
Tech News


Self-taught hackers rule

High-Tech Bridge CEO: Better cybersecurity depends on better white-hat hackers and on governments worldwide upping the consequences for flouting rigorous security standards. Ilio Kolochenko, CEO of High-Tech Bridge, a Swiss information security company, gave the keynote address on governments' role in cybersecurity this past Sunday at the Regional Cybersecurity Summit in Oman. Before his speech, he talked with CSO about why self-taught hackers are generally superior to those who go through a formal certification program, and why compliance with cybersecurity standards will remain low unless governments make it very painful to ignore it. A recent story in The Independent said the UK Government Communications Headquarters (GCHQ), through approval of certain Master's programs, had created, "the first certified degrees for spies." Is it accurate to call a degree in cybersecurity a degree in spying? I would say not. Obviously some governments' activities may be reasonably called "spying", but we should not forget that national security experts are required to use intrusive techniques to protect the nation's interests.

AOL Mail hacked, don't open that iffy-looking email you got from an AOL account

If you've received any strange-looking emails, you might want to refrain from touching them. AOL Mail has been compromised by hackers, and people are getting tainted emails, according to PCMag. However, this isn't your run-of-the-mill case of hackers taking control of people's accounts and using them for nefarious purposes. The cyber criminals are employing a method called spoofing to fool people into opening these messages. Here's how AOL describes spoofing, according to this official blog post: "Spoofing is when a spammer sends out emails using your email address in the From: field. The idea is to make it seem like the message is from you – in order to trick people into opening it."

Bank of England to employ hackers

The Bank of England is set to employ ethical hacking and penetration testing in an effort to strengthen cyber security of banks and other financial institutions. The scheme, as reported by The Financial Times, is known as cyber threat and vulnerability management and will be overseen by the Bank of England's director of the UK's special resolution unit, Andrew Gracie. The purpose is to test the defences of more than 20 major banks against the types of attack they're likely to experience from hackers and other cyber criminals. Ethical hackers will therefore use the latest methods employed by hackers working for criminal gangs, terrorist cells and rogue states in order to examine the defensive capabilities of banks when it comes to protecting against cyber attacks. Financial services firms likely to participate in the scheme reportedly include Royal Bank of Scotland and the London Stock Exchange.

If You Used This Secure Webmail Site, the FBI Has Your Inbox

While investigating a hosting company known for sheltering child porn last year, the FBI incidentally seized the entire e-mail database of a popular anonymous webmail service called TorMail. Now the FBI is tapping that vast trove of e-mail in unrelated investigations. The bureau’s data windfall, seized from a company called Freedom Hosting, surfaced in court papers last week when prosecutors indicted a Florida man for allegedly selling counterfeit credit cards online. The filings show the FBI built its case in part by executing a search warrant on a Gmail account used by the counterfeiters, where they found that orders for forged cards were being sent to a TorMail e-mail account: “platplus@tormail.net.” Acting on that lead in September, the FBI obtained a search warrant for the TorMail account, and then accessed it from the bureau’s own copy of “data and information from the TorMail e-mail server, including the content of TorMail e-mail accounts,” according to the complaint sworn out by U.S. Postal Inspector Eric Malecki. The tactic suggests the FBI is adapting to the age of big-data with an NSA-style collect-everything approach, gathering information into a virtual lock box, and leaving it there until it can obtain specific authority to tap it later. There’s no indication that the FBI searched the trove for incriminating evidence before getting a warrant. But now that it has a copy of TorMail’s servers, the bureau can execute endless search warrants on a mail service that once boasted of being immune to spying.

Silk Road bust gave a bitcoin windfall to US agencies

The founder of the Silk Road underground website has forfeited the site and thousands of bitcoins, worth around $28 million at current rates, to the U.S. government. The approximately 29,655 bitcoins were seized from the Silk Road website when the FBI moved to close it in late September. The site served as an underground marketplace for drugs and other illegal items, relying on bitcoins for transactions because such payments are much more difficult to trace, the government says. Ross Ulbricht, also known as “Dread Pirate Roberts,” operator of the site, was arrested on October 1 in a San Francisco public library while allegedly logged into the site, according to court papers. He was subsequently charged with one count of narcotics conspiracy, one count of conspiracy to commit computer hacking, and one count of money-laundering conspiracy. The government had argued that the bitcoins were used to facilitate money laundering and thus should be forfeited along with the website. A site described as a resurrection of Silk Road was launched late in the year by other parties, although it did not claim to be fully operational. “The United States Marshals Service shall dispose of the Silk Road Hidden Website and the Silk Road Server Bitcoins according to law,” wrote Judge J. Paul Oetken, of the U.S. District Court for the Southern District of New York, in a court order that was issued late last week. The ruling represents the largest-ever forfeiture of bitcoins.

Cisco

In the first week of this year, we reported on a critical vulnerability found in more than 2000 routers that allows attackers to reset the admin panel password to defaults. Recently, Cisco released a security advisory detailing a similar vulnerability affecting three of its networking products. Cisco has rated the flaw highly critical and marked it as 10.0 on the Common Vulnerability Scoring System (CVSS). A security researcher found a secret service listening on port 32764 TCP that allowed a remote user to send unauthenticated commands to the device and reset the administrative password. Successful exploitation of the vulnerability allows the hacker to execute arbitrary commands on the device with escalated privileges. Vulnerable Cisco products are: WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security. "This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges." A similar backdoor is also present in multiple devices from Cisco, Netgear, Belkin and other manufacturers, according to the security researcher, Eloi Vanderbeken. He has also released a Python-based exploit script to automate the exploitation. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0659. Cisco has not yet patched the bug, but it is promising to do so by the end of this month.

Submitted by: Vandal