Tag Archives: context

[ISN] Cloud security remains a barrier for CIOs across Europe

http://www.computerweekly.com/news/2240236318/Cloud-security-remains-a-barrier-for-CIOs-across-Europe

By Cliff Saran
ComputerWeekly.com
09 December 2014

Security issues are the main factor limiting the further use of cloud computing services, research from Eurostat has found.

In a survey conducted by the European Commission’s Eurostat statistics service, public cloud computing was reportedly used by 24% of large enterprises and 12% of small and medium-sized enterprises (SMEs) in the EU.

However, the survey noted that the risk of a security breach scored highest both for large enterprises and SMEs, at 57% and 38% respectively.

“Firms attach importance to the protection of their IT systems, but the issue can be seen in the wider context of resilience to possible security breaches when using the cloud,” the Eurostat report stated.

[…]





[ISN] Alere Home Monitoring data breach class suit thrown out

http://healthitsecurity.com/2014/10/09/alere-home-monitoring-data-breach-class-suit-thrown-out/

By Patrick Ouellette
Health IT Security
October 9, 2014

Nearly two years after Alere Home Monitoring, Inc. reported that an employee’s password-protected laptop was stolen from their car and 116,000 patients’ data was potentially compromised, a California federal judge threw out a possible class action suit that sought $116 million in damages.

Law360 reports that U.S. District Judge Jon S. Tigar found no liability for the negligent release of stolen medical information under California’s Confidential Medical Information Act (CMIA). According to the report, plaintiffs were given 21 days to refile an amended complaint.

“These two California Court of Appeal decisions are the only published opinions interpreting this California statute statutory law, and plaintiffs have cited no other data that would persuade this federal court sitting in diversity that the California Supreme Court would necessarily decide the issue otherwise,” Judge Tigar wrote.

Alere’s 2012 breach exposed home monitoring patients’ names, addresses, dates of birth, Social Security numbers and diagnosis codes. For context, there are a lot of patients who use Alere products through Medicare coverage, explaining why the scope of the breach was so large. The patients involved in the class suit used Alere’s International Normalized Ratio (INR) products at home for bleeding and blood clot tests, with the information to be transmitted between the patient and physician.

[…]



[ISN] Hacker exploits printer Web interface to install, run Doom

http://arstechnica.com/security/2014/09/hacker-exploits-printer-web-interface-to-install-run-doom/

By Sam Machkovech
Ars Technica
Sept 15, 2014

On Friday, a hacker presenting at the 44CON Information Security Conference in London picked at the vulnerability of Web-accessible devices and demonstrated how to run unsigned code on a Canon printer via its default Web interface. After describing the device’s encryption as “doomed,” Context Information Security consultant Michael Jordon made his point by installing and running the first-person shooting classic Doom on a stock Canon Pixma MG6450.

Sure enough, the printer’s tiny menu screen can render a choppy and discolored but playable version of id Software’s 1993 hit, the result of Jordon discovering that Pixma printers’ Web interfaces didn’t require any authentication to access. “You could print out hundreds of test pages and use up all the ink and paper, so what?” Jordon wrote at Context’s blog report about the discovery, but after a little more sniffing, he found that the devices could also easily be redirected to accept any code as legitimate firmware.

A vulnerable Pixma printer’s Web interface allows users to change the Web proxy settings and the DNS server. From there, an enterprising hacker can crack the device’s encryption in eight steps, the final of which includes unsigned, plain-text firmware files. The hacking possibilities go far beyond enabling choppy, early ’90s gaming: “We can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network,” Jordon wrote.

[…]



[ISN] Ground Zero Summit 2014, New Delhi India | Call For Paper Open

Forwarded from: GroundZero Summit CFP

Ground Zero Summit 2014
13 – 16 November 2014, New Delhi, India

Ground Zero Summit (G0S) 2014 in its second year promises to be Asia’s largest Information Security gathering and proposes to be the ultimate platform for showcasing research and sharing knowledge in the field of cyber security.

G0S rationale:

The increasing volume and complexity of cyber threats – including phishing scams, data theft, and online vulnerabilities – demand that we remain vigilant about securing our systems and information. Enterprises and governments worldwide are grappling with the grim reality of data and critical systems being exploited. This summit aims at addressing these new forms of cyber attack and formulating solutions.

Web URL: http://g0s.org/

Tracks and relevant submissions

G0S is a triple track conference and papers have to be submitted under the following tracks.

Systems Track (OS/Systems/Application/Hardware)
* OS exploitation
* Application hacking
* Rootkits and Malware
* Forensics and Anti-forensics
* SCADA security and exploitation
* Telecom equipment security and exploitation
* Embedded device/hardware security and exploitation
* Malware on the mobile platform – Android, Windows OS, Symbian
* Mobile Application Security
* Bitcoin Forensics
* Banking Security

Communications Track (Communication and Networks)
* Protocol exploitation and security
* Satellite Technology / Security
* Aviation Security
* Botnet communication, C&C and takedowns
* Web hacking
* Radio communication hacking
* GSM/3G/LTE/5G networks – security and exploitation
* Satellite communication hacking
* Network security
* Intrusion prevention (and evasion) techniques
* APT prevention (and evasion) techniques
* Replacing network Security with “Intelligent, self automated Networks”
* Growth of Mobile Data Networks with repercussions for the same

Strategy Track (Gov/GRC/Cyber warfare/CII)
* GRC
* Privacy
* Social media in context of security and Privacy
* Surveillance
* Auditing
* New age Cyber warfare/Cyber intelligence/Cyber terrorism/Cyber crimes
* Upcoming information security trends
* Critical infrastructure Protection
* Cyber security in context of the Govt
* Global Cyber Diplomacy
* IT Act 2008 in light of Prism Surveillance
* Security VS privacy
* Evolving role of CERT to protect country’s citizens against external and internal intrusions
* Repercussions of PRISM surveillance leak on Social Media

E-mail for submission: “cfp (at) g0s.org”

Speaker’s Privileges
* G0S is providing all speakers with return air tickets (Economy).
* For Indian speakers return air tickets will be provided for distances of more than 300 kms; others will be provided First Class train tickets.
* Accommodation in New Delhi for 3 nights (check out time as per hotel policy).
* One speaker pass and one complimentary Conference pass.
* Invitation to Conference party.
* An honorarium of USD 1000 is to be awarded for talks that are new, highly technical and have never been presented or published before (exclusive to G0S 2014) anywhere online or offline.
* Please note that the selection of a paper for an honorarium is at the sole discretion of the Ground Zero Staff and their decision will be final, based on the technical depth of the talk and whether it has been presented/published before.
* The selected speakers will be notified about the same in our acceptance email.
* In cases where there is more than one speaker for the same session, only one speaker may avail benefits and privileges under G0S policy.

IIC membership will be provided to all speakers for 1 year initially.



[ISN] Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords

http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

By Dan Goodin
Ars Technica
July 7, 2014

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.

The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview here of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000.

According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.

“Armed with knowledge of the encryption algorithm, key, initialization vector, and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence,” researchers from security consultancy Context wrote.

[…]



[ISN] Ancient vulnerabilities are geddon in the way of security

http://www.zdnet.com/ancient-vulnerabilities-are-geddon-in-the-way-of-security-7000031192/

By Stilgherrian for The Full Tilt
ZDNet.com
July 3, 201

“We are failing at communicating to the rest of the world,” says James Lyne, global head of security research at Sophos. “I think that we have a fundamental broken behaviour in this industry that we need to go and shift.” And he’s got numbers to back up his claim.

Lyne has been warbiking. That’s exactly the same thing as wardriving, that is, driving around a city to map out its open and poorly secured wireless networks, but with more lycra. His results for London and San Francisco are already online, and those for Las Vegas, Hanoi and Sydney are coming soon.

On Wednesday, journalists were given a preview of Sydney’s results, which Lyne described as the “least worst of a bad bunch”. Of the 34,476 wi-fi networks he detected while cycling Sydney streets, 1,371 (3.98 percent) were still using the obsolete Wired Equivalent Privacy (WEP) protocol. That’s significantly better than San Francisco’s 9.5 percent, which presumably has so many obsolete wireless networks because it rolled them out sooner, but it’s still a worry.

