Friday, May 30, 2014

Faster LTE???

A Little Fancy Math Could Make Mobile Networks Five Times Faster

LTE might be fast, but it sure ain't fast enough. Enter new research from MIT and Caltech, which suggests that a little fancy math could boost mobile data transmission rates—by as much as 400 percent.
Network World reports that the collaboration has given rise to a new data transmission method which uses something called Random Linear Network Coding. Unlike usual transmission techniques, RLNC—as its best buddies call it—encodes each packet of data being sent using information from the previously sent packets, plus a few randomly generated coefficients thrown in for good luck, combined with some linear algebra.
That may sound uninspiring, but what's clever about it is that it can recover from errors without the sender or receiver ever retaining transmission information or having to request packets to be resent. How? Well, it simply works out what the missing packet contained from a later-sequenced packet—that, by definition, includes earlier-sequenced packets and the coefficients used to encode the packet.
Big deal, huh. But remember that a big reason for slow mobile data is the way networks deal with missing and corrupt data. With RLNC that's just not a problem, despite the fact that packets are necessarily a little larger than usual—and it's borne out in testing. Pitting conventionally encoded Wi-Fi against RLNC-coded Wi-Fi, researchers looked to see how quickly a four-minute video could be downloaded when it had a 3 percent error rate, which is not uncommon. RLNC encoding was five times faster than normal Wi-Fi. Five. Times. Faster.
Excited? You should be. RLNC has the added benefit of allowing the use of 4G LTE and Wi-Fi data streams in channel bonding applications—in other words, it can double up data streams to use them both, for the same data transfer, at the same time. And because it's all math, it can be implemented entirely in software, with no need to upgrade hardware.
The only bad news is that it's still lab-based. Hopefully MIT and Caltech change that soon. [Network World]
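To make the "linear algebra" concrete, here is an added toy model of the encode/decode loop described above; it is not code from the MIT/Caltech work. It assumes a prime field GF(257) in place of the GF(2^8) real implementations use, three constructed sample packets, and a receiver that simply decodes once it has enough independent combinations, never asking for a specific packet to be resent.

```python
import random

P = 257  # assumption: GF(257) holds every byte value; real RLNC codecs use GF(2^8)

def rlnc_encode(packets, rng):
    """Mix all k source packets with fresh random coefficients.
    The coefficients ride along in the header (the 'slightly larger packet')."""
    coeffs = [rng.randrange(P) for _ in packets]
    payload = [sum(c * pkt[i] for c, pkt in zip(coeffs, packets)) % P
               for i in range(len(packets[0]))]
    return coeffs, payload

def rlnc_decode(coded, k):
    """Recover the k sources from any k independent coded packets by
    Gauss-Jordan elimination mod P. Returns None if rank is still < k."""
    rows = [list(c) + list(p) for c, p in coded]
    n = len(rows)
    for col in range(k):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None  # dependent combinations: wait for one more packet
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], P - 2, P)  # modular inverse via Fermat
        rows[col] = [(x * inv) % P for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [bytes(rows[i][k:]) for i in range(k)]

def demo(loss_every=3, seed=1):
    """Sender streams coded packets; the channel drops every loss_every-th one.
    Returns (decoded_matches_source, packets_sent)."""
    rng = random.Random(seed)
    source = [b"pkt0-hello", b"pkt1-world", b"pkt2-rlnc!"]  # constructed sample data
    k = len(source)
    received, sent = [], 0
    while True:
        sent += 1
        coded = rlnc_encode(source, rng)
        if sent % loss_every == 0:
            continue  # lost on the air; the receiver never requests it by name
        received.append(coded)
        if len(received) >= k:
            decoded = rlnc_decode(received, k)
            if decoded is not None:
                return decoded == source, sent
```

With one loss in every three packets the receiver typically needs four transmissions to recover three source packets, and any extra coded packet is as good as any other.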

Wednesday, May 28, 2014

Half of All Americans Have Been Hacked

If you’ve felt like there hasn’t been a day in the last year without a warning of some new hack on big businesses and services you use and have had to change your passwords and keep an eye on your accounts as a result, you’re not alone — not by a long shot. A new report says about half of American adults were the victims of hackers in the last 12 months.
Hackers have dipped their fingers into the personal info of about 110 million Americans, reports CNNMoney, citing numbers from Ponemon Institute researchers. That all adds up to a total of 432 million accounts hacked, when taking into account all the various accounts held by the hacked.
It’s worth pointing out that saying exactly how many accounts have been hit by hackers is a tricky thing, and might not even be possible. That’s because many companies don’t want to fess up and reveal all the details of each breach.
But one thing we do know is that the hacks keep coming, accessing names, addresses, email addresses, credit card information, phone numbers, passwords and basically anything you’ve got out there online.
It’s that very prevalence that presents a new danger, experts warn, from something called “data-breach fatigue.” It’s that feeling of “another day, another hack, shrug.”
Now is not the time to let your vigilance slip, however, because the hacks won’t stop. The more we move our lives online, the more open we are to villains seeking to crack the system. Keep your software updated for all apps and make sure you always change your password when a service you use has been hacked. Because saying it can’t happen to you just doesn’t make sense with odds like these.
Half of American adults hacked this year [CNNMoney]

TrueCrypt Unsafe?!?

TrueCrypt's Web Site Updates with Ominous Warning, Details Unknown

TrueCrypt, one of our favorite file encryption tools, has abruptly changed its homepage to a warning that the tool may not be secure, and a detailed guide on how to migrate your encrypted data to BitLocker instead.
The update appeared earlier today, and while we haven't been able to confirm that it's authentic, it has set off a storm in security circles, on Hacker News, and over at Ars Technica. Even though the encryption tool hasn't seen a major update in ages, TrueCrypt had recently passed the first stage of a comprehensive security audit without issue. The sudden warning came as a surprise—one that a number of commenters around the web have assumed must be the work of a compromised SourceForge account or a rogue site admin. If the warning is legitimate, it might be time to migrate your encrypted files to another service or tool.
Either way, do not download the version of TrueCrypt listed on the site right now. It was compiled yesterday, according to security researcher Runa Sandvik, using a questionable DSA key. It may be compromised along with the TrueCrypt SourceForge page.
Update: Matthew Green, one of the security researchers involved with the TrueCrypt audit, notes that while he had no prior knowledge of the abrupt change, he believes that the announcement is legitimate.
Similarly, the posted version of TrueCrypt appears to be heavily modified, with critical features removed and a heavy dose of "INSECURE_APP" sprinkled through the code. Even so, it was certified with the official TrueCrypt signing key, which leads us to believe this might be the real thing. Ars Technica notes:
The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis, appears to contain changes warning that the program isn't safe to use. Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank. Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.
As more information comes to light, we'll update this post with additional details.

Simplicity and Security

Late last month, hackers allied with the Syrian Electronic Army (SEA) compromised the Web site for the RSA Conference, the world’s largest computer security gathering. The attack, while unremarkable in many ways, illustrates the continued success of phishing attacks that spoof top executives within targeted organizations. It’s also a textbook example of how third-party content providers can be leveraged to break into high-profile Web sites.
A message left for Ira Winkler by the SEA.
The hack of rsaconference.com happened just hours after conference organizers posted several presentation videos from the February RSA Conference sessions, including one by noted security expert Ira Winkler that belittled the SEA’s hacking skills and labeled them “the cockroaches of the Internet.”
Shortly after that video went live, people browsing rsaconference.com with JavaScript enabled in their browser would have seen the homepage for the conference site replaced with a message from the SEA to Winkler stating, “If there is a cockroach in the internet it would definitely be you”.
The attackers were able to serve the message by exploiting a trust relationship that the RSA conference site had with a third-party hosting provider. The conference site uses a Web analytics package called “Lucky Orange,” which keeps track of how visitors use and browse the site. That package contained a Javascript function that called home to a stats page on a server hosted by codero.com, a hosting firm based in Austin, Texas.
According to Codero CEO Emil Sayegh, the attackers spoofed several messages from Codero executives and sent them to company employees. The messages led to a link that prompted the recipients to enter their account credentials, and someone within the organization who had the ability to change the domain name system (DNS) records for Codero fell for the ruse.
Sayegh said the attackers followed the script laid out in Winkler’s talk, almost to the letter.
“Go look at minute 16 from his talk,” Sayegh said. “It’s phenomenal. That’s exactly what they did.”

Amit Yoran, senior vice president of products and sales at RSA, said the SEA often finds success by exploiting trust relationships between content providers on large Web sites. In short: targets are only as strong as their weakest link.
“Unfortunately, complexity is very often the enemy of security,” said Yoran, emphasizing that he was speaking for RSA and not for the RSA conference Web site, which is a separate entity. “If it’s a content-rich and interactive Web site, it only takes one simple slip for the site to be hacked.”
The SEA has had great success by spoofing the boss and by targeting weaknesses in third-party content providers. Last year, the group claimed credit for defacing the Web sites of Time, CNN and The Washington Post after gaining administrative access to Outbrain, a third-party system that provides “Other stories from around the Web” recommendations at numerous sites. Outbrain later acknowledged that the incident was the result of a phishing attack sent to Outbrain employees that spoofed the company’s CEO.
From my perspective, what’s truly remarkable about these attacks from the SEA is that they could be so much more damaging, and yet this group appears to do little more than use each attack to spread a propagandist message. Unfortunately, malware purveyors don’t care about propaganda, and frequently abuse trust relationships between and among Web sites to spread malicious software.
That so many high-profile Web sites are potentially vulnerable to being hacked thanks to all of the third-party content they serve is the primary reason I advise users not to browse the Web with JavaScript enabled by default. For tips on how to manage JavaScript in the browser, check out my Tools for a Safer PC primer.

IBM Servers Kicked Out of China

Report: China Wants Its Banks to Stop Using IBM Servers

Chinese and U.S. digital policies don't always see eye-to-eye, but now China's government agencies, including the People's Bank of China and the Ministry of Finance, are asking the nation's banks to remove IBM servers over security fears.
Bloomberg reports that the Chinese government is worried that IBM's high-end servers could compromise the nation's financial security. The concerns are rooted in the ongoing dispute with the U.S. over spying claims. The Chinese government is instead reported to be asking banks to remove IBM servers and replace them with new ones manufactured by a local brand as part of a trial program.
Jeff Cross, a spokesman for IBM, explained that "IBM is not aware of any Chinese government policy recommending against the use of IBM servers within the country's banking industry." But the report does align with news over the weekend from the Financial Times, which suggested that China was to order state-owned companies to cut ties with U.S. consulting firms, and the fact that the country is to vet technology companies operating in China.
Really, it amounts to a slightly schoolyard tit-for-tat argument. Let's see how far it can go. [Bloomberg]

Thursday, May 22, 2014

eBay Password Change Notice Gets Buried

eBay buries its own advisory to change passwords following database hack

Seven hours on, users still not warned that hackers obtained their personal data.

eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.
More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in a human readable format.
Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."
eBay users should be wary of anyone contacting them claiming to be eBay or any other company. They should also anticipate an increase in phishing e-mails. That means they should avoid clicking links in e-mails or discussing anything sensitive over the phone. People who use their eBay password on other sites or services should immediately change it.
The lack of timely disclosure comes two weeks after eBay's discovery that "a small number of employee log-in credentials" had been compromised. If eBay wants to restore trust, it should explain why it took so long to directly notify customers that they should change their passwords. It should also provide a more thorough timeline about exactly what it knew and when, and what the process is for making such information known to users. Plus, officials should explain what they meant in their advisory by "encrypted passwords." If that means that passwords were converted to one-way cryptographic hashes, eBay should say how resistant the underlying algorithm is to the types of password cracking techniques that have grown so common that they're now a pastime among script kiddies.

MTC - I can say that, yesterday, when I went into my account to change my password I was surprised that there was NO notice on the eBay home page about this, nor anywhere else that I could see. I did not have the problems discussed below: