Leaderboard
Popular Content
Showing content with the highest reputation on 10/23/17 in all areas
-
Dear Dr.d3v1l, the vulnerabilities you reported have been fixed. As a token of our appreciation we would like to offer you a t-shirt. If you would like a t-shirt, please provide us with your preferred t-shirt size (S/M/L/XL/XXL) and the address at which you would like to receive the t-shirt. Thanks in advance for your reply and thanks again for your report. Sincerely,
4 points
-
Attack of the Hack Back
The worst idea in cybersecurity is back again.
By Josephine Wolff

If there were a prize for the worst cybersecurity policy idea that just won’t die, it would have to go to “hacking back,” or making it legal for people to attack the computers that are attacking them. This idea has been around for years, which means that for years, people have been warning that this is a very bad idea—it’s not the first time I’ve written about this topic myself. But it’s a strangely persistent piece of policy, regardless of the fact that it’s been condemned by just about everyone, including law enforcement, and openly endorsed by almost no one.

Just last week Reps. Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona, introduced a revised version of the Active Cyber Defense Certainty Act (an update of a bill discussion draft that Graves proposed back in March). It’s nice to see some bipartisan teamwork on an issue in these highly partisan times, but a pity to see it wasted on such a foolhardy endeavor.

The ACDC Act (please, go ahead and eye-roll that initialism) attempts to carve out some exceptions to the Computer Fraud and Abuse Act, the U.S. anti-hacking statute, which essentially makes it illegal to access computers that don’t belong to you without permission (or “authorization”). The bill would roll back that restriction to allow companies to access computers that don’t belong to them in the name of self-defense or, as the bill calls it, “active defense.” (Active defense, for those not familiar with cybersecurity euphemisms, is the polite term for offense. It’s meant to convey that you’re just protecting yourself, not attacking anyone, even though, of course, you are attacking someone—that’s what makes it so “active.”)

Most people have interpreted the CFAA to mean that companies (and individuals) are allowed to protect their computers and data only by taking measures confined within the boundaries of their own network. So it’s fine to monitor unusual traffic patterns, or encrypt data, or implement strong authentication systems—those are all things that only require accessing your own servers and data. But going outside the boundaries of the computers and data that you own to target people who have stolen your data, or are trying to steal your data, could be considered illegal hacking under the CFAA. Enter the ACDC Act.

The ACDC Act clarifies “the type of tools and techniques that defenders can use that exceed the boundaries of their own computer network.” In particular, it specifies that people facing criminal charges under the CFAA for illegal hacking can defend themselves by claiming that their activities were just “active cyber defense measures.” According to the bill’s text, the accused would have to show that they were the victims of a “persistent unauthorized intrusion” directed at their computers. In short, if someone has compromised your computers and stolen some of your data or is bombarding your servers with a denial-of-service attack, the ACDC would make it legal for you to access their servers and delete the files that they stole from you, or bombard their servers to interrupt the ongoing attack.

There are also some limitations placed on what can be considered an “active cyber defense measure.” To be active defense, the measure has to either help establish attribution of the attack, disrupt an ongoing attack, or “monitor the behavior” of the attacker in order to help develop better defensive methods. Things that do not qualify as active defense include: creating a threat to public health or safety, recklessly causing physical injury or financial harm, deliberately accessing an intermediary’s computer, or destroying information that does not belong to the victim stored on the attackers’ computers. (This can get a little confusing to write about because the terms “victim” and “attacker” lose all meaning when we’re talking about hacking back. If A hacks B and then B hacks A back, then, according to the language of the ACDC Act, B is the victim and A is the attacker. But once the hacking back—I mean, the active defense—starts, then the reverse is also, of course, true.)

This might all seem reasonable at first glance, but it’s a highway to hell. I am thunderstruck by how terrible it is. At its heart it would just serve as an excuse to let anyone access anyone else’s computer systems with impunity. Want to go after a competitor? Stage an attack directed at yourself coming from their servers, and then hack back! Or plant some of your sensitive files on their computers and then go in and delete them and monitor their behavior while you’re at it (all in the name of building better defenses). Of course, once that company realizes what’s going on, it may decide to take matters into its own hands and indulge in a little active defense directed at you. What could go wrong?

But don’t worry, Congress has anticipated all these problems (maybe because people have been pointing them out, repeatedly, for the better part of a decade). The bill’s authors include this incredibly vague safeguard in its text: “Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.” It’s unclear what constitutes a qualified defender in Congress’ view, much less a “high degree of confidence in attribution.” Attribution is really, really hard. Not to mention that part of the bill’s explicit purpose is legalizing hacking intended to help gather information about attribution. Why would anyone hack back to gather information about attack attribution if hacking back is only legal when victims are absolutely, 100 percent positive they know who the perpetrator is in the first place?

