Tag Archives: analysis

My latest Gartner research: Predicts 2017: Security Solutions

…into access control policies, up from 1% in 2016. Analysis by: Lawrence Pingree Key Findings: Although firewalls continue to augment overall security with…

Gartner Subscribers can access this research by clicking here.

[ISN] CarolinaCon-12 – March 2016 – FINAL ANNOUNCEMENT

Forwarded from: Vic Vandal

CarolinaCon-12 will be held on March 4th-6th, 2016 in Raleigh NC. For the cheap price of $40 YOU could get a full weekend of talks, hacks, contests, and parties. Regarding the price increase to $40, it was forced due to ever-rising venue costs. But we promise to provide more value via: great talks, great side events, kickass new attendee badges, cool giveaways, etc.

We’ve selected as many presentations as we can fit into the lineup. Here they are, in no particular order:

– Mo Money Mo Problems: The Cashout – Benjamin Brown
– Breaking Android apps for fun and profit – Bill Sempf
– Gettin’ Vishy with it – Owen / Snide- @LinuxBlog
– Buffer Overflows for x86, x86_64 and ARM – John F. Davis (Math 400)
– Surprise! Everything can kill you. – fort
– Advanced Reconnaissance Framework – Solray
– Introducing PS>Attack, a portable PowerShell attack toolkit – Jared Haight
– Reverse Engineer iOS apps because reasons – twinlol
– FLOSS every day – automatically extracting obfuscated strings from malware – Moritz Raabe and William Ballenthin
– John the Ripper sits in the next cubicle: Cracking passwords in a Corporate environment – Steve Passino
– Dynamic Analysis with Windows Performance Toolkit – DeBuG (John deGruyter)
– Deploying a Shadow Threat Intel Capability: Understanding YOUR Adversaries without Expensive Security Tools – grecs
– AR Hacking: How to turn One Gun Into Five Guns – Deviant Ollam
– Reporting for Hackers – Jon Molesa @th3mojo
– Never Go Full Spectrum – Cyber Randy
– I Am The Liquor – Jim Lahey

CarolinaCon-12 Contests/Challenges/Events:

– Capture The Flag
– Crypto Challenge
– Lockpicking Village
– Hardware Hack-Shop
– Hacker Trivia
– Unofficial CC Shootout

LODGING: If you’re traveling and wish to stay at the Con hotel here is the direct link to the CarolinaCon discount group rate: www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20160303/index.jhtml

NOTE: The website defaults to March 3rd-6th instead of March 4th-6th and the group rate is no longer available on March 3rd. So make sure that you change the reservation dates to get the group rate.

ATTENTION: The discount group rate on Hilton hotel rooms expires THIS weekend on JANUARY 31st 2016, so act quickly if you plan on staying at the hotel for all of the weekend fun and you want the group rate.

CarolinaCon formal proceedings/talks will run:

– 7pm to 11pm on Friday
– 10am to 9pm on Saturday
– 10am to 4pm on Sunday

For presentation abstracts, speaker bios, the final schedule, side event information, and all the other exciting details (as they develop and as our webmaster gets to them) stay tuned to: www.carolinacon.org

ADVERTISERS / VENDORS / SPONSORS: There are no advertisers, vendors, or sponsors allowed at CarolinaCon….ever. Please don’t waste your time or ours in asking.

CarolinaCon has been Rated “M” for Mature.

Peace,
Vic

[ISN] Broad use of cloud services leaves enterprise data vulnerable to theft, report says

www.networkworld.com/article/3025944/security/broad-use-of-cloud-services-leave-enterprise-data-vulnerable-to-theft-report-says.html By Patrick Nelson Network World Jan 25, 2016 Data theft is a very real and growing threat for companies that increasingly use cloud services, says a security firm. Workers who widely share documents stored in the cloud with clients, independent contractors, or even others within the company are creating a Swiss-cheese of security holes, a study by Blue Coat Systems has found. In some cases, cloud documents were publicly discoverable through Google searches, the researchers say of their analysis. ‘Broadly shared’ The study found that 26% of documents stored in cloud apps are shared so widely that they pose a security risk. Compounding the issue is that many organizations aren’t even aware of it. […]

[ISN] 8 out of 10 mobile health apps open to HIPAA violations, hacking, data theft

www.healthcareitnews.com/news/8-out-10-mobile-health-apps-open-hipaa-violations-hacking-data-theft By Bill Siwicki Healthcare IT News January 13, 2016 A new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project top 10 risks. Most health apps are susceptible to code tampering and reverse-engineering, two of the most common hacking techniques, the report found. Ninety-five percent of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues. The new research from Arxan, which this year placed special emphasis on mobile health apps, was based on analysis of 126 popular health and finance apps from the United States, United Kingdom, Germany and Japan. There is a disparity between consumer confidence and the attention given to security by app developers, the study found. While the majority of app users and app executives said they believe their apps are secure, nearly all apps Arxan assessed proved to be vulnerable […]

