IT security news

OSVDB Most Recent Stable Entries

This feed is no more! Please see osvdb.org for more info.

OSVDB has completed a major redesign, and this feed has been replaced with more customizable feeds. Please visit osvdb.org for more information on how to use our new services.

The post comes from OSVDB Most Recent Stable Entries.

Cyber War News

Lebanese Yellow Pages Website hacked

Lebanese hackers Mad Hackerz have started a campaign against their own country, starting with a defacement and then a data leak from the world-renowned directory website Yellow Pages.


Naked Security – Sophos

Megaupload’s Kim Dotcom bursts the jail bubble

File sharing entrepreneur Kim Dotcom, the larger-than-life figure who was controversially busted by the cops hiding in a panic room in his $30 million mansion in New Zealand, has finally convinced a court to grant him bail.


SANS Internet Storm Center, InfoCON: green

ISC Feature of the Week: Handler Diaries, (Wed, Feb 22nd)

Overview
Internet Storm Center features daily handler diaries that summarize and analyze new threats to networks and internet security events. Diaries range from 0day vulnerability announcements to the latest software update releases. If it’s security related, we’ll probably put up a diary about it!
The ISC homepage https://isc.sans.edu always displays the last 24 hours of diaries. The top and bottom of every diary, wherever it is listed, contains a previous/next navigation link that will iterate through all the diaries in order. You can click the title to view the full diary page.
What’s in a Diary?
A Diary title is always an active link, so you can right-click and copy it to send to a friend or co-worker you think would be interested in the information. Alternatively, there is a Share menu to the right of the title if you want to publicly share on any number of social networking sites!
Under the title you will see the original published date and, if any changes have been logged to the diary, the last updated date. Below that you will see the name of the handler who authored the diary and the version number. The Rate this diary feature is currently disabled but should be back soon.
The number of comments displays how many comments have been added and is a link that will take you straight to the comments section below the diary. You can leave a comment if you are logged in to your ISC/DShield account. Not logged in? No worries, just click the link, log in and you should be brought right back to leave your comment. The Alias will default to what you have set in Your Information https://isc.sans.edu/myinfo.html but you can change it to whatever you want. Every comment is vetted by the handlers and inappropriate comments or blatant ads are removed.
The diary content will vary. It can contain anything from just a few lines of text, sometimes with web links, to a full tutorial with illustrated graphics. A handler will have their own custom signature at the end of every diary posted. If an announcement is short and doesn’t require a lot of detail, a handler may post a one-liner, which is highlighted with a different background/border and is generally just one sentence.
A Keywords list follows the diary content. This is an individually linked list that will take you to a page displaying a table of all the diaries that contain that same keyword, along with the date published and author.
How can I find past diaries?
The easiest way to find past diaries is to search for keywords as explained here https://isc.sans.edu/diary/ISC+Feature+of+the+Week+ISC+Search/12496. ALL the diaries can be listed by date on the Diary Archives page https://isc.sans.edu/diaryarchive.html. This is useful if you know the general timeframe or title text of a specific diary or just want to skim titles, as an entire month is shown at once.
The site footer always contains some of the most recent Diary Archives in the center as well as a link to all the archives page. The homepage also lists some more of the most recent diaries as well as a link to the Diary Archives page https://isc.sans.edu/diaryarchive.html. There is also a link to the archives after every comment section on the diary page.
How can I get these diaries you speak of?
Well, you can make https://isc.sans.edu your default browser page so you don’t miss anything.
You can also receive full or title only diaries by subscribing in your favorite RSS reader. The links can be found here https://isc.sans.edu/xml.html#rss

Let us know in the section below if you have suggestions or feedback about our diaries, or send us any questions or comments in the contact form at https://isc.sans.edu/contact.html

Adam Swanger, Web Developer (GWEB)

Internet Storm Center (http://isc.sans.edu)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post comes from SANS Internet Storm Center, InfoCON: green.

SecurityTracker Vulnerability Headlines

Blackberry PlayBook Samba File Sharing Lets Remote Users Execute Arbitrary Code

The post comes from SecurityTracker Vulnerability Headlines.

Cyber War News

University of Central Florida Hacked by @b4lc4nh4ck

The target website was http://www.getinvolveducf.com, the University of Central Florida Office of Student Involvement, and the leaked information was announced to us via Twitter.


Threat Level

DOJ Urges Supreme Court to Halt Challenge to Warrantless Eavesdropping

The “secret room” in AT&T’s Folsom Street office in San Francisco is believed to be one of several internet wiretapping facilities at AT&T offices around the country feeding data to the National Security Agency. Photo: Mark Klein

The Obama administration is urging the Supreme Court to halt a legal challenge weighing the constitutionality of a once-secret warrantless surveillance program targeting Americans’ communications that Congress eventually legalized in 2008.

The FISA Amendments Act (.pdf), the subject of the lawsuit brought by the American Civil Liberties Union and others, allows the government to electronically eavesdrop on Americans’ phone calls and e-mails without a probable-cause warrant so long as one of the parties to the communication is outside the United States. The communications may be intercepted “to acquire foreign intelligence information.”

The administration is asking the Supreme Court to review an appellate decision that said the nearly 4-year-old lawsuit could move forward. The government said the ACLU and a host of other groups don’t have the legal standing to bring the case because they have no evidence they or their overseas clients are being targeted.

The case arrives at the high court’s inbox after having two different outcomes in the lower courts. It marks the first time the Supreme Court has been asked to review the eavesdropping program that was secretly employed in the wake of 9/11 by the George W. Bush administration, and eventually largely codified into law four years ago.

A lower court had ruled the ACLU, Amnesty International, Global Fund for Women, Global Rights, Human Rights Watch, International Criminal Defence Attorneys Association, The Nation magazine, PEN American Center, Service Employees International Union and other plaintiffs did not have standing to bring the case, because they could not demonstrate that they were subject to the eavesdropping.

The groups appealed to the 2nd U.S. Circuit Court of Appeals, arguing that they often work with overseas dissidents who might be targets of the National Security Agency program. Instead of speaking with those people on the phone or through e-mails, the groups asserted that they have had to make expensive overseas trips in a bid to maintain attorney-client confidentiality.

The plaintiffs, some of them journalists, also claim the 2008 legislation chills their speech, and violates their Fourth Amendment privacy rights.

Without ruling on the merits of the case, the appeals court agreed in March with the plaintiffs that they have ample reason to fear the surveillance program, and thus have legal standing to pursue their claim.

Image: ACLU

The government disagreed.

“Respondents’ inability to show an imminent interception of their communications cannot be cured by the asserted chilling effect resulting from their fear of such surveillance,” the government wrote (.pdf) the Supreme Court.

But even if the Supreme Court rejects the petition by Solicitor General Donald B. Verrilli Jr., that does not necessarily mean the constitutionality of the FISA Amendments Act will be litigated.

The lawsuit would return to the courtroom of U.S. District Court Judge John G. Koeltl in New York, where, if past is prologue, the Obama administration likely would play its trump card: an assertion of the powerful state secrets privilege that lets the executive branch effectively kill lawsuits by claiming they threaten to expose national security secrets.

The courts tend to defer to such claims. But in a rare exception in 2008, a San Francisco federal judge refused to throw out a wiretapping lawsuit against AT&T under the state secrets privilege. The AT&T lawsuit was later killed anyway, because the same FISA Amendments Act also granted the phone companies retroactive legal immunity for their participation in the NSA program.

The FISA Amendments Act — which passed with the support of then-senator Barack Obama of Illinois — generally requires the Foreign Intelligence Surveillance Act Court to rubber-stamp terror-related electronic surveillance requests. The government does not have to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application.


Infosec Island Latest Articles

McAfee Report: No Immunity from Targeted Attacks

Security provider McAfee unveiled the Threats Report: Fourth Quarter 2011 assessment, which provides a summary of the threat landscape from data collected in the latter part of 2011.

The report covers a variety of security issues, including breach reports, the prevalence of spam operations, internet threats and malware-related data, which the report indicates saw levels beyond the company’s previous estimate of 75 million unique variants.

The report also noted that targeted attacks present a problem that no organization can expect to be immune to regardless of the level of effort and resources dedicated to securing critical systems, a refreshingly honest admission from a security vendor.

“The threat landscape continued to evolve in 2011, and we saw a significant shift in motivation for cyber attacks. Increasingly, we’ve seen that no organization, platform or device is immune to the increasingly sophisticated and targeted threats,” said Vincent Weafer, senior vice president of McAfee Labs.

Of continued concern is the rapid pace of malware targeting mobile devices, according to the report. The proliferation of smartphones and tablets as a primary interface for individuals, government, and the private sector has made them a focal point for the development of malicious agents.

“On a global basis, we are conducting more of our personal and business transactions through mobile devices, and this is creating new security risks and challenges in how we safeguard our commercial and personal data,” Weafer said.

The following is a summary of the McAfee report’s content as provided by the company:

Malware

The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The cumulative number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with Android firmly fixed as the largest target for writers of mobile malware.

Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.

Web Threats

In the third quarter McAfee Labs recorded an average of 6,500 new bad sites per day; this figure shot up to 9,300 sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were malicious. This brings the total of active malicious URLs to more than 700,000.

The vast majority of new malicious sites are located in the United States, followed by the Netherlands, Canada, South Korea and Germany. Overall, North America housed the largest amount of servers hosting malicious content, at more than 73 percent, followed by Europe-Middle East at more than 17 percent and Asia Pacific at 7 percent.

Spam

At the end of 2011, global spam reached its lowest point in years, especially in areas such as the United Kingdom, Brazil, Argentina and South Korea. Despite the drop in global levels, McAfee Labs found that the present spearphishing and spam are highly sophisticated.

Overall botnet growth rebounded in November and December after falling since August, with Brazil, Colombia, India, Spain and the United States all seeing significant increases. Germany, Indonesia and Russia declined. Of the botnets, Cutwail continues to reign supreme, while Lethic has been on a steady decline since last quarter. Grum made a significant comeback after a long decline, surpassing Bobax and Lethic by the end of Q4.

Data Breaches

The number of reports of data breaches via hacking, malware, fraud and insiders more than doubled since 2009, according to privacyrights.org, with more than 40 breaches publicly reported this quarter alone. The leading network threat this quarter came via vulnerabilities in Microsoft Windows remote procedure calls. This was followed closely by SQL injection and cross-site scripting attacks. These remote attacks can be launched at selected targets around the globe.

Source:  http://www.businesswire.com/news/mcafee/20120221005928/en/McAfee-Q4-Threats-Report-Shows-Malware-Surpassed

Copyright 2010 Respective Author at Infosec Island

The post comes from Infosec Island Latest Articles.

A Security Resolution for Developers

Article by Maureen Robinson

People often believe that a developer who is capable of creating clean, functional code will by default be writing secure code.

Unfortunately, this is not always the case.

Security vulnerabilities can result from poor code (functional bugs can be security bugs too), but the trickiest security issues result from code that does more than you expect.

The application may pass all of its functional tests but still have additional, unintended functionality that results in a vulnerability. For instance, a web site with a SQL Injection vulnerability could work perfectly well for a normal user and then work a little too well for a malicious user.

It’s important to think of abuse cases, not just use cases. Consider: what are the threats to this application? How would an attacker visualize (and subsequently attack) it? How do I code defensively against these threats?

Although there are many skills and abilities that may be on your personal development wish-list, if you want to write secure code, consider adding the following skills to your repertoire:

  • Ability to create a mental threat model
      ◦ Should include all assets worth protecting and possible threats
  • Sound knowledge of secure coding standards (known good patterns that work)
      ◦ Ideally this takes the form of both a repository of best practices and a library of secure routines you can call into
  • Understand and map input paths and trust boundaries
      ◦ Enables you to make decisions on how much to trust the data your code is processing
  • Know (or have a reference of) patterns of bad code and checklists to check against
      ◦ These are useful to keep in mind while coding as well as to check during a review. In pair programming the second developer can keep these in mind while the first developer is writing code
  • Know how your application functions and interacts with its environment
      ◦ You can’t understand how it would be attacked if you don’t know how it works. Applications ultimately transmit data and operate on hardware, in a network, etc., so you need to understand protocols, dependencies, communications (encryption), etc.
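As an added example that is not from the original article, here is the login query behind the SQL injection scenario above, written two ways and run against a constructed in-memory SQLite table: the string-concatenating version passes the normal use case yet also "works a little too well" for an abuse case, while the parameterised version passes only the use case. The user names, passwords and the `login_*` function names are assumptions made for the example.

```python
"""Added example (not from the original article): one login query written
two ways, exercised with a use case and an abuse case, to show the
'unintended functionality' the article warns about."""
import sqlite3

# Constructed sample data; not from any real system.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def make_db():
    """Build a throwaway in-memory users table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Pattern of bad code: user input is spliced into the query text, so
    the input can change the query's structure, not just its data."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def login_safe(conn, name, password):
    """Known good pattern: input is bound as a parameter and can never alter
    the query structure, so only the intended behaviour remains."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    rows = conn.execute(sql, (name, password)).fetchall()
    return sorted(row[0] for row in rows)


def abuse_case_demo():
    """Run the use case (valid credentials) and an abuse case (a quote that
    closes the string literal) through both versions and return who each
    version authenticates. Both pass the 'normal user' functional test."""
    conn = make_db()
    normal = ("alice", "correct horse")
    # Abuse case: the textbook closing-quote input a functional test suite
    # typically never sends.
    abuse = ("alice", "x' OR '1'='1")
    return {
        "vulnerable_normal": login_vulnerable(conn, *normal),
        "vulnerable_abuse": login_vulnerable(conn, *abuse),
        "safe_normal": login_safe(conn, *normal),
        "safe_abuse": login_safe(conn, *abuse),
    }


def breaks_on_quote(login_fn):
    """The 'functional bug is a security bug' angle: does a legitimate name
    containing an apostrophe (constructed sample "o'brien") crash the query?
    True means the function fails on such input."""
    conn = make_db()
    try:
        login_fn(conn, "o'brien", "pw")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    for key, who in abuse_case_demo().items():
        print(f"{key}: {who}")
    print("vulnerable breaks on apostrophe:", breaks_on_quote(login_vulnerable))
    print("safe breaks on apostrophe:", breaks_on_quote(login_safe))
```

The abuse case returns every user from the vulnerable version and nobody from the safe one, which is exactly the difference a use-case-only test suite cannot see.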

Cross-posted from CIOZone


The post comes from Infosec Island Latest Articles.

Exploit-DB updates

[webapps] – DFLabs PTK <= 1.0.5 Multiple Vulnerabilities (Steal Authentication Credentials)


Infosec Island Latest Articles

IPv6 Protocol Implementation is Not a Security Panacea

The advent of the IPv6 protocol has produced some enthusiastic hopes for bolstering internet security over the past few years, and while it does offer a significant improvement in many respects over the languishing IPv4 protocol, many of the current problems will likely persist.

“One of the frequent rallying points for IPv6 was that it was more secure than IPv4. One network security group within a large US government organization went so far as to declare that since IPv6 is more secure, that the group decided to disband because they alleged that the next generation Internet protocol’s inherent security capabilities would address their security concerns,” writes Arbor Networks’ Bill Cerveny.

That may have been too optimistic of an assessment.

A report issued by researchers at Arbor Networks has revealed the first documented cases of distributed denial of service (DDoS) attacks over IPv6. DDoS is a favorite among hacktivist groups: a large amount of traffic is sent to a web server at such high frequency that it overwhelms the processing capacity or causes the system to shut down.

“For the first time, respondents to Arbor Networks 7th annual Worldwide Infrastructure Security Report indicated they had observed IPv6 DDoS attacks on their networks. This marks a significant milestone in the arms race between attackers and defenders,” said Cerveny.

Another aspect of DDoS vulnerabilities where IPv6 is concerned is the vastly increased number of IP addresses attackers will have at their disposal for conducting the disruptive operations, making mitigation by blocking the offending sources more difficult.

The full implementation of IPv6 will undoubtedly be accompanied by an increased level of attacks, which should not be surprising to most given the innovative nature of assailants.

“The same thing that has made the IPv6-enabled Internet ‘valuable’ has also made it an increasingly valuable venue for attacks. While the frequency of attacks is relatively modest on IPv6 today, we expect that accelerated adoption will be followed in-kind by an accelerated pace of attacks,” Cerveny said.

Other researchers have similarly been finding vulnerabilities in IPv6. Last year a group produced a proof of concept that demonstrated how new features in the Microsoft Windows operating system which enable IPv6 network access could potentially be exploited by a man-in-the-middle (MITM) attack.

The researchers found that default settings in the OS’s protocol implementation would allow attackers to redirect information in an exploit utilizing the Stateless Address Auto Configuration (SLAAC) standard, rerouting data through networks controlled by the attackers and exposing potentially sensitive data.

The one saving grace was that in order to carry out the exploit, attackers would need to successfully install some hardware in the target network, which makes such an event highly improbable, yet nonetheless possible.

While IPv6 will not be the all-encompassing remedy to many security problems as some had hoped early on, it will for the most part represent an improvement over its predecessor.

“Much of the early thinking around IPv6 security being better than IPv4 security was based on the RFC requirement that IPv6 stacks include IPsec support, but that is clearly too simplistic a view (and that strict requirement has been removed in recently-released RFC 6434). Even though IPv6 shares many security vulnerabilities with IPv4, and has some unique vulnerabilities unique to IPv6, secure network-centric service provisioning is about much more than protection for data in-flight. As always, employing a team of trained security specialists, knowledgeable about IPv6, applying proven best-practices and working methodically to counter evolving threats, is the key to protecting service availability and integrity,” said John Spence of Nephos6.

Source:  http://ddos.arbornetworks.com/2012/02/a-milestone-in-ipv6-deployment/


The post comes from Infosec Island Latest Articles.

Krebs on Security

Feds Request DNSChanger Deadline Extension

Extradition of Accused Masterminds Moves Forward

Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet early next month if a New York court approves a new request by the U.S. government. Meanwhile, six men accused of managing and profiting from the huge collection of hacked PCs are expected to soon be extradited from their native Estonia to face charges in the United States.

DNSChanger modifies settings on a host PC that tell the computer how to find Web sites on the Internet, hijacking victims’ search results and preventing them from visiting security sites that might help detect and scrub the infections. The Internet servers that were used to control infected PCs were located in the United States, and in coordination with the arrest of the Estonian men in November, a New York district court ordered a private U.S. company to assume control over those servers. The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down. The court agreed, and ordered that the surrogate control servers remain in operation until March 8.

But earlier this month, security firm Internet Identity revealed that the cleanup process was taking a lot longer than expected: The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies. That means that if the current deadline holds, millions of PCs are likely to be cut off from the Web on March 8.

In a Feb. 17 filing with the U.S. District Court for the Southern District of New York, officials with the U.S. Justice Department, the U.S. Attorney for the Southern District of New York, and NASA asked the court to extend the March 8 deadline by more than four months to give ISPs, private companies and the government more time to clean up the mess. The government requested that the surrogate servers be allowed to stay in operation until July 9, 2012. The court has yet to rule on the request, a copy of which is available here (PDF).

Not everyone thinks extending the deadline is the best way to resolve the situation. In fact, security-minded folks seem dead-set against the idea. KrebsOnSecurity conducted an unscientific poll earlier this month, asking readers whether they thought the government should give affected users more time to clean up infections from the malware, which can be unusually difficult to remove. Nearly 1,400 readers responded that forcing people to meet the current deadline was the best approach. The overwhelming opinion (~9:1) was against extending the March 8 deadline.

KrebsOnSecurity readers voted almost 9-1 against the idea of extending the Mar. 8 deadline.

In related news, the six Estonian men arrested and accused of building and profiting from the DNSChanger botnet are expected to be extradited to face computer intrusion and conspiracy charges in the United States.  According to the Baltic Business News, an Estonian court ruled last week that the country can extradite four of the six (two were already cleared for extradition). The story notes that the final decision on the extradition will be made by the Estonian government after the court’s ruling has entered into force, but sources close to the investigation say the extraditions are all but assured.

Image courtesy Eesti Päevaleht.

Among those facing certain extradition is the alleged ringleader of the group, Vladimir Tsastsin, who for many years ran a domain registration firm called EstDomains that was heavily favored by cybercriminals. In 2008, ICANN, the nonprofit organization that oversees the domain registration industry, revoked EstDomains’s contract to sell new domain names, citing Tsastsin’s prior criminal convictions for forgery, money laundering and credit card fraud.

Tsastsin and the five others are alleged to have made at least $14 million selling hijacked search traffic from infected PCs to advertisers, and by swapping ads displayed on popular sites with their own ads. The government says Tsastsin laundered the ill-gotten gains by purchasing dozens of cars and real estate properties, including a number of empty lots. The infographic above, published by Eesti Päevaleht — Estonia’s largest daily news outlet — shows some of the properties Tsastsin (bottom right) and his compatriots were alleged to have purchased with the funds earned from the DNSChanger Trojan activities.

A copy of the indictments returned against Tsastsin and others is available here (PDF).


Infosec Island Latest Articles

The CISO as a Capable Catalyst

The last post opened up the idea that Gene Kim started me on while we recorded Episode 10 of the “Down the Rabbithole” podcast (released 2/6/12 here), which is: how does a CISO become a catalyst for change, with not only responsibility – but also capability?

Today’s post seeks to provide clues and hints (there aren’t really any answers) on how a CISO can gain capability (or earn it) by becoming a catalyst for positive change in his or her organization.

This is a difficult topic because it often involves a lot of “you should” and “you could” types of ideas – but rest assured, the things I’m talking about here I’ve either tried myself or have had others tell me they work.

This post also draws upon the collective ideas from the LinkedIn “SecBiz” group, which has become a favorite place for many to discuss this, and I encourage you to join and participate in that group as well.

First up is trying to understand whether capability should be something that a CISO is expected to have walking in the door.  More often than not, even in the age of Anonymous and non-stop cyber threats to every business, the answer is still no.  Jared Bird’s[1] take is that:

“Capability will always have to be achieved (earned). If a CISO initially receives any capability when starting the position, that was capability that was left over from their predecessor. It is now the CISO’s responsibility to earn more capability and solidify what may already exist.” 

In a way I completely agree.  You never quite know what you’re walking in to and it makes sense to make your own way.

Let me take a step back and define what I mean by capability for you first… it’s the ability to catalyze positive change in the area of security and risk management in your organization (as a CISO or equivalent). 

Should the CISO have the ability to catalyze positive change walking in the door?  Sure, in a perfect world.  But look around you, this is far from a perfect world and that is far from a reasonable expectation even in today’s risk climate. 

What a CISO can expect is that he or she will have to make their business value felt… that’s about the only thing I think you can count on.  As a CISO you should expect that you’ll be challenged to not only provide better risk abatement for the organization but also improve the overall business’ ability to achieve goals.  Let’s start from that premise.

Uncovering Ground Zero

Walking in (or starting fresh) in a new organization as the CISO or security leader means that you have a chance to, hopefully, define what it is you’ll want to accomplish.  Most of the time, however, the organization that hired you already has some pre-conceived notions either based on the previous person in that role or other industry definitions (or *gasp* an executive head-hunter). 

Your first and only goal should be to uncover what your role really is.  If you think you’re there to keep the organization free of malware, keep the security appliances humming, and keep the company ‘secure’ you’re probably not going to last very long.

Start your digging by meeting people who ordinarily sit on the opposing side of the table from you.  We’ll call these the delegates.  Every effective leader must always win over the delegates of his constituency… you’re no different.  Find out what they care about.

My guess is that the VP of Applications (maybe called the CTO?) probably cares about release cycles, downtime, failure rates, and streamlining effort with over-worked resources. 

Note that down.  Next go to the key stake-holders of the business.  Maybe the board of directors isn’t a great place to start …but the other C-levels definitely are. 

If you don’t hold a C-level title, this tells you something immediately because if they call you the “security leader” then you have a slightly different task ahead of you, and a more monumental march to capability.  Your colleagues will be able to tell you what the organization cares to accomplish, and what its goals are. 

You’ll hear things like cost reduction, productivity (remember this?), agility and other terms you should familiarize yourself with.  Here’s the thing, you should probably be taking near-perfect notes right now in these meetings because you’ll absolutely need this shortly.

Mapping Your Success

Once you’ve uncovered why you’ve really been hired … and it doesn’t hurt to know why the previous CISO left, or maybe that there was never one to begin with! …it’s now time to start thinking about how your security skills match up against the needs of the business.  What I recommend is taking some time to do a mapping exercise.  The mapping should (and here I base this on personal experience) have 3 levels of goals.

The first level should be the business objectives, the second level should be the management objectives, and the final level should be your level, the SRM (security and risk management) objectives.  I’ve done a sample for you based on the highlighted terms from above, right here in Figure A.

Figure A: Business Objectives to SRM Mapping (image not reproduced here).

Mapping like this is a forcing function which makes you mentally justify your activities, or your proposed activities, against the goals of the business.  If you find yourself filling in this grid right to left you’re doing it wrong. 

You should absolutely fill this grid starting in the left-most boxes at the business objectives level and moving right.  This is a many : many : many type of mapping… and sometimes if you have a mind-mapping tool like FreeMind, or Mind Manager it’s even easier than spreadsheets.

Looking at the overall business goals on the left column forces you to understand the high-level goals you’re trying to help the organization meet.  They’re high-level, and probably fairly easy to “fit” things into, which is why the middle level exists.  The middle management objectives level exists to help you understand the goals of those around you. 

Each manager and executive has their own objectives that will get them promoted and help them meet their commitments to the organization.  Why do you care?  Because if your activities can positively map to their goals it’s simple to show how you’re helping them, not fighting them.  You’ve just taken a positive step in the direction of keeping a healthy relationship with the rest of your colleagues in the organization.  This is much better than the adversarial relationships security leaders normally have.

See, this type of mapping has many great benefits.  You can build better personal relationships, understand the organization better, and on and on… so how does this give you the capability you need to be a catalyst for positive risk management change? 

Elementary my good Watson… once you’ve got a good understanding of your organization, its goals and have a solid helpful relationship with your colleagues the capability comes almost naturally.  You’re no longer doing things for the sake of security, but for the sake of business productivity, cost reduction, or agility – and you’re someone people respect rather than fear.

Jared Bird [1] says that one of the most important things a CISO can do to earn capability in an organization is “helping the other executives recognize the value of security” and that the big requirement is to “keep things simple.”

Folks, this isn’t magic, but great advice I’ve picked up from fantastic mentors.  I pass it on, freely to anyone who wants to listen, because we need less ‘security says’ and more ‘the business needs’ discussions in the security circles if we’re ever going to get our heads above water.

Good luck, I hope this helps!

[1] Jared Bird currently works as a consultant with the technology risk advisory services group at McGladrey. He specializes in network security assessments and security reviews. Jared has over 10 years of experience in information technology with positions ranging from network administration to information security management roles.

Cross-posted from Following the White Rabbit

Copyright 2010 Respective Author at Infosec Island

Post from Infosec Island Latest Articles on localtime

NIST Pursues Health Record System Usability Testing

The National Institute of Standards and Technology (NIST) seeks manufacturers of electronic health record (EHR) systems to participate in a research effort to develop methods for assessing the usability of health information systems.

Usability is broadly defined by information technology professionals as a measure of how well a system can be applied by its intended users to achieve specified goals with effectiveness, efficiency and satisfaction.

All software systems developers strive for usability, but it is particularly important in health information systems. The usability of a health IT system can be the difference between a good and bad outcome for the patient.

The Healthcare Information and Management Systems Society (HIMSS)* has argued that usability may be the single biggest obstacle to widespread adoption and use of electronic health records in clinical settings. EHR systems must present and record often complex medical information, in a wide variety of formats, so that it can be easily accessed and used by clinicians and other users.

Accurately assessing usability involves more than simple surveys of user satisfaction. NIST is working to develop a basic framework for assessing the usability of health information technology systems and ultimately recommending performance-oriented user interface design guidelines for EHRs.

As part of this effort, NIST seeks system manufacturers willing to provide EHR systems for use in lab-based usability testing. NIST will provide a secure computing environment to safeguard the software and equipment during the course of the research, and the EHR software and equipment will be removed from all computers on which it is installed and returned to the manufacturer at the end of the testing period.

The results of the usability testing of each EHR system will be reported to its manufacturer and used to support NIST research. Individual systems will not be identified and linked to test results in any NIST reports. The systems are for research purposes only; no actual patient data will be used or accepted.

NIST anticipates that it will take approximately one year to conduct all necessary research.

Full details of intellectual property protections for the research program are in the formal Letters of Understanding that NIST will execute with participating manufacturers. To participate in the program, manufacturers must submit a request and an executed Letter of Understanding by 5 p.m. Eastern time on March 15, 2012.

Interested parties should consult the Feb. 14, 2012, Federal Register notice, “Evaluating the Usability of Electronic Health Record (EHR) Systems” (Docket No.: 120123059-2058-01) available at www.gpo.gov/fdsys/pkg/FR-2012-02-14/pdf/2012-3415.pdf for details of the program and the required Letter of Understanding.

* See, for example, the Healthcare Information and Management Systems Society (HIMSS) 2009 report, Defining and Testing EMR Usability: Principles and Proposed Methods of EMR Usability Evaluation and Rating at www.himss.org/content/files/HIMSS_DefiningandTestingEMRUsability.pdf.

The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce.

Source:  http://www.nist.gov/itl/iad/nist-seeks-health-record-system-manufacturers-to-assist-in-usability-testing.cfm

Copyright 2010 Respective Author at Infosec Island

Post from Infosec Island Latest Articles on localtime

The Official Lookout Blog

Lookout Super User: How Lookout Saved the Party!

Lookout Super User: Neil Stocks

Occupation: Contractor

Location:  United Kingdom

Lookout User Since: 2010

Favorite Lookout Feature: Backup

Moral of the Story: “I will never own a phone without Lookout!”

How Lookout Saved the Day for Neil: “I had spent almost an entire year organizing my wife’s surprise 30th birthday party. I had compiled a guest list of nearly 200 people, and I had spent hours collecting the phone numbers for distant relatives and friends whom I hadn’t seen in years.

“The day I booked the venue for the event, I typed out a text message with all of the party details and sent it to the first 30 invitees. Suddenly, my phone froze. I left it alone for a few minutes, but it was still frozen. I took the battery out, waited a minute and then turned the phone back on. To my relief, the phone was working again. However, after I powered the phone back on, I noticed the background picture wasn’t the same. I clicked into my contact list and saw it was empty—there wasn’t a single number listed! I checked again and again. I felt sick. Not only had I lost all my personal contacts’ phone numbers, I lost all the numbers of my wife’s friends; it had taken nearly a year to gather all of that information… there was no way I’d be able to track down all of those contacts again.

“Then I remembered Lookout. I went to open Lookout’s application on my phone, but all of my apps were gone too. Once I reinstalled Lookout, I also went online and logged into my account. I couldn’t believe it… all of my contacts were still on file! I started to transfer all the numbers back onto my phone and was amazed that I recovered everything I’d lost in less than ten minutes. Five months later, everyone came to my wife’s surprise party; it was a huge success. Thanks, Lookout!”


Security – Infoworld

IBM makes QRadar security event management product more intelligent

IBM is widely expanding the intelligence gathering functions available to its security-event management (SEM) product, QRadar Security Intelligence Platform, as well as designing a virtual-appliance version of it that works on the VMware platform.


Threat Level

Ask the Question No One Is Asking: Crowdsourcing the Republican Primary Debate

Republican presidential candidates, former Pennsylvania Sen. Rick Santorum and former Massachusetts Gov. Mitt Romney participate in the Republican presidential candidate debate at the North Charleston Coliseum in Charleston, South Carolina, on Thursday, Jan. 19, 2012. Photo: David Goldman/AP

Are you the type who, when watching a political debate, screams at the moderator for not asking the right question — the one you’re just dying to hear the answer to? The one that’s really important?

Well, here’s a chance to get your question asked.

Wired is partnering with The Guardian and New York University in a project called the “Citizens’ Agenda” ahead of Wednesday night’s Republican presidential nominee debate in Arizona – the last debate before Super Tuesday.

The premise is simple — submit the question you think the top candidates for the Republican presidential nomination should answer. Fellow readers can vote your idea up or down and Wired will find a way to deliver the top questions to CNN’s John King this afternoon.

Of particular interest are questions that haven’t been asked over the last 20 debates during the primary. For instance, when the project analyzed the questions asked in the early set of debates, only two of them were about climate change.

There’s no promise he’ll actually ask any of these suggestions, but if he doesn’t, when you yell at the TV Wednesday night, you can do so with even more indignant fervor.

P.S. Though the form below asks for name and e-mail, your real name and e-mail address is not required, though you do have to put something in the fields.



Security – Infoworld

Group files FTC complaint against Google for privacy changes

The U.S. Federal Trade Commission should force Google to halt its plan to consolidate user identities across its services and fine the company for violating an October privacy settlement with the agency, privacy group the Center for Digital Democracy said in a complaint filed Wednesday.


Cloud security, big data, and mobile to dominate RSA conference

Few topics stir bigger buzz among information security professionals than big data, cloud security, and mobile. So it’s no surprise that those topics will dominate the discussions this year at the RSA Conference 2012.


The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

Mirage Anti-Bot 2.0 : Protection against ZeuS, SpyEye Malwares


Jean-Pierre, aka DarkCoderSc, and Fred De Vries have developed and released the second version of another security tool, “Mirage Anti-Bot 2.0”. Zeus and SpyEye have been the two main families of botnet software. These types of malware are spread mainly through drive-by downloads and phishing schemes.

They are so-called

Post from Team : Evilhackerz (noreply@blogger.com) on localtime

Packet Storm Security Headlines

Crap PINs Give Wallet Thieves 1-In-11 Jackpot Shot

Post from Packet Storm Security Headlines on localtime

Bugtraq

[ MDVSA-2012:023 ] libxml2

Posted by security on Feb 22

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:023
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libxml2
Date : February 22, 2012
Affected: 2010.1, 2011, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:…

Post from Bugtraq on localtime

Packet Storm Security Headlines

Spam Crashes To Historic Low As Malware Explodes On Mobiles

Post from Packet Storm Security Headlines on localtime

Critical Systems At Risk From GPS Jamming On UK Roads

Post from Packet Storm Security Headlines on localtime

EU Court To Rule On Acta Legality

Post from Packet Storm Security Headlines on localtime

The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

2012 Most Vulnerable Cities At Risk Of Cyber Crime


Norton’s study showed the city was one of the ten worst for hacking. Each city was ranked by the prevalence of PCs and smartphones in addition to social media use with risk factors like unsecured Wi-Fi hotspots and malware attempts. Manchester was found to be the riskiest city and Vancouver is the third most vulnerable city in Canada for

Post from Team : Evilhackerz (noreply@blogger.com) on localtime

Bugtraq

Multiple XSS in Chyrp

Posted by advisory on Feb 22

Advisory ID: HTB23073
Product: Chyrp
Vendor: Chyrp
Vulnerable Version(s): 2.5b1 and probably prior
Tested Version: 2.5b1
Vendor Notification: 1 February 2012
Vendor Patch: 2 February 2012
Public Disclosure: 22 February 2012
Vulnerability Type: Cross Site Scripting (XSS)
CVE Reference(s): CVE-2012-1001
Solution Status: Fixed by Vendor
Risk Level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )…

Post from Bugtraq on localtime

Infosec Island Latest Articles

Anonymous, NSA, Power Grids and False Flags

So… Anonymous Is Going To Attack The Grid Huh?

Ok so Anonymous, or those claiming to be “Anonymous” have put out the word that they plan on attacking the internet’s root DNS servers.

This unqualified threat left on Pastebin somehow has translated in the minds at NSA (Gen. Keith Alexander) that Anonymous will eventually attack the power grid (America’s in this instance) and drop the power for “limited” areas of the country…

Maybe… Someday… BOOGA BOOGA BOOGA! You scared yet?… Cuz this works great at the kids birthday parties. *peers with slit eyes while making magic hands*

Seriously, Anonymous has never officially made a statement (as if they really could given their model of operation) about attacking the power infrastructure at all. Sure, there were some drops of IP addresses in the recent past that they claimed were SCADA systems (they were, but they were really only HVAC systems in various places across the country).

So where is the NSA getting this all from? Surely they are projecting a little bit here huh? Such an imagination on these guys!  Wait… What’s that? There was a movie about something like this? Oh yeah… “Live Free Or Die Hard” THAT’s where they saw this! They think Anonymous is gonna have a big FIRE SALE!

Well, it’s a logical conclusion I guess… That is until you let logic actually cloud your thinking and decide that it would not be in their best interest to do such things as a group.

Damn, there goes the screenplay I was thinking of!

FUD MUCH?

Down to brass tacks here… Dear NSA… Really? How about this, how about instead of worrying about it, you maybe force the PLC makers and their interface third party contractors into actually securing their shit?

Maybe re-design and re-tool everything a bit and re-mediate the issues in the first place so there won’t be this great ability to attack such systems as they sit on the internet?

This whole line of dialog that the Anons are gonna attack the grid is a bit premature and really does a disservice to us all. This is especially the case when you talk to journalists hungry for a cutline that will make the wires buzz and get their byline in big print. This is plainly just FUD of the worst kind, Keith, and you should be ashamed of yourself.

First off, you are gonna tell me that Anonymous or for that matter Antisec is going to be stupid enough to attempt such a thing. This would be a death blow to the group. I mean, if they did this kind of action, then they would be the most hunted of all the problem children online.

Secondly, you are giving them WAAAAAAAAY too much credit in the technical skill department here. Look at the attacks these guys have been pulling off! They have all been quick hits at low-hanging SQLi fruit and you seem to think this implies great skill?

Keith, do you even know how to run a computer? Do you have a working knowledge of hacking? Cuz, I am telling you right here and now, I don’t think you know what you think you know… If you know what I mean.

To date, the hacks that the skiddies have pulled off have been embarrassing and surely a pain in the ass, but they have not been 3l337 as they say in the biz, nor have they really shown any cohesive ability to plan larger and more complex operations at all. In short, and I know you have heard the term I am about to use…

Anonymous is not synonymous with APT. Please do listen to what Bejtlich said in the WSJ piece (finally he and I agree on something.. Shouldn’t the forces of gravity and magnetism stop now and implode?) This is not an issue now and I really doubt that it will be an issue later.

Unless you take into account that Anonymous may in fact not be the ones that do it… They just use the convenience of the name and their poor operational model…

Say, Is That A FALSE FLAG In Your Pocket Or Are You Just Glad To See Me?

So, this brings me to a conversation I had earlier about all of this on Twitter. I spoke of this very thing at DEFCON last summer and I would urge you all to consider what I am saying again.

IF Anonymous does in fact attack the grid, I would put to you that it is not in fact “Anonymous”, whatever that may be, but instead those nation states using the nom de plume of the collective as a cover for their actions against a sovereign nation. This is called a “False Flag” operation and it would be used to attack while having the perfect cover (thanks Anonymous!) for the operation to be pinned on others.

Say China (the usual suspect) wants to test our ability to deflect such an attack and decides maybe to hit a small power grid in podunk Iowa. They could just as easily post a Pastebin saying AH HA! ANONYMOUS IS GONNA HIT THIS FACILITY! and then just do it.

Alternatively, they could claim it after the fact as Anonymous and no matter how much the Anon core would say “WE DIDN’T DO IT” no one would really believe them would they? Especially now that Keith is out of the NSA closet here huh? This is a win/win for the nation states and a lose/lose for the Anon’s really.

I warned you…. So, now the stage is set and we anxiously await the curtain to drop… *pops popcorn*

Satire Aside…

Anyway, I just wanted to re-iterate that once again we have the media running with a story that seems to have legs, and even if you read into it “This won’t happen now, but soon” it still does the trick for the government.

After all, I am sure many out there are now worried that Anonymous is after their power systems. That one day their lights will go off and a large shadow of a Guy Fawkes mask will hang in the air like some plot device from a James Bond film..

Or… wait… Like the capitol blowing up in that last Die Hard film… So, which one of you Anon’s is Thomas Jane? Sabu? Meh.

Look, read this WSJ story as one of two things depending on your bent and jaded nature.

1) NSA is really worried about this and not so much Anonymous but nation states using their name… (this I can get behind)

2) NSA/Keith et al. Are using this as a means to an end to get what they want… They want complicity on the part of the people to enact more laws and oversight on their part of the internet… And by proxy control over all our privacy.

Up to you guys what you think…

Either way though, I would say that Anonymous has let the genie out and they did not account for this… You all could be in some deep shit here.. Let the games begin!

K.

Cross-posted from Krypt3ia

Copyright 2010 Respective Author at Infosec Island

Post from Infosec Island Latest Articles on localtime

Cyber War News

MYSQL, NERO, US Military Exposed as vulnerable by @D35m0nd142

@D35m0nd142 has discovered and rediscovered a few vulnerable sites that carry big names. It’s not the first time, either, that D35m0nd142 has hacked and exploited high-profile sites; we have seen close to 100 over the past few months.


Bugtraq

[ MDVSA-2012:022 ] libpng

Posted by security on Feb 22

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:022
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libpng
Date : February 22, 2012
Affected: 2010.1, 2011, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A…

Post from Bugtraq on localtime

Ubuntu Security Notices

USN-1371-1: cvs vulnerability

Ubuntu Security Notice USN-1371-1

22nd February, 2012

cvs vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 11.10
  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

cvs could be made to crash or run programs as your login if it connected to
a malicious proxy server.

Software description

  • cvs
    – Concurrent Versions System

Details

It was discovered that cvs incorrectly handled certain responses from
proxy servers. If a user were tricked into connecting to a malicious proxy
server, a remote attacker could cause cvs to crash, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10: cvs 2:1.12.13+real-6ubuntu0.1
Ubuntu 11.04: cvs 1:1.12.13-12ubuntu1.11.04.1
Ubuntu 10.10: cvs 1:1.12.13-12ubuntu1.10.10.1
Ubuntu 10.04 LTS: cvs 1:1.12.13-12ubuntu1.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
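The fixed versions in the update instructions are Debian-style package versions, so "does this notice still apply to my host" reduces to a version comparison under Debian ordering, which is what `dpkg --compare-versions` does. The following is an added example, not Ubuntu's or dpkg's own code: a Python reimplementation of that ordering (epoch first, then upstream version, then Debian revision; digit runs compared numerically, non-digit runs character by character with `~` sorting before everything including end-of-string) with the USN-1371-1 fixed versions embedded. The installed version passed in the demo is a constructed, hypothetical pre-update string, not one quoted in the notice.

```python
"""Decide whether an installed cvs package is older than the fixed version
named in USN-1371-1, using Debian's version-ordering rules (the same
ordering `dpkg --compare-versions` applies). Added example, not Ubuntu code."""

# Fixed versions quoted in the USN-1371-1 update instructions.
FIXED_CVS_VERSIONS = {
    "11.10": "2:1.12.13+real-6ubuntu0.1",
    "11.04": "1:1.12.13-12ubuntu1.11.04.1",
    "10.10": "1:1.12.13-12ubuntu1.10.10.1",
    "10.04": "1:1.12.13-12ubuntu1.10.04.1",
}


def _char_order(c):
    """Weight for non-digit characters: '~' sorts before end-of-string
    (weight 0), letters sort by code point, everything else after letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_nondigits(a, b):
    """Compare two non-digit runs; a missing character counts as weight 0."""
    for i in range(max(len(a), len(b))):
        wa = _char_order(a[i]) if i < len(a) else 0
        wb = _char_order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _compare_fragment(a, b):
    """Compare upstream-version or revision strings by alternating non-digit
    runs (with the '~' rule) and digit runs (numerically, so 1.02 == 1.2)."""
    i = j = 0
    while i < len(a) or j < len(b):
        na, nb = "", ""
        while i < len(a) and not a[i].isdigit():
            na += a[i]
            i += 1
        while j < len(b) and not b[j].isdigit():
            nb += b[j]
            j += 1
        r = _compare_nondigits(na, nb)
        if r:
            return r
        da, db = "", ""
        while i < len(a) and a[i].isdigit():
            da += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            db += b[j]
            j += 1
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is whatever follows the *last* hyphen; epoch defaults to 0."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _compare_fragment(ua, ub)
    if r:
        return r
    return _compare_fragment(ra, rb)


def cvs_is_vulnerable(release, installed):
    """True when the installed cvs version is older than the fixed one for the release."""
    return compare_versions(installed, FIXED_CVS_VERSIONS[release]) < 0


if __name__ == "__main__":
    # Constructed, hypothetical pre-update version string (not from the notice).
    print(cvs_is_vulnerable("11.04", "1:1.12.13-12ubuntu1"))
```

The epoch check matters here: the 11.10 fixed version carries epoch 2 and the `+real` upstream suffix, so a naive string or numeric comparison against the epoch-1 versions of the older releases would get the ordering wrong.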

References

CVE-2012-0804

Post from Ubuntu Security Notices on localtime

Infosec Island Latest Articles

US and Netherlands Expand Cybersecurity Coordination

Secretary Napolitano and Dutch Minister of Security and Justice Ivo Opstelten Sign Letter of Intent on Cybersecurity Cooperation

Secretary of Homeland Security Janet Napolitano and Dutch Minister of Security and Justice Ivo Opstelten signed a Letter of Intent to build upon cooperative cybersecurity initiatives to promote a safe, secure and resilient cyber environment.

“The United States is strongly committed to working with international partners to combat threats to security and economic stability. This Letter will help us strengthen collaboration and cooperation in the area of cybersecurity with the Dutch government to better protect the citizens of both nations,” said Secretary Napolitano.

“Cybersecurity has become a priority on the international agenda. In January, the Netherlands opened the National Cybersecurity Center, a partnership between the public, private and academic sectors. Bilateral security cooperation between the Netherlands and the United States is already strong and this Letter of Intent will further enhance our collaboration in cybersecurity,” said Minister Ivo Opstelten.

The Letter of Intent recognizes expanded coordination between the United States and the Netherlands, and outlines several areas to further collaborate on cybersecurity including incident management and response activities, control systems security, and cybersecurity exercises.

During the meeting, Secretary Napolitano and Minister Opstelten also discussed the importance of international security partnerships as well as collaborative efforts to combat terrorism and transnational crime, and ensure a stronger, safer, and more resilient global supply chain.

Secretary Napolitano traveled to the Netherlands last June to meet with her counterparts as part of the Department’s ongoing commitment to securing the global supply chain and international transportation systems.

Source:  http://www.dhs.gov/ynews/releases/20120222-napolitano-opstelten-cybersecurity-cooperation.shtm

Copyright 2010 Respective Author at Infosec Island

Post from Infosec Island Latest Articles on localtime

Bugtraq

Multiple security vulnerabilities in Tremulous 1.1.0, GPP1, and unofficial MG and TJW engines

Posted by Simon McVittie on Feb 22

Background
==========

Tremulous is a team-based FPS game with RTS elements. Its engine and
game logic are based on the GPL source release of the Quake III Arena
engine and game logic by id Software.

The de facto upstream developer of the Quake III engine is now another
fork, ioquake3; in particular, ioquake3 fixes many security
vulnerabilities present in the original Quake III Arena source release.
Unlike (for instance) OpenArena or Urban…

Post from Bugtraq on localtime

Naked Security – Sophos

YouPorn passwords available for download, thousands of users exposed

Want a free password for one of the world’s most popular adult websites?

YouPorn, one of the world’s most popular porn video websites appears to have been caught with its pants down.


The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

Syrian Malware and Darkcomet RAT : They can’t blame the Developers


Two days ago we reported on the Syrian malware, programs used to target the Syrian opposition. According to the report, they steal the identities of opposition activists, then impersonate them in online chats, gain the trust of other users, pass out Trojan horse viruses and encourage people to open them.

Post from Team : Evilhackerz (noreply@blogger.com) on localtime

Bugtraq

[SECURITY] [DSA 2415-1] libmodplug security update

Posted by Nico Golde on Feb 22

————————————————————————-
Debian Security Advisory DSA-2415-1 security () debian org
http://www.debian.org/security/ Nico Golde
February 21, 2012 http://www.debian.org/security/faq
————————————————————————-

Package : libmodplug
Vulnerability : several
Problem type : local…

Post from Bugtraq on localtime

[SECURITY] [DSA 2414-1] fex security update

Posted by Nico Golde on Feb 22

————————————————————————-
Debian Security Advisory DSA-2413-1 security () debian org
http://www.debian.org/security/ Nico Golde
February 21, 2012 http://www.debian.org/security/faq
————————————————————————-

Package : fex
Vulnerability : insufficient input sanitization…

Post from Bugtraq on localtime

The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

Dropper Malware comes with DLL Hijacking Feature

Trojans, viruses and worms have become the scare of the year, and with good reason. Many of the recent files are malicious in nature, causing the infected user, at the very worst, to lose everything on their computer. There are a few specially coded malware samples that are not only developed to ensure that they cause maximum damage and steal all the sensitive

Post from Team : Evilhackerz (noreply@blogger.com) on localtime

SANS Internet Storm Center, InfoCON: green

Apache 2.4 Features, (Wed, Feb 22nd)

The Apache Foundation released version 2.4.1 of its popular web server, including a number of interesting changes [1]. Among the features, I would like to highlight some of the security relevant changes:
- more granular logging. Logging is always a tedious and often overlooked security component. Apache 2.4 will allow for log levels to be configured on a per-directory level.
- various changes to timeouts. We had a number of tools over the last few years that attacked web servers by exhausting connections. The new timeout changes may help with that, but over all, I don’t think there is a simple fix for this problem.
- changes to the proxy configuration. Some use Apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache’s implementation of these features have caused problems.
- Apache now includes a mod_session that will have Apache take care of sessions. This includes support for encrypted sessions, and support for session based authentication. Really have to see how this will all work in more detail. It appears that headers will be used to add data to sessions. This could be a new opportunity to exploit http response splitting. Note that the session information may be stored on the client, not just the server. Unencrypted sessions on the client could pose interesting security issues.
- mod_ssl has been improved to allow it to check for invalid client certificates via OCSP.
Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.
[1] http://httpd.apache.org/docs/2.4/new_features_2_4.html
——

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Post from SANS Internet Storm Center, InfoCON: green on localtime

F-Secure Antivirus Research Weblog

Digital Activists are Building an Uncensorable Network

Scientific American’s March issue has an intriguing article which explores the efforts of digital activists to circumvent corporate and governmental control over the Internet. The aim of the moment is to configure and build a decentralized mesh network that cannot be blocked, filtered or turned off.

Egypt’s Internet shutdown during last year’s Arab Spring played a significant inspirational role.

Scientific American, March 2012, The Shadow Web
Image: Scientific American Magazine

With a “shadow” network configured, activists would remain able to communicate, even after central hubs have gone dark.


Here’s the online version of the article: The Shadow Web

And here are some supplemental links from the print edition:

  •  FreedomBox Foundation
  •  FunkFeuer
  •  Mesh Networks Research Group

Another fascinating addition to all of this is Scientific American’s Science Talk podcast: The Coming Entanglement [MP3].

In the podcast, SA editor Fred Guterl talks with Bill Joy and Danny Hillis about the need to build an alternative, hardier network due to the ever increasing complexity of our current Internet (which makes it ever more prone to unexplained failures).

Joy and Hillis envision a simpler, more robust network as a way to shelter some of our critical infrastructure from entanglements.

On 22/02/12 At 01:43 PM

Post from F-Secure Antivirus Research Team (mailto:weblog\@PLEASE-REMOVE-THIS.f-secure.com) on localtime

The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

MegaUpload founder Kim Dotcom released on bail


Kim Dotcom, the millionaire founder of the file-sharing website Megaupload, was released on bail Wednesday after a judge said he didn’t appear to have enough money to flee. Authorities in the U.S. allege that Dotcom facilitated millions of illegal downloads through his company, and he is subject to online piracy charges.
Last

Post from Team : Evilhackerz (noreply@blogger.com) on localtime

Mobile malware on the rise, McAfee Q4 Threats Report

The number of new malware releases slowed during the final three months of 2011, but was higher than expected for the year. Computer and mobile security firm McAfee has warned that “no organisation, platform or device” is immune from malware attacks as it released its Q4 2011 Threats Report.
Mobile malware hit more than 400 unique samples in Q4, up

The post comes from Team : Evilhackerz (noreply@blogger.com) on localtime

Los Angeles Police Canine Association hit by Hackers


The official website of the Los Angeles County Police Canine Association (http://www.lacpca.com) was hacked by the CabinCr3w group of hackers.
Hackers leaked a large amount of data from the site in a Pastebin note titled “PedoCop & Police Emails”. This data includes officers’ names, addresses, and phone numbers of hundreds of officers and

The post comes from Team : Evilhackerz (noreply@blogger.com) on localtime

Naked Security – Sophos

IMP or CCDP? Who cares, it’s still storing your data

The Communications Capabilities Development Programme is the British government’s attempt at rehashing the opposing Labour party’s failed surveillance reforms.

The Interception Modernisation Programme was the subject of much criticism; does this new programme look any better?

The post comes from the feed above on localtime

Exploit-DB updates

[dos] – Unity 3D Web Player <= 3.2.0.61061 Denial of Service

The post comes from the feed above on localtime

Commtouch Café

Infographic: Compromised Websites – An Owner’s Perspective

The post comes from the feed above on localtime

Exploit-DB updates

[webapps] – D-Link DSL-2640B Authentication Bypass

The post comes from the feed above on localtime

[webapps] – WebcamXP and Webcam 7 Directory Traversal Vulnerability

The post comes from the feed above on localtime

[webapps] – Dlink DCS series CSRF Change Admin Password

The post comes from the feed above on localtime

[webapps] – Limesurvey (PHPSurveyor v.1.91+ stable) Blind SQL Injection

The post comes from the feed above on localtime

[dos] – DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC

The post comes from the feed above on localtime

Naked Security – Sophos

IRS releases its top ‘Dirty Dozen’ tax scams

Ushering in tax season, the U.S. Internal Revenue Service (IRS) has released its annual “Dirty Dozen” tax scams for 2012.

The post comes from the feed above on localtime

The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

Apache 2.4 Comes Out, Major update after 6 years

The Apache Software Foundation officially released Apache 2.4 today as the first major update to this leading open-source web server in more than half a decade. Apache 2.4 is slated to deliver superior performance to its 2.2 predecessor and better compete with the increasingly popular NGINX web server. It is the first major release of Apache in

The post comes from Team : Evilhackerz (noreply@blogger.com) on localtime

Exploit-DB updates

[webapps] – BRIM < 2.0.0 SQL Injection

The post comes from the feed above on localtime

[webapps] – ForkCMS 3.2.5 Multiple Vulnerabilities

The post comes from the feed above on localtime

Naked Security – Sophos

Beware Changelog spammed-out malware attack

Internet users are receiving emails claiming to contain a changelog – but the files attached are really designed to infect computers.

The post comes from the feed above on localtime

Exploit-DB updates

[webapps] – Sagem F@ST 2604 CSRF Vulnerability (ADSL Router)

The post comes from the feed above on localtime

The Hacker News [ THN ] – Providing Information & Updates to Security Experts and Hackers

India demands Real time monitoring on Indian Gmail & Yahoo Emails

Looks like the Government of India is really after digital communication in India. Internet content providers Yahoo, Gmail and others would be asked to route all emails accessed in India through the country, even if the mail account is registered outside the country. In a written statement filed in a civil court here, Yahoo India

The post comes from Team : Evilhackerz (noreply@blogger.com) on localtime

Naked Security – Sophos

Alleged fraudster has until next week to decrypt her hard drive for prosecutors

Prosecutors are keen to discover what is on the encrypted laptop of Ramona Fricosu, a Colorado woman accused of committing financial fraud.

The case has raised interesting questions of whether you can be forced by law to hand over your password, or decrypt your computer.

The post comes from the feed above on localtime

Cyber War News

CBI, Central Bureau Of Investigations India taken offline by Bangladeshi Cyber Army

BCA, Bangladeshi Cyber Army, a self-proclaimed largest hacking group in Bangladesh, has taken the CBI offline, and as a result the site has been down for some time now due to the attack.

The post comes from the feed above on localtime