Tag Archives: committee

[ISN] NASA, Dept of Defense, Commerce etc probed over use of backdoored Juniper kit

www.theregister.co.uk/2016/01/26/juniper_us_government/
By Chris Williams
The Register
26 Jan 2016

A bunch of US government departments and agencies – from the military to NASA – are being grilled over their use of backdoored Juniper firewalls. The House of Representatives’ Committee on Oversight and Government Reform fired off letters to top officials over the weekend, demanding to know if any of the dodgy NetScreen devices were used in federal systems. Juniper’s ScreenOS software – the firmware that powers its firewalls – was tampered with by mystery hackers a few years ago to introduce two vulnerabilities: one was an administrator-level backdoor accessible via Telnet or SSH using a hardcoded password, and the other allowed eavesdroppers to decrypt intercepted VPN traffic. The flaws, which were smuggled into the source code of the firmware, were discovered on December 17 by Juniper, and patches were issued three days later to correct the faults. The backdoor (CVE-2015-7755) affects ScreenOS versions 6.3.0r17 through 6.3.0r20, and the weak VPN encryption (CVE-2015-7756) affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. […]





[ISN] [CFP] Speak About Your Cyberwar at PHDays VI

Forwarded From: Alexander Lashkov

Positive Hack Days VI, the international forum on practical information security, opens Call for Papers. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals. Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security. We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies. Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016. Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. In addition, this year, we are planning to discuss IS software design, development tools, and SSDL principles. Our key criterion is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives. If you have something interesting or surprising to share, but none of the formats are suitable for your participation, please apply anyway and be sure we will consider your work. The first stage of CFP ends on January 31, 2016. Apply now — the number of final reports is limited.

In 2015, the forum brought together 3,500 participants. In 2016, it is expected to see 4,000 attendees: information security leaders, CIOs and CISOs of the world’s largest companies, top managers of giant banks, industrial and oil and gas producing enterprises, telecoms, and IT vendors, and representatives from different government departments. Positive Hack Days featured a variety of distinguished participants including Bruce Schneier (the legendary cryptography expert), Whitfield Diffie (one of the inventors of asymmetric cryptography), Mohd Noor Amin (IMPACT, UN), Natalya Kasperskaya (CEO of InfoWatch), Travis Goodspeed (a reverse engineer and wireless enthusiast from the U.S.), Tao Wan (the founder of China Eagle Union), Nick Galbreath (Vice-President of IPONWEB), Mushtaq Ahmed (Emirates Airline), Marc Heuse (the developer of Hydra, Amap, and THC-IPV6), Karsten Nohl (a specialist in GSM engineering), Donato Ferrante and Luigi Auriemma (famous SCADA experts from Italy), and Alexander Peslyak (the creator of the password cracking tool John the Ripper).

Find any details about the format, participation rules, and CFP instructions on the PHDays website: www.phdays.com/call_for_papers/



[ISN] DNC: Sanders campaign improperly accessed Clinton voter data

www.washingtonpost.com/politics/dnc-sanders-campaign-improperly-accessed-clinton-voter-data/2015/12/17/a2e2e14e-a522-11e5-b53d-972e2751f433_story.html
By Rosalind S. Helderman, Anne Gearan and John Wagner
The Washington Post
December 17, 2015

Officials with the Democratic National Committee have accused the presidential campaign of Sen. Bernie Sanders of improperly accessing confidential voter information gathered by the rival campaign of Hillary Clinton, according to several party officials. Jeff Weaver, the Vermont senator’s campaign manager, acknowledged that a low-level staffer had viewed the information but blamed a software vendor hired by the DNC for a glitch that allowed access. Weaver said one Sanders staffer was fired over the incident. The discovery sparked alarm at the DNC, which promptly shut off the Sanders campaign’s access to the strategically crucial list of likely Democratic voters. The DNC maintains the master list and rents it to national and state campaigns, which then add their own, proprietary information gathered by field workers and volunteers. Firewalls are supposed to prevent campaigns from viewing data gathered by their rivals. NGP VAN, the vendor that handles the master file, said the incident occurred Wednesday while a patch was being applied to the software. The process briefly opened a window into proprietary information from other campaigns, said the company’s chief, Stu Trevelyan. He said a full audit will be conducted. […]



[ISN] Secret DHS Audit Could Prove Governmentwide Hacker Surveillance Isn’t Really Governmentwide

www.nextgov.com/cybersecurity/2015/11/secret-dhs-audit-could-prove-governmentwide-network-surveillance-isnt-really-governmentwide/124018/
By Aliya Sternstein
Nextgov.com
November 25, 2015

