Everything posted by mundy.
-
Milionarilor
-
Intel Security (formerly McAfee) has announced a security platform designed to protect both new and legacy infrastructure within the electric power grid.

Dubbed Intel Security Critical Infrastructure Protection (CIP), the solution was developed in collaboration with the Department of Energy-funded Discovery Across Texas smart grid project including deployment at Texas Tech University, and is a joint project of Intel Security and Wind River.

Intel Security CIP works by separating the security management functions of the platform from the operational applications, allowing the operational layer to be secured, monitored and managed, the company explained.

According to Intel Security, the security platform can be applied with little or no changes to business processes or application software, and can be retrofitted onto many existing systems. Features include protection such as device identity, malware protection, data protection and resiliency.

Intel believes the solution can be leveraged beyond the power grid and could be equally effective for departments of defense, oil and gas firms, medical applications, and other areas.

According to a study sponsored by Intel, “In the Dark: Crucial Industries Confront Cyberattacks,” of the 200 CIP executives surveyed globally, 32% had not adopted special security measures for smart grid controls. Yet 33% anticipated a major cybersecurity incident within 12 months.

“The risk of cyberattacks on critical infrastructure is no longer theoretical, but building security into the grid is challenging due to the amount of legacy infrastructure and the importance of availability of service,” Lorie Wigle, Vice President of Internet of Things Security Solutions for Intel Security, said in a statement. “Traditional security measures such as patching and rebooting are often inappropriate for the grid, so we set out to design something entirely different that could be non-invasive but simultaneously robust.”

“From December 2013 to January 2015, the Intel Security CIP was in a field trial at Texas Tech University, where it performed as required by NIST standards and withstood penetration testing, as well as protected the synchrophasor applications during the Heartbleed vulnerability and Havex attacks,” said Milton Holloway, President & COO, Center for the Commercialization of Electric Technologies. “This project was an outstanding example of a successful public-private partnership in that it produced technologies that are market-ready. What could be a better outcome of a demonstration project?”

Source: securityweek.com
-
A new Android Trojan spotted by researchers at Kaspersky Lab uses some clever techniques to silently subscribe victims to premium services.

The threat, detected by Kaspersky as Trojan-SMS.AndroidOS.Podec, is still under development, but it’s already capable of carrying out a wide range of tasks. Cybercrooks can use the malware to send SMS messages, set a filter on incoming messages and calls, display ads, delete messages and call records, upload the HTML source code of specified webpages to a remote server, perform DDoS attacks, make outgoing calls, subscribe the victim to paid content, delete apps, and export incoming messages based on instructions received from the command and control (C&C) server.

The Trojan is capable of signing up victims to premium services that use both the pseudo-subscription and MT subscription models. In the case of pseudo-subscription, users must send an SMS message for payment each time they want to access the service. In the case of MT subscription, users enter a validation code received via SMS on a website to show that they accept terms and conditions. Once this is done, they will be charged on a regular basis.

For example, one of the services used by Podec is called RuMaximum, which allows internauts to take personality and other tests online. Users are first required to fill out an online form. Once the page is submitted, they are asked to enter their phone number in order to get the test results. The website sends a verification code to the provided phone number, and the user must enter the code and solve a CAPTCHA in order to see the results.

The malware uses a GET request to fill out the online form. Then, it enters the victim’s phone number, intercepts the SMS containing the validation code, and enters the code on the website. As for the CAPTCHA, the malware leverages an online image-to-text decoding service called Antigate.

Antigate doesn’t use sophisticated algorithms to solve the CAPTCHAs. Instead, it employs people from all over the world to complete the task. According to the company’s website, most workers are based in India, but the list of countries also includes Pakistan, Vietnam, Ukraine, Indonesia, Russia, the United States, China, Japan, and the Philippines. The service offers to decode CAPTCHAs for as little as $0.7 per 1,000 images, with an average decoding speed of 15 seconds. Podec uses Antigate’s API to send the CAPTCHA images and then waits for the result.

Another interesting aspect of this Trojan is that it’s capable of bypassing the Advice of Charge feature, which provides the user with information on any applicable charges before he/she subscribes to a service.

The Trojan’s DDoS capabilities are likely not designed for disrupting Web services. Instead, they help cybercrooks ramp up website visitor counters, and generate a profit from advertising and affiliate programs, Kaspersky said.

