Tag Archives: 199

[ISN] A looming anniversary, and a special offer

www.cerias.purdue.edu/site/blog/post/a_looming_anniversary_and_a_special_offer/

[This was posted on Twitter Thursday by Gene Spafford – @TheRealSpaf and I figured I should share this with the list. Please check out the above link for complete details, history, and the special offer! – WK]

Sunday, December 06, 2015 by spaf

It may seem odd to consider June 2016 as January approaches, but I try to think ahead. And June 2016 is a milestone anniversary of sorts. So, I will start with some history, and then an offer to get something special and make a charitable donation at the same time.

In June of 1991, the first edition of Practical Unix Security was published by O’Reilly. That means that June 2016 is the 25th anniversary of the publication of the book. How time flies! Read the history and think of participating in the special offer to help us celebrate the 25th anniversary of something significant!

History

In summer of 1990, Dan Farmer wrote the COPS scanner under my supervision. That toolset embodied a fair amount of domain expertise in Unix that I had accumulated in prior years, augmented with items that Dan found in his research. It generated a fair amount of “buzz” because it exposed issues that many people didn’t know and/or understand about Unix security. With the growth of Unix deployment (BSD, AT&T, Sun Microsystems, Sequent, Pyramid, HP, DEC, et al) there were many sites adopting Unix for the first time, and therefore many people without the requisite sysadmin and security skills. I thus started getting a great deal of encouragement to write a book on the topic.

I consulted with some peers and investigated the deals offered by various publishers, and settled on O’Reilly Books as my first contact. I was using their Nutshell handbooks and liked those books a great deal: I appreciated their approach to getting good information in the hands of readers at a reasonable price. Tim O’Reilly is now known for his progressive views on publishing and pricing, but was still a niche publisher back then.

[…]

Special Offer

If you have someone (maybe yourself) who you’d like to provide with a special gift, here’s an offer of one that includes a donation to two worthwhile non-profit organizations. (This is in the spirit of my recent bow tie auction for charity.) You can make a difference as well as get something special!

Over the years, Simson, Alan, and I have often been asked to autograph copies of the book. We know there is some continuing interest in this (I was asked again, last week). Furthermore, the 25th anniversary seems like a milestone worth noting with something special. Therefore, we are making this offer.

For a contribution where everything after expenses will go to two worthwhile, non-profit organizations, you will get (at least) an autographed copy of an edition of Practical Unix & Internet Security!! Depending on the amount you include, I may throw in some extras.

[…]

[ISN] Breaking 512-bit RSA with Amazon EC2 is a cinch. So why all the weak keys?

arstechnica.com/security/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/

By Dan Goodin
Ars Technica
Oct 20, 2015

The cost and time required to break 512-bit RSA encryption keys has plummeted to an all-time low of just $75 and four hours using a recently published recipe that even computing novices can follow. But despite the ease and low cost, reliance on the weak keys to secure e-mails, secure-shell transactions, and other sensitive communications remains alarmingly high.

The technique, which uses Amazon’s EC2 cloud computing service, is described in a paper published last week titled Factoring as a Service. It’s the latest in a 16-year progression of attacks that have grown ever faster and cheaper. When 512-bit RSA keys were first factored in 1999, it took a supercomputer and hundreds of other computers seven months to carry out. Thanks to the edicts of Moore’s Law—which holds that computing power doubles every 18 months or so—the factorization attack required just seven hours and $100 in March, when “FREAK,” a then newly disclosed attack on HTTPS-protected websites with 512-bit keys, came to light.

In the seven months since FREAK’s debut, websites have largely jettisoned the 1990s era cipher suite that made them susceptible to the factorization attack. And that was a good thing since the factorization attack made it easy to obtain the secret key needed to cryptographically impersonate the webserver or to decipher encrypted traffic passing between the server and end users.

But e-mail servers, by contrast, remain woefully less protected. According to the authors of last week’s paper, the RSA_EXPORT cipher suite is used by an estimated 30.8 percent of e-mail services using the SMTP protocol, 13 percent of POP3S servers, and 12.6 percent of IMAP-based e-mail services.

[…]


[ISN] Seeing stars, again: Naval Academy reinstates celestial navigation

www.capitalgazette.com/news/naval_academy/ph-ac-cn-celestial-navigation-1014-20151009-story.html

By Tim Prudente
capitalgazette.com
October 12, 2015

The same techniques guided ancient Polynesians in the open Pacific and led Sir Ernest Shackleton to remote Antarctica, then oriented astronauts when the Apollo 12 was disabled by lightning, the techniques of celestial navigation.

A glimmer of the old lore has returned to the Naval Academy.

Officials reinstated brief lessons in celestial navigation this year, nearly two decades after the full class was determined outdated and cut from the curriculum. That decision, in the late 1990s, made national news and caused a stir among the old guard of navigators.

Maritime nostalgia, however, isn’t behind the return. Rather, it’s the escalating threat of cyber attacks that has led the Navy to dust off its tools to measure the angles of stars. After all, you can’t hack a sextant.

