iPhone ATM PIN code hack

There is now a way from people to steal your ATM PIN code. All it takes is a add on to your phone. What this add on does is that it makes your camera on your phone inferred. This means that you can now see the heat signature’s of things through your camera. How this is a problem is that after someone types their PIN in a ATM if you walk up and take a picture of the keypad with this inferred camera you can see what keys they pressed before they left. You can also tell for the most part in what order the keys where pressed by how bright the color that is left. There is only 2 ways that you can protect yourself from this. One thing that would make this difficult would be if the PIN had the same number in it 2 or more times. The other would be rub you hand on the keypad after you are done putting in you PIN so that the heat of your hand would get on all of the keys making it impossible to know which ones you really used. There is a 80% accuracy if the image was taken right after the PIN was typed in. After 1 minute there is about a 50% of getting the PIN right. The case that has the infrared camera on it is only about 200$ and you can get it at any Apple store. Also this does not work on metal keypads because it reflects and dissipates the heat to fast. Rubber and plastic keypads work the best for retaining the heat signature.

Google to Begin Phasing Out SHA-1

On September 5th, Google announced that it will begin ‘sunsetting’ the SHA-1 cryptographic hash algorithm.  This algorithm was designed almost a decade ago in 2005 and Google is now telling the world that it has not withstood the test of time.  SHA-1 is currently used in SSL encrypted certificate signatures for HTTPS.  This allows a website to encrypt your connection to the site and verify that the site you are connecting to is genuine.

In its statement, Google cites the ease and affordability of collision attacks against SHA-1 for the decision to phase out the algorithm.  Basically, this means that Google is worried that nefarious individuals will engineer certificates that produce the same SHA-1 hash as the legitimate HTTPS certificates.  This would allow these individuals to pose as a legitimate site, such as facebook.com, in order to scam, phish, or infect users.

How will this problem be fixed?  In the short term, Google will soon be changing the visual security indicator for HTTPS in Chrome to alert users of the issue.  Additionally, Google is looking towards the successor of SHA-1, SHA-2, to replace the outdated cryptographic hash algorithm.  SHA-2 provides substantially more security and is supported by nearly every current operating system and browser.  Google also is not alone in this fight: both Microsoft and Mozilla have announced plans to move away from SHA-1 in the future.

-Tyler Zimmermann

Sources:

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

Chinese Authority Intercepts Information Between Google and CERNET

        In China they have many large websites / search engines blocked for the use of their citizens such as Google. But seeing the value that Google presents the Government set up a nation wide system called CERNET (Chinese Education and Research Network) to allow students, teachers and researchers to access the resources Google can provide. In recent weeks students and teachers that use CERNET have reported that their searches have returned with errors such as “Invalid SSL certification”. The company in charge of CERNET’s security is called GreatFire. After they had shared their findings with another security based software company named Netresec, they concluded that these attacks are similar if not identical to the Man in the Middle attacks the Chinese government used on GitHub (A developer site) last winter. Upon looking into the mater with more detail they have found that the Chinese government was using these “MitM” attacks to get into the CERNET system and block “Harmful” search inquires.

Here is the article where I got my Information:

http://thehackernews.com/2014/09/government-accused-of-intercepting.html

Twitter pays bounties for vulnerabilities

Recently Twitter has stated on HackerOne that they will pay people a fee for finding vulnerabilities in there website, their app, or anything that could threaten Twitter. People have to register with HackerOne and submit their vulnerability so it can be reviewed to see if it will qualify as a legitimate threat. The minimum bounty is 140$, there is no maximum and bounties will be determined based on the significance of the vulnerability. 

This a good move by the company to help keep there business safe, people can do this legally and get paid for it, so it helps take away some of the motive for people doing it beforehand. It’s still in its beginning stage, so there’s no telling if this will turn out to be a good or a bad thing. We will have to sit back and watch. 

https://hackerone.com/twitter

 

posted by,

Cameron Clark

 

Business and Enterprise Security Concerns with Remote Users/Workers

In this new modern age remote users are be becoming more and more popular.  It now only takes a few short clicks and you can be logged into a system anywhere in the world. But with new access and convince for employees comes new access and accessibility for attackers.  Having remote users effectively increases the “attack radius” and probability of being attacked as employees, information, and devices are spread across the globe requiring an increase in security policies, training and reviews to ensure maximum protection against threats.

Full Article:

http://smallbusiness.yahoo.com/advisor/addressing-enterprise-security-concerns-remote-workers-193011960.html