To prevent users and security solutions from removing it, the Trojan requests device administrator privileges when first launched. The request is displayed on the screen until the victim accepts. According to researchers, there is indication that future versions of the threat will include a payload designed to exploit super-user privileges.

In order to prevent researchers from analyzing the Trojan’s source code, its authors have obfuscated the code, introduced some “garbage” classes, and leveraged an expensive code protector application.

The Podec Trojan is distributed through the Russian social network Vkontakte and several other websites with names such as Apk-downlad3(dot)ru and minergamevip(dot)com. The malware is usually disguised as cracked versions of Android games and applications. The design and management of the Vkontakte groups that advertise the malicious games and apps suggest that blackhat SEO (search engine optimization) specialists are involved in the distribution of the malware, Kaspersky said.

The security firm has detected more than 4,000 Podec infections, most of which are in Russia. Infected devices have also been spotted in Kazakhstan, Ukraine, Belarus, and Kyrgyzstan.

Source: securityweek.com
-
Post screenshots showing that you own the account.
-
It works, it works.
-
Not Found The requested URL /index.php was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
-
Thanks, but where could I find the benefits of this program's pro package?
-
Can someone explain to me step by step how to use it?
-
It has a very intuitive design, my congratulations.
-
Keylogger/Spy for Phones Running the Android Operating System
mundy. replied to NervSimpatic's topic in Mobile security
Let me test mspy myself now, to see what it's good for.
-
Hi, I know I haven't been here very long, but, if I ask you nicely, could you help me with the first script? The one with the contact form. I'll owe you one if you want.
-
I apologize, I didn't notice. Next time I promise to use search; I was sure that one of all the topics I made would already exist.
-
2TB USB Flash Drive = 2000GB
mundy. replied to Che's topic in Operating systems and hardware discussions
The firmware can be modified very easily, of course, if you have the necessary knowledge. I recommend you don't order such nonsense; listen to that, a 2 TB stick.
-
One of the best things about modern cryptography is the beautiful terminology. You could start any number of punk bands (or Tumblrs) named after cryptography terms like 'hard-core predicate', 'trapdoor function', or 'impossible differential cryptanalysis'. And of course, I haven't even mentioned the one term that surpasses all of these. That term is 'zero knowledge'.

In fact, the term 'zero knowledge' is so appealing that it leads to problems. People misuse it, assuming that zero knowledge must be synonymous with 'really, really secure'. Hence it gets tacked onto all kinds of stuff -- like encryption systems and anonymity networks -- that really have nothing to do with true zero knowledge protocols.

This all serves to underscore a point: zero-knowledge proofs are one of the most powerful tools cryptographers have ever devised. But unfortunately they're also relatively poorly understood. In this series of posts I'm going to try to give a (mostly) non-mathematical description of what ZK proofs are, and what makes them so special. In this post and the next I'll talk about some of the ZK protocols we actually use.

Origins of Zero Knowledge

The notion of 'zero knowledge' was first proposed in the 1980s by MIT researchers Shafi Goldwasser, Silvio Micali and Charles Rackoff. These researchers were working on problems related to interactive proof systems, theoretical systems where a first party (called a 'Prover') exchanges messages with a second party ('Verifier') to convince the Verifier that some mathematical statement is true.

Prior to Goldwasser et al., most work in this area focused on the soundness of the proof system. That is, it considered the case where a malicious Prover attempts to 'trick' a Verifier into believing a false statement. What Goldwasser, Micali and Rackoff did was to turn this problem on its head. Instead of worrying only about the Prover, they asked: what happens if you don't trust the Verifier?

The specific concern they raised was information leakage. Concretely, they asked, how much extra information is the Verifier going to learn during the course of this proof, beyond the mere fact that the statement is true?

It's important to note that this is not simply of theoretical interest. There are real, practical applications where this kind of thing matters.

Here's one: imagine that a real-world client wishes to log into a web server using a password. The standard 'real world' approach to this problem involves storing a hashed version of the password on the server. The login can thus be viewed as a sort of 'proof' that a given password hash is the output of a hash function on some password -- and more to the point, that the client actually knows the password.

Most real systems implement this 'proof' in the absolute worst possible way. The client simply transmits the original password to the server, which re-computes the password hash and compares it to the stored value. The problem here is obvious: at the conclusion of the protocol, the server has learned my cleartext password. Modern password hygiene therefore involves a good deal of praying that servers aren't compromised.

