Following up on last week's post about the SSL security flaw in OS X 10.9.1 Mavericks, an OS-level point update was issued that apparently addresses and fixes the issue. If you are currently using 10.9.1, this is certainly not the time to click "remind me later" when the update dialog pops up on your screen. Hopefully the update also contains fixes for some of the other minor gripes I have with Mavericks.
Mac 10.9 SSL Vulnerability
Article
CIS284 - PCC
Sunday, March 2, 2014
Sunday, February 23, 2014
Mac 10.9 SSL Vulnerability
After upgrading to Mavericks a while back, I've suffered much grief. It's full of frustrating little bugs that add up to a really insufferable user experience. Today I was searching for fixes for some of the more persistent issues, and I came across something a lot scarier than scrolling and graphics issues. Apparently there is a security vulnerability with SSL in Mavericks that could allow hackers to intercept private data (that ought to be encrypted via SSL). Scary business. Anyway, an OS update is speculated to be just around the corner that will address this issue (and hopefully some of the other annoyances).
Reuters article
********************************
3/2/14 Update
Sunday, February 16, 2014
Target Credit Card Hack Follow-Up
Here's an interesting follow up to something that was in the news a few weeks ago. I originally posted about it here. Apparently, the criminals were able to gain access through exploits in connections with vendors. There's some really interesting stuff in this article, and it seems clear that these are issues that should be given more concern.
Article Source
Sunday, February 9, 2014
BGP: More Panic-Inducing Data Theft
Regarding Wired's article, "Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet."
What's so crazy about stories like this is that they are so common. The fact that researchers were warning about this very type of vulnerability as far back as six years ago (and yet, here we are) is crazy. The article brings up two points that are individually threatening, but combined are pretty terrifying.
1: "The stakes are potentially enormous, since once data is hijacked, the perpetrator can copy and then comb through any unencrypted data freely — reading email and spreadsheets, extracting credit card numbers, and capturing vast amounts of sensitive information."
2: This was largely government and corporate data being hijacked. This means that potential crimes could range from large-scale credit card theft to potential national security risks. That is to say, it all depends on who was doing the re-routing and what their intentions are. Scary stuff.
Source.
Sunday, February 2, 2014
Shields Up!
We did an activity in class that I thought would be worth sharing for anyone who happens to stumble across this blog. Gibson Research Corporation has a web tool that tests all of your TCP service ports and reports which are closed, stealth, or open. It's graphical and really easy to understand. I didn't realize it at first, but you can hover over each individual block (representing a port) and it will give some information about it, including the port number and name and what services are provided. Sounds fun, right?
Click here, then click the 'proceed' button. When the next page loads, click the grey button that reads 'All Service Ports', and let it do its thing. When it finishes, you'll have a very readable report. Make sure to scroll down and read through the rest of the information on the page as well; it's informative and fairly "noob-friendly."
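To make the closed / stealth / open distinction concrete, here is an added Python example. It is my own illustration, not GRC's code and not part of the original post. It classifies ports the way the ShieldsUP! grid does, from how the target answers a plain TCP connect() probe: a completed handshake means open, an RST (connection refused) means closed, and no answer before the timeout means stealth. The demonstration runs only against 127.0.0.1: it opens one listener so one port reports open, and reserves then releases a second port that nothing ever listens on so that one reports closed. The stealth state cannot be produced on loopback, so it is classified but not demonstrated here.

```python
import socket

# The states the ShieldsUP! report uses, derived from how the remote TCP
# stack answers a connection attempt.
OPEN = "open"                 # handshake completed: something is listening
CLOSED = "closed"             # host answered with RST: reachable, nothing listening
STEALTH = "stealth"           # no answer before the timeout: most likely dropped by a firewall
UNREACHABLE = "unreachable"   # local network error (no route etc.); not a port state


def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port with a full connect() probe."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except socket.timeout:           # SYN went out, nothing came back
        return STEALTH
    except ConnectionRefusedError:   # RST came back
        return CLOSED
    except OSError:                  # e.g. network unreachable
        return UNREACHABLE
    finally:
        sock.close()


def scan_ports(host, ports, timeout=1.0):
    """Probe every port in `ports` and group the results by state, like the report grid."""
    report = {OPEN: [], CLOSED: [], STEALTH: [], UNREACHABLE: []}
    for port in ports:
        report[probe_tcp_port(host, port, timeout)].append(port)
    return report


def demo_loopback():
    """Stand-alone demonstration against 127.0.0.1 only.

    Returns (report, (open_port, closed_port)) where report is the dict
    produced by scan_ports() for those two ports.
    """
    # A real listener: connect() completes the handshake even before accept().
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Reserve a second ephemeral port and release it without ever listening,
    # so a connect() there is answered with RST and classified as closed.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        report = scan_ports("127.0.0.1", [open_port, closed_port])
        return report, (open_port, closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    result, (o, c) = demo_loopback()
    for state, ports in result.items():
        print(f"{state:12s} {ports}")
```

Two caveats a practitioner would add: only probe hosts you are authorized to test, and note that the reason ShieldsUP! is useful is that it probes your public address from the outside. A stealth result there means your router or firewall is dropping unsolicited inbound SYNs, which you cannot observe by scanning yourself from the inside.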
Sunday, January 26, 2014
An Open Letter from US Researchers in Cryptography and Information Security
I saw this posted on Wired a couple of days ago and thought it was worth sharing. I'll post the full text after the jump, and the link to the source.
I really appreciate the tone that this letter takes. Rather than shouting about civil rights and privacy, this letter makes it its prerogative to communicate the grave security concerns about the U.S. government's mass surveillance. It does mention privacy - which is important, no doubt - but the focus is on the dangers of software engineers building backdoors and other exploitable aspects into their products. Not everyone is going to care about (or understand) the scale of privacy invasion. I've talked to some people that maintain the good old "You've nothing to hide if you're innocent" philosophy, but maybe shifting the focus to the dangers of exploitable (ubiquitous) software will change some minds.
An Open Letter from US Researchers in Cryptography and Information Security
January 24, 2014
Media reports since last June have revealed that the US government conducts domestic and international surveillance on a massive scale, that it engages in deliberate and covert weakening of Internet security standards, and that it pressures US technology companies to deploy backdoors and other data-collection features. As leading members of the US cryptography and information-security research communities, we deplore these practices and urge that they be changed.
Indiscriminate collection, storage, and processing of unprecedented amounts of personal information chill free speech and invite many types of abuse, ranging from mission creep to identity theft. These are not hypothetical problems; they have occurred many times in the past. Inserting backdoors, sabotaging standards, and tapping commercial data-center links provide bad actors, foreign and domestic, opportunities to exploit the resulting vulnerabilities.
The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy, and the US technology sector is readily apparent. Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillance activities to public scrutiny and to resist the deployment of mass-surveillance programs in advance of sound technical and social controls. In finding a way forward, the five principles promulgated at http://reformgovernmentsurveillance.com/ provide a good starting point.
The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life. We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.
Martín Abadi
Professor Emeritus, University of California, Santa Cruz
Hal Abelson
Professor, Massachusetts Institute of Technology
Alessandro Acquisti
Associate Professor, Carnegie Mellon University
Boaz Barak
Editorial-board member, Journal of the ACM [1]
Mihir Bellare
Professor, University of California, San Diego
Steven Bellovin
Professor, Columbia University
L. Jean Camp
Professor, Indiana University
Ran Canetti
Professor, Boston University and Tel Aviv University
Lorrie Faith Cranor
Associate Professor, Carnegie Mellon University
Cynthia Dwork
Member, US National Academy of Engineering
Joan Feigenbaum
Professor, Yale University
Edward Felten
Professor, Princeton University
Niels Ferguson
Author, Cryptography Engineering: Design Principles and Practical Applications
Michael Fischer
Professor, Yale University
Bryan Ford
Assistant Professor, Yale University
Matthew Franklin
Professor, University of California, Davis
Juan Garay
Program Committee Co-Chair, CRYPTO [2] 2014
Shai Halevi
Director, International Association for Cryptologic Research
Somesh Jha
Professor, University of Wisconsin – Madison
Ari Juels
Program Committee Co-Chair, 2013 ACM Cloud-Computing Security Workshop [1]
M. Frans Kaashoek
Professor, Massachusetts Institute of Technology
Hugo Krawczyk
Fellow, International Association for Cryptologic Research
Susan Landau
Author, Surveillance or Security? The Risks Posed by New Wiretapping Technologies
Wenke Lee
Professor, Georgia Institute of Technology
Anna Lysyanskaya
Professor, Brown University
Tal Malkin
Associate Professor, Columbia University
David Mazières
Associate Professor, Stanford University
Kevin McCurley
Fellow, International Association for Cryptologic Research
Patrick McDaniel
Professor, The Pennsylvania State University
Daniele Micciancio
Professor, University of California, San Diego
Andrew Myers
Professor, Cornell University
Vern Paxson
Professor, University of California, Berkeley
Jon Peha
Professor, Carnegie Mellon University
Thomas Ristenpart
Assistant Professor, University of Wisconsin – Madison
Ronald Rivest
Professor, Massachusetts Institute of Technology
Phillip Rogaway
Professor, University of California, Davis
Greg Rose
Officer, International Association for Cryptologic Research
Amit Sahai
Professor, University of California, Los Angeles
Bruce Schneier
Fellow, Berkman Center for Internet and Society, Harvard Law School
Hovav Shacham
Associate Professor, University of California, San Diego
Abhi Shelat
Associate Professor, University of Virginia
Thomas Shrimpton
Associate Professor, Portland State University
Avi Silberschatz
Professor, Yale University
Adam Smith
Associate Professor, The Pennsylvania State University
Dawn Song
Associate Professor, University of California, Berkeley
Gene Tsudik
Professor, University of California, Irvine
Salil Vadhan
Professor, Harvard University
Rebecca Wright
Professor, Rutgers University
Moti Yung
Fellow, Association for Computing Machinery [1]
Nickolai Zeldovich
Associate Professor, Massachusetts Institute of Technology
This letter can be found at: http://MassSurveillance.info
Institutional affiliations for identification purposes only. This letter represents the views of the signatories, not necessarily those of their employers or other organizations with which they are affiliated.
[1] The Association for Computing Machinery (ACM) is the premier organization of computing professionals.
[2] CRYPTO is an annual research conference sponsored by the International Association for Cryptologic Research.
source.
Sunday, January 19, 2014
"The single most important credit card hack."
I caught part of an episode of Marketplace Money on NPR in the car today. They were talking about the recent credit card information leak that happened at Target, calling it the single most important credit card hack. I had heard that Target customers recently had personal information stolen, but there were a few things mentioned in the radio show that were new to me and really put it into perspective.
First of all, a reported 1 in 5 U.S. citizens have had their information compromised due to the hack. That's staggering, and definitely puts into perspective (among other things) how massive this issue really is. It makes their "...most important..." claim seem a lot less like hyperbole.
Another thing: I guess it wasn't just Target, but Target's parent company who was hacked. This means that not only Target shoppers, but customers elsewhere were affected as well. At first Target was pretty tight-lipped, avoiding making a statement, but has recently come around and has been offering free credit monitoring as well as personally emailing each affected customer. This is all great, but Marketplace Money brought up a good point: customers are now expecting email from Target, and may be more susceptible to phishing attacks. Truly insult to injury.
I reckon some people would see an email from Target and their spider senses would start tingling, due to the recent hack. Unfortunately, I imagine they wouldn't be the majority. Another example of information security (or lack thereof) affecting a large number of people. So what's the lesson here? It's not as if those shoppers could have (or even reasonably SHOULD have) mistrusted Target, and I don't think we should fear some type of Orwellian state, but I do think we ought to be more aware as a society of the information we offer freely whether on the web / site registrations, via email, or even the stores we shop in.