[…]


[ISN] China Allegedly Hacked Top Former FBI Lawyer

http://www.newsweek.com/china-hackers-fbi-marion-bowman-367451

By Jeff Stein
Newsweek.com
8/31/15

Marion “Spike” Bowman, a top former FBI lawyer and U.S. counterintelligence official who heads an influential organization of retired American spies, says a hacker from China penetrated his home computer, beginning with an innocent-looking email last spring.

“It was an email supposedly from a woman in China, and I exchanged correspondence with her a couple of times,” says Bowman, who was deputy general counsel to three FBI directors between 1995 and 2006. “She sent me a document that a friend of hers had supposedly written, in English, and wanted my opinion on it,” he tells Newsweek. She also sent him her picture.

“I never got around to replying, so I never heard from her again,” says Bowman, who went on to become deputy director of the National Counterintelligence Executive, which is tasked with developing policies to thwart foreign spies and terrorists.

But then, a week ago, he says, he got another message from China via his email account at George Washington University, where he has lectured on national security law since 2003.

[…]


[ISN] A disaster foretold — and ignored

http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/

By Craig Timberg
The Washington Post
June 22, 2015

The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world.

Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it.

“If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.

The senators — a bipartisan group including John Glenn, Joseph I. Lieberman and Fred D. Thompson — nodded gravely, making clear that they understood the gravity of the situation.

“We’re going to have to do something about it,” Thompson said.

[…]


[ISN] GCHQ spies given immunity from anti-hacking laws

http://www.telegraph.co.uk/technology/internet-security/11612659/GCHQ-spies-given-immunity-from-anti-hacking-laws.html

By Sophie Curtis
The Telegraph
18 May 2015

The government has quietly rewritten a key clause of the Computer Misuse Act, giving GCHQ staff, intelligence officers and police immunity from prosecution for hacking into computers and mobile phones.

The Computer Misuse Act, which came into effect in 1990, states that gaining unauthorised access to computer material is a criminal offence, punishable by up to 12 months’ imprisonment and a fine.

Until recently, any violation of this Act was required to be by Article 8 of the European Convention on Human Rights, which provides a right to respect for one’s “private and family life, his home and his correspondence”, subject to certain restrictions that are “in accordance with law”.

In May 2014, campaign group Privacy International, along with seven internet and communications service providers, filed complaints with the Investigatory Powers Tribunal, challenging GCHQ’s hacking activities (exposed by NSA whistleblower Edward Snowden in 2013).

[…]


[ISN] Update: Credit card terminals have used same password since 1990s

http://www.computerworld.com/article/2913808/malware-vulnerabilities/credit-card-terminals-have-used-same-password-since-1990s.html

By Martyn Williams
IDG News Service
April 23, 2015

While retailers battle breaches that have resulted in tens of millions of credit card numbers stolen, word comes from the RSA Conference in San Francisco that a major vendor of payment terminals has been shipping devices for over two decades with the same default password.

The vendor wasn’t named by the researchers, David Byrne and Charles Henderson, but they did disclose the password: 166816. A Google search reveals that’s the default password for several models of credit card terminal sold by Verifone, a Silicon Valley-based vendor that says it connects 27 million payment devices and has operations in 150 countries.

In a statement on Thursday, Verifone acknowledged that all its devices in the field came with the same default password, which the company said was Z66831. Over the years, the password has become known and can be found on the Internet along with instructions for programming terminals, Verifone said.

[…]


[ISN] China Reveals Its Cyberwar Secrets

http://www.thedailybeast.com/articles/2015/03/18/china-reveals-its-cyber-war-secrets.html

By Shane Harris
The Daily Beast
March 18, 2015

A high-level Chinese military organization has for the first time formally acknowledged that the country’s military and its intelligence community have specialized units for waging war on computer networks.

China’s hacking exploits, particularly those aimed at stealing trade secrets from U.S. companies, have been well known for years, and a source of constant tension between Washington and Beijing. But Chinese officials have routinely dismissed allegations that they spy on American corporations or have the ability to damage critical infrastructure, such as electrical power grids and gas pipelines, via cyber attacks.

Now it appears that China has dropped the charade. “This is the first time we’ve seen an explicit acknowledgement of the existence of China’s secretive cyber-warfare forces from the Chinese side,” says Joe McReynolds, who researches the country’s network warfare strategy, doctrine, and capabilities at the Center for Intelligence Research and Analysis.

McReynolds told The Daily Beast the acknowledgement of China’s cyber operations is contained in the latest edition of an influential publication, The Science of Military Strategy, which is put out by the top research institute of the People’s Liberation Army and is closely read by Western analysts and the U.S. intelligence community. The document is produced “once in a generation,” McReynolds said, and is widely seen as one of the best windows into Chinese strategy. The Pentagon cited the previous edition (PDF), published in 1999, for its authoritative description of China’s “comprehensive view of warfare,” which includes operations in cyberspace.

[…]
