Tag Archives: different

[ISN] Random numbers aren’t, says infosec boffin

http://www.theregister.co.uk/2015/08/11/your_numbers_arent_random_says_infosec_boffin/ By Richard Chirgwin The Register 11 Aug 2015 The randomness (or rather, lack thereof) of pseudo-random number generators (PRNGs) is a persistent pain for those who work at the low layers of cryptography. Security researcher Bruce Potter, whose activity in the field stretches back more than a decade, when he demonstrated war-driving using Bluetooth, says problems both in design and implementation undermine the effectiveness of common crypto libraries. Now Potter’s work (his BlackHat presentation is here [PDF]) has led to the claim that nobody really understands what’s going on. Part of the problem, he writes, is that people tend to conflate “entropy” with “randomness”, when in fact the two mean different things: entropy is a measurement of the uncertainty of an outcome, while randomness is a long-term assessment of entropy. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hackers Can Disable a Sniper Rifle — Or Change Its Target

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/ By Andy Greenberg Security Wired.com 07.29.15 PUT A COMPUTER on a sniper rifle, and it can turn the most amateur shooter into a world-class marksman. But add a wireless connection to that computer-aided weapon, and you may find that your smart gun suddenly seems to have a mind of its own—and a very different idea of the target. At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter. “You can make it lie constantly to the user so they’ll always miss their shot,” says Sandvik, a former developer for the anonymity software Tor. Or the attacker can just as easily lock out the user or erase the gun’s entire file system. “If the scope is bricked, you have a six to seven thousand dollar computer you can’t use on top of a rifle that you still have to aim yourself.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Healthcare Vendor Risk Management Programs Lagging, Says Study

http://healthitsecurity.com/news/healthcare-vendor-risk-management-programs-lagging-says-study By Elizabeth Snell healthitsecurity.com July 8, 2015 Healthcare vendor risk management programs can have a huge impact on a healthcare organization’s ability to keep sensitive data – such as patient PHI – secure. However, if a recent study is any indication, healthcare vendor risk management programs have room for improvement. The 2015 Vendor Risk Management Benchmark Study, conducted by The Shared Assessments Program and Protiviti, found that vendor risk management programs within financial services organizations are more mature than companies in other industries, such as insurance and healthcare. “Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed,” the report’s authors explained. “The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.” The survey interviewed more than 460 executives and managers in various industries. Respondents were asked to rate their organization’s maturity level in different areas of vendor risk management on a 0 to 5 scale, with 0 equal to “Do not perform” and 5 equal to “Continuous improvement – benchmarking, moving to best practices.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Strategic Friendship in Asymmetric Domain)

http://www.pircenter.org/en/blog/view/id/208 By Oleg Demidov PIR Center 09.05.2015 The bilateral intergovernmental Russian-Chinese agreement on cooperation in the field of international information security which was signed on May 8, 2015 during the visit to Moscow of Xi Jinping, General Secretary of the CPC and the President of China, could potentially become an important milestone in Russia’s strategy of pivoting to the East. Though in its current state the agreement rather provides a general cooperation framework, it also provides a broad range of directions for further practical cooperation steps and efforts between the two countries. It primarily focuses on systemic information exchange between special services of the two states, joint monitoring and prevention of escalation of serious incidents and especially conflicts in cyberspace, ensuring and strengthening cybersecurity of critical infrastructures, countering ICT-enabled forms and methods of terrorism, exchange of expertise and academic knowledge on cybersecurity, etc. A strong focus in made on joining efforts in countering the unlawful use of ICTs targeted at “undermining of social order, political and social stability, provoking extremism, hate and social unrest”, and even (and this is something quite new even for Russian doctrines, let alone intergovernmental agreements) “threatening to the spiritual sphere” of the two nations. Noteworthy, the agreement for the first time for a Russian official international document operates with the notion of strategic stability with regard to cyberspace and information security. Previously, a more broad and vague notion of ICT-enabled threats to international peace and security was used. Something distinct from a mere terminological equilibristic, this conceptual update serves as an indicator of the fact that Moscow now truly regards China as a strategic partner in the dialogue on political and military dimension of cybersecurity. The discourse of strategic stability was always linked to the issues of WMD strategic balance and (in Russian view) strategic antimissile defense. Now cybersecurity has a strong presence in this “elite club” of ultimate global security factors in the Russian strategic thinking, and first intergovernmental manifestation of this paradigm is addressed to and agreed with China. Accidentally or not, this aspect reveals interesting intersections with the recently published updated DoD’s Strategy for Cyberspace, which has replaced the previous document from 2011, even having in mind that an intergovernmental agreement and a national strategy are very different documents in terms of their scope and purposes. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] CfP – Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015)

