
[ISN] CarolinaCon-12 – March 2016 – FINAL ANNOUNCEMENT

Forwarded from: Vic Vandal

CarolinaCon-12 will be held on March 4th-6th, 2016 in Raleigh NC. For the cheap price of $40 YOU could get a full weekend of talks, hacks, contests, and parties. Regarding the price increase to $40, it was forced due to ever-rising venue costs. But we promise to provide more value via: great talks, great side events, kickass new attendee badges, cool giveaways, etc.

We’ve selected as many presentations as we can fit into the lineup. Here they are, in no particular order:

- Mo Money Mo Problems: The Cashout – Benjamin Brown
- Breaking Android apps for fun and profit – Bill Sempf
- Gettin’ Vishy with it – Owen / Snide – @LinuxBlog
- Buffer Overflows for x86, x86_64 and ARM – John F. Davis (Math 400)
- Surprise! Everything can kill you. – fort
- Advanced Reconnaissance Framework – Solray
- Introducing PS>Attack, a portable PowerShell attack toolkit – Jared Haight
- Reverse Engineer iOS apps because reasons – twinlol
- FLOSS every day – automatically extracting obfuscated strings from malware – Moritz Raabe and William Ballenthin
- John the Ripper sits in the next cubicle: Cracking passwords in a Corporate environment – Steve Passino
- Dynamic Analysis with Windows Performance Toolkit – DeBuG (John deGruyter)
- Deploying a Shadow Threat Intel Capability: Understanding YOUR Adversaries without Expensive Security Tools – grecs
- AR Hacking: How to turn One Gun Into Five Guns – Deviant Ollam
- Reporting for Hackers – Jon Molesa @th3mojo
- Never Go Full Spectrum – Cyber Randy
- I Am The Liquor – Jim Lahey

CarolinaCon-12 Contests/Challenges/Events:

- Capture The Flag
- Crypto Challenge
- Lockpicking Village
- Hardware Hack-Shop
- Hacker Trivia
- Unofficial CC Shootout

LODGING: If you’re traveling and wish to stay at the Con hotel, here is the direct link to the CarolinaCon discount group rate: www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20160303/index.jhtml

NOTE: The website defaults to March 3rd-6th instead of March 4th-6th, and the group rate is no longer available on March 3rd. So make sure that you change the reservation dates to get the group rate.

ATTENTION: The discount group rate on Hilton hotel rooms expires THIS weekend on JANUARY 31st 2016, so act quickly if you plan on staying at the hotel for all of the weekend fun and you want the group rate.

CarolinaCon formal proceedings/talks will run:

- 7pm to 11pm on Friday
- 10am to 9pm on Saturday
- 10am to 4pm on Sunday

For presentation abstracts, speaker bios, the final schedule, side event information, and all the other exciting details (as they develop and as our webmaster gets to them) stay tuned to: www.carolinacon.org

ADVERTISERS / VENDORS / SPONSORS: There are no advertisers, vendors, or sponsors allowed at CarolinaCon… ever. Please don’t waste your time or ours in asking.

CarolinaCon has been Rated “M” for Mature.

Peace,
Vic





[ISN] Techies busted for cyber crime

timesofindia.indiatimes.com/city/kolkata/Techies-busted-for-cyber-crime/articleshow/50635343.cms
By Dwaipayan Ghosh
TNN
Jan 19, 2016

Kolkata: The Bidhannagar Police’s cyber cell arrested an employee of Wipro after the tech MNC lodged a complaint against unknown persons stealing sensitive data. This is the second arrest based on a specific complaint by the firm. The accused has been identified as Manish Ghosh, who was picked up from his residence on Sunday. Police said Ghosh is an expert in software coding. He kept a huge amount of data in compressed form on his mobile phone and laptop. During interrogation of Azaruddin Ahmed, who was the first person to be arrested in this case, police came to know that a few former and present employees of the company were also involved in the crime, which led to Ghosh’s arrest. Cops said the accused worked for Wipro BPO and was assigned to a British company, Talk Talk, to complete their backend services. Every weekend, the accused used data they got from Wipro to call up customers of Talk Talk. They would tell the customer how their internet speed was being “compromised” due to a virus. Once the customer gave their consent to know why there was a problem, the accused used two software tools, Team Viewer and Amiclient, to take control of their desktops. They would impress upon the customer the need to send them an engineer for services and then charge them $70 for the visit. If the client asked them to add the bill to the existing monthly bills, they said it was not possible as engineers needed to be outsourced. […]



[ISN] Police make arrest in hack of toymaker VTech, which exposed data on 6 million kids

www.chicagotribune.com/business/ct-vtech-toy-hack-20151216-story.html
By Andrea Peterson
The Washington Post
December 16, 2015

Police in Britain arrested a 21-year-old man Tuesday as part of an investigation into the massive hack against Hong Kong-based toymaker VTech. VTech sells popular toys for young children, including smartwatches and tablets. The November breach of several company databases exposed information about approximately 5 million adults and more than 6 million children around the world, including names, genders and birth dates. The tech website Motherboard reported that pictures, chat logs between parents and their children, and audio recordings also were leaked, but the company has said it “cannot confirm” that data was reached by the hacker. VTech’s systems were reportedly vulnerable to a well-known hacking technique. The alleged hacker told Motherboard that he attacked the company and then went to the media to highlight its poor security practices. The incident raised new questions about the digital security of toys at a time when big corporations are increasingly marketing dolls and other devices that connect to the Internet and collect data about children. This month, researchers publicly disclosed security problems with Hello Barbie, a new doll that relies on artificial intelligence and an online connection to carry on conversations with children. ToyTalk, the company behind Hello Barbie’s voice features, worked with the researchers to help fix “many of the issues they raised” before they were revealed. […]



[ISN] Hello Barbie controversy re-ignited with insecurity claims

www.theregister.co.uk/2015/11/29/hello_barbie_controversy_reignited_with_insecurity_claims/
By Richard Chirgwin
The Register
29 Nov 2015

Back in February, The Register queried the security and privacy implications of Mattel’s “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy. After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski (formerly of Trustwave’s SpiderLabs) reignited it by extracting Wi-Fi network names, account IDs, and MP3 files from the toy. That brought a defensive response from Oren Jacob, CEO of ToyTalk (which provides the cloud processing chunk of Hello Barbie). He called Jakubowski an “enthusiastic researcher”, said the data is “already available” to customers, and “no major security or privacy protections have been compromised”. While it’s probably easier to get an SSID by standing outside a house and letting it pop up on your phone’s Wi-Fi connection list, an account ID is another matter, since all an attacker needs is to get a password and they have access to the Hello Barbie account. […]



[ISN] Even DHS Doesn’t Want the Power It Would Get Under CISA

www.defenseone.com/threats/2015/10/even-dhs-doesnt-want-power-it-would-get-under-cisa/123015/
By PATRICK TUCKER
defenseone.com
OCTOBER 21, 2015

The Senate is currently debating a bill to give the Department of Homeland Security unprecedented access to personal information, a measure intended to help protect the nation from cyber attacks. Yes, that DHS, whose director had his Comcast account hacked yesterday. Even stranger: DHS doesn’t even want the power it would be granted. The bill is the Cyber Information Sharing Act, or CISA. It would give companies legal immunity to send DHS a broad range of information about the users of their websites. DHS would then be allowed to speed that (nominally anonymized) information along to the NSA, DoD, FBI, the FCC or other bodies. Through a byzantine series of twists and turns, that could potentially include foreign militaries. In July, DHS officials pointed out various problems with CISA in a seven-page memo. They argued, among other things, that the bill “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.” But hey, what’s a little privacy loss in the name of better security? Unfortunately, according to DHS’s memo, CISA fails there, too. “These provisions would undermine the policy goals that were thoughtfully constructed to maximize privacy and accuracy of information, and to provide the NCCIC with the situational awareness we need to better serve the nation’s cybersecurity needs,” it said. […]



[ISN] Report finds many nuclear power plant systems “insecure by design”

arstechnica.com/security/2015/10/report-finds-many-nuclear-power-plant-systems-insecure-by-design/
By Sean Gallagher
Ars Technica
Oct 8, 2015

A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems—potentially causing interruptions in electrical power or even damage to the reactors themselves. The study, undertaken by Caroline Baylon, David Livingstone, and Roger Brunt of the UK international affairs think tank Chatham House, found that many nuclear power plants’ systems were “insecure by design” and vulnerable to attacks that could have wide-ranging impacts in the physical world—including the disruption of the electrical power grid and the release of “significant quantities of ionizing radiation.” It would not require an attack with the sophistication of Stuxnet to do significant damage, the researchers suggested, based on the poor security present at many plants and the track record of incidents already caused by software. The researchers found that many nuclear power plant systems were not “air gapped” from the Internet and that they had virtual private network access that operators were “sometimes unaware of.” And in facilities that did have physical partitioning from the Internet, those measures could be circumvented with a flash drive or other portable media introduced into their onsite network—something that would be entirely too simple given the security posture of many civilian nuclear operators. The use of personal devices on plant networks and other gaps in security could easily introduce malware into nuclear plants’ networks, the researchers warned.
The security strategies of many operators examined in the report were “reactive rather than proactive,” the Chatham House researchers noted, meaning that there was little in the way of monitoring of systems for anomalies that might warn of a cyber-attack on a facility. An attack could be well underway before it was detected. And because of poor training around information sec […]



[ISN] Salted Hash: Live from DerbyCon 5.0 (Day 1)

http://www.csoonline.com/article/2986763/security-awareness/salted-hash-live-from-derbycon-5-0-day-1.html
By Steve Ragan
Salted Hash
CSO Online
Sept 25, 2015

DerbyCon 5.0 has officially started, and it didn’t take long before the halls were flooded with hackers looking to catch up with their peers as they headed to the first talk of the day. On Thursday, I had the chance to catch up with a number of people who resonated with the thought process of yesterday’s post. The point being, insider threats aren’t what you think they are, and the core issue isn’t a malicious user – it’s a clueless user. In addition, when dealing with insider-based issues, policies that prohibit or hinder workflow will create more problems than they solve. Today, the topic is threat intelligence. I learned something interesting recently: if you gather a group of hackers and researchers around a table and ask them to define threat intelligence, the conversation will quickly spin into a rage-fueled discussion about sales-driven security (meaning InfoSec products that are pitched and sold with no real security value). […]



[ISN] Legacy IT, legacy acquisition compound cyber risk

http://fcw.com/articles/2015/09/17/legacy-it-risk.aspx
By Adam Mazmanian
FCW.com
Sep 17, 2015

The way the government buys technology can constrain efforts to protect federal systems from cybersecurity threats, says Michael Daniel, the top White House advisor on cybersecurity. Federal agencies continue to rely on legacy systems that are vulnerable to intrusions and hard to secure. “The burden of legacy in government is a huge one,” Daniel said at the Billington Cybersecurity Conference in Washington, D.C., on Sept. 17. Government is struggling with the problem of how to move off of old systems. “We have architectures and hardware and software in places that is indefensible, no matter how much money and talent we put on it. We don’t have a good process for moving off,” Daniel said. Security measures are often bolted on to older hardware, software and operating systems, “rather than being deeply embedded in the product,” Daniel said. Compounding the problem are legacy acquisition methods. “We treat computer systems as a gigantic capital investment like a building, rather than investments you need to continually refresh,” Daniel said. But moving to a more flexible budgeting and acquisition system, to allow for revolving funds and other more nimble financial instruments, requires new law. “We’re going to need some help from Congress. There’s a very strong resistance to making some of those shifts among a lot of folks on the Hill,” he said. […]