I could go on and talk about how legalizing this type of activity under U.S. law doesn’t mean that people who practice active defense won’t be breaking laws in other countries. (Don’t worry, Congress has thought of that too; the bill warns that defenders should “exercise extreme caution to avoid violating the law of any other nation.” That’ll fix it!) Or how this would make the work of law enforcement harder, not easier—a point the FBI has already made. But what’s really incredible about the ACDC Act is not how terrible its proposals are, but that Congress is still taking them seriously after years of people pointing out how terrible they are and in the absence of any clear demand. The ACDC Act authors have clearly heard all these concerns, but their only response seems to have been inserting tepid language into the draft advising active defenders to exercise “extreme caution.”

The rationale behind hacking back is supposed to be that the U.S. is full of highly sophisticated technical companies with the ability to do much more advanced and effective cybermaneuvers than the slow, bureaucratic law enforcement agencies. But if those sophisticated tech companies are eager to be doing active defense, they certainly haven’t been vocal about that desire or publicly endorsing proposals like the ACDC. When I last wrote about hacking back legislation, I spoke with Greg Nojeim, the director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology, and asked him who he thought was lobbying for this kind of regulation. Nojeim, who has been working on cybersecurity policy in Washington for years, told me: “I haven’t heard from particular companies that they want to have that activity authorized. I just have not heard the proponents of that position other than some academics, one or two think tanks, and Stewart Baker.” Baker is a lawyer and former homeland security assistant secretary under George W. Bush who is probably the most vocal supporter of hacking back.

No one wants this law. Or, at the very least, almost no one, except Stewart Baker, is willing to admit they want this law, which is pretty damning in itself. And yet, even though the companies that would presumably be hacking back, were it legal, have not publicly expressed any need for such a statute, it turns out to be the rare issue that Congress members from both parties can rally around right now.

In fairness to Graves and Sinema, there are some reasonable things in the ACDC Act text: It still allows for civil suits against active defenders, and it permits “beaconing” tools that help defenders locate their stolen data, after it has been stolen. Though it’s not at all clear that attaching “beacon” code to your sensitive data while it’s stored on your system was illegal in the first place. But at its core, the ACDC Act is a bill that would open the door for much more misbehavior online and even greater obstacles to trying to charge the offenders and hold them responsible. Hells bells. It’s hard to fathom why, in 2017, Congress is taking up this idea, unless members are so completely out of ideas for cybersecurity that they’re stuck recycling the worst ones over and over again.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.

Source: http://www.slate.com/articles/technology/future_tense/2017/10/hacking_back_the_worst_idea_in_cybersecurity_rises_again.html
2 points
-
APT28 threat group is moving fast in the hope that targets haven't yet installed a recently released patch to fix the recently uncovered exploit.
State-backed hackers are looking to use the exploit before organisations have patched against it.

Hackers are rushing to exploit a zero-day Flash vulnerability to plant surveillance software before organisations have time to update their systems to patch the weakness. Uncovered by researchers at Kaspersky Lab on Monday, the CVE-2017-11292 Adobe Flash vulnerability allows attackers to deploy an exploit which can lead to code execution on Windows, Mac, Linux, and Chrome OS systems. The exploit enables the delivery of malicious Word documents bundled with malware, for example to allow attackers to snoop on communications, eavesdrop on video messages and calls, and steal files.

Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Adobe Flash Player for Microsoft Edge, and Internet Explorer 11 are all affected by the vulnerability, and organisations are urgently told to install the critical update. As a result, attackers are moving quickly to exploit it while they can, and researchers at Proofpoint have attributed a campaign designed to spread trojan malware using the vulnerability to APT28 - also known as Fancy Bear - a Russian hacking group with links to the Kremlin.

The campaign to exploit the Flash vulnerability has been sent to government offices in Europe and the US specialising in foreign relations - researchers liken them to "entities equivalent to the State Department" - as well as private businesses in the aerospace industry. The widespread nature of the campaign - compared with other APT28 attacks - is likely an attempt by the attackers to get as much as they can from exploiting the Flash vulnerability before organisations get around to patching it.

In this instance, the malicious payload is delivered in a Word document titled "World War 3.docx" which contains text lifted from an article by a UK newspaper on North Korea, first published on Tuesday.

[Image: The Fancy Bear decoy document used in the campaign.]

Within the document is 'DealersChoice', an attack framework previously attributed to Russian hackers, which has now been bundled with the Flash vulnerability, in a similar way to how the group has done so with previous campaigns. Once installed on the system, the malware can be used as an effective espionage tool. Researchers found that the exploitation was effective on systems using Windows 7 with Flash 27.0.0.159 and Microsoft Office 2013, and Windows 10 build 1607 with Flash 27.0.0.130 and Microsoft Office 2013. Unlike the previously uncovered campaign exploiting the vulnerability, Mac OS doesn't seem to be targeted in these attacks. It's therefore critical that the patches are applied in order to protect against these attacks.

"APT28 appears to be moving rapidly to exploit this newly documented vulnerability before the available patch is widely deployed," said researchers. "Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organizations and end users apply the Adobe patch immediately." Proofpoint have also warned that other threat actors are likely to follow in attempting to exploit this relatively fresh vulnerability while they still can.

