Qubes OS 3.1 Overview/Demo

March 20, 2016 – 10:26 AM

Here is an excellent overview of Qubes OS, which I am mostly converting over to as my everyday operating system.

What is Qubes OS? From its own website:

Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.

More information:
https://www.qubes-os.org/

Pwn2Own 2016: Chrome, Edge, and Safari hacked, $460,000 awarded in total

March 19, 2016 – 11:14 AM

Once again, major browsers fell at the two-day security contest Pwn2Own. Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year’s total was $557,500.

Pwn2Own has been held annually since 2007 at the CanSecWest security conference. The goal is to exploit widely used software and mobile devices with vulnerabilities that have not yet been publicly disclosed, in exchange for the device in question and cash prizes. The name is derived from the fact that contestants must “pwn” (another way to say “hack”) the device in order to “own” it (win it).

Of the trio, Chrome fared the best. Two attempts were made to hack Google’s browser: One failed and one was deemed a partial success. The successfully exploited vulnerability in Chrome had already been independently reported to Google, so it wasn’t given full points.

Source:
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/

Google Security Expert Criticizes Meaningless Antivirus Excellence Awards

March 15, 2016 – 7:50 PM

Over the weekend, one of Google’s top security researchers, Tavis Ormandy, published a blog post in which he criticized antivirus certification programs that award meaningless prizes to flawed security products.

His problem came from the fact that at this year’s RSA security conference held at the start of March, Verizon’s ICSA Labs awarded Comodo the 2016 Excellence in Information Security Testing Award.

The irony of this award wasn’t lost on him, nor us, if we take into account that since last December, Mr. Ormandy has been unearthing security flaws in Comodo’s Antivirus products on a regular basis.

Source:
http://news.softpedia.com/news/google-security-expert-criticizes-meaningless-antivirus-excellence-awards-501784.shtml

First Mac-targeting ransomware hits Transmission users

March 6, 2016 – 2:30 PM

A security research firm announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically goes after OS X machines.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Ryan Olson, of Palo Alto Networks, told Reuters.

The KeRanger malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin ($410 as of this writing), appears to have been first discovered via a rogue version of Transmission, a popular BitTorrent client.

For some time now, ransomware has primarily targeted Windows machines—threatening total data destruction if the ransom isn’t paid. Recently, even a Los Angeles hospital was infected, which resulted in the payment of a $17,000 ransom. In June 2015, the FBI said it had been contacted by 992 victims of CryptoWall, a similar ransomware scheme, who have sustained combined losses totaling over $18 million.

On Saturday evening, some Transmission users noticed the strange activity on a discussion board—users concluded that the 2.90 version of Transmission was infected with the ransomware. It appears that somehow the Transmission website may have been compromised as it was served via HTTP rather than the primary HTTPS Transmission website.

Source:
http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-hits-transmission-users-researchers-say/

New attack steals secret crypto keys from Android and iOS phones

March 5, 2016 – 1:05 PM

Researchers have devised an attack on Android and iOS devices that successfully steals cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other high-value assets.

The exploit is what cryptographers call a non-invasive side-channel attack. It works against the Elliptic Curve Digital Signature Algorithm, a crypto system that’s widely used because it’s faster than many other crypto systems. By placing a probe near—or attaching a special cable to—a vulnerable mobile device while it performs cryptographic operations, an attacker can measure enough electromagnetic emanations to fully extract the secret key that decrypts and authenticates data traveling to and from an end user.

“An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone’s USB cable, and a USB sound card,” the researchers wrote in a blog post published Wednesday. “Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.”

Source:
http://arstechnica.com/security/2016/03/new-attack-steals-secret-crypto-keys-from-android-and-ios-phones/