[ISN] Russian Satellite Maneuvers, Silence Worry Intelsat

spacenews.com/russian-satellite-maneuvers-silence-worry-intelsat/ By Mike Gruss Spacenews.com October 9, 2015 WASHINGTON – A mysterious Russian military satellite parked itself between two Intelsat satellites in geosynchronous orbit for five months this year, alarming company executives and leading to classified meetings among U.S. government officials. The Russian satellite, alternatively known as Luch or Olymp, launched in September 2014 and seven months later moved to a position directly between the Intelsat 7 and Intelsat 901 satellites, which are located within half a degree of one another 36,000 kilometers above the equator. At times, the Russian satellite maneuvered to about 10 kilometers of the Intelsat space vehicles, sources said, a distance so close that company leaders believed their satellites could be at risk. The satellite’s movements were highlighted by Brian Weeden, technical adviser at the Secure World Foundation, in an Oct. 5 analysis of Russian rendezvous and proximity operations for SpaceNews’ sister publication, the Space Review. “This is not normal behavior and we’re concerned,” Kay Sears, president of Intelsat General, the government services arm of Intelsat, said in an Oct. 8 interview with SpaceNews. “We absolutely need responsible operators. Space is a domain that has to be protected.” […]

[ISN] Analysis: China-US hacking accord is tall on rhetoric, short on substance

http://arstechnica.com/tech-policy/2015/09/analysis-china-us-hacking-accord-is-tall-on-rhetoric-short-on-substance/ By David Kravets Ars Technica Sep 27, 2015 It’s always a good thing when governments, especially superpowers, strike agreements toward the goal of peace and prosperity. The accord President Barack Obama and Chinese President Xi Jinping announced Friday—a “common understanding” to curb state-sponsored, corporate cyber espionage toward one another—inches us toward that goal if we assume both sides would uphold their end of the bargain. “We’ve agreed that neither the US nor the Chinese government will conduct or knowingly support cyber theft of intellectual property, including trade secrets or other confidential business information for commercial advantage,” Obama said during a press conference with the Chinese leader at his side. Obama added that economic cyber-espionage “has to stop.” For his part, the Chinese leader said, “Both governments will not engage in or support online theft of intellectual property.” It’s a momentous first step at a historical stage in which the battlefield is evolving online—from the real world to the virtual world. And it comes as both sides are engaged in finger pointing on the topic and accusing the other of cyber transgressions. […]

[ISN] Russian-speaking hackers breach 97 websites, many of them dating ones

http://www.networkworld.com/article/2977448/russian-speaking-hackers-breach-97-websites-many-of-them-dating-ones.html By Jeremy Kirk IDG News Service Aug 30, 2015 Russian-speaking hackers have breached 97 websites, mostly dating-related, and stolen login credentials, putting hundreds of thousands of users at risk. Many of the websites are niche dating ones similar to Ashley Madison, according to a list compiled by Hold Security, a Wisconsin-based company that specializes in analyzing data breaches. A few are job-related sites. Batches of stolen information were found on a server by the company’s analysts, said Alex Holden, Hold Security’s founder and CTO. The server, for some reason, was not password protected, allowing analysis of its contents, he said. None of the dating sites are nearly as prominent as Ashley Madison, which saw sensitive company information, emails, internal documents and details of 30 million registered users released in a devastating data breach. Holden said this Russian-speaking group is not related to Impact Team, which claimed credit for the intrusion into Ashley Madison. […]

[ISN] Oracle, still clueless about security

http://www.computerworld.com/article/2975780/security/oracle-still-clueless-about-security.html By Steven J. Vaughan-Nichols Computerworld Aug 25, 2015 Oracle’s chief security officer, Mary Ann Davidson, recently ticked off almost everyone in the security business. She proclaimed that you had to do security “expertise in-house because security is a core element of software development and you cannot outsource it.” She continued, “Whom do you think is more trustworthy? Who has a greater incentive to do the job right — someone who builds something, or someone who builds FUD around what others build?” Oh. Wait. That’s what Davidson said in 2011! What she said in 2015 was that security reports based on reverse-engineering Oracle code and then applying static or dynamic analysis to it do not lead to “proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD.” Davidson’s blog post is one long rant that boils down to, “How dare people analyze Oracle code?” “I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’” Because God forbid someone should find a security hole! Oracle backed away from Davidson’s position in less than 24 hours. “We removed the post as it does not reflect our beliefs or our relationship with our customers,” wrote Edward Screven, Oracle executive vice president and chief corporate architect. […]