The CHANI Project Conspiracy Forum

Cyber-security 101 Information thread


The Firefox add-on Dark Side of the Prism: the creator's page for it

I have just tried to use it....and turned it off straight away to save my sanity.

There are 7 reviews made on it already, most of them talking about the same issue and wanting to get rid of the music.....Though that was a part of the creator's cool intention in the beginning....

I guess he didn't think there would be 2 or more watched SECTIONS appearing on one page, either, when he created it in 4 hours...the music starts to have a delay effect and if you have different routes being tracked by Prism, it plays different tunes so it starts sounding insanely busy and messy. But in my case, it was just sheer too many webpages which were picked up by Prism being opened.

"Dark Side of the Prism" is a Firefox Add-on that provides a soundtrack for our surveilled internet meanderings.

The public recently learned that the US National Security Agency's on-going internet surveillance program, Prism, collects data from users of major websites.

Many of us already know that any data we might share-- not just Facebook posts, but our search and click pathways and histories-- could be compromised, but we do so anyway. We have normalized this ubiquitous surveillance.

"Dark Side of the Prism" uses Pink Floyd's aural prism (Dark Side of the Moon) as a playlist to the NSA's tracking efforts, serving as an auditory reminder of how our online activities are surveilled. What hypochondriac questions do you Google in the middle of the night; who do you cyberstalk? Consider those missives the lyrical component to our soundtrack.

Download the add on from Mozilla:


Grab the code and/or download the Add-on on Github:

https://github.com/jblinder/DarkSideOfThePrism



Soooo, I promised a few that one day once I drank enough I would be a lil more forthcoming with some info...sorry for the delay (da wife has been really pushing for clean living lol) I don't even remember the thread ...think it was the one nex was a tad tipsy and info was a flowing:

Let me start by saying that I personally think this thread should be pinned due to its valuable info and I deserve a pinned thread, I'm a pretty stand up guy and one pinned thread isn't asking too much is it? Where is the luv?

Anywho, down to da nitty gritty:

Some background about moi (I deny anything once I post this BTW): I work for a global major telecomm/ISP. My actual job title (recently updated) says Coordinator Network Security for Legal/Privacy and Compliance. In actuality it's Cyber Security/Network Intelligence (pay attention to that last part kids). I have a Security+, CCNA, CISSP (in progress), CEH, CHFI, and a BS in IT (emphasis on Security - in progress), and several courses that don't have certs but are in line with the others. A VIP/Exec once asked what we do and I responded "we catch the stupid". Basically, smart or dumb ppl doing stupid stuff. We have several high end expensive systems that do the mechanical/bulk filter of events. What's left I and my team review. Everything from email to file transfers (FTP).

This is all primarily internal...however with a short script command to the company routers we can see customer data (usually business) but personal individual stuff too.

This happens when (usually) an FBI special agent puts in a written request. No friggin court order, just a special agent warrant. NSA doesn't do it, they request the FBI do it, and they do.

I have caught mostly ppl violating company code of conduct, industrial espionage (spies), pissed employees posting stuff, porn addicts and in the last 4 years 3 cases of child porn (yes they were convicted and are serving the MAX penalty; sorry, won't discuss this one further).

We have taps all thru out our network and so does every other telecomm/ISP in the world!

We have everyone's content, not just employees', which is my department's main focus to verify. With CALEA requests I am able to read them.

Recently the FBI found out that my dept monitors EVERYTHING going out that the system flags and guess what? The recent NSA flap with data requests? Well we determined that since our records go back 12 mo. at this time that we saw NSA/FBI/DOJ requests for phone records EVERY 60 days on the same numbers. I'll give ya 3 guesses WHOSE #'s and the 1st 2 don't count.

<sorry need a refill lol>

here is another lil tidbit to know, All the info this Snowden guy has released.....not only is it no big breach but A LOT of people in my line of work already knew (not assumed but knew) that the NSA was already doing it, especially since they need the cooperation of the telecomms and ISP companies. He actually hasn't released NOTHING but a distraction! Sure we got names like PRISM and....crap I forgot the other one, but it comes down to the fact that the info he has released is USELESS!

Use ya'll's common fricken sense here! They don't need the phone company to supply the contents of every phone call, since as a SIGNALS intel agency they already have it! All they need is the date/time/number and BAM they got u by the short and curlies!!

Anyways back to me, in a nutshell I read employees' email and file transfers. If they use the corporate email it's a piece of cake. If they use something like Google using https...still a piece of cake since we use IronPort email routers that temporarily strip the encryption to read the destination header then re-encrypt to send it on its way....guess where our taps are?

Does the NSA have a direct connection into our system? Nope, I'm 98% sure of that. They just ask us to supply the information since WE already have the taps and can see the data (phone or intardnet). They have the same deal with all other US telecoms/ISPs and even worldwide. The ones they don't, well, they install their own taps somewhere in the system..

As do most Gubymints.

There is more, oh so much more.

The reason I'm drinking on a Wednesday night? I stumbled upon an employee uploading and downloading child porn. I gathered the evidence in accordance with procedure and turned it over to the authorities. Not only did this piece of genetically defective evil scum of the earth worm LOOK at CP, he also was a child molester. Fortunately the SAIC (FBI) was sympathetic and understanding and let me vent for 2 hrs about all the slow and painful ways I wanted to make him pay, all off the record I guess you could say (the agent was impressed with my creativity and a little shocked as well)

The POS was arrested and had a few umm accidents going from the office to the jail :)

(Sorry, just needed to vent the last paragraph)

I have seen soo much and at times I am so very tired, I hold very little hope for humanity...

So until I pass out or have to go to work tomorrow, I will answer any questions you have that I actually know the answer to. Sorry but once at work tomorrow I can't answer anything regarding most of the above... but, until then, ask and you will receive (you may not like the answer tho)

And can I get a pin?!! even for just a short while? is it toooo much to ask?  8)


interesting reading


But as The Wall Street Journal points out, the NSA actually turned to Hadoop precisely because it couldn't out-innovate the open-source community. So while it may change the Hadoop code to make it more applicable to the NSA's needs, doing so establishes a fork that takes it beyond the mainline community code, making it harder for these government agencies to leverage the apparently superior efforts of the open-source community.

That said, the U.S. government hasn't been content to sit back and wait for the open-source community to build out Hadoop. In-Q-Tel, the Central Intelligence Agency's (CIA) investment arm, is an investor in Hadoop vendor Cloudera. (Disclosure: In-Q-Tel is also an investor in my company, 10gen.)



(BTW these are Israeli companies AKA a foreign power!)...just an FYI







Well, I'm sleepy....and got a great buzz going so I'll answer any general questions tomorrow....more specific ones I'll try to address tomorrow night...central daylight time....you guys do the math, it's just too much for me ATM LOL  :-\ 8) :P


Thank you wildcard for all the great info you have provided on this thread, and for your willingness to help or advise those who don't understand the inner workings of some things as well as you do.  Sorry to hear you had such a bad day yesterday, and sincerely hoping you had no leftovers this am.




Is your employer, school, or Internet provider eavesdropping on your secure connections?

Secure browser connections can be intercepted and decrypted by authorities who spoof the authentic site's certificate. But the authentic site's fingerprint CANNOT be duplicated!


Visit the link above and follow the instructions...


I'm putting this here since I don't want to start a whole new thread. This is how the IT security profession (and yes FYI I am one) views the whole NSA data collection practice.


A majority of Americans who don't understand security find the National Security Agency's use of secret court orders to collect phone and email data acceptable. IT professionals, however, see things differently.

When the Washington Post published the results of a Pew Research poll on the subject last month, it concluded that most Americans (56%) accept NSA data collection, even at the expense of privacy, as a defense against terrorism. But it didn't characterize its 1,004 survey respondents as ignorant about computer security.

Stu Sjowerman, CEO of security training firm KnowBe4.com, did so indirectly. He posed the same survey questions, via SurveyMonkey, to more than 1,500 IT professionals — people who do understand computer security — and came to the opposite conclusion. In Sjowerman's survey, some 70% said the NSA's actions were unacceptable, compared to 41% in the Washington Post-Pew survey.


Sjowerman, in a phone interview, said he decided to replicate the Post-Pew survey because he "didn't think that people really understand the implications [of the NSA's data gathering], especially long term."

There are two major issues. "One, if you do this kind of dragnet long-term," said Sjowerman, "you're creating a profile of everyone in the U.S. That is totally, as far as I'm concerned, violating the Fourth Amendment. Two, the U.S. government doesn't have a very good record of keeping everything secure. There will be data breaches."

Some 654 respondents offered a written explanation of their thoughts on the matter. Their answers for the most part echo Sjowerman's views.

"Too many law enforcement agencies have demonstrated they cannot be trusted and often put themselves above the law to achieve their goals," said respondent #4. "Those goals are not always in the best interests of citizens, but more often seem to favour large corporations or the rich and powerful."

Respondent #231 wrote, "Law enforcement officials do have a legitimate need to access some private information and communication, but such access must always be authorized beforehand by a properly executed warrant, limited to a very specific scope and duration, conducted under the oversight of the judge who issued that warrant, and cannot be done off record under a veil of secrecy. The rights of the people must not be trampled under a stampede towards security."

There are other viewpoints too, some who gladly surrender their privacy for what they perceive as security and others who see negligence in the intelligence community and its contractors for allowing Edward Snowden, the 29-year-old fugitive whistleblower responsible for exposing the scope of the NSA's activities, access to so much information.

But the takeaway here is that all surveys are not created equal. It's doubtful anyone would seek surgical advice from bar patrons, parachuting instruction from preschoolers or nautical knowledge from those who shun the sea. Asking average Americans their views on NSA data collection just isn't good enough. Some domain experience is necessary to reach an informed conclusion.

And not all questions are created equal. Consider this question, posed both by Pew and Sjowerman: "As you may know, it has been reported that the National Security Agency has been getting secret court orders to track telephone call records of MILLIONS of Americans in an effort to investigate terrorism. Would you consider this access to telephone call records an acceptable or unacceptable way for the federal government to investigate terrorism?"

The problem is that once you throw "terrorism" into the mix, the discussion ends. Only terrorists support terrorism, right? But as others have noted, the chance of being killed in a terrorist attack is extremely low. Reason in 2011 put it at one in 20 million, noting that in the past five years a person would be four to five times more likely to be killed by lightning than by a terrorist. (The recent Boston bombing may have shifted the odds a tiny bit.)

Would the average American be as accepting of the NSA's data gathering if the stated reason were to protect people from a bolt from above? Or imagine a much more hostile U.S. administration. Recall that President Nixon kept an enemies list. With the data squirreled away on NSA servers, imagine what one could do.

Then again, imagination is the real problem here. We imagine a fearful world. We might be better served if we imagined less and listened more to people with real-world privacy experience. To understand the relationship between security and privacy, we should pay more attention to IT professionals and spend less time asking loaded questions. We can find a balance without throwing away the Constitution.


And Here is some more insight....

NOTE: I put in bold some very important parts that you should all understand.


"Your privacy is our priority." So goes the tagline for Microsoft's marketing campaign launched in April.

While it's a worthy sentiment, leaked National Security Agency (NSA) documents show that the U.S. government agency has a different priority: Direct access to all Hotmail and Outlook.com emails, as well as all audio and video communications handled by Skype, which has an estimated 663 million global users.

The documents, which were leaked by former NSA contractor Edward Snowden, were first cited Friday -- but not published in full -- by the Guardian.

The leaked information shows the extent to which Microsoft -- and by extension other technology giants, including Google and Facebook -- have worked with the FBI, which serves as a liaison between technology companies and the NSA. One result has been to give the NSA and CIA direct access to their systems, as part of the so-called Prism program, amongst other court-ordered U.S. surveillance efforts.


The documents demonstrate that access to Microsoft's systems by U.S. intelligence agencies isn't superficial. Indeed, an internal NSA memo cited by the Guardian said that Microsoft's switch to a new Outlook.com encryption system in February wouldn't interrupt the agency's free access to encrypted emails or chat sessions. "For Prism collection against Hotmail, Live and Outlook.com, emails will be unaffected because Prism collects this data prior to encryption," it said. A similar system now also appears to be in place for Microsoft's SkyDrive cloud storage service.

According to the referenced documents, Microsoft's work with the NSA to allow it to intercept Skype communications began in November 2010. The company was then ordered on Feb. 4, 2011, in a directive signed by the attorney general, to comply with the program. Two days later, the NSA began collecting Skype communications, although technical challenges appeared to prevent the agency from being able to reliably record video. By July 2012, however, that challenge had been surmounted, and the volume of intercepted video rapidly increased.

In Microsoft's defense: Legally speaking, there's little, if anything, it could have done differently. Furthermore, Microsoft officials are legally prohibited from discussing the contents of Foreign Intelligence Surveillance Court orders, with which they must comply or risk going to jail.

A Microsoft spokeswoman, in an emailed statement, said: "We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes."

Microsoft also said its participation was contingent on the law enforcement and national security information requests being legally sound as well as targeted. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate." That disclosure refers to Apple, Facebook, Microsoft and Yahoo having detailed the number of requests they've received for customer data from the U.S. government, after requesting and receiving permission to do so from the Department of Justice.

Intelligence officials emphasized that U.S. businesses have a legal responsibility to comply with court-ordered requests to furnish information on their customers and users. "The articles describe court-ordered surveillance -- and a U.S. company's efforts to comply with these legally mandated requirements," said Shawn Turner, the director of public affairs for the Director of National Intelligence, and Judith Emmel, the director of public affairs for the NSA, in a joint emailed statement. "The U.S. operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy."

"In practice, U.S. companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the U.S. and other countries in which they operate," they said.

But Microsoft's hands remain tied when it comes to the company being able to explain exactly how it must comply with law enforcement and national security information requests. Accordingly, Microsoft and Google, working with a number of privacy and civil liberties groups, Monday filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking to lift the gag order that prevents them from discussing how they furnish data to the NSA. Yahoo, meanwhile, demanded in a Foreign Intelligence Surveillance Court filing that the court publish its legal argument against a key 2008 case in which Yahoo was compelled to participate, saying it would show the technology company "objected strenuously" to the NSA's data-capture demands.

Microsoft's statement also suggested that the company hasn't been able to tell its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues," it said.

FYI - If you encrypt BEFORE you send your email out (like in Outlook) then they can't read it, but, as stated above in the bolded section, if you rely on https (the s being a secure connection) then they can read it since they collect BEFORE the encryption happens.


All your points are good and help a lot those of us who don't know much about computers.


Without physically going thru the logs on your PC/laptop I can only make an educated guess. Most likely you got some malicious software from a website, possibly due to a re-direct or cross site scripting. Also you seem to have either had remote desktop software maybe bundled on your laptop or it was a drive-by install; this can happen on some websites where you don't see anything but in the background software is being installed, or it could have come in an email....these are just guesses but, in truth, that was then; what you need to do is protect yourself NOW.
I have no doubt that your healer is awesome and their blessings help, especially with the spirit world; however when it comes to cyber security you need to take a proactive LAYERED approach...actually even with things beyond the "normal" world we see you should do this but, that's another discussion.

I put together a little list that will help and strongly encourage EVERYONE to use or use something similar.

PC/Laptop protection:
Anti-virus protection!  don't matter who you use (I use AVG paid version but free is just as good) you absolutely positively MUST keep the virus definition files up to date AND actually let the AV software run its scans...DAILY full scans not the short lil quick scans!

Anti spyware: windows defender, spybot search and destroy (awesome), spyware blaster, Adaware (good but can block stuff you want to get thru so might need tinkering). BTW not one of these but SEVERAL since no anti spyware catches 100%. Again run regularly and if using spybot make sure to use the immunize feature.

Firewall: software version, Windows firewall (IMNSHO just isn't beefy enough) get one and use it (I use AVG)
Firewall: Hardware, most routers have a built in firewall...USE it! When it comes to firewalls its like Ian Mcshane...ya just cant have enough Ian!! (great actor BTW)

File and/or hard drive encryption. I encrypt my main hard drive; I use a separate SSD drive for gaming and browsing with encrypted files on it.

Email scan: scan ALL incoming email BEFORE you open it, even if its from a trusted source since they may have been compromised!

Passwords: Personally I keep all my passwords in KeePass Safe (free to use). It encrypts passwords using 256 bit encryption, I only have to remember 1 master password and it has some really cool features like a password generator, and login shortcuts where it fills in your login info for you using a certain keystroke command that you can specify.

Best practice security stuff: Keep financial and personal info on a separate drive (even a USB drive), make backups and keep them encrypted and stored somewhere other than your hard drive. I don't use Carbonite but I hear good things.

I use either Firefox and/or Chrome...I got burned too many times with IE so I simply don't use it.
You should get some very helpful extensions and use them in both browsers-
Adblock plus (cant live without it!) I know Aco has ads on here but, the only time ever saw one was when I turned this off..when on ...no ads (sorry Aco!)
LastPass: I use this in conjunction with LastPass, it stores your passwords on a secure server. I use this for forum logins, news sites etc. NOT for banking or financial...yeah I trust them to a point..I'm still paranoid and that can be a good thing, my shrink told me soo!!
WOT: helps you find trustworthy websites with user participation. Really nice when doing those deep web searches
NoScript: STOP those nasty scripts BEFORE they can run in your browser
Ghostery: Protect your privacy. See who's tracking your web browsing and block them

That should help, when you start looking at the various addons for your browsers its always gonna be a tradeoff between performance and security.
here is the link to firefox's addon page for security:

Chrome Extensions (sorry no security direct links, ya gotta search):

Always remember no security, no matter how advanced, is 100%, so come at it with a layered approach: if they get past one layer then hopefully the next layer will either stop them or slow them down enough to give you time to take action. Hope some of this helps



Wildcard, can you recommend an email provider given recent developments? Ixquick and Startpage are both developing email services, any thoughts on these two as possible providers?


You think you are safe?...you are NOT

From- http://searchsecurity.techtarget.com/news/2240203039/Black-Hat-2013-Experts-urge-elliptical-curve-cryptography-adoption (sorry ya gotta sign up for free to view)




Crypto experts speaking at the Black Hat USA 2013 conference yesterday said there's a real -- though perhaps not overwhelming -- possibility that much of the Internet's encryption will soon become completely unraveled. This grand unveiling of secrets, they contended, could arrive within a handful of years. To avoid what they jokingly called a "Cyber Pompei," they strongly encouraged a switch from algorithms based on the Diffie-Hellman and RSA systems to elliptical curve cryptography.

The Diffie-Hellman scheme, first published in 1976, allows for secure exchange of secret keys -- a step critical for broad use of symmetric-key cryptography -- and is based on the computational difficulty of solving the discrete logarithm problem (DLP). The RSA algorithm in turn derives its secrecy from the difficulty of factoring the products of very large prime numbers.

Noting that many "surprises" to the general security community where crypto is concerned are presaged by papers appearing in academic journals several years prior, Alex Stamos, chief technology officer of San Francisco-based Artemis Internet Inc., pointed out that there have been important breakthroughs in solving the DLP problem over the course of this year. These breakthroughs come following roughly thirty years of relative stagnation, and the sudden increase in the speed at which DLP solutions can be processed has galvanized the academic cryptography community.

Tom Ritter, a researcher with San Francisco-based iSEC partners, explained there are four basic steps to solving a discrete log equation, and improvements have been made in all four. While solving this sort of problem is not the same as factoring the product of two large primes, there are enough similarities that it's reasonable to suppose a significant further breakthrough in DLP would lead to corresponding breakthroughs in the factoring problem. "When we improve one," Ritter said, "we tend to improve the other in short order."

"We are not saying this is definite," Stamos said. "What we're saying is that if you look at things right now, this is kind of like we're at the movie and the general has just run up the stairs into the Oval Office and has given Morgan Freeman the picture of an asteroid that has a 10% chance of hitting the Earth. This is the crypto equivalent of the asteroid hitting the earth."

"Our conclusion is that there's a small, but definite chance that RSA [and similar cryptosystems] will not be useful for security purposes within the next two to five years."

And it could happen fast. "One of these guys could be sitting at a whiteboard, have a breakthrough, throw it out over the crypto mailing list … and all of a sudden RSA and Diffie-Hellman fall immediately all over the world. The moment that breakthrough happens, there's very little implementation work that needs to be done."

The solution, the team said, is to jump ship and move to elliptical curve cryptography (ECC) before the actual fall of RSA and Diffie-Hellman. This is doable: ECC is implemented on most desktop and mobile platforms, the speakers noted. But many of the implementations are quirky and not well exercised, because in almost every case where ECC might be used in normal scenarios, the software defaults to use RSA. Furthermore, there are some patent issues that might create licensing issues for some ECC adopters: Stamos made a direct call to BlackBerry to "do the right thing for the world" and issued a statement that they would not make patent infringement claims against ECC implementers and adopters.

The NSA has blessed a collection of encryption algorithms called "Suite B" that includes several standards based on ECC. Notably missing are RSA and Diffie-Hellman, suggesting that perhaps the NSA sees the writing on the wall where those two are concerned. "A very interesting data point," Stamos said, "is that when it was time to sign .RU, the Russian government refused to allow RSA to be used."

After the session, both Ritter and Stamos acknowledged that it was at least possible that either the NSA or Russia had already made the breakthroughs this talk predicted. And there's a precedent for that, too. Though this wasn't mentioned in the session presentation, the Diffie-Hellman key exchange protocol, while published by Diffie and Hellman in 1976, had previously and independently been discovered by researchers at Government Communications Headquarters (GCHQ), the British equivalent of the NSA. One of the British researchers, Clifford Cocks, also discovered the RSA algorithm prior to the RSA crypto team. GCHQ kept it all under wraps.
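The article above argues that Diffie-Hellman stands or falls with the discrete logarithm problem, and that once a cheap DLP solver exists there is "very little implementation work" left. As an added illustration (not code from the article, the speakers, or this post), here is a toy Diffie-Hellman exchange in Python with a baby-step giant-step discrete-log solver: the eavesdropper only ever sees the public values and still computes the shared key. The prime, generator and key sizes are constructed toy values chosen so the solver finishes instantly.

```python
"""Toy Diffie-Hellman plus a baby-step giant-step (BSGS) discrete-log solver.

Constructed example with deliberately tiny parameters. BSGS costs about
sqrt(group order) time and memory: trivial for this 31-bit group, hopeless
for the 2048-bit-plus primes real deployments use. A genuine DLP breakthrough
would replace bsgs() below with something fast; nothing else would change.
"""
import math
import secrets
from typing import Optional, Tuple

# Constructed toy group: p = 2^31 - 1 is prime and 7 is a primitive root mod p,
# so every element has a unique discrete log modulo p - 1.
P = 2_147_483_647
G = 7


def dh_keypair(p: int, g: int, priv: Optional[int] = None) -> Tuple[int, int]:
    """Return (private exponent, public value g^priv mod p)."""
    if priv is None:
        priv = secrets.randbelow(p - 2) + 1      # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_shared(their_pub: int, my_priv: int, p: int) -> int:
    """Shared key each side derives from the other's public value."""
    return pow(their_pub, my_priv, p)


def bsgs(g: int, h: int, p: int, order: int) -> Optional[int]:
    """Solve g^x = h (mod p) for 0 <= x < order by baby-step giant-step.

    Returns None if no solution exists. Work is O(sqrt(order)).
    """
    m = math.isqrt(order) + 1
    # Baby steps: remember g^j for every j in [0, m).
    table = {}
    e = 1
    for j in range(m):
        table.setdefault(e, j)
        e = e * g % p
    # Giant steps: walk h * (g^-m)^i and look for a hit in the table.
    step = pow(g, -m, p)                         # modular inverse of g^m
    gamma = h
    for i in range(m):
        j = table.get(gamma)
        if j is not None:
            return (i * m + j) % order           # h = g^(i*m + j)
        gamma = gamma * step % p
    return None


def eavesdropper_recovers_secret(p: int, g: int, pub_a: int, pub_b: int) -> Optional[int]:
    """A passive observer with a cheap DLP solver: take the log of Alice's
    public value to get her private exponent, then finish the exchange
    exactly as Bob would. Only public data (p, g, A, B) goes in."""
    priv_a = bsgs(g, pub_a, p, p - 1)
    if priv_a is None:
        return None
    return pow(pub_b, priv_a, p)


def demo() -> Tuple[int, int]:
    """Run one exchange and return (key the parties agreed, key Eve computed)."""
    a, pub_a = dh_keypair(P, G)
    b, pub_b = dh_keypair(P, G)
    k_alice = dh_shared(pub_b, a, P)
    k_bob = dh_shared(pub_a, b, P)
    assert k_alice == k_bob                      # the exchange itself works
    k_eve = eavesdropper_recovers_secret(P, G, pub_a, pub_b)
    return k_alice, k_eve


if __name__ == "__main__":
    real, stolen = demo()
    print(f"agreed key {real}, eavesdropper got {stolen}, match={real == stolen}")
```

With a 2048-bit prime the same bsgs() call would need roughly 2^1024 steps, which is the whole security argument; the worry in the article is an algorithm that shrinks that number, not bigger computers.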


Wildcard, can you recommend an email provider given recent developments? Ixquick and Startpage are both developing email services, any thoughts on these two as possible providers?

Sorry for the late reply, with a couple of companies that provided encrypted email services shutting down due to refusal of NSA demands it stands to reason that the ones that are still open for business are cooperating with NSA or other gubymint agencies and WILL hand over your encrypted emails sooo at this time I can't endorse ANY email service. The best you can hope to do is encrypt it yourself before sending it off into the wild blue yonder.


Wildcard, do you have any thoughts on Safari?

When I do I get a Headache! :rolleyes:

honestly tho it is not so much MORE secure than Chrome or Firefox. It's that it is less prevalent than those 2 and therefore has not been targeted as much. Personally I use Chrome at home and FF at work (always keep 'em current and patched!)

(NOTE: I didnt even mention IE...) ;)





LAS VEGAS–The Black Hat conference is one of the best opportunities each year to see new and innovative research, commune with some of the smartest folks in the industry and generally get a sense of where things stand and where they’re going. This year’s conference was one of the larger in history, both in terms of number of attendees and volume of presentations, and there was a lot to see and hear. With 11 research tracks, keynotes and press conferences happening from morning till night, it was impossible to see it all, even for the most motivated and caffeinated person.

But, we saw a lot of great talks and spoke with plenty of interesting folks, so we tried to boil down the most compelling, important and interesting bits and pieces from the conference for easy digestion. A comprehensive list of all the cool stuff from Black Hat would be almost impossible, so think of this as a tapas menu of the best stuff from last week. Enjoy.

  • The web is thoroughly broken. That may sound like hyperbole, but it’s not. There were a number of presentations at Black Hat that demonstrated serious new attacks on the Web’s underlying infrastructure and few of them seem to have a simple solution. The BREACH attack, which expanded upon the CRIME TLS attack from last year, essentially gives an attacker the ability to read encrypted messages under certain conditions. That sort of defeats the security model of SSL, the protocol that protects the majority of sensitive Web traffic. There have been similar attacks in the past that had more restrictions, but this is perhaps the most practical and easy to implement. In the words of US-CERT: “We are currently unaware of a practical solution to this problem.” And that’s just one piece of it. The other half of the coin is the research done by Paul Stone, who found a new technique for using JavaScript-based timing attacks to force a victim’s browser to reveal the source code of any page he’s on, which could include user IDs and other sensitive data. The technique also enables him to reconstruct anything that’s in a given iframe on a targeted site. As one other Web security researcher said about this attack, “It’s crazy. There’s no real way to fix it.”
  • Your car is just a rolling PC waiting to be hacked. And in some cases, it’s already been hacked. Researchers Charlie Miller and Chris Valasek spent months working on ways to attack the electronic control units (ECU) that are the brains of modern vehicles. What they found were methods to take over the ECUs and reprogram them to do essentially whatever they wanted. Miller and Valasek were able to disable the brakes, take over the steering and perform various other actions on their research vehicles, a Toyota Prius and Ford Escape. These likely aren’t the only vehicles vulnerable to these attacks; just the ones Miller and Valasek got their hands on. “Automobiles have been designed with safety in mind. However, you cannot have safety without security. If an attacker (or even a corrupted ECU) can send CAN packets, these might affect the safety of the vehicle,” they said in their paper, which they presented at DEF CON 21.
  • Hackers don’t like feds. This would seem to be self-evident, but in recent years the security community (or at least parts of it) has gradually warmed up to some of the federal agents, government investigators and other various members of the khaki-and-polo crowd. Feds have been easy to spot at both Black Hat and DEF CON for several years now, perhaps thanks in part to the influence of Jeff Moss, who founded both conferences, and works closely with the government now on various projects. But that era of detente ended quickly in the wake of the Edward Snowden revelations, so when Gen. Keith Alexander, the director of the NSA, delivered his opening keynote on July 31, it was in front of an initially polite crowd that soon turned restless and hostile. Alexander was determined to show that the collection programs the NSA runs are both legal and effective, but some of the attendees weren’t having it, and began heckling him. Alexander stood his ground and got through the speech, but it may be the last one we see at Black Hat from a top government official for a while.
  • Mobile security isn’t. Researchers have been banging away at the various mobile platforms for years now, and usually with quite a bit of success. Android has been the favorite target, but the other platforms are getting their share of attention now, as well. Ralf-Phillip Weinmann did a complete breakdown of the BlackBerry 10 security model and found that while there are some nice features, the OS isn’t as secure as it could be. He was unimpressed by the concept of work-personal partitioning as a security feature and said that an attacker would find it relatively easy to maintain persistence on a BlackBerry 10 device. Meanwhile, Karsten Nohl dug into the hardware side of things, and showed off his method for rooting SIM cards, the tiny computers inside mobile phones that serve as their brains and identifiers. He found a way to send commands to the SIM cards and get root access to them, something that gives him complete control of a targeted phone.

That may be a pretty bleak picture, but the good thing about Black Hat and other conferences like it is that vendors and manufacturers now pay close attention to the research presented there and use it to learn and do better the next time. Rather than threatening researchers with legal action–which used to be the norm–they are now sitting in the audience looking for ways to harden their products and work with the researchers to improve their security models. That’s progress.

Image courtesy of Black Hat USA 2013.


NSA masqueraded as Google to spy on web users


The NSA used ‘man in the middle’ hack attacks to impersonate Google and fool web users, leaks have revealed. The technique circumvents encryption by redirecting users to a copycat site which relays all the data entered to NSA data banks.


Brazilian television network Globo News released a report based on classified data divulged by former CIA worker Edward Snowden on Sunday. The report itself blew the whistle on US government spying on Brazilian oil giant Petrobras, but hidden in amongst the data was information the NSA had impersonated Google to get its hands on user data.


more here:



now look at the bottom of the page to see who is reading this thread and all threads, you will most probably find Google


I apologise to you all for not using the like button here...


Sorry for the late reply, with a couple of companies that provided encrypted email services shutting down due to refusal of NSA demands it stands to reason that the ones that are still open for business are cooperating with NSA or other gubymint agencies and WILL hand over your encrypted emails sooo at this time I can't endorse ANY email service. The best you can hope to do is encrypt it yourself before sending it off into the wild blue yonder

No worries, thanks for the reply.


Here is something to really ponder....and get shivers down your spine



Close the N.S.A.'s Back Doors, by The Editorial Board
The New York Times
Sun, 22 Sep 2013
Copyright 2013 The New York Times Company. All Rights Reserved.
In 2006, a federal agency, the National Institute of Standards and Technology, helped build an international encryption system to help countries and industries fend off computer hacking and theft. Unbeknown to the many users of the system, a different government arm, the National Security Agency, secretly inserted a ''back door'' into the system that allowed federal spies to crack open any data that was encoded using its technology.

Documents leaked by Edward Snowden, the former N.S.A. contractor, make clear that the agency has never met an encryption system that it has not tried to penetrate. And it frequently tries to take the easy way out. Because modern cryptography can be so hard to break, even using the brute force of the agency's powerful supercomputers, the agency prefers to collaborate with big software companies and cipher authors, getting hidden access built right into their systems.

The New York Times, The Guardian and ProPublica recently reported that the agency now has access to the codes that protect commerce and banking systems, trade secrets and medical records, and everyone's e-mail and Internet chat messages, including virtual private networks. In some cases, the agency pressured companies to give it access; as The Guardian reported earlier this year, Microsoft provided access to Hotmail, Outlook.com, SkyDrive and Skype. According to some of the Snowden documents given to Der Spiegel, the N.S.A. also has access to the encryption protecting data on iPhones, Android and BlackBerry phones.

These back doors and special access routes are a terrible idea, another example of the intelligence community's overreach. Companies and individuals are increasingly putting their most confidential data on cloud storage services, and need to rely on assurances their data will be secure. Knowing that encryption has been deliberately weakened will undermine confidence in these systems and interfere with commerce.

The back doors also strip away the expectations of privacy that individuals, businesses and governments have in ordinary communications. If back doors are built into systems by the N.S.A., who is to say that other countries' spy agencies -- or hackers, pirates and terrorists -- won't discover and exploit them?

The government can get a warrant and break into the communications or data of any individual or company suspected of breaking the law. But crippling everyone's ability to use encryption is going too far, just as the N.S.A. has exceeded its boundaries in collecting everyone's phone records rather than limiting its focus to actual suspects.

Representative Rush Holt, Democrat of New Jersey, has introduced a bill that would, among other provisions, bar the government from requiring software makers to insert built-in ways to bypass encryption. It deserves full Congressional support. In the meantime, several Internet companies, including Google and Facebook, are building encryption systems that will be much more difficult for the N.S.A. to penetrate, forced to assure their customers that they are not a secret partner with the dark side of their own government.


Turn off Windows Location Provider in Windows 8


The Windows Location Provider feature in Windows allows applications to find your geographical location. This feature can make use of GPS hardware in your computer directly or it can make use of IP address resolution, Wi-Fi or cellphone tower triangulation methods to locate you geographically. This feature in Windows 8 makes sure that no matter if you have GPS hardware or not, all apps can still detect your geographical location. While the Windows Location Provider feature is great because it lets applications and websites provide you with local content, some people might find it an invasion of privacy. If you want, then you can turn off the Windows Location Provider feature in Windows 8. Here is how:

Note: The following steps require your user account to have Administrator privileges.

Method 1
  1. Click on the Desktop tile in the Metro UI interface to switch to the Desktop mode. Alternatively, just hit the Windows logo key on your keyboard.
  2. Press the Windows logo key + R to open the Run dialog. Type gpedit.msc in the Run dialog and press Enter to start the Group Policy Editor.
  3. In the Group Policy Editor, navigate to Computer Configuration → Administrative Templates → Windows Components → Location and Sensors → Windows Location Provider on the right side treeview. You will find a setting named Turn off Windows Location Provider as shown.
  4. Double-click on this setting to open its properties. In the properties window, select Enabled option and click on the OK button to save the setting.
  5. Restart Windows for the changes to take effect.

Method 2

  1. Press the Windows logo key + R to open the Run dialog. Type regedit.exe in the Run dialog and press Enter to start the Windows Registry Editor.
  2. In the Registry Editor, navigate to the following key:
  3. Right-click on the right-side pane and create a new DWORD value by selecting New → DWORD (32-bit) Value from the context menu. Give the newly created value a name of DisableWindowsLocationProvider and set its value to 1 as shown in the picture below.
  4. Restart Windows for the changes to take effect.
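The same check and change, scripted so it can be audited and repeated across machines. This is an added example, not part of the original post; the policy key path is my assumption (the post leaves it out), so confirm it against the Group Policy setting from Method 1 before relying on it.

```powershell
# Added example (not from the forum post): audit, and optionally apply, the
# DisableWindowsLocationProvider policy value described in Method 2.
# ASSUMPTION: this is the standard Location and Sensors policy key; the post
# omits the path, so verify it against the Method 1 Group Policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
$ValueName = 'DisableWindowsLocationProvider'

function Get-LocationProviderPolicy {
    # Returns 'Disabled' when the DWORD is 1, 'Enabled' when it is 0 or
    # absent (the Windows default), and 'Unexpected' for any other value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled' }   # no policy set: provider stays on
    switch ($item.$ValueName) {
        1       { 'Disabled' }
        0       { 'Enabled' }
        default { 'Unexpected' }
    }
}

function Disable-LocationProvider {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Needs an elevated (Administrator) session, as the post notes.
    # With -WhatIf nothing is written; the key is only created when applying.
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set DWORD to 1')) {
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Report the resulting state; a restart is still required, per the post.
    Get-LocationProviderPolicy
}

# Audit first; apply only when intended (preview with -WhatIf).
"Windows Location Provider policy: $(Get-LocationProviderPolicy)"
# Disable-LocationProvider -WhatIf
```

Run the audit line on its own to see the current state; uncomment the last line (or drop -WhatIf) only from an elevated prompt.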


