Security

    “None of the claims of what comsec works is to be taken saltless: Tor, OTR, ZTRP are lures.” —Cryptome [3], Dec. 30, 2014

For most of the year, employees of leading cyber-security firm Symantec work toward securing and managing their customers’ information.

This week, they took a break from that. They got to be the bad guys.

Four years ago, Symantec launched its annual CyberWar Games, an internal event that challenges employees to walk in the shoes of an attacker. The Games simulates an information security breach modeled after a high profile incident reported in the media, and employees experience the attack from start to finish as the malicious party.

D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada.

Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.

Security specialist Kaymera – based in Herzliya, Israel – has launched a mobile security platform aimed at paranoid corporations.

The Kaymera 360° software consists of a secure build of Android and accompanying MDM functions. The company describes it as a three-layer approach of protection, prevention and detection.

An unnamed scientific researcher walks out to her mailbox, shuffles through some bills and advertisements, and pulls out an envelope containing a CD of pictures from a recent scientific conference the researcher had attended in Houston. Excited – though maybe a bit nervous – to see the candid photos of herself and her colleagues snapped by an excitable event photographer, the researcher walks inside, casually drops the unopened bills on the kitchen table, opens up her laptop, and slides in the CD. Windows asks if she’d like to open the pictures to view them.

Gemalto, the Dutch maker of billions of mobile phone SIM cards, confirmed this morning that it was the target of attacks in 2010 and 2011—attacks likely perpetrated by the NSA and British spy agency GCHQ. But even as the the company confirmed the hacks, it downplayed their significance, insisting that the attackers failed to get inside the network where cryptographic keys are stored that protect mobile communications.

Lenovo.com has been hacked. Starting at 4PM ET, users visiting the site saw a slideshow of disaffected youths, set to the song "Breaking Free" from High School Musical. At 4:17, the site seemed to have reverted to its normal self, although HTML problems persist and in some instances, the song continued to play in the background. The hacked version has reappeared intermittently as cached versions work through the system, although by 5:30pm, the site appeared to be back to normal.

A total of 17 security holes have been addressed by Mozilla with the release of Firefox 36. The latest version of the Web browser also includes support for the HTTP/2 protocol.

While the number of fixed vulnerabilities is higher than usual, only four of the flaws have been rated critical.

Following the release of a report by a news website on February 19, 2015, Gemalto (Euronext NL0000400653 GTO), has conducted a thorough investigation, based in particular on two elements: the purported NSA and GCHQ documents which were made public by this website, and our internal monitoring tools and their past records of attempts of attacks.

On Friday Lenovo is going to tell the world about how it plans to regain the trust of its users in the wake of the Superfish clusterfuck – and may even launch an independent security audit of its products.

"Our goal, in the end, is to make this right," Lenovo's CTO Peter Hortensius told The Register on Tuesday. "It's going to take a long road to earn trust back."