The new #security guard smiles back at me as I sneak through a backdoor while not showing any ID badge. He knows how useless he is, but hey - security theater pays the rent.
The new #security guard smiles back at me as I sneak through a backdoor while not showing any ID badge. He knows how useless he is, but hey - security theater pays the rent.
Egyptian #police: In Service of the Regime
▻http://english.al-akhbar.com/node/23422
Four years ago, the Egyptian police were at the height of their power, manifested in teargas bombs, weapons, and an iron grip. Then they were overpowered by the people in less than 72 hours. Despite promises to restructure the police apparatus, the violent security policies against demonstrations have not changed.
#Articles #Egypt #January_25_revolution #Mohammed_Ibrahim #repression #security_forces #Shaima_Sabbagh #Mideast_&_North_Africa
Some observations on #race and #security in #South_Africa
▻http://africasacountry.com/some-observations-on-race-and-security-in-south-africa
When it rains the whole area goes tick-tick as drops fall on the electric fences. Visitors are greeted with a sign saying ”Warning criminals you are entering a Blue Zone.....
“The fact that NSA/CSS makes cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable” - can’t be any clearer
▻http://m.spiegel.de/media/media-35546.pdf
#NSA #cryptography #security
“A pair of jeans containing material that blocks wireless signals is being developed in conjunction with anti-virus firm Norton.”
C’est que les poches !
Et c’est pas donné…
The trousers are intended to stop thieves hacking into radio frequency identification (RFID) tagged passports or contactless payment cards.
According to security experts this type of theft is a growing problem.
The jeans are designed by online clothing company Betabrand and use a silver-based material to block signals.
They are due to go on sale in February.
Security software maker Norton teamed up with San Francisco-based Betabrand in October to make the jeans and a blazer. The jeans will retail at $151 (£96) and the blazer at $198.
The rules of engagement: How militarized police units enforce the law around the world
The series below takes a closer look at law enforcement around the world and their respective tactics.
#photo
“Signal Authentication in Trusted Satellite Navigation Receivers” by Markus G. Kuhn
Very good technical paper about how a #GPS receiver can authenticate the signals it receives, finding out if they come from the proper satellites or from a nearby spoofer.
#HomePlugAV powerline communication LAN devices - practical attacks & backdooring:
▻http://www.nosuchcon.org/talks/2014/D1_03_Sebastien_Dudek_HomePlugAV_PLC.pdf #PLC #security
Smoking is dangerous: Now e-cigarettes can give you malware
Many e-cigarettes can be charged over USB, either with a special cable, or by plugging the cigarette itself directly into a USB port. That might be a USB port plugged into a wall socket or the port on a computer – but, if so, that means that a cheap e-cigarette from an untrustworthy supplier gains physical access to a device.
[...]
“The made in China e-cigarette had malware hardcoded into the charger, and when plugged into a computer’s USB port the malware phoned home and infected the system.”
▻http://hackread.com/beware-of-malware-planted-in-chinese-e-cigarettes
To avoid such risks, it is advised to disable data pins on the USB and keep only cable charge to prevent any information exchange between the devices it connects.
Alternatively, use a USB Condom, a gadget that connects to USB and makes data pins ineffective.
Internal Internet traffic routed outside Russia by a Chinese operator
The Russian Internet traffic in several circumstances has been re-routed outside the country, the incidents seem to be caused by routing errors made by China Telecom.
The news has been published by the Internet monitoring service Dyn in a blog post, which also reports that domestic traffic was re-routed apparently due to a networking fault caused by a weakness in the Border gateway protocol (#BGP).
However, as can often happen with these [peering] relationships, one party can leak the routes received from the other and effectively insert itself into the path of the other party’s Internet communications. This happened over a dozen times in the past year between these two providers. This is a general phenomenon that occurs with some regularity but isn’t often discussed in BGP security literature. In this blog post, we’ll explore the issue via the lens of this single example. In a follow-on blog, we’ll explore several additional examples.
The original article below gives a fairly comprehensive explanation of peering and what can go wrong. It also explains the #Vimpelcom and #China_Telecom peering agreement and shows how it went wrong on several occasions. (eg China Telecom announcing full tables)
▻http://research.dyn.com/2014/11/chinese-routing-errors-redirect-russian-traffic
The above article also references the following very good and self-explanatory read that explains BGP prefix hijacking, and available security measures:
Why Is It Taking So Long to Secure Internet Routing?
People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?
▻http://queue.acm.org/detail.cfm?id=2668966
Thus, while we continue to make progress toward protocol-based defenses for routing security, the next frontier in routing security could very well be hardening the software and hardware used in Internet routers.
email encryption downgrade attack :
ISPs that remove #STARTTLS flag and as a result break email encryption
▻https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server
[...]
There are several weak points in the STARTTLS protocol, however. The first weakness is that the flag indicating that a server supports STARTTLS is not itself encrypted, and is therefore subject to tampering, which can prevent that server from establishing an encrypted connection. That type of tampering is exactly what we see today. EFF is working on a set of improvements to STARTTLS, called STARTTLS Everywhere, that will make server-to-server encryption more robust by requiring encryption for servers that are already known to support it.
