Threat Level: green Handler on Duty: Didier Stevens

SANS ISC Information Security News


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Popular News

2 hours ago Do not count on password checkers to get you to a secure password

IT Toolbox Blogs View Synopsis+1
Most sites or programs now show some kind of meter trying to tell you if the password you are entering is secure. Turns out that many are wrong and there?s not a lot of consistency in rating them. No way ?Password1? is strong! Many password stre...

53 minutes ago Brute-Forcing iPhone PINs

Schneier blog View Synopsis+1

This is a clever attack, using a black box that attaches to the iPhone via USB:

As you know, an iPhone keeps a count of how many wrong PINs have been entered, in case you have turned on the Erase Data option on the Settings | Touch ID & Passcode screen.

That's a highly-recommended option, because it wipes your device after 10 passcode mistakes.

Even if you only set a 4-digit PIN, that gives a crook who steals your phone just a 10 in 10,000 chance, or 0.1%, of guessing your unlock code in time.

But this Black Box has a trick up its cable.

Apparently, the device uses a light sensor to work out, from the change in screen intensity, when it has got the right PIN.

In other words, it also knows when it gets the PIN wrong, as it will most of the time, so it can kill the power to your iPhone when that happens.

And the power-down happens quickly enough (it seems you need to open up the iPhone and bypass the battery so you can power the device entirely via the USB cable) that your iPhone doesn't have time to subtract one from the "PIN guesses remaining" counter stored on the device.

Because every set of wrong guesses requires a reboot, the process takes about five days. Still, a very clever attack.

More details.

5 hours ago Unlimited stolen Uber accounts flogged for $5

The Register View Synopsis+1
Accounts 100 percent valid, fraudsters claim

Fraudsters are flogging an 'unlimited' number of stolen Uber accounts containing personal details and limited credit card data for less than $5.

4 hours ago New .bank Domains For Sale Soon

Forbes View Synopsis+1
Sitting on the sofa in my house sipping coffee this morning and reading the news I saw a gem that leapt of the screen at me. First off, remember the good old days when we just had domains that were .com, .org and .net? Yeah, good times. Now, there is [...]

4 hours ago David Cameron's Passport number emailed to footy-head

The Register View Synopsis+1
Outlook autocomplete SNAFU sees world leaders' particulars leaked during G20 summit

Last week, Australia passed mandatory metadata retention laws, over objections that personal data should only be accessible by a very small number of people under very secure circumstances because it is is bound to leak and cause embarrassment.

Top News

1 hour ago US Used Zero-Day Exploits Before It Had Policies for Them

WIRED View Synopsis+1

A a new document sheds light on the backstory behind the development of the government's zero-day policy and offers some insight into the motivations for establishing it.

The post US Used Zero-Day Exploits Before It Had Policies for Them appeared first on WIRED.

1 hour ago GitHub battles "largest DDoS" in site's history, targeted at anti-censorship tools

ArsTechnica View Synopsis+1
HTTP hijacking is being used to redirect Baidu search engine traffic into a massive DDoS.

1 hour ago New threat intelligence report skewers industry confusion, charlatans

ZDNet View Synopsis+1
Are you getting threat intel -- or just antivirus software? A government-backed report designs a framework for threat intelligence that can be scaled to different sectors, sizes of organization, and organizational goals.

35 minutes ago PCI Council updates penetration testing guidance for merchants

SC Magazine View Synopsis+1
A recent Verizon study found that regular testing of security systems was a compliance weak point for merchants.

4 hours ago PCI Issues Penetration Test Guidance

InfoRiskToday View Synopsis+1
Experts Debate Whether Advice Goes Far EnoughExperts debate the value of new PCI guidance for how businesses should use penetration testing to identify network vulnerabilities that could be exploited for malicious activity. Does the new advice go far enough?

1 day ago Nigerian Electoral Commission Website Hacked

SecurityWeek View Synopsis+1

Nigeria's electoral commission admitted on Saturday that its website had been hacked, as the country's crucial presidential and parliamentary elections were hit by technical problems.

Latest News

2 hours ago GitHub jammed by injected JavaScript, servers whacked by DDoS

The Register View Synopsis+1
Users unwittingly add to chronic traffic congestion

GitHub's servers are being hammered by web traffic from an army of unwitting cyber-foot-soldiers.

3 hours ago Surveillance And The Encryption Boogeyman

Forbes View Synopsis+1
In January of this year, British Prime Minister David Cameron let it be known that he intended to dumb down encryption so that law enforcement could monitor all of the information streaming across the country. A direct attempt to capitalize on the Paris attacks. This was an unfortunate overture against encryption [...]

6 hours ago "‹Puush calls for password change after malware hit

ZDNet View Synopsis+1
Online screenshot-sharing service Puush is warning its users to change their passwords after it emerged that the platform had been infected with malware.

6 hours ago Starry-eyed hackers stuff Eurovision's voting app

The Register View Synopsis+1
It's only rock and roll but hackers like it

The Eurovision Song Contest has been targeted by obsessed hackers who stuffed the voting ballots during the final qualifier song performance.

7 hours ago Jailed Brit con phishes prison, gets bail

The Register View Synopsis+1
'Hi this is < name > please release < prisoner >'

A convicted British fraudster used a fake Web site and and fake identities to trick prison officers into releasing him.

8 hours ago Encrypted communication 'biggest problem' in tackling terrorism, Europol warns

ZDNet View Synopsis+1
The European agency says tracking and monitoring terrorist suspects is increasingly difficult in a world where encryption is becoming commonplace.

10 hours ago British Airways confirms frequent flyer hack

ZDNet View Synopsis+1
The airline has confirmed thousands of frequent flyer accounts have been accessed.