Santander 'hackers' attempt to rob bank with £10 device - Telegraph: " . . . “It sounds like an inside job, and I guess the attraction of using a KVM (keyboard video mouse) is it makes it a lot less obvious what’s going on,” said Ferguson. “If the computer in question is in the data centre – or a server room even – it’s not the kind of place where you’d see people standing around tapping away on keyboards. So installing the KVM means you can go back to your desk and look like you’re just going about your normal business.” The only way to prevent this kind of attack is to step up the amount of physical security in the building. However, if the person in question is authorised to access the data centre and install KVMs, then there is very little the organisation can do. . . ." (read more at link above)
Why fingerprints make lousy authentication tokens - Boing Boing: "This is the paradox of biometric authentication. The biometric characteristics of your retinas, fingerprints, hand geometry, gait, and DNA are actually pretty easy to come by without your knowledge or consent. Unless you never venture into public without a clean-room bunny-suit, mirrorshades, and sharp gravel in your shoes, you're not going to be able to stop dedicated strangers from capturing these measurements. And as with Schauble's fingerprints, you can't revoke your DNA and replace it with new DNA once a ripoff artist has used it to clean out your bank-account or break into your workplace."
How to foil NSA sabotage: use a dead man's switch | Technology | theguardian.com: " . . .It doesn't really matter if you trust the "good" spies of America and the UK not to abuse their powers (though even the NSA now admits to routine abuse), you should still be wary of deliberately weakened security. It is laughable to suppose that the back doors that the NSA has secretly inserted into common technologies will only be exploited by the NSA. There are plenty of crooks, foreign powers, and creeps who devote themselves to picking away patiently at the systems that make up the world and guard its wealth and security (that is, your wealth and security) and whatever sneaky tools the NSA has stashed for itself in your operating system, hardware, applications and services, they will surely find and exploit. . . . "
Spooks break most Internet crypto, but how? | Ars Technica: "...The short answer is almost certainly by compromising the software or hardware that implements the encryption or by attacking or influencing the people who hold the shared secrets that form one of the linchpins of any secure cryptographic system. The NYT alludes to these techniques as a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion." The paper went on to refer to technologies that had been equipped with backdoors or had been deliberately weakened. Snowden put it slightly differently when he said: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around" encryption. Exploiting the implementations or the people behind these systems can take many forms. What follows are some of the more plausible scenarios...."
Latest Snowden revelation: NSA sabotaged electronic locks - latimes.com: "In short, the implication of the mass of documents leaked thus far is that the NSA is not just monitoring seemingly every utterance on the planet, it is planting weaknesses in the security technology that protects legitimate online communications for the sake of decrypting illegitimate ones."
The NSA Isn’t the Only One Tracking You | McManis Faulkner - JDSupra: "ReadNotify is a paid service. There are similar services, like SpyPig and WhoReadMe, offered at no cost. Once you sign up, you create an email that is sent to the service’s server and then sent to your recipient. The emails appear to the recipient as if they are coming directly from you, but they are actually processed through ReadNotify, SpyPig, WhoReadMe, etc. The service provides the sender a report that lets the sender know the date and time the recipient opened the email. In addition, the service can also report if the recipient forwarded the email and the approximate location where the email was opened. " (read more at link above)
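Added example (not code from the McManis Faulkner article or from any of the services it names): the excerpt does not say how these read-receipt services learn that a message was opened, so the script below assumes the usual mechanism, a remote image fetch. When the recipient's mail client renders the HTML, it requests an image from the service's server, and that request supplies the open time, the client IP (hence the "approximate location"), and, via a per-message token in the URL, which recipient opened it. The Python below scans a message body for such beacons. The sample HTML, host names and token formats are constructed for illustration; the heuristics (tiny or hidden images, long hex identifiers in the URL) are an assumption about what trackers typically look like and will miss a beacon that uses a normal-sized, untokenised image.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message: an inline (cid:) logo, an ordinary remote banner,
# and two read-receipt beacons (hypothetical hosts, not real services).
SAMPLE_EMAIL = """<html><body>
<p>Hi, please see the attached proposal.</p>
<img src="cid:logo@corp.example" width="120" height="40">
<img src="https://www.example.com/images/banner.png" width="600" height="100">
<img src="https://track.example.net/open/4f3c2a9b8e1d7c6a5b4f3e2d1c0b9a88.gif" width="1" height="1">
<img src="https://rn.example.org/p.gif?id=c0ffee1234abcdef" style="display:none">
</body></html>"""

HEX_TOKEN = re.compile(r"[A-Fa-f0-9]{16,}")


def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '100%' to its leading integer."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def looks_like_beacon(src, attrs):
    """Heuristic: a remote image is a tracker if it is tiny, hidden, or carries an
    opaque per-message identifier (16+ hex chars) in its path or query string."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)

    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style

    u = urlparse(src)
    query_token = any(HEX_TOKEN.fullmatch(v)
                      for values in parse_qs(u.query).values() for v in values)
    path_token = bool(re.search(r"/" + HEX_TOKEN.pattern, u.path))

    return tiny or hidden or query_token or path_token


class BeaconFinder(HTMLParser):
    """Collects every <img> that fetches from a remote host, and the subset that
    looks like a read-receipt beacon."""

    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attribute names
        src = a.get("src", "").strip()
        # cid: and data: images are embedded in the message and cannot phone home
        if not src.lower().startswith(("http://", "https://")):
            return
        self.remote_images.append(src)
        if looks_like_beacon(src, a):
            self.beacons.append(src)


def find_beacons(html):
    """Return (all remote image URLs, those flagged as beacons) for an HTML body."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.remote_images, parser.beacons


if __name__ == "__main__":
    remote, beacons = find_beacons(SAMPLE_EMAIL)
    print("remote images:", len(remote))
    for url in beacons:
        print("beacon:", url)
```

Any remote image, flagged or not, reveals the open time and client IP to whoever runs the host, which is why the reliable countermeasure is the mail client setting that refuses to load remote content until the reader asks for it; the detector above only tells you which messages were trying.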
Exclusive: How An Army Computer Security Flaw Got Swept Under The Rug: "...Big private tech companies like Google, Facebook, and Microsoft routinely seek out and sometimes pay people like Mark who expose security flaws. Some have set up bounty systems giving any member of the public who finds and reports a bug up to $20,000. The military has no such system. If reporting to a superior goes nowhere, then in reality, there is little recourse for soldiers who discover computer security problems. They could report a bug to the Department of Defense Inspector General, which handles complaints about fraud, waste, and abuse. But that’s not an obvious avenue for computer issues. Moreover, if their superiors found out, they could face retaliation...." (more at link above)
Researchers reverse-engineer the Dropbox client: What it means - TechRepublic: "In their paper Looking inside the (Drop) box, Dhiru and Przemyslaw get right to the point: "We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented."" (read more at link above)
A redacted version of a lawsuit Amazon filed against the federal government became public, offering a look at the company’s effort to block rebidding of its lucrative CIA deal.
Amazon blasts GAO and IBM over $600 million CIA contract | Business & Technology | The Seattle Times: ". . . So when AWS won the contract to build the Web-based infrastructure for the CIA in January, IBM, a losing bidder, protested. IBM took its case to the GAO, which can review contract-bidding processes at government agencies. The GAO agreed, in part, with IBM in June. The GAO found that Amazon’s bid was technically superior, even though IBM’s bid to build the technology was significantly lower. But the GAO also agreed with IBM that the CIA did not properly evaluate IBM’s bid in a few narrow, technical matters. The CIA decided to follow the GAO’s recommendations. “In response to the GAO decision, the CIA has taken corrective action and remains focused on awarding a cloud contract for the intelligence community,” said agency spokesman Christopher White. That determination triggered Amazon’s suit against the United States last month, a suit that was sealed until Tuesday. Amazon’s central argument is that IBM’s complaints regarding the Agency’s evaluation of its pricing on one piece of the contract were untimely. And Amazon argues that IBM doesn’t have the capability to deliver the type of Web-based computing that the CIA seeks. So even if IBM’s arguments had merit, they wouldn’t affect the outcome of the contract. For its part, IBM said, Amazon had its chance to defend its bid before the GAO and lost. . . ." (read more at link above)
White House Taps McAfee CTO for Cybersecurity Post - Digits - WSJ: "Phyllis Schneck, a vice president and chief technology officer for the public sector at McAfee, a unit of Intel, will start in early September as the deputy undersecretary for cybersecurity, a DHS official said. Homeland Security takes a leading role in protecting U.S. networks from foreign and domestic hackers. She steps into a position that has had an active revolving door lately. Her predecessor, cybersecurity veteran Mark Weatherford, stayed in the job for less than 18 months and left in April. His interim replacement, Bruce McConnell, announced his departure in July."