What Goldwasser, Micali and Rackoff proposed was a new hope for conducting such proofs. If fully realized, zero knowledge proofs would allow us to prove statements like the one above, while provably revealing no information beyond the single bit of information corresponding to 'this statement is true'.

A 'real world' example

So far this discussion has been pretty abstract. To make things a bit more concrete, let's go ahead and give a 'real' example of a (slightly insane) zero knowledge protocol.

For the purposes of this example, I'd like you to imagine that I'm a telecom magnate in the process of deploying a new cellular communications network. My network structure is represented by the graph below. Each vertex in this graph represents a cellular radio tower, and the connecting lines (edges) indicate locations where two cells overlap, meaning that their transmissions are likely to interfere with each other.

For more information, go here: A Few Thoughts on Cryptographic Engineering: Zero Knowledge Proofs: An illustrated primer
-
There's a story on Hacker News asking what the hell is going on with the Truecrypt audit. I think that's a fair question, since we have been awfully quiet lately. To everyone who donated to the project, first accept my apologies for the slow pace. I want to promise you that we're not spending your money on tropical vacations (as appealing as that would be). In this post I'd like to offer you some news, including an explanation of why this has moved slowly.

For those of you who don't know what the Truecrypt audit is: in late 2013 Kenn White, myself, and a group of advisors started a project to undertake a crowdfunded audit of the Truecrypt disk encryption program. To the best of my knowledge, this is the first time anyone's tried this. The motivation for the audit is that lots of people use Truecrypt and depend on it for their security and safety -- yet the authors of the program are anonymous and somewhat mysterious to boot. Being anonymous and mysterious is not a crime, but it still seemed like a nice idea to take a look at their code.

We had an amazing response, collecting upwards of $70,000 in donations from a huge and diverse group of donors. We then went ahead and retained iSEC Partners to evaluate the bootloader and other vulnerability-prone areas of Truecrypt. The initial report was published here.

That initial effort was Part 1 of a two-part project. The second -- and much more challenging part -- involves a detailed look at the cryptography of Truecrypt, ranging from the symmetric encryption to the random number generator. We had some nice plans for this, and were well on our way to implementing them. (More on those in a second.)

Then in late Spring of 2014, something bizarre happened. The Truecrypt developers pulled the plug on the entire product -- in their typical, mysterious way.

This threw our plans for a loop. We had been planning a crowdsourced audit to be run by Thomas Ptacek and some others. However in the wake of TC pulling the plug, there were questions. Was this a good use of folks' time and resources? What about applying those resources to the new 'Truecrypt forks' that have sprung up (or are being developed?) There were a few other wrinkles as well, which Thomas talks about here -- although he takes on too much of the blame.

It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this.

A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet.

In our copious spare time we've also been looking manually at some portions of the code, including the Truecrypt RNG and other parts of the cryptographic implementation. This will hopefully complement the NCC/iSEC work and offer a bit more confidence in the implementation.

I don't really have much more to say -- except to thank all of the donors for their contributions and their patience. This project has been a bit slower than any of us would like, but results are coming. Personally, my hope is that they'll be completely boring.

Source: A Few Thoughts on Cryptographic Engineering: Another update on the Truecrypt audit
-
The information security news today is all about Lenovo’s default installation of a piece of adware called “Superfish” on a number of laptops shipped before February 2015. The Superfish system is essentially a tiny TLS/SSL “man in the middle” proxy that attacks secure connections by making them insecure — so that the proxy can insert ads in order to, oh, I don’t know, let’s just let Lenovo tell it:

“To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually,” the representative continued. “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

Whatever.

The problem here is not just that this is a lousy idea. It’s that Lenovo used the same certificate on every single laptop it shipped with Superfish. And since the proxy software also requires the corresponding private key to decrypt and modify your web sessions, that private key was also shipped on every laptop. It took all of a day for a number of researchers to find that key and turn themselves into Lenovo-eating interception proxies. This sucks for Lenovo users.

If you’re a Lenovo owner in the affected time period, go to this site to find out if you’re vulnerable and (hopefully) what to do about it. But this isn't what I want to talk about in this post.