“WEP is just broken, bad, has been known-bad for such a long time, and there really isn’t a context in which it should be used now — and it’s still remarkably present,” Lyne told ZDNet.

[…]



[ISN] Hackers cause per capita loss of US$224 in China in 2013

http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20140506000060&cid=1103&utm_content=buffer44f85

By Staff Reporter
WantChinaTimes.com
2014-05-06

In 2013, 552 million people around the world lost their personal information to hackers. In China alone, 164 million people were affected by internet crime, with combined losses reaching US$37 billion or a per capita loss of US$224, the Guangzhou-based Dayoo reports, citing Symantec Corporation.

In 2001, a hacker war between China and the United States rocked the world. Since then, the internet has quickly spread to the whole of China with amazing speed, and the battlefield is wide and plentiful for the relentless assault of black and white hat hackers. With the rising popularity of smartphones, there are now 12 million malicious links ready at any time to threaten personal information and financial security.

From the viewpoint of quite a few top hackers, payment accounts which look safe can be changed at any time, money in savings accounts can be directly transferred to a hacker’s account, and hackers can directly give orders without paying money. More than 60% of network platforms have safety faults and if a user fails to adopt any protection measures, being attacked is just a matter of time. The problem is that most people are not aware of the battle din ringing in their phones, their PCs and their networks.

In a computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. They may be motivated by profit, protest or simple love of a challenge, and may be lone wolves or part of a worldwide underground network.

PW, the owner of a software development firm in Guangzhou, has another unknown job as a senior hacker. A computer expert, PW sees himself as a non-typical hacker who loves the sport for its own sake. He said about 80% of websites have various faults and successfully carrying out attacks on these websites is just a matter of time.

[…]



[ISN] Thoughts on USG Candor to China on Cyber

http://www.lawfareblog.com/2014/04/thoughts-on-usg-candor-to-china-on-cyber/

By Jack Goldsmith
lawfareblog.com
April 8, 2014

Paul is skeptical about the USG’s unilateral briefing to Chinese officials on some of its cyber operations and doctrines that David Sanger discloses in the NYT. He argues that China is unlikely to reciprocate, he doubts the usefulness of the unilateral disclosure, and he wonders why the USG does not share the information with the American public. I think the matter is more complex.

First, it may be (as I have long argued) that greater candor by the USG vis a vis China is a necessary precondition to genuine progress on the development of norms for cyberoperations – both exploitation and attack. Unless we can credibly convey what we are doing and what we might do (and not do) in certain cyber situations, our adversaries will assume the worst and (a) invest in their own cyber programs to keep up – a classic arms race situation, and/or (b) interpret particular cyberoperations in a risk-averse fashion, in their least charitable light, which might induce unwarranted escalation in those contexts. Our adversaries will rationally assume the worst because, despite USG claims about its responsible use of cyber exploitations and attacks, the news is filled with reports about prodigious USG cyber-operations and aggressive plans in this realm. Indeed, as Sanger notes:

“The Pentagon plans to spend $26 billion on cybertechnology over the next five years — much of it for defense of the military’s networks, but billions for developing offensive weapons — and that sum does not include budgets for the intelligence community’s efforts in more covert operations. It is one of the few areas, along with drones and Special Operations forces, that are getting more investment at a time of overall Pentagon cutbacks.”

Second, Paul is right to be skeptical about reciprocity by China. But it sounds like the United States didn’t give up much new information on U.S. doctrine for the use of cyberweapons. (Sanger states that “elements of the doctrine can be pieced together from statements by senior officials and a dense “Presidential Decision Directive” on such activities signed by Mr. Obama in 2012.”) More importantly, the United States can in theory benefit from unilateral disclosure of doctrine and weapons capabilities even if China doesn’t reciprocate, for the unilateral disclosure might assist China in interpreting, and not misinterpreting, USG actions in the cyber realm – all to the USG’s advantage. As Sanger says, “American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the “red lines” for employing nuclear weapons against each other.” In theory, unilateral information disclosure to China about the nature of USG cyberoperations can help China interpret USG actions properly, and can thereby help tamp down on the possibility of mistaken escalation by China; and the USG might also in this manner help China to see the benefits to itself in disclosure to the USG.

[…]

