Topic security

Google plans to replace passwords with biometrics and environment readings

Anonymous Coward
in security on (#20ZHW)
In the latest attempt to remove the need to use passwords Google is planning on using body location and environmental cues to log a person into their phone or lock a person out. How much power and storage this requires is not currently available.

Subgraph OS - Secure Linux Operating System for Non-Technical Users

Anonymous Coward
in security on (#1XX2X)
story imageFriday, March 04, 2016 Swati Khandelwal

Article in Full w/ Screenshots:

"Subgraph OS[1] is a feather weighted Linux flavor that aims to combat hacking attacks easier, even on fairly low-powered computers and laptops.

Subgraph OS comes with all the privacy and security options auto-configured, eliminating the user's manual configuration."

"Subgraph OS offers more than just kernel security. The Linux-based operating system comes with a slew of security and privacy features that its developers believe will be more accessible to non-technical users.

The OS also includes several applications and components that reduce the user's attack surface. Let's have a close look on important features Subgraph OS provides."

1. Automated Enhanced Protection with Application Sandboxing using Containers
2. Mandatory Full Disk Encryption (FDE)
3. Online Anonymity - Everything through Tor
4. Advanced Proxy Setting
5. System and Kernel Security
6. Secure Mail Services
7. Package Integrity

"Subgraph OS also provides an alternative way to trust the downloaded packages. The packages are to be matched against the binaries present in the operating system's distributed package list, thus becoming a finalizer.

Recently Backdoored Linux Mint hacking incident is an example to this.

Thus, Subgraph OS eliminates the usage of any tampered or malicious downloaded packages."

"How to Download Subgraph Os?

Subgraph Os will be available for download via its offical website. Let's wait for the operating system to get unveiled in Logan CIJ Symposium conference in Berlin on March 11-12 to experience the Cyber Isolation!!!"


FSF suggests getting rid of Intel Management Engine to improve security and privacy

Anonymous Coward
in security on (#1S1GX)
Ask most people what happens when they boot their PC and they will respond with a range of answers from I don't know to The BIOS starts the boot process etc. Very few people realize that modern PCs have a hidden subsystem that lurks behind the main OS with full access to the computer even when it is in sleep mode. This system is called the Intel Management Engine. Given that it can access any part of the OS, memory or storage and has a range of capabilities which includes communication via ethernet the FSF has nominated the Intel ME system should be ditched. Given that the owner of the hardware has no control over the ME and can't even see it, and that the ME is a viable attack vector for completely taking over a PC "It is a threat to freedom, security, and privacy that can't be ignored." The only question we have is: Can we get rid of it?

'Faceless Recognition System' can identify you even with your face hidden

in security on (#1PWJ5)
In a new paper uploaded to the ArXiv pre-print server, researchers at the Max Planck Institute in Saarbrücken, Germany demonstrate a method of identifying individuals even when most of their photos are un-tagged or obscured. The researchers' system, which they call the “Faceless Recognition System,” trains a neural network on a set of photos containing both obscured and visible faces, then uses that knowledge to predict the identity of obscured faces by looking for similarities in the area around a person's head and body.

The accuracy of the system varies depending on how many visible faces are available in the photo set. Even when there are only 1.25 instances of the individual's fully-visible face, the system can identify an obscured faced with 69.6 percent accuracy; if there are 10 instances of an individual's visible face, it increases to as high as 91.5 percent.

In other words, even if you made sure to obscure your face in most of your Instagram photos, the system would have a decent chance identifying you as long as there are one or two where your face is fully visible.

America’s electronic voting machines are scarily easy targets

in security on (#1PAA1)
story imageMost people remember the vote-counting debacle of the 2000 election, the dangling chads that resulted in the Supreme Court breaking a Bush-Gore deadlock. What people may not remember is the resulting Help America Vote Act (HAVA), passed in 2002, which among other objectives worked to phase out the use of the punchcard voting systems that had caused millions of ballots to be tossed.

In many cases, those dated machines were replaced with electronic voting systems. The intentions were pure. The consequences were a technological train wreck. The list of those problems is what you’d expect from any computer or, more specifically, any computer that’s a decade or older. Most of these machines are running Windows XP, for which Microsoft hasn’t released a security patch since April 2014. Though there’s no evidence of direct voting machine interference to date, researchers have demonstrated that many of them are susceptible to malware or, equally if not more alarming, a well-timed denial of service attack.

“When people think that people think about doing something major to impact our election results at the voting machine, they think they’d try to switch results,” says Brennan Center’s Lawrence Norden, referring to potential software tampering. “But you can do a lot less than that and do a lot of damage… If you have machines not working, or working slowly, that could create lots of problems too, preventing people from voting at all.”

