Tag Archives: audit

[ISN] Call for Papers – YSTS X – Information Security Conference, Brazil

Forwarded from: Luiz Eduardo Hello ISN readers and sorry for the possible cross-postings you might see, on behalf of the conference’s organization team I would like to let you know that YSTS X’s CFP is currently opened. Call for Papers – YSTS X – Information Security Conference, Brazil YSTS 10th Edition Where: Sao Paulo, Brazil When: June 13th, 2016 Call for Papers Opens: December 13th, 2015 Call for Papers Close: March 1st, 2016 www.ysts.org @ystscon INTRODUCTION This is the celebratory 10th edition of the well-known information security conference “you Sh0t the Sheriff” and we are sending this CFP out so you share with us the coolest stuff you’ve been working on. The conference will be happening on June, 13th in a secret location within the city of Sao Paulo, Brazil. This is a great opportunity for you to speak about the latest research you have been working on to the most influential crowd in the Brazilian Information Security realm. ABOUT THE CONFERENCE you Sh0t the Sheriff is a very unique, one-day, event dedicated to bringing cutting edge talks to the top-notch professionals of the Braziiian Information Security Community. The conference’s main goal is to bring the attendees to the current state of the information security world by bringing the most relevant topics from different Infosec segments of the market and providing an environment that is ideal for both networking and idea sharing. YSTS is a an exclusive, mostly invite-only security con. Getting a talk accepted, will, not only get you to the event, but after you successfully present your talk, you will receive a challenge-coin that guarantees your entry to YSTS for as long as the conference exists. Due to the great success of the previous years’ editions, yes, we’re keeping the good old usual format: * YSTS 10 will be held at an almost secret location only announced to whom it may concern a couple of weeks before the con * the venue will be, most likely, a very cool club or a bar (seriously, look at the pictures) * appropriate environment to network with great security folks from Brazil and abroad * since it is a one-day con with tons of talks and activities, we make sure we fill everyone with coffee, food and booze CONFERENCE FORMAT Anything Information Security related is interesting for the conference, which will help us create a cool and diverse line-up. We strictly *do not* accept commercial/ product-related pitches. Keep in mind though, this is a one-day conference, we receive a lot of submissions, so your unique research with cool demos and any other possible twist you can throw in to keep the audience engaged will surely stand out to the other papers. Just in case you need some ideas, some of the topics in security that could be interesting to us: * Mobile Devices & BY0D – Bring your 0wn3d Device * Real Social Networking Threats * Embedded Systems * Everything in Offensive Security * “the” Cloud * Inside Jobs Detection/ Techniques * Big Data * Small Data * Tiny Data (the type that breaks big things) * Internet of all the things you can break * Career & Management topics * (cool and useful) Information Security Policies * Privacy in the Digital World * Messing with Network Protocols * RF Stuff * Mobile Payments * Authentication * Incident Response Stories and Policies * Information Warfare * Malware/ Botnets * DDoS Evolution or Stories (or solution, if you have one) * Secure Programming * Hacker Culture * Application Security * Virtualization * DataBase Security * Cryptography * System Weaknesses * Infrastructure and Critical Systems * Reverse Engineering * Social Reverse Engineering * Reversing Social Engineering * Caipirinha and Feijoada Hacks * and everything else information security related that our attendees would enjoy, the coolest/ different/ most creative submissions win, keep that in mind! We do like shorter talks, so please submit your talks and remember they must be 30 minutes long. (yes, we do strictly enforce that) We are also opened to some 15-minute talks, some of the smart people around might not need 30 minutes to deliver a message, or it might be a project that has been just kicked-off. 15 minutes might be your thing and that’s nothing to be ashamed about. you Sh0t the Sheriff is the perfect conference to release your new projects, other people have released very cool research before they presented it at the bigger cons later in the year. We also like that, a lot. And yes, we do prefer new hot-topics. “First-time” speakers are more than welcome. If you’ve got good content to present, that’s all that matters. SPEAKER PRIVILEGES (and yeah, that applies only to the 30 minute-long talks) * USD 1,000.00 to help covering travel expenses for international speakers * or R$ 1,200.00 to help covering travel expenses for Brazilian speakers who live outside of Sao Paulo * Breakfast, lunch and dinner during conference * Pre-and-post-conference official party (and the unofficial ones as well) * Auditing products in traditional Brazilian barbecue restaurants * Life-time free admission for all future YSTS conferences CFP IMPORTANT INFO (aka: RTFM) Each paper submission must include the following information * in text format only * * Abstract/ Presentation Title * Your Name, company/title, address, email and phone/contact number * Short biography * Summary or abstract for your presentation * Other publications or conferences where this material has been or will be published/submitted. * Speaking experience * Do you need or have a visa to come to Brasil? * is it a 30 minute or a 15 minute talk? * Technical requirements (others than LCD Projector) VERY IMPORTANT DATES Conference Date: June 13th, 2016 Final CFP Submission – March 1st, 2016 Final Notification of Acceptance – April 1st, 2016 Final Material Submission for accepted presentations – May 1st, 2016 (we might ask you to remotely present your talk to us at this date) All submissions must be sent via email, in text format only to: cfp/at/ysts.org IMPORTANT CONTACT INFORMATION Paper Submissions: cfp/at/ysts.org General Inquiries: b0ard/at/ysts.org Sponsorship Inquiries: sponsors/at/ysts.org OTHER STUFF Conference website www.ysts.org Video clips http://youtu.be/6ZblAdYZUGU http://youtu.be/ah-dLkwiK0Y tinyurl.com/ystsendorsements Some Pix tinyurl.com/ysts9pix tinyurl.com/ysts8pix tinyurl.com/ysts7pix1 tinnyurl.com/ysts5pix1 tinyurl.com/yoush0tthesheriff6 twitter @ystscon official twitter hashtag #ystscon We hope to see you there! Luiz Eduardo & Nelson Murilo & Willian Caprino




