams, and rebooting randomly during activities.

Microsoft’s update for version 1607 doesn’t fix two widespread problems with Windows 10 Anniversary Update, and it causes problems with PowerShell DSC operations.

Source: Windows 10 cumulative update KB 3176934 breaks PowerShell

This update contained a fix for the borked update below:

The Windows 10 Anniversary Update has reportedly broken millions of webcams. If your webcam has been affected, there’s a workaround to get it back if you don’t mind tweaking your registry a bit.

Source: Windows 10 Anniversary Update Broke Millions of Webcams, Here’s How to Fix It

Attackers can use TLS encryption as a tunnel to hide attacks from legacy packet inspection tools.

Exactly a year ago, attackers used an advertisement on Yahoo to redirect users to a site infected by the Angler exploit kit. Just weeks before, users were exposed to more malicious software through compromised advertisements that showed up across the web. In total, at least 910 million users were potentially exposed to malware through these attacks. The common thread? The malware was hidden from firewalls by SSL/TLS encryption.
[…]
Companies can stop SSL/TLS attacks; however, most don’t have their existing security features properly enabled to do so. Legacy network security solutions typically don’t have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do often suffer from such extreme performance issues when inspecting traffic that most companies with legacy solutions abandon SSL/TLS inspection.

Source: Can Good Encryption be a Double-Edged Sword for Security in Australia?

Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.
[…]

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these “root causes” though, were not zero-days or malware at all.

The top five activities in the cyber kill chain — sometimes used alone, sometimes used in combination — were:

1. abuse of weak domain user passwords — used in 66% of Praetorian pen testers’ successful attacks
2. broadcast name resolution poisoning (like WPAD) — 64%
3. local admin password attacks (pass-the-hash attacks) — 61%
4. attacks on cleartext passwords in memory (like those using Mimikatz) — 59%
5. insufficient network segmentation — 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

Source: Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Strawberrynet Beauty site lets anyone read customers’ personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers’ names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature.
[…]
The feature means customers are able to checkout quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
[…]
The mail explains the company’s stance as follows:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your email address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Source: Beauty site lets anyone read customers’ personal information

For anyone wondering, this is incredibly stupid behaviour.

More than 25m accounts stolen after Russian mail.ru forums hacked

Two hackers were able to steal email addresses and easily crackable passwords from three separate forums in this latest hack.

Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data — a little under 13 million records; the other two forums make up over 12 million records.

The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases.

The hackers’ names aren’t known, but they used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases.

Source: Millions of accounts stolen after Russian forums hacked

MS Secure Boot has a golden key – which has been hacked.

secureboot is a part of the uefi firmware, when enabled, it only lets stuff run that’s signed by a cert in db, and whose hash is not in dbx (revoked). As you probably also know, there are devices where secure boot can NOT be disabled by the user (Windows RT, HoloLens, Windows Phone, maybe Surface Hub, and maybe some IoTCore devices if such things actually exist — not talking about the boards themselves which are not locked down at all by default, but end devices sold that may have secureboot locked on). But in some cases, the “shape” of secure boot needs to change a bit. For example in development, engineering, refurbishment, running flightsigned stuff (as of win10) etc. How to do that, with devices where secure boot is locked on?

Source: Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320)

This kind of golden key is what the FBI is pushing for. Now the cat is out of the bag, we can’t put it back in, though.

More than 30 states offer online voting, but experts warn it isn’t secure

“We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” Neil Jenkins, an official in the Office of Cybersecurity and Communications at the Department of Homeland Security, said at a conference of the Election Verification Network this spring.

Thirty-two states have some form of electronic transmission of ballots over the Internet, compared with no states with online voting in 2000. In Alaska, for example, all voters can submit an absentee elections ballot online from computers in their own homes.

Missouri offers electronic ballots for members of the military who are serving in a “hostile zone” overseas. North Dakota permits overseas citizens or military members deployed overseas to vote online. And in 20 other states and the District of Columbia, certain voters living abroad will be allowed to return their absentee ballots via email or fax in the upcoming presidential election.

Source: More than 30 states offer online voting, but experts warn it isn’t secure – The Washington Post

Well, it isn’t secure and it can’t be made to be. However, is showing up to vote that secure? Is handcounting that secure? In the US, Florida has consistently shown that the current process is corrupt and unreliable. How do the risks weigh up?

3D print biz Shapeways hacked, home and email addresses swiped

Shapeways. In a statement, it said that some email addresses, usernames, and shipping addresses were exposed, but that the hackers didn’t get a full run of their servers and no 3D printing plans were stolen.

“The intruders did not access credit card information because Shapeways does not store such information on their systems,” said a spokeswoman.

Source: 3D print biz Shapeways hacked, home and email addresses swiped

The passwords were hashed, so not much useful stuff got taken. They are recommending customers change their passwords anyway. Shapeways apparently takes security seriously. Not often you see that everything is being done properly.

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites

These nodes — ordinary nodes, not exit nodes — sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used “honeypot” .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions’ existence. They didn’t advertise the honions’ existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

boingboing

Maxthon web browser blabs about your PC all the way back to Beijing

Polish security consultancy Exatel warns [PDF] that Maxthon is phoning home information such as the computer’s operating system and version number, the screen resolution, the CPU type and speed, the amount of memory installed, the location of the browser’s executable, whether ad-block is running, and the start page URL.

Source: Maxthon web browser blabs about your PC all the way back to Beijing