Instead, what I’d like to discuss is some of the options for large-scale automated fixes to this kind of vulnerability. It’s quite possible that Lenovo will do this by themselves — pushing an automated patch to all of their customers to remove the product — but I'm not holding my breath. If Lenovo does not do this, there are roughly three options:

1. Lenovo users live with this and/or manually patch. If the patch requires manual effort, I’d estimate it’ll be applied to about 30% of Lenovo laptops. Beware: the current uninstall package does not remove the certificate from the root store!
2. Microsoft drops the bomb. Microsoft has a nuclear option themselves in terms of cleaning up nasty software — they can use the Windows Update mechanism or (less universally) the Windows Defender tool to remove spyware/adware. Unfortunately not everyone uses Defender, and Microsoft is probably loath to push out updates like this without massive testing and a lot of advice from the lawyers.
3. Google and Mozilla fix internally. This seems like a more promising option. Google Chrome in particular is well known for quickly pushing out security updates that revoke keys, add public key pins, and generally make your browsing experience more secure.

It seems unlikely that #1 and #2 will happen anytime soon, so the final option looks initially like the most promising. Unfortunately it's not that easy. To understand why, I'm going to sum up some reasoning given to me (on Twitter) by a couple of members of the Chrome security team.

The obvious solution to fixing things at the browser level is to have Chrome and/or Mozilla push out an update to their browsers that simply revokes the Superfish certificate. There's plenty of precedent for that, and since the private key is now out in the world, anyone can use it to build their own interception proxy. Sadly, this won't work! If Google does this, they'll instantly break every Lenovo laptop with Superfish still installed and running. That's not nice, or smart business for Google.

A more promising option is to have Chrome at least throw up a warning whenever a vulnerable Lenovo user visits a page that's obviously been compromised by a Superfish certificate. This would include most (secure) sites any Superfish-enabled Lenovo user visits -- which would be annoying -- and just a few pages for those users who have uninstalled Superfish but still have the certificate in their list of trusted roots.

This seems much nicer, but runs into two problems. First, someone has to write this code -- and in a hurry, because attacks may begin happening immediately. Second, what action item are these warnings going to give people? Manually uninstalling certificates is hard, and until a very nice tool becomes available a warning will just be an irritation for most users.

One option for Google is to find a way to deal with these issues systemically -- that is, provide an option for their browser to tunnel traffic through some alternative (secure) protocol to a proxy, where it can then go securely to its location without being molested by Superfish attackers of any flavor. This would obviously require consent by the user -- nobody wants their traffic being routed through Google otherwise. But it's at least technically feasible.

Google even has an extension for Android/iOS that works something like this: it's a compressing proxy extension that you can install in Chrome. It will shrink your traffic down and send it to a proxy (presumably at Google). Unfortunately this proxy won't work even if it was available for Windows machines -- because Superfish will likely just intercept its connections too.

So that's out too, and with it the last obvious idea I have for dealing with this in a clean, automated way. Hopefully the Google team will keep going until they find a better solution.

The moral of this story, if you choose to take one, is that you should never compromise security for the sake of a few bucks -- because security is so terribly, awfully difficult to get back.

Source: A Few Thoughts on Cryptographic Engineering: How to paint yourself into a corner (Lenovo edition)
-
I entered the number you posted and it doesn't work; the box shows up in red. Oh, and a postal code?
-
Welcome among us!
-
The scheme by which two Romanians stole a fortune through Internet Banking
mundy. replied to ZeroDoi's topic in Security news
Ha, that line of yours is great =)
-
Radware, a provider of application delivery DDoS attack protection solutions, this week unveiled its latest attack mitigation platform designed to help carriers and cloud providers protect against high volume DDoS attacks.

According to Radware, its new attack mitigation platform provides up to 300Gbps of mitigation capacity and can help protect against volumetric DDoS attacks such as UDP reflection attacks, fragmented and out-of-state floods.

Radware’s DefensePro x4420 has the ability to handle 230 million packets per second of attack traffic and was designed for multi-tenant environments with the ability to support up to 1,000 active policies, separate processing capabilities and customized management & reporting per tenant, the company said.

“Cyber-attacks have evolved and reached a tipping point in terms of quantity, length, complexity and targets,” says Carl Herberger, vice president of security solutions for Radware. “In 2014, one in seven cyber-attacks were larger than 10Gbps and we’ve seen attacks 100+Gbps in size. The attack landscape is changing and cyber-attackers are getting more and more aggressive with their tactics. It’s not uncommon for mobile carriers and cloud providers to experience extra-large attacks.”

“Soon enough, DDoS attacks will eventually reach the 1Tbs level, placing manufacturers in a frenzy to keep up with future volumetric cyberattacks,” Dan Thormodsgaard, vice president of solutions architecture for FishNet Security, said in a statement.

More information on the platform is available online.

Source: securityweek.com