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] DNC: Sanders campaign improperly accessed Clinton voter data

www.washingtonpost.com/politics/dnc-sanders-campaign-improperly-accessed-clinton-voter-data/2015/12/17/a2e2e14e-a522-11e5-b53d-972e2751f433_story.html By Rosalind S. Helderman, Anne Gearan and John Wagner The Washington Post December 17, 2015 Officials with the Democratic National Committee have accused the presidential campaign of Sen. Bernie Sanders of improperly accessing confidential voter information gathered by the rival campaign of Hillary Clinton, according to several party officials. Jeff Weaver, the Vermont senator’s campaign manager, acknowledged that a low-level staffer had viewed the information but blamed a software vendor hired by the DNC for a glitch that allowed access. Weaver said one Sanders staffer was fired over the incident. The discovery sparked alarm at the DNC, which promptly shut off the Sanders campaign’s access to the strategically crucial list of likely Democratic voters. The DNC maintains the master list and rents it to national and state campaigns, which then add their own, proprietary information gathered by field workers and volunteers. Firewalls are supposed to prevent campaigns from viewing data gathered by their rivals. NGP VAN, the vendor that handles the master file, said the incident occurred Wednesday while a patch was being applied to the software. The process briefly opened a window into proprietary information from other campaigns, said the company’s chief, Stu Trevelyan. He said a full audit will be conducted. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Being homeless a struggle — even with a $100,000 job offer

www.seattletimes.com/seattle-news/being-homeless-a-struggle-even-with-a-100000-job-offer/ By Danny Westneat The Seattle Times December 6, 2015 When I first meet James Simmons, he’s at the state welfare office trying to get some more food stamps. He survives on those, along with some free meals he gets at the homeless shelter, where he lives. It’s a jarring background to what I’m there to talk to him about. Which is that he just got offered a six-figure job as a security-systems analyst. “The job only exists in there,” he says, pointing at a beat-up laptop computer. “What exists in there doesn’t help me eat.” Simmons, 55, lives at the Compass Center’s night shelter near Seattle Center, beneath a church parking garage. He’s got a bunk in a room with 60 other men. He’s been homeless, off and on, for the past seven years. Yet on his laptop he shows me the interviews and job leads he’s had only in the past week. IBM. Wells Fargo. Frontier Airlines. T-Mobile. Experian. Daimler Chrysler. All interested in tapping his decades of experience as a certified information systems auditor, which he describes as “basically a cyber-cop.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Secret DHS Audit Could Prove Governmentwide Hacker Surveillance Isn’t Really Governmentwide

www.nextgov.com/cybersecurity/2015/11/secret-dhs-audit-could-prove-governmentwide-network-surveillance-isnt-really-governmentwide/124018/ By Aliya Sternstein Nextgov.com November 25, 2015 A secret federal audit substantiates a Senate committee’s concerns about underuse of a governmentwide cyberthreat surveillance tool, the panel’s chairman says. The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following a hack of 21.5 million records on national security employees and their relatives. The scanning tool failed to block the attack, on an Office of Personnel network, because it can only detect malicious activity that people have seen before. At OPM, the attackers, believed to be well-resourced Chinese cyber sleuths, used malware that security researchers and U.S. spies had never witnessed. Still, EINSTEIN came in handy, according to U.S. officials, after the OPM malware was identified through other monitoring tools. The Department of Homeland Security loaded EINSTEIN with the “indicators” of the attack pattern so it could scan for matching footprints on other government networks. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Secret DHS Audit Could Prove Governmentwide Hacker Surveillance Isn’t Really Governmentwide