Forwarded from: “Egner, A.I.” *** Apologies for multiple copies *** CALL FOR PAPERS ************************************************************************ Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015) Université Paul Sabatier, Toulouse, France, August 24th – 28th, 2015 http://www.ares-conference.eu/conference/ares-eu-symposium/au2eu/ ************************************************************************ Cloud services and cloud-based applications have become increasingly popular in the recent years. Security and privacy of the cloud-based applications have always been major roadblock for wide use of cloud services that involve sensitive data. Therefore this research field attracts a lot of attention from the academia and industry. The aim of the workshop is to provide the environment to exchange ideas and to foster discussions on a broad list of aspects related to privacy and security of cloud-based applications, and to find answers to questions like: How do we design authentication and authorization frameworks for cross-cloud environments, supporting different identity/attribute providers and organizational policies while guaranteeing privacy, security and trust? How can we extend current solutions with higher assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption techniques to address specific security and confidentiality requirements of large distributed infrastructures? What is the best way to validate practical aspects of the cloud-based applications, such as scalability, efficiency, maturity and usability? Next to regular sessions with research papers, the workshop will include an invited talk as well as a round table on “Evolution of privacy-preserving authentication and authorization tools: from concepts to deployment“, presenting the results of the FP7 AU2EU project (http://www.au2eu.eu/). CONFERENCE TOPICS The conference topics include, but are not limited to: – Privacy-preserving Authentication – Attribute-based Authorization – Integrated Authentication and Authorization – Assurance of Claims – Crypto-based Policy Enforcement – Attribute-based Encryption – Secure Data Management – Key Management – Trust Management – Operations under Encryption – Homomorphic Encryption – Searchable Encryption – Privacy-Preserving Data Mining – Security as a Service – Big Data Security PAPER SUBMISSIONS The proceedings of ARES 2014, published by Conference Publishing Services (CPS), are available here in the IEEE XPlore Digital Library. Authors are invited to submit research and application papers according the following guidelines: 8 pages (a maximum of 10 pages is tolerated), two columns, single-spaced, including figures and references, using 10 pt fonts and number each page. Submitted papers will be carefully evaluated based on originality, significance, technical soundness, presentation and clarity of exposition. Simultaneous submission of the same work to multiple venues, submission of previously published work, or plagiarism constitutes dishonesty or fraud. ARES, like other scientific and technical conferences and journals, prohibits these practices and may take action against authors who have committed them. Contact author must provide the following information at the ARES conference system: paper title, authors’ names, affiliations, postal address, phone, fax, and e-mail address of the author(s), about 200-250 word abstract, and about five keywords. Accepted papers will be given guidelines in preparing and submitting the final manuscript(s) together with the notification of acceptance. Double blind review: ARES requires anonymized submissions – please make sure that submitted papers contain no author names or obvious self-references. Details about submission can be found here: http://www.ares-conference.eu/conference/conference/submission/ IMPORTANT DATES Submission Deadline May 8, 2015 Author Notification June 1, 2015 Proceedings Version June 8, 2015 Conference August 24-28, 2015 PROGRAM CHAIRS – Milan Petkovic (General Chair), Philips Research / Eindhoven University of Technology – Netherlands – Jan Camenisch (Program Co-Chair), IBM Research – Zurich, Switzerland – John Zic (Program Co-Chair), CSIRO – Sydney, Australia – Alexandru Egner (Organization Co-Chair), Eindhoven University of Technology – Netherlands PROGRAM COMMITTEE – Giuseppe Ateniese, Sapienza University of Rome, Italy – George Danezis, University College London, UK – Refik Molva, EURECOM, France – Gerrit Bleumer, Scheidt & Bachmann, Germany – Ljiljana Brankovic, University of Newcastle, Australia – Jeroen Doumen, Irdeto, Netherlands – Csilla Farkas, University of South Carolina, USA – Pietro Colombo, University of Insubria, Italy – Simone Fischer-Hubner, Karlstad University, Sweden – Dieter Gollmann, Hamburg University of Technology, Germany – Tanya Ignatenko, Eindhoven University of Technology, Netherlands – Mizuho Iwaihara, Waseda University, Japan – Sushil Jajodia, George Mason University, USA – Nguyen Manh Tho, Vienna University of Technology, Austria – Guenther Pernul, University of Regensburg, Germany – Bart Preneel, KU Leuven, Belgium – Kai Rannenberg, Goethe University Frankfurt, Germany – Ahmad-Reza Sadeghi, Darmstadt University, Germany – Andreas Schaad, Huawei Research – Yuan Zhang, State University of New York at Buffalo, USA – Sabrina De Capitani di Vimercati, University of Milan, Italy For any questions, please contact the organization co-chair: a.i.egner (at) tue.nl


