Categories
privacy security

Ransomware Spreading Onto Smart TVs, Is A Pain To Fix

Oh yes. Smart TVs. We should really be looking at it as a computer with a large screen – which happens to be running Android OS most of the time. Needless to say malware/ransomware that “works” for existing Android devices will seamlessly work in the Smart TV.

Streaming TV has been a boon for consumers. Programming is everywhere, right at our fingertips, as soon as we get our screens online. But that connectivity comes with a big…

Source: Ransomware Spreading Onto Smart TVs, Is A Pain To Fix

Categories
privacy security

Online databases dropping like flies, with >10,000 falling to ransomware

The first story of ransomware in 2017. We’re likely to see more stories about ransomware given its lucrativeness – people/organizations are quite willing to pay a “small” fee to get their data back. This in turns encourages more cybercriminals to turn to ransomware. The rise of cryptocurrencies like Bitcoin also helps to facilitate this as it makes it hard to trace the perpetrators.

More than 10,000 website databases have been taken hostage in recent days by attackers who are demanding hefty ransoms for the data to be restored, a security researcher said Friday.

Source: Online databases dropping like flies, with >10,000 falling to ransomware

Categories
privacy security

PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

The fragile PHP ecosystem continues to break down with holes like this. To be fair, this is a PHPMailer vulnerability. However this is likely to affect a large chunk of PHP sites as “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide”.

An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

Source: PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

Categories
privacy security

How is NSA breaking so much crypto?

It has long been speculated that NSA is able to eavesdrop on even encrypted traffic. Researchers think they have figured out how.

The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.
How is NSA breaking so much crypto?

In order words, really expensive and dedicated hardware. Something only state actors can afford.

Categories
privacy security

Yahoo Says 1 Billion User Accounts Were Hacked

Haven’t I heard this before, you may ask. No, this is a different hack from the earlier one. It’s deja vu all over again.

Back in the days Yahoo was like Google or Facebook now. It’s hard to imagine how a company in such a superior position can end up in this state. Yahoo’s story serves as a cautionary tale for the current Internet darlings.

The company says the attack was separate from the breach that led to an earlier disclosure that 500 million accounts were hacked.

Source: Yahoo Says 1 Billion User Accounts Were Hacked

Categories
privacy security

How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair

A long form article on the earlier story about NSO Group’s iPhone Zero-Days. Pretty long but easy to follow.

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages—and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

Source: How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair

Categories
security

Bruce Schneier: ‘The internet era of fun and games is over’

Cybersecurity expert Bruce Schneier’s take and warning of the current state of the Internet, particularly IoT. While he is coming from a neutral position, some fear that people with agenda will use this to create regulations that restrict freedom and make the current situation worse.

As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It’s a computer that makes phone calls. A refrigerator is a computer that keeps things cold. ATM machine is a computer with money inside. Your car is not a mechanical device with a computer. It’s a computer with four wheels and an engine… And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about.

Source: Bruce Schneier: ‘The internet era of fun and games is over’

Categories
security

New security camera compromised by worm within minutes of installation (twitter.com)

The IoT botnet is gaining both speed as well as volume. A security researcher had a CCTV hacked within minutes of setup. The worm was also smart enough to close the loophole to prevent other worms from infecting it.

Categories
security

Surveillance Self-Defense

Survival skills in the modern digital world. Someone should turn this into a mandatory course in school.

Tips, Tools and How-tos for Safer Online Communications

Source: Surveillance Self-Defense

Categories
security

IoT Goes Nuclear: Creating a ZigBee Chain Reaction

IoT is increasingly becoming a dirty word for botnet.

Researchers have found ways to hijack a specific type of IoT device – the popular Philips Hue lamp – via ZigBee to do what they want, and make the attack spread wirelessly.

The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

– IoT Goes Nuclear: Creating a ZigBee Chain Reaction