A secret federal audit substantiates a Senate committee’s concerns about underuse of a governmentwide cyberthreat surveillance tool, the panel’s chairman says. The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following a hack of 21.5 million records on national security employees and their relatives. The scanning tool failed to block the attack, on an Office of Personnel network, because it can only detect malicious activity that people have seen before. At OPM, the attackers, believed to be well-resourced Chinese cyber sleuths, used malware that security researchers and U.S. spies had never witnessed. Still, EINSTEIN came in handy, according to U.S. officials, after the OPM malware was identified through other monitoring tools. The Department of Homeland Security loaded EINSTEIN with the “indicators” of the attack pattern so it could scan for matching footprints on other government networks. […]




[ISN] What cybersecurity means for global trade

https://agenda.weforum.org/2015/09/what-cybersecurity-means-for-global-trade/
By James Lockett
Sep 15 2015

Cybersecurity is a sensitive and important issue, but it is also one that is open to inappropriate use by policy makers who choose to use it to inhibit free trade in ICT (Information and Communications Technology). Ironically, the internet and ICT may offer more benefits to the development of global trade than any single policy has managed to achieve. Cybersecurity does not fall neatly into a single set of rules. Rather, it spans espionage and theft, privacy and data protection, cross-border trade and investment in ICT, and cross-border criminal enforcement. Because of this, it can be open to restrictive trade measures defined as ensuring national self-sufficiency to protect national security. When implemented for the wrong reasons, such policy making does little more than create the illusion of national security, and will tend to inhibit the vital flow of ICT products and services needed in order for countries and societies to leverage the advantages of the Digital Age and Digital Economy.

When originally established, the General Agreement on Tariffs and Trade (GATT) was intended to deal with the very technical issue of regulating trade between signatory countries. Other multilateral institutions created at the time in order to enhance international cooperation, most notably the United Nations, were created to address issues of national or international security and peace. The GATT was drafted in such a way so as not to unduly constrain signatories’ freedom of action in matters of national security, and this policy space has resulted in ambiguities that can be exploited in ways that are unhelpful. For example, in 2010 a group of United States senators called for the private sale of telecommunications equipment from a Chinese company to a major US carrier to be blocked on the grounds that the carrier was also a supplier to the military. In a 2012 report, citing cybersecurity concerns, the US House Permanent Select Committee on Intelligence recommended that US telecommunications operators not do business with China’s leading network equipment suppliers, and that the government should block takeovers of US companies by the largest Chinese equipment manufacturers. […]



[ISN] The Next Wave of Cyberattacks Won’t Steal Data — They’ll Change It

http://www.defenseone.com/threats/2015/09/next-wave-cyberattacks-wont-steal-data-theyll-change-it/120701/
By Patrick Tucker
DefenseOne.com
September 10, 2015

The big attacks that have been disclosed so far in 2015 involved the theft of data, and a lot of it. Some 21 million personnel records were taken from the Office of Personnel Management, likely by China, while 4,000 records, some with “sensitive” information, were stolen from the Joint Chiefs civilian email system, a theft blamed on Russia. But America’s top spies say the attacks that worry them don’t involve the theft of data, but the direct manipulation of it, changing perceptions of what is real and what is not. Director of National Intelligence James Clapper spelled out his concerns in written testimony presented to the House Subcommittee on Intelligence today. “Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial of service operations and data deletion attacks undermine availability,” he wrote. “In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it.” […]



[ISN] FBI director: Ability to unlock encryption is not a ‘fatal’ security flaw

https://www.washingtonpost.com/world/national-security/fbi-director-ability-to-unlock-encryption-is-not-a-fatal-security-flaw/2015/09/10/6dd0ac8e-57fc-11e5-8bb1-b488d231bba2_story.html
By Ellen Nakashima
The Washington Post
September 10, 2015

In the tug of war between the government and U.S. companies over whether firms should hold a key to unlock encrypted communications, a frequent argument of technologists and privacy experts is that maintaining such a key poses a security threat. But on Thursday, FBI Director James B. Comey pointed out that a number of major Internet companies do just that “so they can read our e-mails and send us ads.” And, he said: “I’ve never heard anybody say those companies are fundamentally insecure and fatally flawed from a security perspective.” Comey was airing a new line of government argument in the year-old public debate over the desirability of compelling Internet companies to provide a way for law enforcement to have access to decrypted communications. Although he didn’t name names, he was alluding to major e-mail providers Google and Yahoo, which both encrypt customers’ e-mails as they fly between servers, but decrypt them once they land in order to scan them and serve customers relevant ads. Comey, who spoke at a cyberthreats hearing held by the House Intelligence Committee, has been a leading voice advancing the concerns of law enforcement that the growing trend of strong encryption — where devices and some communications are encrypted and companies do not hold the keys to decode them — will increasingly leave criminal investigators in the dark. […]

