Tag Archives: site

[ISN] Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day

www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/ By Kim Zetter Security Wired.com 01/13/16 ZERO-DAY EXPLOITS ARE a hacker’s best friend. They attack vulnerabilities in software that are unknown to the software maker and are therefore unpatched. Criminal hackers and intelligence agencies use zero day exploits to open a stealth door into your system, and because antivirus companies also don’t know about them, the exploits can remain undetected for years before they’re discovered. Until now, they’ve usually been uncovered only by chance. But researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it. And they did so by using only the faintest of clues to find it. The malware they found is a remote-code execution exploit that attacks a vulnerability in Microsoft’s widely used Silverlight software—a browser plug-in Netflix and other providers use to deliver streaming content to users. It’s also used in SCADA and other industrial control systems that are installed in critical infrastructure and industrial facilities. The vulnerability, which Microsoft called “critical” in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014. […]




[ISN] A looming anniversary, and a special offer

www.cerias.purdue.edu/site/blog/post/a_looming_anniversary_and_a_special_offer/ [This was posted on Twitter Thursday by Gene Spafford – @TheRealSpaf and I figured I should share this with the list. Please check out the above link for complete details, history, and the special offer! – WK] Sunday, December 06, 2015 by spaf It may seem odd to consider June 2016 as January approaches, but I try to think ahead. And June 2016 is a milestone anniversary of sorts. So, I will start with some history, and then an offer to get something special and make a charitable donation at the same time. In June of 1991, the first edition of Practical Unix Security was published by O’Reilly. That means that June 2016 is the 25th anniversary of the publication of the book. How time flies! Read the history and think of participating in the special offer to help us celebrate the 25th anniversary of something significant! History In summer of 1990, Dan Farmer wrote the COPS scanner under my supervision. That toolset embodied a fair amount of domain expertise in Unix that I had accumulated in prior years, augmented with items that Dan found in his research. It generated a fair amount of “buzz” because it exposed issues that many people didn’t know and/or understand about Unix security. With the growth of Unix deployment (BSD, AT&T, Sun Microsystems, Sequent, Pyramid, HP, DEC, et al) there were many sites adopting Unix for the first time, and therefore many people without the requisite sysadmin and security skills. I thus started getting a great deal of encouragement to write a book on the topic. I consulted with some peers and investigated the deals offered by various publishers, and settled on O’Reilly Books as my first contact. I was using their Nutshell handbooks and liked those books a great deal: I appreciated their approach to getting good information in the hands of readers at a reasonable price. Tim O’Reilly is now known for his progressive views on publishing and pricing, but was still a niche publisher back then. […] Special Offer If you have someone (maybe yourself) who you’d like to provide with a special gift, here’s an offer of one that includes a donation to two worthwhile non-profit organizations. (This is in the spirit of my recent bow tie auction for charity.) You can make a difference as well as get something special! Over the years, Simson, Alan, and I have often been asked to autograph copies of the book. We know there is some continuing interest in this (I as asked again, last week). Furthermore, the 25th anniversary seems like a milestone worth noting with something special. Therefore, we are making this offer. For a contribution where everything after expenses will go to two worthwhile, non-profit organizations, you will get (at least) an autographed copy of an edition of Practical Unix & Internet Security!! Depending on the amount you include, I may throw in some extras. […]


[ISN] Call for Papers – YSTS X – Information Security Conference, Brazil

Forwarded from: Luiz Eduardo Hello ISN readers and sorry for the possible cross-postings you might see, on behalf of the conference’s organization team I would like to let you know that YSTS X’s CFP is currently opened. Call for Papers – YSTS X – Information Security Conference, Brazil YSTS 10th Edition Where: Sao Paulo, Brazil When: June 13th, 2016 Call for Papers Opens: December 13th, 2015 Call for Papers Close: March 1st, 2016 www.ysts.org @ystscon INTRODUCTION This is the celebratory 10th edition of the well-known information security conference “you Sh0t the Sheriff” and we are sending this CFP out so you share with us the coolest stuff you’ve been working on. The conference will be happening on June, 13th in a secret location within the city of Sao Paulo, Brazil. This is a great opportunity for you to speak about the latest research you have been working on to the most influential crowd in the Brazilian Information Security realm. ABOUT THE CONFERENCE you Sh0t the Sheriff is a very unique, one-day, event dedicated to bringing cutting edge talks to the top-notch professionals of the Braziiian Information Security Community. The conference’s main goal is to bring the attendees to the current state of the information security world by bringing the most relevant topics from different Infosec segments of the market and providing an environment that is ideal for both networking and idea sharing. YSTS is a an exclusive, mostly invite-only security con. Getting a talk accepted, will, not only get you to the event, but after you successfully present your talk, you will receive a challenge-coin that guarantees your entry to YSTS for as long as the conference exists. Due to the great success of the previous years’ editions, yes, we’re keeping the good old usual format: * YSTS 10 will be held at an almost secret location only announced to whom it may concern a couple of weeks before the con * the venue will be, most likely, a very cool club or a bar (seriously, look at the pictures) * appropriate environment to network with great security folks from Brazil and abroad * since it is a one-day con with tons of talks and activities, we make sure we fill everyone with coffee, food and booze CONFERENCE FORMAT Anything Information Security related is interesting for the conference, which will help us create a cool and diverse line-up. We strictly *do not* accept commercial/ product-related pitches. Keep in mind though, this is a one-day conference, we receive a lot of submissions, so your unique research with cool demos and any other possible twist you can throw in to keep the audience engaged will surely stand out to the other papers. Just in case you need some ideas, some of the topics in security that could be interesting to us: * Mobile Devices & BY0D – Bring your 0wn3d Device * Real Social Networking Threats * Embedded Systems * Everything in Offensive Security * “the” Cloud * Inside Jobs Detection/ Techniques * Big Data * Small Data * Tiny Data (the type that breaks big things) * Internet of all the things you can break * Career & Management topics * (cool and useful) Information Security Policies * Privacy in the Digital World * Messing with Network Protocols * RF Stuff * Mobile Payments * Authentication * Incident Response Stories and Policies * Information Warfare * Malware/ Botnets * DDoS Evolution or Stories (or solution, if you have one) * Secure Programming * Hacker Culture * Application Security * Virtualization * DataBase Security * Cryptography * System Weaknesses * Infrastructure and Critical Systems * Reverse Engineering * Social Reverse Engineering * Reversing Social Engineering * Caipirinha and Feijoada Hacks * and everything else information security related that our attendees would enjoy, the coolest/ different/ most creative submissions win, keep that in mind! We do like shorter talks, so please submit your talks and remember they must be 30 minutes long. (yes, we do strictly enforce that) We are also opened to some 15-minute talks, some of the smart people around might not need 30 minutes to deliver a message, or it might be a project that has been just kicked-off. 15 minutes might be your thing and that’s nothing to be ashamed about. you Sh0t the Sheriff is the perfect conference to release your new projects, other people have released very cool research before they presented it at the bigger cons later in the year. We also like that, a lot. And yes, we do prefer new hot-topics. “First-time” speakers are more than welcome. If you’ve got good content to present, that’s all that matters. SPEAKER PRIVILEGES (and yeah, that applies only to the 30 minute-long talks) * USD 1,000.00 to help covering travel expenses for international speakers * or R$ 1,200.00 to help covering travel expenses for Brazilian speakers who live outside of Sao Paulo * Breakfast, lunch and dinner during conference * Pre-and-post-conference official party (and the unofficial ones as well) * Auditing products in traditional Brazilian barbecue restaurants * Life-time free admission for all future YSTS conferences CFP IMPORTANT INFO (aka: RTFM) Each paper submission must include the following information * in text format only * * Abstract/ Presentation Title * Your Name, company/title, address, email and phone/contact number * Short biography * Summary or abstract for your presentation * Other publications or conferences where this material has been or will be published/submitted. * Speaking experience * Do you need or have a visa to come to Brasil? * is it a 30 minute or a 15 minute talk? * Technical requirements (others than LCD Projector) VERY IMPORTANT DATES Conference Date: June 13th, 2016 Final CFP Submission – March 1st, 2016 Final Notification of Acceptance – April 1st, 2016 Final Material Submission for accepted presentations – May 1st, 2016 (we might ask you to remotely present your talk to us at this date) All submissions must be sent via email, in text format only to: cfp/at/ysts.org IMPORTANT CONTACT INFORMATION Paper Submissions: cfp/at/ysts.org General Inquiries: b0ard/at/ysts.org Sponsorship Inquiries: sponsors/at/ysts.org OTHER STUFF Conference website www.ysts.org Video clips http://youtu.be/6ZblAdYZUGU http://youtu.be/ah-dLkwiK0Y tinyurl.com/ystsendorsements Some Pix tinyurl.com/ysts9pix tinyurl.com/ysts8pix tinyurl.com/ysts7pix1 tinnyurl.com/ysts5pix1 tinyurl.com/yoush0tthesheriff6 twitter @ystscon official twitter hashtag #ystscon We hope to see you there! Luiz Eduardo & Nelson Murilo & Willian Caprino


[ISN] [CFP] Speak About Your Cyberwar at PHDays VI

Forwarded fFrom: Alexander Lashkov Positive Hack Days VI, the international forum on practical information security, opens Call for Papers. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals. Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security. We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies. Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016. Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. In addition, this year, we are planning to discuss IS software design, development tools, and SSDL principles. Our key criteria is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives. If you have something interesting or surprising to share, but none of the formats are suitable for your participation, please apply anyway and be sure we will consider your work. The first stage of CFP ends on January 31, 2016. Apply now — the number of final reports is limited. In 2015, the forum brought together 3,500 participants. In 2016, it is expected to see 4,000 attendees: information security leaders, CIO and CISO of the world’s largest companies, top managers of giant banks, industrial and oil and gas producing enterprises, telecoms, and IT vendors, representatives from different government departments. Positive Hack Days featured a variety of distinguished participants including Bruce Schneier (the legendary cryptography expert), Whitfield Diffie (one of the inventors of asymmetric cryptography), Mohd Noor Amin (IMPACT, UN), Natalya Kasperskaya (CEO of InfoWatch), Travis Goodspeed (a reverse engineer and wireless enthusiast from the U.S.), Tao Wan (the founder of China Eagle Union), Nick Galbreath (Vice-President of IPONWEB), Mushtaq Ahmed (Emirates Airline), Marc Heuse (the developer of Hydra, Amap, and THC-IPV6), Karsten Nohl (a specialist in GSM engineering), Donato Ferrante and Luigi Auriemma (famous SCADA experts from Italy), and Alexander Peslyak (the creator of the password cracking tool John the Ripper). Find any details about the format, participation rules, and CFP instructions on the PHDays website: www.phdays.com/call_for_papers/


[ISN] Police make arrest in hack of toymaker VTech, which exposed data on 6 million kids

www.chicagotribune.com/business/ct-vtech-toy-hack-20151216-story.html By Andrea Peterson The Washington Post December 16, 2015 Police in Britain arrested a 21-year-old man Tuesday as part of an investigation into the massive hack against Hong Kong-based toymaker VTech. VTech sells popular toys for young children, including smartwatches and tablets. The November breach of several company databases exposed information about approximately 5 million adults and more than 6 million children around the world, including names, genders and birth dates. The tech website Motherboard reported that pictures, chat logs between parents and their children, and audio recordings also were leaked, but the company has said it “cannot confirm” that data was reached by the hacker. VTech’s systems were reportedly vulnerable to a well-known hacking technique. The alleged hacker told Motherboard that he attacked the company and then went to the media to highlight its poor security practices. The incident raised new questions about the digital security of toys at a time when big corporations are increasingly marketing dolls and other devices that connect to the Internet and collect data about children. This month, researchers publicly disclosed security problems with Hello Barbie, a new doll that relies on artificial intelligence and an online connection to carry on conversations with children. ToyTalk, the company that Hello Barbie’s voice features, worked with the researchers to help fix “many of the issues they raised” before they were revealed. […]


[ISN] Global Payments to Buy Heartland for $4.3 Billion

www.bankinfosecurity.com/global-payments-to-buy-heartland-for-43-billion-a-8753 By Tracy Kitten @FraudBlogger Bank Info Security December 16, 2015 Two leading payments processors that each suffered massive data breaches are consolidating. Atlanta-based Global Payments Inc. plans to buy its smaller rival, Princeton, N.J.-based Heartland Payment Systems Inc., for $4.3 billion. The deal that is expected to close during the fiscal fourth quarter ending May 31, 2016. Industry observers are weighing in on whether the merged companies will successfully build a strong culture of security. “Heartland really took its breach to heart and was one of the best examples of how to learn from such an event and turn it into a leadership opportunity,” says Al Pascual, director of fraud and security at Javelin Strategy & Research. “I give the CEO [Bob Carr] a lot of credit for that. Global Payments was quite the opposite, with one of the least transparent breach events in the payments industry. I’m hoping the security culture of Heartland becomes the dominant one.” But Tom Wills, managing director of payments security consultancy Secure Strategies, says it could be difficult for the new company created through the merger to improve security. […]


[ISN] J.P. Morgan, BOA, Citi, And Wells Spending $1.5 Billion To Battle Cyber Crime

www.forbes.com/sites/stevemorgan/2015/12/13/j-p-morgan-boa-citi-and-wells-spending-1-5-billion-to-battle-cyber-crime/ By Steve Morgan Contributor Forbes / Tech Dec 13, 2015 There’s a showdown between the world’s largest corporations, governments, and cybersecurity companies who are going up against a global network of cyber criminals. The British insurance company Lloyd’s estimates that cyber attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. Some vendor and media forecasts put the cybercrime figure as high as $500 billion and more. The banking and financial services sector has been the prime target of cyber criminals over the last five years, followed by IT & telecom, defense, and the oil and gas sector, according to TechSci Research, an IT market intelligence firm. Infosecurity Magazine stated in an article earlier this year that financial services firms are hit by security incidents a staggering 300 times more frequently than businesses in other industries. Deloitte states that the financial services sector faces the greatest economic risk related to cybersecurity. The biggest U.S. banks are responding to the cyber crime epidemic with some of the biggest security budgets. […]


[ISN] Hacker Claims to Have Taken Sensitive Data from City of Providence

www.golocalprov.com/news/new-hacker-claims-to-have-taken-sensitive-data-from-city-of-providence GoLocalProv News Team December 13, 2015 The City of Providence’s website was hacked on Sunday morning, and following the hacker posting an ominous message claiming to have control of sensitive data and that the data is for sale, the city and the hacker have given conflicting reports as to the impact. It is unknown what data, if any, is under the control of the City of Providence, but as three years ago the City of Providence accidentally gave GoLocalProv the Social Security numbers to thousands of retired City Workers. The message posted Sunday morning on the city’s website read: Sorry You g0t Hacked by g0tchack ALL SENSITIVE DATA & DATABASE FOR SALE!! 1 BTC […]