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Call for Papers – Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015)

Forwarded from: “Egner, A.I.” CALL FOR PAPERS ************************************************************************ Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015) Université Paul Sabatier, Toulouse, France, August 24th – 28th, 2015 http://www.ares-conference.eu/conference/ares-eu-symposium/au2eu/ ************************************************************************ Cloud services and cloud-based applications have become increasingly popular in the recent years. Security and privacy of the cloud-based applications have always been major roadblock for wide use of cloud services that involve sensitive data. Therefore this research field attracts a lot of attention from the academia and industry. The aim of the workshop is to provide the environment to exchange ideas and to foster discussions on a broad list of aspects related to privacy and security of cloud-based applications, and to find answers to questions like: How do we design authentication and authorization frameworks for cross-cloud environments, supporting different identity/attribute providers and organizational policies while guaranteeing privacy, security and trust? How can we extend current solutions with higher assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption techniques to address specific security and confidentiality requirements of large distributed infrastructures? What is the best way to validate practical aspects of the cloud-based applications, such as scalability, efficiency, maturity and usability? Next to regular sessions with research papers, the workshop will include an invited talk as well as a round table on “Evolution of privacy-preserving authentication and authorization tools: from concepts to deployment“, presenting the results of the FP7 AU2EU project (http://www.au2eu.eu/). CONFERENCE TOPICS The conference topics include, but are not limited to: – Privacy-preserving Authentication – Attribute-based Authorization – Integrated Authentication and Authorization – Assurance of Claims – Crypto-based Policy Enforcement – Attribute-based Encryption – Secure Data Management – Key Management – Trust Management – Operations under Encryption – Homomorphic Encryption – Searchable Encryption – Privacy-Preserving Data Mining – Security as a Service – Big Data Security PAPER SUBMISSIONS The proceedings of ARES 2014, published by Conference Publishing Services (CPS), are available here in the IEEE XPlore Digital Library. Authors are invited to submit research and application papers according the following guidelines: 8 pages (a maximum of 10 pages is tolerated), two columns, single-spaced, including figures and references, using 10 pt fonts and number each page. Submitted papers will be carefully evaluated based on originality, significance, technical soundness, presentation and clarity of exposition. Simultaneous submission of the same work to multiple venues, submission of previously published work, or plagiarism constitutes dishonesty or fraud. ARES, like other scientific and technical conferences and journals, prohibits these practices and may take action against authors who have committed them. Contact author must provide the following information at the ARES conference system: paper title, authors’ names, affiliations, postal address, phone, fax, and e-mail address of the author(s), about 200-250 word abstract, and about five keywords. Accepted papers will be given guidelines in preparing and submitting the final manuscript(s) together with the notification of acceptance. Double blind review: ARES requires anonymized submissions – please make sure that submitted papers contain no author names or obvious self-references. Details about submission can be found here: http://www.ares-conference.eu/conference/conference/submission/ IMPORTANT DATES Submission Deadline May 8, 2015 Author Notification June 1, 2015 Proceedings Version June 8, 2015 Conference August 24-28, 2015 PROGRAM CHAIRS – Milan Petkovic (General Chair), Philips Research / Eindhoven University of Technology – Netherlands – Jan Camenisch (Program Co-Chair), IBM Research – Zurich, Switzerland – John Zic (Program Co-Chair), CSIRO – Sydney, Australia – Alexandru Egner (Organization Co-Chair), Eindhoven University of Technology – Netherlands PROGRAM COMMITTEE – Giuseppe Ateniese, Sapienza University of Rome, Italy – George Danezis, University College London, UK – Refik Molva, EURECOM, France – Gerrit Bleumer, Scheidt & Bachmann, Germany – Ljiljana Brankovic, University of Newcastle, Australia – Jeroen Doumen, Irdeto, Netherlands – Csilla Farkas, University of South Carolina, USA – Pietro Colombo, University of Insubria, Italy – Simone Fischer-Hubner, Karlstad University, Sweden – Dieter Gollmann, Hamburg University of Technology, Germany – Tanya Ignatenko, Eindhoven University of Technology, Netherlands – Mizuho Iwaihara, Waseda University, Japan – Sushil Jajodia, George Mason University, USA – Nguyen Manh Tho, Vienna University of Technology, Austria – Guenther Pernul, University of Regensburg, Germany – Bart Preneel, KU Leuven, Belgium – Kai Rannenberg, Goethe University Frankfurt, Germany – Ahmad-Reza Sadeghi, Darmstadt University, Germany – Andreas Schaad, Huawei Research – Yuan Zhang, State University of New York at Buffalo, USA – Sabrina De Capitani di Vimercati, University of Milan, Italy For any questions, please contact the organization co-chair: a.i.egner (at) tue.nl


