Displaying items by tag: Hacking

To say I am leery of The Cloud would be to make a very mild understatement. Ever since the first true cloud services hit the market (and were hacked) I have been concerned with the continued push to get more people onboard while little attention is paid to actually securing these services and the user data they contain. In a conversation I recently had, I brought up the fact that we are only in June and already have had 7 major breaches. Security (or the lack of) is a big issue, yet we do not see the companies building and selling “The Cloud” making the changes needed to protect what is already out there.

A couple of days ago Google started pushing encryption for e-mail. No, we are not talking about the typical https connection required for Gmail. We are talking about actually encryption of email as it moves from server to server using TLS (Transport Layer Security). In simplest terms this method creates connections between servers using a secure tunnel to each other for the purposes of transmitting the message. Once the message has been passed to the destination server the tunnel closes. However, despite the length of time TLS has been around not many companies use.

This morning as I was cursing through the internet news sites I noticed a trend. I saw multiple articles about the state of security all of them claiming that the bad guys a winning or lamenting about the increase in cyber-attacks. Both of these themes are very true, we are seeing an increase in the number of attacks per day (in 2012 it was roughly 1 per day) and the “bad guys” seem to be able to penetrate security with ease. So if this is the case, why do we see more and more efforts to move data and services into the cloud?

Global auction service eBay was hacked. The company began sending alerts to its users to change their passwords. The attack compromised the personal data of eBay users - names, (encrypted) passwords, email addresses, and phone numbers. However, the company assures that the financial information of users are safe, and there is no indication that the PayPal was hacked too.

Popular web service for shortening URLs, Bitly, sent an urgent warning about a possible compromise of user accounts on the service. Although it has not yet been discovered whether the attackers managed to seize the accounts of users, there is a possibility that their email addresses, encrypted passwords, API keys and OAuth tokens were compromised.

There is no such thing as a secure operating system; it is as simple as that. Despite years and years of hearing about how this OS or that OS is secure it is simply not true. We have watched as each new contender has fallen to either security researchers or to the “bad guys” out there in the shadowy places on the internet. Today we hear about an issue with Microsoft’s vaunted EMET toolkit.

Smartphone and digital device theft is a pretty big deal according to many statistics out there. It is a pretty easy crime when you think about it: grab someone’s phone and run. Even if they wipe all their personal data you can always sell the phone to someone that can reactivate it. There have been many suggestions for how to combat this type of crime, some more effective than others. However, the one that now seems to be rearing its ugly head more frequently is the concept of a kill-switch embedded into all smartphones that would allow a device to be permanently disabled by remote command and all personal data wiped.

Linksys has always had a name as a cost effective product for the consumer and even for small business. In the industry they have also been known to have some security issues. Not that long ago it was reported that a CGI script flaw in many of their E series routers allowed someone to bypass the requirement for admin credentials and gain unrestricted access to these products. Is if to add insult to injury malware has been identified in the wild that exploits the vulnerability.

In March of this year during the CanSecWest security conference, fourth consecutive Pwnium competition organized by Google will take place. The aim of the competition is to find vulnerabilities in the Chrome OS, and gather and reward hackers who found mistakes that will not be used in criminal purposes, but their knowledge will help Google to build a more secure operating system. Terms of winning cash prizes are pretty strict, which means that to win the award, founder's failure must be original, which means it must not be previously known or partially published or used in other competitions.

One of the largest US retail chains, Target, founded in 1902 admitted that unknown attackers stolen encrypted PINs from their system. Alienated data contained the names of customers, credit and debit card and CCV numbers that are used to activate the card on Target's webpage.