Tuesday, July 21, 2015

Exclusive: Visa application portal closed following SC Magazine investigation

An SCMagazineUK.com investigation was able to access the editable Schengen visa application forms of three totally random people, some FOUR DAYS after operating company VFS Global said a vulnerability had been fixed and the system was now secure. Visit the VFS Global website and it not only celebrates having handled 100 million visa applications but also boasts of being the world's largest outsourcing and technology services specialist for governments and diplomatic missions worldwide. It specialises in "visa and passport issuance-related administrative and non-judgemental tasks" for client governments, of which there are 45 around the world. What you won't find any mention of is what appear to be systemic failures when it comes to security. A vulnerability which first hit the media courtesy of SCMagazineUK.com contributor and veteran security journalist Davey Winder back in 2007, and led to an independent enquiry ordered by the UK Foreign Secretary, re-emerged last week, some eight years on.

Is it time to blame the messenger for security training failures?

People in your organisation are probably sharing passwords, using unauthorised devices and applications to access corporate data, and unauthorised cloud stores for good measure. Some won’t know this breaches company security policy, others will and won’t care. Some of the perpetrators will be on the shop floor, others around the boardroom table; this wilful disregard for secure best practice knows no pay grade boundary. Truth be told, the chances are high that people just don’t care about your carefully considered ‘security posture’ or really give one, let alone two, hoots for the day-to-day security message on a personal level, whether it’s out in the field or up at the executive level. Now that you’ve read that admittedly somewhat ‘paint it black’ introductory paragraph, I urge you to go back and read it again.

Thursday, July 02, 2015

Can Bitcoin-based Enigma encryption succeed where HE has failed?

Enigma is the brainchild of a couple of Bitcoin entrepreneurs who, together with an MIT Media Lab researcher, have used features from the decentralized Bitcoin network architecture, including an external blockchain, to create what they reckon will be the ultimate peer-to-peer network for storing and running computations on data whilst keeping it completely private at the same time. Enigma will break your data up into tiny chunks and then randomly distribute meaningless bits of those to nodes in the network, where the calculations are performed on each discrete lump before being returned to the user, where they are put back together to form an unencrypted whole again. Obviously there is some maths involved to enable each node to do whatever computational task is required on just that miniature piece of data. Equally obviously, the more nodes there are the quicker the computing is and, importantly, the more secure this thing is, as the pieces will be smaller. The Bitcoin blockchain keeps track of who has what and where by way of a metadata store, unforgeable courtesy of being copied to thousands of computers.
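The article does not spell out the maths that lets a node compute on a meaningless fragment. The following is an added illustration, not Enigma's own code, of one standard technique of that kind: additive secret sharing, where each node holds a random-looking share, performs a linear operation on it locally, and only the party that collects every result recovers the answer. The modulus, share count and function names are assumptions chosen for the example.

```python
"""Added example: additive secret sharing over a prime field (illustrative,
not Enigma's implementation). Shows that (a) any n-1 shares are consistent
with every possible secret, and (b) nodes can compute linear functions on
their shares without ever seeing the inputs."""
import secrets

P = 2**61 - 1  # public prime modulus chosen for this example; all arithmetic is mod P


def share(value, n):
    """Split value into n shares that sum to value mod P.
    The first n-1 shares are uniformly random; the last one fixes the total."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Only whoever holds all n shares can recover the value."""
    return sum(shares) % P


def missing_share(partial_shares, candidate):
    """Given n-1 shares, return the final share that would make the
    secret equal to candidate. Because one such share always exists,
    n-1 shares reveal nothing about which value is the real secret."""
    return (candidate - sum(partial_shares)) % P


def node_compute(x_share, y_share, scale):
    """Work a node can do purely locally: add two shared values and
    multiply by a public constant. Linear operations commute with
    additive sharing, so the node never learns x or y."""
    return (x_share + scale * y_share) % P


def private_linear(x, y, scale, n=3):
    """Client splits x and y across n nodes, each node computes on its own
    pair of shares, and the client reassembles the results into x + scale*y."""
    x_shares, y_shares = share(x, n), share(y, n)
    results = [node_compute(xs, ys, scale) for xs, ys in zip(x_shares, y_shares)]
    return reconstruct(results)


if __name__ == "__main__":
    print(private_linear(1234, 5678, 3))  # 18268, computed without any node seeing 1234 or 5678
```

Multiplying two shared values together needs extra protocol machinery (a round of communication between nodes), which is why the example stops at linear functions.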

GoPro rides into Tour de France 2016 with new security faux pas

Action video camera vendor GoPro has announced that it is riding into the Tour de France with a promotional video to celebrate being named the official camera of the world's largest annual sporting event, with a worldwide television audience of some 4 billion people, but not before the BBC reported how GoPro cameras could be used to spy on their owners. It gets worse for GoPro, as Pen Test Partners has now also explained in a blog posting how the GoPro Studio editing software was making update requests over an unencrypted HTTP connection, which could allow an attacker on public Wi-Fi to serve a fake, malicious update in place of the real one. "It's fairly easy to add malicious code into pre-existing binaries and therefore we could abuse this to introduce backdoors to the victim whilst also letting them update their GoPro Studio software at the same time," the post warns.

Wednesday, June 24, 2015

Dear Adobe Flash, why won't you DIE, DIE, DIE?

Earlier this month, security outfit FireEye's 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player, complete with the exploit code, if you are not. I'm with Brian Krebs who, just the other week, wrote about how he has "spent the better part of the last month running a little experiment to see how much I would miss Adobe's buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much." C'mon folks, be honest now: do you really need Flash, do you really use it and would you really miss it? Let's all do the decent thing and shoot this sick beyond belief monstrosity in the head...

In other news, Dell brings Greek malware into view

A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and, to be honest, nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos, which means covered, and graphie, which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and log in to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool, deployed by cybercriminals.