Edward Snowden received a prestigious CHAMPION OF FREEDOM AWARD at EPIC. Bruce Schneier had the honor of presenting the award at the EPIC dinner.
Vodafone, one of the world's largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond.
The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.
A new and dangerous variant of the original CRYPTOLOCKER (which brought an estimated $23 million to the bad actors) is on the loose. This malicious software is infecting machines through advertisements found on major sites such as Facebook, Disney, The Guardian and many others. The software gains final entry to a system via UNPATCHED software such as Flash, Internet Explorer, Java or Silverlight. Once a machine is infected, your most commonly used documents become encrypted/useless until you pay a ransom.
As part of our Systems Management Program, we automatically patch third-party software; this is only one layer in our multi-layer approach to managing systems and network security. With Cryptowall exploiting unpatched software, this is yet another reminder of the importance of updating/patching your software and having a reliable backup solution in place.
Ever visit a website and receive a popup "ONLY SECURE CONTENT IS DISPLAYED" or see a broken padlock next to the URL of the site? This occurs when visiting a site using SSL (usually indicated by HTTPS at the beginning of the URL) when not all of the content on the site/page is delivered through SSL. Unfortunately this is commonplace and usually a result of negligence on the site owner's end; however, it has also been noted that when a user's browser/system is "infected", the malicious software will inject advertisements into the websites being viewed, also resulting in a MIXED CONTENT WARNING. In any case, this breaks the SSL connection between you and the website, defeating the purpose of using SSL to begin with. Should you ever receive these warnings while visiting a financial website or your email provider's "webmail", DO NOT PROCEED! Most if not all banking sites will never deliver content via HTTP but strictly HTTPS. It is advised to check your system for malware. A non-HTTPS connection means that everything between you and the website is being sent in the clear, including passwords/usernames, personal information, etc.
A recent article posted at Qualys Security Labs suggests that this "problem" is the easiest way to break SSL.
Are you a site owner trying to fix this? The first step is to determine exactly which content is being delivered via HTTP rather than HTTPS. A very useful site for showing non-HTTPS links being loaded can be found here. Simply enter your site's URL and all the links on that page will be displayed. This will narrow down exactly which link(s) are causing the problem. If you require assistance, please contact us.
We believe ALL internet websites should implement SSL. The EFF (Electronic Frontier Foundation) started an HTTPS campaign back in 2011. By implementing SSL (regardless of whether you're collecting personal information on your site or not), you are helping to protect users' privacy and freedom. Begin by purchasing an SSL certificate. We can assist in converting your current site over to FULL TIME SSL.
Other useful tools:
It seems everywhere you go to purchase something, whether online or onsite, there is a request for your personal information. While some information such as your payment details is obviously required (unless paying cash), much of the requested information is not. Many businesses use this information to keep you informed of store sales etc. While it is nice to stay "informed" on any potential money savings, much of the information requested has nothing to do with keeping you informed. Data is big business; the more accurate data a business has, the more it is worth. It is surprising that most people give this information up without question, all under the guise that you will save money. Do you get a lot of junk mail? How about email spam? You can blame your willingness to provide your information without question.
Many small businesses are venturing into email campaigns etc. with no intention of spamming you or "selling" your information; they simply want to better their bottom line. Many larger businesses have ventured into data brokering, buying and selling your information. It is one thing to simply provide an email address, but your phone number, your physical address, your full name?
With all of the data breaches or "hacks" occurring (large company breaches), one must question small businesses. Many small businesses do not have a dedicated IT team or professional, but instead a DIY (do-it-yourself) type, which opens the door for all kinds of problems. Of course many small businesses do not have a budget to dedicate towards their IT infrastructure; they have gone this long, so why start? One example: a small local business we dealt with fell victim to a "virus" which gave the perpetrator unfettered access to confidential customer information. This small business has been in business for many years with a lot of confidential customer information
The very popular software used by millions for encrypting data has apparently halted development and is advising users to migrate to something different due to "potential security concerns". While this is breaking news, at this time it is hard for many to believe. Some are guessing that a defacement of their website www.truecrypt.org has occurred; some suggest a disgruntled developer. An analysis of the software version (mysteriously released yesterday) has shown that the same key was used as for previous software releases. The latest software release does not allow you to encrypt anything, only decrypt.
Worth noting:
At this time, it is advised not to download or use the latest version found at truecrypt.org. It is also advised not yet to migrate away from any existing instance you may be running. Until a "tool" is released, or the audit finds a big hole that exploits TrueCrypt, making it almost useless, it remains one of the best encryption tools out there. If however they were forced to insert a backdoor of sorts (via court order) and this is his/her/their way of letting everyone know (which would explain the bizarre recommendations), then by all means we will stop using it. Until more info is released, we are staying still.
More info: Ars Technica | Slashdot | Krebs on Security | Reddit | Cory Doctorow