www.nextgov.com/cybersecurity/2015/11/secret-dhs-audit-could-prove-governmentwide-network-surveillance-isnt-really-governmentwide/124018/ By Aliya Sternstein Nextgov.com November 25, 2015 A secret federal audit substantiates a Senate committee’s concerns about underuse of a governmentwide cyberthreat surveillance tool, the panel’s chairman says. The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following a hack of 21.5 million records on national security employees and their relatives. The scanning tool failed to block the attack, on an Office of Personnel network, because it can only detect malicious activity that people have seen before. At OPM, the attackers, believed to be well-resourced Chinese cyber sleuths, used malware that security researchers and U.S. spies had never witnessed. Still, EINSTEIN came in handy, according to U.S. officials, after the OPM malware was identified through other monitoring tools. The Department of Homeland Security loaded EINSTEIN with the “indicators” of the attack pattern so it could scan for matching footprints on other government networks. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Ernst & Young Confronts Madoff’s Specter in Trial Over Audits

www.bloomberg.com/news/articles/2015-10-14/ernst-young-confronts-madoff-s-specter-in-trial-over-audits?cmpid=twtr1 By Sophia Pearson Bloomberg.com October 14, 2015 Ernst & Young LLP took Bernie Madoff at his word when it signed off on audits of a fund that helped feed the biggest Ponzi scheme in U.S. history. The firm must now defend that decision at the first trial of an auditor over losses tied to Madoff, who’s serving a 150-year prison term for stealing billions of dollars from thousands of investors. FutureSelect Portfolio Management Inc., which lost $112 million in its investment in the feeder fund, says Ernst & Young was reckless in its review. The purported assets weren’t just exaggerated; they didn’t even exist, FutureSelect says. Ernst & Young calls its sign-off reasonable based on generally accepted auditing standards, which the firm “scrupulously” followed. The case boils down to second-guessing a review that can provide only “reasonable assurance” that a client’s financial statements are correct, the firm says. “No audit of a Madoff-advised fund could have detected this Ponzi scheme,” Amy Call Well, an Ernst & Young spokeswoman, said in an e-mailed statement. “EY was not the auditor of any Madoff entity, we were among the many auditors of funds that chose to use Madoff as their investment adviser.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Pentagon Small Biz Office Didn’t Know About Cyber Training

http://www.nextgov.com/cybersecurity/2015/09/pentagon-small-biz-office-didnt-know-about-contractor-cyber-training/122036/ By Aliya Sternstein NextGov.com September 25, 2015 Hackers pummel small companies because they are easy targets, with poor security hygiene and network access to big business partners, say security specialists. That logic applies to small military contractors, too. But the Pentagon’s Office of Small Business Programs has resources to help protect the little defense businesses – it just didn’t know it. That was the finding of a Government Accountability Office audit released Thursday. The office “had not identified or disseminated cybersecurity resources to defense small businesses that the businesses could use to understand cybersecurity and cyberthreats,” Joseph Kirschbaum, GAO director for defense capabilities and management, said in the report. Office employees “were not aware of existing cybersecurity resources such as those we identified when we met with them in June 2015.” Even as the Pentagon was imposing data breach regulations on the $55.5 billion sector, the office essentially had other priorities than advocating information security awareness. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Why Germany’s Cybersecurity Law Isn’t Working

http://www.defenseone.com/ideas/2015/08/why-germanys-cybersecurity-law-isnt-working/119208/ BY SANDRO GAYCKEN COUNCIL ON FOREIGN RELATIONS AUGUST 18, 2015 This summer, Germany adopted a new law, known in German as the IT-Sicherheitsgesetz, to regulate cybersecurity practices in the country. The law requires a range of critical German industries establish a minimal set of security measures, prove they’ve implemented them by conducting security audits, identify a point of contact for IT-security incidents and measures, and report severe hacking incidents to the federal IT-security agency, the BSI (Bundesamt für Sicherheit in der Informationstechnik). Failure to comply will result in sanctions and penalties. Specific regulations apply to the telecommunications sector, which has to deploy state of the art protection technologies and inform their customers if they have been compromised. Other tailored regulations apply to nuclear energy companies, which have to abide by a higher security standard. Roughly 2000 companies are subject to the new law. The government sought private sector input early on in the process of conceptualizing the law—adhering to the silly idea of multistakeholderism—but it hasn’t been helpful in heading off conflict. German critical infrastructure operators have been very confrontational and offered little support. Despite some compromises from the Ministry of the Interior, which drafted the law, German industry continues to disagree with most of its contents. First, there are very few details to clarify what is meant by “minimal set of security measures” and “state of the art security technology.” The vagueness of the text is somewhat understandable. Whenever ministries prescribed concrete technologies and detailed standards in the past, they were mostly outdated when the law was finally enacted (or soon after that), so some form of vagueness prevents this. But vagueness is inherently problematic. Having government set open standards limits market innovation as security companies will develop products to narrowly meet the standards without considering alternatives that could improve cybersecurity. Moreover, the IT security industry is still immature. It is impossible to test and verify a product’s ultimate effectiveness and efficiency, leading to vendors promising a broad variety of silver bullet cybersecurity solutions—a promise that hardly lasts longer than the first two hours of deployment. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail