The Tor Project is getting its very own bug bounty program to help keep the wild onion nice and fresh in the face of increasing threats.
The new bug bounty program was announced at their State of the Onion address that occurred at the annual Chaos Communication Congress security conference that's held in Germany. It's part of the Tor's continuing commitment to privacy and the realization that the more talented people that get their hands in the code-base, the better. "We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved." Nick Mathewson, the co-founder and chief architect of the Tor Project said.
They've teamed up with the Open Technology Fund to help fund the all the the good citizens that help the project.
Samsung has just introduced a new three-layered approach to security for their SmartTV ecosystem to better secure any stored information, such as account details, payment details or any data being sent between it and the Internet.
This comes right after Samsung announced that they'd move more towards making their SmartTV's more of a hub for all of your IoT connected devices throughout your house. With that much data flowing between their TV's and being able to control your security system, lights and more, it's definitely a good idea to at least have a little encryption. Thankfully they're doing more than just a healthy dose of AES 256. Because of that centralized nature, security is important, Samsung said that "Protecting consumers' personal information is of the utmost importance to Samsung, both in terms of the company's values and what's needed for the continued growth and success of the IoT ecosystem."
GAIA works in three ways. First it separates the main operating system, the Tizen OS, from a secure space that can house all the important and personal bits of information and core services that's logically segmented in memory. This'll work in a similar way to how ARM's TrustZone and Intel's TXT works. The second piece is a built-in anti-malware service that can scan incoming and outgoing data, it'll also encrypt all traffic to and from the TV. The third part is much the same as the first, segmenting the OS in memory so that even if there is malware, it won't be able to touch the actual personal information.
One of AVG's Chrome addons, Web TuneUP had a security hole that your could drive a tank into, something that could potentially let websites with malicious code in their CSS take control of your PC, though only in a trivial manner.
The exploit was originally found by Google, who reported it to AVG to have fixed. The initial fix wasn't quite good enough, so they just pushed out a new fix that seems to solve the issue. That being said, it still seems to be vulnerable to XSS attacks, though that should be fixed soon as well.
One generally thinks that antivirus companies are a bit more scrupulous and careful when designing their applications, but this mistake, and a mostly glaring one, calls to question the type of quality control and examination goes on before things go live. But it's best to fly without any addons, because all addons can potentially be security risks. Browse safe!
It looks like some enterprising business people approached the Raspberry Pi Foundation with an odd business proposal, to pre-install their malware on the Raspberry Pi mini-computer.
Amazing. This person seems to be very sincerely offering us money to install malware on your machines. pic.twitter.com/1soL0MIc5Z— Raspberry Pi (@Raspberry_Pi) December 23, 2015
In an email to the Foundation, a company, whose name was obviously redacted, was asking them to make available an exe file for installation (which wouldn't run on Linux anyway) in exchange for a sum of money for the amount of installations they detect.
This kind of tactic is surprising given the sheer audacity of asking a well-known organization, that prides itself on the many security applications of its minuscule box, outright to cheat its customers. It goes without saying that the Raspberry Pi Foundation didn't go along with their idea. It's even more hilarious that these peddlers of malware didn't seem to understand the platform being run on those devices. Maybe they'll ask Microsoft or Apple next?
The Hyatt chain of hotels just yesterday found malware running on their systems that operate the payment processing for their hotels.
In their statement they said that they've launched a full-scale investigation and are cooperating with some of the leading cyber-security experts in order to get the issues resolved. In the meantime, if you happen to have stayed at a Hyatt owned hotel within the past six months, be sure to keep an eye out on your bank accounts just in case something suspicious happens to show up.
How does one get malware onto a payment processing system? It's not terribly hard but there are best practices in place to make sure that it's difficult to do. Segmenting the network used and keeping it separate from other networks used for browsing the web, making sure that a proper IDS is in place to detect weird activity and limiting any IP addresses that actually access those systems processing card data to those on a whitelist. But those don't make it impossible, just harder and more likely to scare away all but the most seasoned and prepared of individuals.
In an effort to bolster account security, tech giant Google has confirmed that it's testing a new login system that doesn't require passwords.
Google is currently testing a new authentication method that could pave the way to password-free accounts in the near future. Google's method is very much like Yahoo's Account Key logins, which uses smartphone push notifications instead of manual passwords to log into Google accounts. The company's new sans password login method with a small batch of users, and one Reddit user has shared a few details on the new system.
According to an early access tester, the new method is pretty simple and is very much like linking a smartphone to a Roku to use a remote, or tethering a phone to an Xbox One to use Smartglass. Once your phone is linked and authorized to login to your Google account, the app sends a code that's shown on both screens, and users must type the same code to link the devices. Once that's done, users are logged in and can freely use their accounts. Basically Google's new method hinges on syncing, meaning you'll be matching digital pairs rather than typing in a per-session password.
While we wrote that relatively small 'Western Nations' such as Australia are under possible infrastructure hacker threat due to low-security measures, news has come to light that a New York dam was infiltrated by Iranian hackers back in 2013.
With the dam being located no more than 20 miles from New York City, this Iranian hack likely came around thanks to Leon Panetta, ex-Defense Secretary, calling out Iran's hacking prowess in October 2012, putting Governments on high alert for possible hacker threats. With this hack taking place and being kept under the covers until recently, it's just one example of how infrastructure infiltration is a very real threat.
This classified dam is one of the very few public accounts of infrastructure control loss, with all major suppliers of electricity, sewage, water and more all linked to the internet.
sanriotown.com is as a massive Hello Kitty community database and contains around 3.3 million accounts, with Gizmodo reporting that this website has been breached, leaking sensitive member information online.
The data stolen from 'sanriotown' includes first and last names, encoded birthdays, member country of origin, email addresses, passwords, password hints and answers, plus various "other data points," says Chris Vickery , researcher from CSO online.
In addition to this hacked database, information from official Hello Kitty websites has also been spotted, including the original .com website, plus .sg, .my, .th and finally mymelody.com. If you beleive you have been involved in this hack it is advised that you change your password immediately.
Juniper Networks has had quite the week. On Thursday it seems that some unauthorized code was found to have been inserted into their ScreenOS, which forms the basis for their hardware filewalls. This malicious code would allow a backdoor into the firewall, letting potential attackers decrypt VPN traffic with the keys found inside.
The fun doesn't stop there, however. Now the FBI has now gotten involved and will be investigating the possibility of whether foreign governments had been involved with inserting the malicious code for the purposes of intercepting encrypted communications from government employees.
It looks like some Linux distributions have a considerable security hole, with security researchers from the Cybersecurity Group at Polytechnic University of Valencia (UPV) in Spain finding an incredibly easy way to hack into numerous Linux distributions.
The researchers found that by using the Grub2 bootloader, immediately bypasses the lock screen, initiates the "Grub rescue shell" and then grants users the ability to access the system for whatever they need. The team found that pressing the backspace key 28 times triggers a memory error, which then displays the rescue shell. This isn't a massive threat as it means someone has to have physical access to your Linux-based machine, but still - this is quite serious, and considering the security hole wasn't found until now, is shocking to say the least.
Ubuntu, Red Hat, and Debian have all released security patches - so these Linux distributions should now be safe.