The extent of vulnerability isn’t just hypothetical; late last summer, Virginia decertified thousands of insecure WinVote machines. As one security researcher described it, “anyone within a half mile could have modified every vote, undetected” without “any technical expertise.” The WinVote systems are an extreme case, but not an isolated one.

Ransomware is targeting the enterprise at an increasing pace

in security on (#1P8DF)
Enterprise-targeting cyber enemies are deploying vast amounts of potent ransomware to generate revenue and huge profits – nearly $34 million annually according to Cisco’s Mid-Year Cybersecurity Report out this week.

Ransomware, Cisco wrote, has become a particularly effective moneymaker, and enterprise users appear to be the preferred target. One of the main reasons is that corporations have access to (and can afford) ransom money whereas individual users may not.

Problems include faster and more effective propagation methods that maximize the impact of ransomware campaigns, exploit kits, which make ransomware easy to deploy, and vulnerabilities in the enterprise application software JBoss, which is providing attackers with a new vector that they can use to launch ransomware campaigns with.

Another very troubling issue is that a small but growing number of malware samples show that bad actors are using Transport Layer Security (TLS), the protocol used to provide encryption for network traffic, to hide their activities. This is a cause for concern among security professionals, since it makes deep-packet inspection ineffective as a security tool.

KeySniffer malware exploits cheap wireless keyboards

in security on (#1P52K)
A vulnerability in inexpensive wireless keyboards lets hackers steal private data, security company Bastille reported this week. The vulnerability lets a hacker use a new attack the firm dubbed "KeySniffer" to eavesdrop on and capture every keystroke typed from up to 250 feet away.

Affected keyboards are made by eight companies: HP, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric and EagleTec.

The vulnerable keyboards are easily detected because the USB dongles they use are always transmitting synchronization packets to let the keyboard find them, whether or not they're in use. The synchronization packets contain the unique identifier for the keyboard or dongle. Once a vulnerable keyboard is identified, the hacker uses the identifier to filter wireless transmissions for the keystrokes sent by the target keyboard.

Hackers not only can steal data, but also can inject keystrokes to type remotely on a vulnerable computer, installing malware or stealing data.

None of the affected keyboards can be patched, and the safest option is to switch out to a Bluetooth keyboard -- or better yet, a wired keyboard, Bastille's Marc Newlin said.

Serious limitations In Samsung Galaxy Note 7 Iris Scanner

in security on (#1NS07)
The iris scanner in the Samsung Galaxy Note 7 is a welcome step forward in device security, but according to Samsung it comes with a long list of caveats. The iris recognition system uses three lenses to capture the image signal, but iris scanner may not work if you wear glasses or contacts, use it in low light conditions, if you've had eye surgeries such as LASIK, LASEK, intraocular lens implants or if you've had iris scar treatment. The performance of the iris scanner may also be affected if the user has an eye disease that affects the irises. You also need to be able to position the phone "25 to 30 centimeters from your face" with your eyes in the on-screen circles so the front-facing scanner can register your iris, something that may be awkward to do in a moving vehicle or while walking.

Ransomware that knows where you live

in security on (#1A2NN)
A widely distributed scam email that quotes people's actual postal addresses, links to a dangerous form of ransomware called Maktub. The phishing emails told recipients they owed hundreds to businesses and that they could print an invoice by clicking on a link - but that leads to malware. "It's incredibly fast and by the time the warning message had appeared on the screen it had already encrypted everything of value on the hard drive - it happens in seconds. This is the desktop version of a smash and grab - they want a quick payoff."

Maktub doesn't just demand a ransom, it increases the fee - which is to be paid in bitcoins - as time elapses. During the first three days, the fee stands at 1.4 bitcoins, or approximately $580. This rises to 1.9 bitcoins, or $790, after the third day.

It's still not clear how scammers were able to gather people's addresses and link them to names and emails. The data could have come from a number of leaked or stolen databases. For some individuals without backups, paying the ransom might be the only way to retrieve their data. "However, every person that does that makes the business more valuable for the criminal and the world worse for everyone."

Amazon Quietly Removes Encryption Support from its devices in Fire OS 5

in security on (#16AP6)
Amazon has deprecated full disk encryption in Fire OS 5:
The tech giant has recently deprecated support for device encryption on the latest version of Fire OS, Amazon’s custom Android operating system, which powers its tablets and phones. In the past, privacy-minded users could protect data stored inside their devices, such as their emails, by scrambling it with a password, which made it unreadable in case the device got lost or stolen. With this change, users who had encryption on in their Fire devices are left with two bad choices: either decline to install the update, leaving their devices with outdated software, or give up and keep their data unencrypted.