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Why Clinton’s Private Email Server Was Such a Security Fail

http://www.wired.com/2015/03/clintons-email-server-vulnerable/ By ANDY GREENBERG SECURITY Wired.com 03.04.15 FOR A SECRETARY of state, running your own email server might be a clever—if controversial—way to keep your conversations hidden from journalists and their pesky Freedom of Information Act requests. But ask a few security experts, and the consensus is that it’s not a very smart way to keep those conversations hidden from hackers. On Monday, the New York Times revealed that former secretary of state and future presidential candidate Hillary Clinton used a private email account rather than her official State.gov email address while serving in the State Department. And this was no Gmail or Yahoo! Mail account: On Wednesday the AP reported that Clinton actually ran a private mail server in her home during her entire tenure leading the State Department, hosting her email at the domain Clintonemail.com. Much of the criticism of that in-house email strategy has centered on its violation of the federal government’s record-keeping and transparency rules. But as the controversy continues to swirl, the security community is focused on a different issue: the possibility that an unofficial, unprotected server held the communications of America’s top foreign affairs official for four years, leaving all of it potentially vulnerable to state-sponsored hackers. “Although the American people didn’t know about this, it’s almost certain that foreign intelligence agencies did, just as the NSA knows which Indian and Spanish officials use Gmail and Yahoo accounts,” says Chris Soghoian, the lead technologist for the American Civil Liberties Union. “She’s not the first official to use private email and not the last. But there are serious security issue associated with these kinds of services…When you build your house outside the security fence, you’re on your own, and that’s what seems to have happened here.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] ‘CSI: Cyber’ review: Hackwork

http://www.nj.com/entertainment/tv/index.ssf/2015/03/csi_cyber_review_patricia_arquette_cbs.html By Vicki Hyman NJ Advance Media for NJ.com March 04, 2015 Thank goodness Patricia Arquette just won an Oscar, because otherwise I’d really have nothing to say about “CSI: Cyber.” The newest “CSI” franchise, which debuts on CBS tonight at 10 p.m., is about the FBI’s cyber crime division, comes with all the series’ high-tech visual flourishes and stars “Boyhood” star Arquette, who, um, just won an Oscar. Yeah. Oh! This time, the Who theme song is “I Can See For Miles.” I’m not saying “CSI: Cyber” isn’t worth watching. I’m just saying there’s not a heck of a lot to say about it. (The original flavor “CSI” is still plugging away after 15 years, while the Miami and New York franchises lasted 10 and 9 seasons, respectively. The latest entry is a bit different in that there’s a lot of people peering at computer screens instead of into microscopes. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail