Tag Archives: programmers

[ISN] Researchers: Israeli military networks breached by hackers

http://www.israelhayom.com/site/newsletter_article.php?id=24913
Reuters and Israel Hayom Staff
April 19, 2015

Hackers sent emails to various military addresses that purported to show breaking military news, or, in some cases, a clip featuring “Girls of the IDF” • Researchers: Hackers were likely Arabic-speaking programmers, based on their language settings.

Hackers have managed to penetrate computer networks associated with the Israeli military in an espionage campaign that skillfully packages existing attack software with trick emails, according to security researchers at Blue Coat Systems Inc.

The four-month-old effort, most likely by Arabic-speaking programmers, shows how the Middle East continues to be a hotbed for cyber espionage and how widely the ability to carry off such attacks has spread, the researchers said.

Waylon Grange, a researcher with Blue Coat who discovered the campaign, said the vast majority of the hackers’ software was cobbled together from widely available tools, such as the remote-access Trojan called Poison Ivy.

[…]





[ISN] USENIX: Unstable code can lead to security vulnerabilities

http://www.computerworld.com/s/article/9249246/USENIX_Unstable_code_can_lead_to_security_vulnerabilities
By Joab Jackson
IDG News Service
June 19, 2014

As if tracking down bugs in a complex application isn’t difficult enough, programmers now must worry about a newly emerging and potentially dangerous trap, one in which a program compiler simply eliminates chunks of code it doesn’t understand, often without alerting the programmer of the missing functionality.

The code that can lead to this behavior is called optimization-unstable code, or “unstable code,” though it is more of a problem with how compilers optimize code, rather than the code itself, said Xi Wang, a researcher at the Massachusetts Institute of Technology.

Wang discussed his team’s work at the USENIX annual technical conference, being held this week in Philadelphia.

With unstable code, programs can lose functionality or even critical safety checks without the programmer’s knowledge. That this problem is only now coming to the attention of researchers may mean that many programs considered as secure, especially those written in C or other low-level system languages, may have undiscovered vulnerabilities.

[…]



[ISN] Comey: FBI ‘Grappling’ With Hiring Policy Concerning Marijuana

http://blogs.wsj.com/law/2014/05/20/director-comey-fbi-grappling-with-hiring-policy-concerning-marijuana/
By Charles Levinson
The Wall Street Journal
May 20, 2014

Monday was a big day for the nation’s cyber police. The Justice Department charged five Chinese military officials with hacking, and brought charges against the creators of powerful hacking software.

But FBI Director James B. Comey said Monday that if the FBI hopes to continue to keep pace with cyber criminals, the organization may have to loosen up its no-tolerance policy for hiring those who like to smoke marijuana.

Congress has authorized the FBI to add 2,000 personnel to its rolls this year, and many of those new recruits will be assigned to tackle cyber crimes, a growing priority for the agency. And that’s a problem, Mr. Comey told the White Collar Crime Institute, an annual conference held at the New York City Bar Association in Manhattan. A lot of the nation’s top computer programmers and hacking gurus are also fond of marijuana.

“I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,” Mr. Comey said.

Mr. Comey said that the agency was “grappling with the question right now” of how to amend the agency’s marijuana policies, which exclude from consideration anyone who has smoked marijuana in the previous three years, according to the FBI’s Web site.

One conference goer asked Mr. Comey about a friend who had shied away from applying because of the policy. “He should go ahead and apply,” despite the marijuana use, Mr. Comey said.

[…]



[ISN] Where’s the Next Heartbleed Bug Lurking?

http://www.technologyreview.com/news/527016/wheres-the-next-heartbleed-bug-lurking/
By Robert Lemos
MIT Technology Review
April 29, 2014

After causing widespread panic and changing of passwords, the Heartbleed bug has largely disappeared from the news. Yet the implications of the discovery are still being debated across the computer industry. The biggest concern for security experts is how to preëmpt other flaws lurking in the Internet’s foundations.

The Heartbleed bug was discovered earlier this month in a piece of software called OpenSSL that is widely used to establish a secure connection between Web browsers and servers by managing the cryptographic keys involved. OpenSSL is an “open source” project, meaning that the underlying code is published along with the software. Also, like many other open-source efforts, it is maintained by a small group of volunteer programmers (see “The Underfunded Project Keeping the Web Secure”).

The problem is being recognized by big software companies that rely on efforts like OpenSSL. Last week, the Linux Foundation, which provides support for the popular Linux operating system, launched an effort called the Core Infrastructure Initiative to support small open-source projects. Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell have so far committed more than $3 million to the effort. A steering committee will try to identify the open-source projects that most need financial support.

“The problem with open source is that you have the ‘free rider’ problem,” says Chris Wysopal, a well-known computer security expert and chief technology officer and cofounder of Veracode, an application-security assessment firm. “People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going.”

[…]



[ISN] Here’s why it took 2 years for anyone to notice the Heartbleed bug

http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security
By Timothy B. Lee
Vox.com
April 12, 2014

What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake. The OpenSSL developer who approved the change didn’t notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years.

It’s hard to blame those guys. OpenSSL is an open source project. As the Wall Street Journal describes it, the project is “managed by four core European programmers, only one of whom counts it as his full-time job.” The OpenSSL Foundation had a budget of less than $1 million in 2013.

That’s shocking. Software like OpenSSL increasingly serves as the foundation of the American economy. Cleaning up the mess from the Heartbleed bug will cost millions of dollars in the United States alone. In a society that spends billions of dollars developing software, we should be spending more trying to keep it secure. If we don’t do something about that, we’re doomed to see problems like Heartbleed crop up over and over again.

Why security flaws are different from other bugs

Computer security is a classic collective action problem. We all benefit from efforts to improve software security, but most organizations don’t make it a priority. For most of us, it’s economically rational to free-ride on others’ computer security efforts.

[…]



[ISN] The Belarusian Connection – Obamacare network vulnerable to cyber attack

http://freebeacon.com/the-belarusian-connection/
By Bill Gertz
Washington Free Beacon
February 3, 2014

U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.

The intelligence agencies notified the Department of Health and Human Services, the agency in charge of the Healthcare.gov network, about their concerns last week. Specifically, officials warned that programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected of inserting malicious code that could be used for cyber attacks, according to U.S. officials familiar with the concerns.

The software links the millions of Americans who signed up for Obamacare to the federal government and more than 300 medical institutions and healthcare providers.

“The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks,” one official said.

Cyber security officials said the potential threat to the U.S. healthcare data is compounded by what they said was an Internet data “hijacking” last year involving Belarusian state-controlled networks. The month-long diversion covertly rerouted massive amounts of U.S. Internet traffic to Belarus



[ISN] CFP: Web 2.0 Security and Privacy 2014

Forwarded from: Dr Tyrone W A Grandison

http://w2spconf.com/2014/cfp.html

WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP
CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site: https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers, cloud, mobile and their eco-system. We have had seven years of successful W2SP workshops. This year, we will additionally invite selected papers to a special issue of the journal.

W2SP is held in conjunction with the IEEE Symposium on Security and Privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel in San Jose, California.

W2SP will continue to be open-access: all papers will be made available on the workshop website, and authors will not need to forfeit their copyright.

We are seeking both short position papers (2–4 pages) and longer papers (a maximum of 10 pages). Papers must be formatted for US letter (not A4) size paper with margins of at least 3/4 inch on all sides. The text must be formatted in a two-column layout, with columns no more than 9 in. high and 3.375 in. wide. The text must be in Times font, 10-point or larger, with 12-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates.

The scope of W2SP 2014 includes, but is not limited to:

Analysis of Web, Cloud and Mobile Vulnerabilities
Forensic Analysis of Web, Cloud and Mobile Systems
Security Analysis of Web, Cloud and Mobile Systems
Advances in Penetration Testing
Advances in (SQL/code) Injection Attacks
Trustworthy Cloud-based, Web and Mobile services
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile Systems
Security and Privacy as a Service
Usable Security and Privacy
Security and Privacy Solutions for the Web, Cloud and Mobile
Identity Management, Pseudonymity and Anonymity
Security/Privacy Web Services/Feeds/Mashups
Provenance and Governance
Security and Privacy Policy Management for the Web, Cloud and Mobile
Next-Generation Web/Mobile Browser Technology
Security/Privacy Extensions and Plug-ins
Online Privacy and Security frameworks
Advertisement and Affiliate fraud
Studies on Understanding Web/Cloud/Mobile Security and Privacy
Technical Solutions for Security and Privacy legislation
Solutions for connecting the Business, Legal, Technical and Social aspects on Web/Cloud/Mobile Security and Privacy
Technologies merging Economics with Security/Privacy
Innovative Security/Privacy Solutions for Industry Verticals

Any questions should be directed to the program chair: tgrandison (at) proficiencylabs.com.

WORKSHOP CO-CHAIRS
Larry Koved (IBM Research)
Matt Fredrikson (University of Wisconsin – Madison)

PROGRAM CHAIR
Tyrone Grandison (Proficiency Labs)

PROGRAM COMMITTEE
Aaron Massey (Georgia Institute of Technology)
Adrienne Porter Felt (Google)
Aleecia M. McDonald (Center for Internet & Society)
Alex Smolen (Twitter)
Alexander Polyakov (ERPScan)
Amine Cherrai (Amine Cherrai Consulting)
Anand Prakash (E-Billing Solutions Pvt. Ltd)
Bhavani Thuraisingham (University of Texas – Dallas)
Brad Malin (Vanderbilt University)
Carrie Gates (CA Technologies)
Christy Philip Matthew (Offcon Info Security)
Dieter Gollmann (Hamburg University of Technology)
Elena Ferrari (University of Insubria)
Gerome Miklau (University of Massachusetts – Amherst)
Hakan Hacigumus (NEC Labs)
Ilya Mironov (Microsoft Research)
James Kettle (Context Information Security)
Kimberley Hall (Security Advisory & Management Services Ltd)
Michael Franz (University of California – Irvine)
Michael Waidner (Technische Universitat Darmstadt)
Monica Chew (Mozilla)
Pierangela Samarati (University of Milan)
Rafae Bhatti (Price Waterhouse Coopers)
Reginaldo Silva (Ubercomp)
Rose Gamble (University of Tulsa)
Sabrina De Capitani di Vimercati (University of Milan)
Sean Thorpe (University of Technology – Jamaica)
Sid Stamm (Mozilla)
Simson Garfinkel (Naval Postgraduate School)
Szymon Gruszecki
Varun Bhagwan (Yahoo)
Vinnie Moscaritolo (Silent Circle)



[ISN] These are the codes you need to crack to get a job as a British cyberspy

http://qz.com/123190/these-are-the-codes-you-need-to-crack-to-get-a-job-as-a-british-cyberspy/
By Leo Mirani
Quartz
September 11, 2013

A website, canyoufindit.co.uk, just went live. It contains 28 sets of five letters and one set of three letters. There are five answers. If you get them right, you may be on your way to joining GCHQ, Britain’s signals-intelligence agency, in either the “cyber and technical operations,” “maths and cryptography” or “advanced technology research” departments. The website was registered in March to TMP Worldwide, a recruitment company that has in the past helped GCHQ search for women engineers.

This is not the first time GCHQ has used puzzles to find skilled programmers. In 2011, the agency set up a similar, now-defunct website, titled “Can you crack it,” which the Telegraph newspaper later reported led to a “path to a job” for all who solved its puzzles. Cracking it involved several steps that required programming skills to complete, at the end of which lay a form to apply to GCHQ.

Such methods may be essential for GCHQ, which has a tough time attracting and retaining staff. Ian Lobban, director of GCHQ since 2008, told the intelligence and security committee of Parliament early in 2011 that his agency can offer recruits a fantastic mission but can’t compete with the salaries offered by the private sector. The agency has since put in place more “flexible packages for internet specialists.” By January this year Lobban was hopeful:

[…]