Via zdnet.com
1 point
-
"In the grand scheme of things".. the NSA and KRACK business is somewhat irrelevant, a small drop in a very large ocean of tools and methods. From interception directly at the manufacturer/ISP/tool and/or service provider, with a court gag order, threats of prison and/or big payments out of taxpayers' money (carrot & stick concept), to exploits of all kinds developed and/or bought or shared between domestic and foreign agencies. It's no conspiracy theory: if they want to hook you online and you are a priority (resources), there are dozens of methods by which they can do it; they don't rely on a single method. The problem is more for companies and ordinary mortals.
1 point
-
yes! ... defective by design, and now updates that bring the vulnerability into "legality", without, however, offering a "backdoor free" solution, because of the technical specifications of the patent... "[...] in order for the government to legislate a mechanism that would no longer meet the definition of a backdoor, they must disclose to the owner that the government can install functionality through auto-update (the third prong), or disclose that functionality that can introduce code deemed objectionable by the owner (the second prong). If the user chooses to still update their software, then this is not a backdoor because it’s been disclosed, and either its intent or its origins have been fully stated. It is, in fact, much worse than a backdoor at this point; it is a surveillance tool and should be treated as such in law. [...] In today’s legal landscape, secret court orders are a possibility. In such scenarios, we are no longer discussing disclosed actors or intent, but rather secret orders such as those going through a FISA court, such as section 702 orders or secret orders under the All Writs Act. In these cases, our hypothetical software update service could unwittingly become a backdoor if the government chose to quietly control it without any disclosure to the user. In the same way, for the manufacturer to be ordered to keep such capabilities a secret would be to turn the manufacturer into an arm of government for the express intent of creating a backdoor, and the manufacturer could be considered partially liable for the consequences of doing so. Those that control the mechanism dictate the intent, and so if the government is partially in control of the mechanism, then their intentions must become part of the overall test. In such a case, the functionality of the software would likely subvert the intent disclosed to the user. Consent would similarly become invalidated, resulting in a software update mechanism that qualifies as a backdoor by definition."
The quotes are from here, made in a different context, but applicable to the topic at hand.
1 point
-
Given how many things came to light at that time, the fact that they would have access to this "krack" is one of the minor ones.
1 point
-
Interesting article about the subject: http://securityaffairs.co/wordpress/64601/hacking/krack-attack-nsa.html
1 point
-
Razer Ornata keyboard - 299 Lei https://pricezone.ro/product/tastatura-gaming-razer-ornata
0 points
-
Mad Catz Freq 3 headphones - 144 Lei https://pricezone.ro/product/casti-gaming-mad-catz-freq-3-stereo-35-mm-negru
Mad Catz Rat Pro S mouse - 155 Lei https://pricezone.ro/product/mouse-gaming-mad-catz-rat-pro-s-5000dpi-optic-negru-galben
-1 points
-
Beats urBeats Monster headphones - 150 Lei https://pricezone.ro/product/casti-in-ear-beats-urbeats-monster-redwhite
-1 points
-
Motorola Moto 360 2nd generation smartwatch - 600 Lei https://pricezone.ro/product/smartwatch-motorola-moto-360-generatia-a-2-a-45-mm-unisex-curea-silicon-orange
-1 points
-
Samsung Gear 360 - 500 Lei http://www.f64.ro/samsung-gear-360-camera-video-foto-vr-splashproof-alb.html
-1 points
-
Logitech G413 keyboard - 270 Lei https://pricezone.ro/product/tastatura-gaming-logitech-g413-carbon-red-led-mecanica
-1 points
-
We are a group comprised of certified hackers, crackers and developers. We guarantee success in the job done as fast as possible and we provide proof of the job done... We have an office and a return policy... All information will be given to you... Contact us: Lulzsekshitinc@outlook.com or ICQ: 703232629 or WhatsApp: +14626660829 Skype: Lulzsekshitinc@outlook.com
-1 points
-
eVTOLs — flying vehicles with an electric engine and vertical take-off and landing. Like drones, but bigger and capable of carrying people. 18 companies are working on them. 3 have prototypes. Daimler Ventures, Boeing, Geely/Volvo, Tencent and Atomico Ventures are investing in eVTOL production. There are also other sides of the industry: chargers, landing pads, maintenance, mobile apps. We are going to make a unified platform for all elements of this chain. Powered by blockchain and free for everyone. The problem appears when you realize that there are no standards for the interaction of all the elements. Which charger will support my eVTOL? Am I able to pay for them with USD? How much do I pay for the usage of a landing pad? And what if I want to buy an eVTOL and use it as a taxi? McFly.aero makes all interactions between all elements transparent, simple and accessible for all. We will open a huge new market for entrepreneurs and passengers. At first we are going to spread eVTOLs in big cities — urbanites hate traffic jams and are ready to use any method to avoid them. You can get more info here: http://blockchain.aero/
-1 points