Tag Archives: something

[ISN] The Ambassador who worked from Nairobi bathroom to avoid State Dept. IT

http://arstechnica.com/information-technology/2015/03/the-ambassador-who-worked-from-nairobi-bathroom-to-avoid-state-dept-it/
By Sean Gallagher
Ars Technica
March 8, 2015

The current scandal roiling over the use of a private e-mail server by former Secretary of State Hillary Clinton is just the latest in a series of scandals surrounding government e-mails. And it’s not the first public airing of problems with the State Department’s IT operations—and executives’ efforts to bypass or work around them.

At least she didn’t set up an office in a restroom just to bypass State Department network restrictions and do everything over Gmail. However, another Obama administration appointee—the former ambassador to Kenya—did do that, essentially refusing to use any of the Nairobi embassy’s internal IT. He worked out of a bathroom because it was the only place in the embassy where he could use an unsecured network and his personal computer, using Gmail to conduct official business. And he did all this during a time when Chinese hackers were penetrating the personal Gmail inboxes of a number of US diplomats.

Why would such high-profile members of the administration’s foreign policy team so flagrantly bypass federal and agency regulations to use their own personal e-mail to conduct business? Was it that they had something they wanted to keep out of State’s servers and away from Congressional oversight? Was it that State’s IT was so bad that they needed to take matters into their own hands? Or was it because the department’s IT staff wasn’t responsive enough to what they saw as their personal needs, and they decided to show just how take-charge they were by ignoring all those stuffy policies?

The answer is probably a little bit of all of the above. But in the case of former ambassador Scott Gration, the evidence points heavily toward someone who wanted to work outside the system because he just couldn’t stand it. […]

[ISN] Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks

http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war
By Kevin Poulsen
Threat Level
Wired.com
02.18.15

“What we really need is a Manhattan Project for cybersecurity.” It’s a sentiment that swells up every few years in the wake of some huge computer intrusion—most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America’s go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible. A Google search on “cyber Manhattan Project” brings up results from as far back as 1997—it’s second only to “electronic Pearl Harbor” in computer-themed World War II allusions.

In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. “This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems,” Goodman writes. “Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today.”

These arguments have so far not swayed a sitting American president. Sure, President Obama mentioned cybersecurity at the State of the Union, but his proposal not only doesn’t boost security research and development, it potentially criminalizes it. At the White House’s cybersecurity summit last week, Obama told Silicon Valley bigwigs that he understood the hacking problem well—“We all know what we need to do. We have to build stronger defenses and disrupt more attacks”—but his prescription this time was a tepid executive order aimed at improving information sharing between the government and industry.

Those hoping for something more Rooseveltian must have been disappointed. On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We’ve had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn’t recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America’s cyber Manhattan Project is purely offensive. […]

[ISN] Is this the future of cyberwarfare?

http://america.aljazeera.com/watch/shows/america-tonight/articles/2015/2/5/blackenergy-malware-cyberwarfare.html
By Aaron Ernst
Al Jazeera America
February 5, 2015

Five years ago, the most sophisticated cyber weapon the world had ever seen ravaged Iran’s nuclear program. Allegedly developed by the U.S. and Israel, the complex virus infected the computer system that ran the centrifuges. Slight tweaks to the software caused hundreds of the centrifuges to self-destruct, setting the program back years. The malware was dubbed Stuxnet.

Traditionally, foreign governments have used malware to spy and steal. But this was something entirely different.

“Stuxnet, it is a weapon, it’s not ‘like’ a weapon,” says German computer security expert Ralph Langner, who was the first to identify how the virus worked. “It is a weapon because it was designed to cause physical damage.”

Now, Langner worries that Stuxnet could come back to haunt the U.S. Those same vulnerabilities in Iran’s nuclear control systems that the malware exploited can be found in similar systems throughout America. […]

[ISN] PSA: Your crypto apps are useless unless you check them for backdoors

http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/
By Dan Goodin
Ars Technica
Feb 4, 2015

At the beginning of the year, I did something I’ve never done before: I made a new year’s resolution. From here on out, I pledged, I would install only digitally signed software I could verify hadn’t been tampered with by someone sitting between me and the website that made it available for download.

It seemed like a modest undertaking, but in practice, it has already cost me a few hours of lost time. With practice, it’s no longer the productivity killer it was. Still, the experience left me smarting. In some cases, the extra time I spent verifying signatures did little or nothing to make me more secure. And too many times, the sites that took the time to provide digital signatures gave little guidance on how to use them. Even worse, in one case, subpar security practices of some software providers undercut the protection that’s supposed to be provided with digitally signed code. And in one extreme case, I installed the Adium instant messaging program with no assurance at all, effectively crossing my fingers that it hadn’t been maliciously modified by state-sponsored spies or criminally motivated hackers.

More about those deficiencies later—let’s begin first with an explanation of why digital signatures are necessary and how to go about verifying them.

By now, most people are familiar with man-in-the-middle attacks. They’re waged by someone with the ability to monitor traffic passing between an end user and a website—for instance, a hacker sniffing an unsecured Wi-Fi connection or the National Security Agency sniffing the Internet backbone. When the data isn’t encrypted, the attacker can not only read private communications but also replace legitimate software normally available for download with maliciously modified software. If the attack is done correctly, the end user will have no idea what’s happening.

Even when Web connections are encrypted with the HTTPS standard, highly skilled hackers still may be able to seed a website with malicious counterfeit downloads. That’s where digital signatures come in.

A prime candidate for such an attack is the OTR plugin for the Pidgin instant messenger. It provides the means to encrypt messages so (1) they can’t be read by anyone monitoring the traffic sent between two parties and (2) each party can know for sure that the person on the other end is, in fact, who she claims to be. Fortunately, the OTR installer is provided through an encrypted HTTPS connection, which goes a long way to thwarting would-be man-in-the-middle attackers. But strict security practices require more, especially for software as sensitive as OTR. That’s why the developers included a GPG signature users can check to verify that the executable file hasn’t been altered in any way. […]

[ISN] About the infosec skills shortage

http://3vildata.tumblr.com/post/109188919632/about-the-infosec-skills-shortage
By https://twitter.com/addelindh and https://twitter.com/0xtero
http://3vildata.tumblr.com/
Jan 26th, 2015

Today I got into an argument on Twitter that started with me saying something sarcastic in reference to a recent statement by a vendor and ended with a discussion about the skills shortage in security. Twitter can be a difficult medium sometimes and I don’t really feel that I got my point across, so this is my attempt to correct that. Before I start I would like to point out that in no way do I think that this is the only reason there is a skills shortage in security, but that I do consider it a large contributing factor.

In the beginning, there were firewalls

Enterprise investment in security has traditionally been in products such as firewalls, anti-virus, IPS/IDS, and so on. Security products have in turn been marketed and sold as “solutions” rather than tools; heavily automated and not really much to work with. Because of this, they have been considered infrastructure components rather than applications: you just install and configure them and then let them do their magic.

Automation is great, until it isn’t

The thing about buying automated solutions is that it removes the incentive to invest in knowledge of the problem the solution was supposed to solve. Why pay money so that someone can learn how to solve a problem that has already been solved, right? For an enterprise, this makes perfect sense, and for a while it worked. […]

[ISN] ‘Blackhat’ review: Michael Mann movie bombs

http://www.sfgate.com/movies/article/Blackhat-review-Michael-Mann-movie-bombs-6016040.php
By Mick LaSalle
SFGate.com
January 15, 2015

You ever see a garbage truck unload? It backs up slowly and stops, the back door drops, and a cascade of wet, smelly junk comes rolling and tumbling out. Releasing a movie in January is something like that. Aside from the 2014 releases going wide following Oscar-qualifying runs in Los Angeles, what makes it into theaters in January is generally pretty raw merchandise.

So the January release of “Blackhat,” the latest film from a major American director, Michael Mann (“Heat,” “The Last of the Mohicans”) was a real mystery. And it remained a mystery until about 10 or 15 minutes into the film, when the mental image returned, of that garbage truck backing up very slowly …

“Blackhat” is a film about cybercrime that is, at first, difficult to follow, and later, perfectly clear and preposterous. A hacker or a team of hackers causes a Chinese nuclear reactor to blow, and China and the United States team up to stop them before they can strike again. That means springing from prison the one genius hacker smart enough to beat the hackers at their own game. He’s played by Chris Hemsworth, because that’s what computer geniuses look like in the movies.

Mann suffocates “Blackhat” with style. The trouble starts in the opening scene, in which he shows how the Remote Access Trojan makes its way from the hackers to the nuclear reactor. He does this by having the camera go below the floor and then zip along miles of cable and, of course, we have no idea what we’re looking at, and it’s not particularly interesting. […]

[ISN] Spike in Malware Attacks on Aging ATMs

http://krebsonsecurity.com/2014/10/spike-in-malware-attacks-on-aging-atms/
By Brian Krebs
Krebs on Security
October 20, 2014

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR. To learn more about how these attacks are impacting banks and the ATM makers, I reached out to Owen Wild, NCR’s global marketing director, security compliance solutions. Wild said ATM malware is here to stay and is on the rise.

BK: I have to say that if I’m a thief, injecting malware to jackpot an ATM is pretty money. What do you make of reports that these ATM malware thieves in Malaysia were all knocking over NCR machines?

OW: The trend toward these new forms of software-based attacks is occurring industry-wide. It’s occurring on ATMs from every manufacturer, multiple model lines, and is not something that is endemic to NCR systems. In this particular situation for the [Malaysian] customer that was impacted, it happened to be an attack on a Persona series of NCR ATMs. These are older models. We introduced a new product line for new orders seven years ago, so the newest Persona is seven years old. […]

[ISN] Obama’s Cyber Czar Wants to Replace Passwords With Selfies

http://www.nationaljournal.com/tech/obama-s-cyber-czar-wants-to-replace-passwords-with-selfies-20141009
By Brendan Sasso
National Journal
October 9, 2014

The Obama administration’s top cybersecurity official wants to get rid of passwords.

“Frankly, I would love to kill the password dead as a primary security method, because it’s terrible,” said Michael Daniel, the White House cybersecurity coordinator, during a discussion Thursday hosted by the Center for National Policy and The Christian Science Monitor.

So what would replace the password? Daniel suggested that “selfies” would be one possibility. A device could scan a photo of a person’s face and grant access only to the right one.

“You could use the cameras on cell phones, which are now ubiquitous, so the selfies are used for something besides posting on Facebook,” Daniel said.

Fingerprint scanners, which are already in use on iPhones, are another possibility, Daniel said. […]