RFC 3270 : SMTP Service Extension for Secure SMTP over Transport Layer Security
▻http://www.bortzmeyer.org/3207.html
A citizen’s guide to U.S. security and defense assistance
▻http://securityassistance.org
#Security_Assistance_Monitor documents all publicly accessible information on U.S. security and defense assistance programs throughout the world, including arms sales, military and police aid, training programs, exercises, exchanges, and deployments.
Présenté par Jim Lobe ▻http://www.ips.org/blog/ips/new-resource-for-tracking-us-military-and-police-aid
How to safely store a #password
►http://codahale.com/how-to-safely-store-a-password #security
Why encryption (unbreakable by the police) on the smartphone is necessary:
▻http://www.sfgate.com/crime/article/CHP-officer-charged-in-theft-of-women-s-cell-5861964.php
Are you aware of what your mobile network operator can do to your terminal over the air ? And how frighteningly vulnerable it is ?
▻https://ruxconbreakpoint.com/assets/2014/slides/bpx-solnik-BreakPoint2014-Final.pdf #mobile #network #security
Contemporary malware not only checks whether it runs inside a debugger but also if the session’s username is a known security researcher:
▻http://thestack.com/mimicry-in-malware-giovanni-vigna-081014
#security #malware
Protect your email the German way:
After seeing off the police, Berlin #email provider @Posteo wants to expand user #security and #anonymity
▻http://www.theguardian.com/technology/2014/aug/24/posteo-protect-email-the-german-way-patrik-lohr
Sprint, Windstream traffic routing errors hijacked other ISPs
It is not always longer far away countries such as India or Pakistan which make these mistakes but also Mr. USA himself can made erroneous announcements (#BGP #route_hijacking).
In simple words, it is like putting road signs on the Internet where Sprint and Windstream say to the world:
“Hey guys, send all traffic for the following networks to us: Telesmart, Macedonia, Saoudinet, Saoudi Arabia, a network from Gaza, one from Iceland, and three from China”
(all their traffic are belong to us ...)
The effect is that the traffic does not reach its destination, or that it transits via another network as was the case for Telesmart.
Quotes from ▻http://www.renesys.com/2014/09/latest-isps-to-hijack :
From 13:56 UTC on Tuesday (9-September) to 15:56 UTC on Wednesday (10-September), US wireless carrier #Sprint (AS1239) started hijacking a prefix (95.128.184.0/22) from Telesmart, an ISP in Macedonia. What was interesting was that once traffic arrived at Sprint, it continued onto Cogent and finally onto its intended destination at Telesmart in Skopje. Was this an accidental #man-in-the-middle (#MITM) or something else?
[...]
The same day #Windstream (AS7029) began announcing 212.118.142.0/24 (SaudiNet), which is normally announced by Saudi Arabian incumbent, Saudi Telecom. Unlike the previous Sprint example, traceroutes to this prefix along the Windstream route died within Windstream, effectively knocking this network off the Internet for anyone accepting the bogus route. Then on Wednesday, Windstream announced a handful of strange routes for about 10 hours including one from Gaza, one from Iceland, and three from China — all more-specifics of existing routes, ensuring their global propagation and acceptance.
[...]
There is a potentially innocent explanation to this example. Perhaps, these address ranges were ones that Windstream deemed to be sources of bad traffic and so was “blackholing” them internally, a relatively common practice. In this scenario, we could have simply witnessed Windstream inadvertently leaking internal routes to the global Internet for 10 hours.
PS: Also interesting reference in a larger context, at this year’s #Defcon 22 conference, Luca Bruno and Mariano Graziano from eurecom.fr ("a leading teaching and research institution in the fields of information and communication technologies") gave a talk about the vulnerabilities of some ISPs’ public #looking_glass utilities that would allow an attacker to remotely modify #router configurations.
white paper:
▻https://www.defcon.org/images/defcon-22/dc-22-presentations/Bruno-Graziano/DEFCON-22-Luca-Bruno-Mariano-Graziano-looking-glass-WP-UPDATED.pdf
presentation:
▻https://www.defcon.org/images/defcon-22/dc-22-presentations/Bruno-Graziano/DEFCON-22-Luca-Bruno-Mariano-Graziano-looking-glass-Updated.pdf
Previous recent hijacks this year:
bitcoin theft ▻http://seenthis.net/messages/283266 @Stephane
indosat ▻http://seenthis.net/messages/2435467 @erratic
“And then, one day, everything clicked. I became enlightened when I mistakenly typed in a password that I had unsuccessfully requested at one time in the past: instead of a invalid credentials message, I found ... "
The #Dyson 360 Eye™ autonomous vacuum cleaner roams your home with Wi-Fi access and a 360° video camera… But don’t worry, I’m sure you have nothing to hide !
▻http://www.dyson360eye.com #privacy #security
Security for journalists, part two: threat modeling
▻https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling
#journalisme #sécurité #security
Security that acknowledges goals and limitations is the only workable one.
What do you want to keep private ?
Who wants to know ?
What can they do to find out ?
What happens if they succeed ?