Information Security News
5 Problems that Plague Federal InfoSec Hiring
That the federal government struggles to recruit and train qualified cybersecurity personnel isn't new. But a just-published report details the challenges agencies face to build and maintain an IT security workforce and offers recommendations on what ...
Ars recently reviewed two "Tor routers", devices that are supposed to improve your privacy by routing all traffic through the Tor anonymity network. Although the initial release of Anonabox proved woefully insecure, the basic premise itself is flawed. Using these instead of the Tor Browser Bundle is bad: less secure and less private than simply not using these "Tor Routers" in the first place. They are, in a word, EPICFAIL.
Four parties can spy on your traffic when you use these Tor "routers", each able both to see what you do and potentially to attack your communication: your ISP, the websites themselves, the Tor exit routers, and the NSA with its 5EYES buddies.
Now it's true that these devices do protect you against your ISP. And if your ISP wants to extort over $30 per month in exchange for not spying on you, this does offer protection. But if you want protection from your ISP, just use a VPN service or run your own VPN using Amazon EC2 ($9.50/month plus $.09/GB bandwidth for a t2 micro instance). These services offer much better performance and equal privacy. At the same time, if your ISP wants to extort your privacy, choose a different ISP.
An April Fool's prank Google pulled two weeks ago inadvertently broke some of the site's security, an error that briefly allowed so-called click-jacking exploits that trick users into performing undesired actions such as changing their user preferences.
Google's April Fool's pranks have become a favorite pastime on the Internet. This year, people who visited the site on April 1 found the entire contents of Google's iconic home page displayed backwards. Web development nerds also found a comment in the web page itself that read "!sLooF LIRPA YPPAH," which spells "Happy April Fool's" backward. According to a blog post published Friday by researchers from Netcraft, the prank also caused Google's homepage to omit a crucial header that's used to prevent click-jacking attacks.
Attackers could have seized on the omission of the X-Frame-Options header to change a user's search settings, including turning off SafeSearch filters. The chief reason for using X-Frame-Options is to prevent the use of HTML iframe tags to display Google's homepage on third-party Web pages. With that protection bypassed, attackers were free to stitch the Google page into their own site and embed hidden code that changed the function of certain links. As the Netcraft blog post explained: