I read an article on Infosec Island today located here in which a former Clinton official spoke of placing a black box in the cloud. I agree, there is no reason this data cannot be stored externally rather than engage in the lengthy and costly search that ensues when airliners have issues. I’d also like to extend this concept a bit further. Why is it not completely possible to retrofit our existing airlines with drone-like command and control capabilities? I would suggest that we seriously consider a secure method of taking over an airplane in certain situations and completely shutting out the pilots. So if a terrorist tries and take command of a plane mid-air, we should have the ability to take over that plane and safely land it at the nearest airfield using the same technology that we use on drones. I realize there are many challenges here, but there is no reason this is not completely possible. Now off my soapbox.
http://www.bloomberg.com/news/2014-03-18/irs-employee-took-home-data-on-20-000-workers-at-agency.html By Richard Rubin Bloomberg March 18, 2014 A U.S. Internal Revenue Service employee took home a computer thumb drive containing unencrypted data on 20,000 fellow workers, the agency said in a statement today. The tax agency’s systems that hold personal data on hundreds of millions of Americans weren’t breached, the statement said. “This incident is a powerful reminder to all of us that we must do everything we can to protect sensitive data –- whether it involves our fellow employees or taxpayers,” IRS Commissioner John Koskinen said in a message to employees. “This was not a problem with our network or systems, but rather an isolated incident.” The IRS is contacting the current and former employees involved, almost all of whom worked in Pennsylvania, Delaware and New Jersey. The information dates to 2007, before the IRS started using automatic encryption. [...]Tags: america, com, data, day, internal, Law, oh, Personal, problem, service, systems, today
http://www.thenews.com.pk/Todays-News-3-238069-KSE-to-hire-information-security-expert By Shahid Shah The News March 14, 2014 KARACHI: The Karachi Stock Exchange (KSE) is hiring the chief information security officer to ensure security of data, official sources said on Thursday. They said four candidates have already been shortlisted for the position. The acting CISO is conducting interviews of the candidates. The sources said the decision was taken after the managing director of the KSE had received an email in July last year, which alleged that some officials of its Information Technology department were involved in data leakage. This newspaper had reported the issue even before the above-mentioned email. The email shot from an unknown source stated that some people had access to highly confidential data of buying and selling of shares. Consequently, the board of directors constituted an internal audit committee and initiated an enquiry against this, which caused expulsion of four employees of IT department, while a general manager of the department was sent on forced leave in August 2013. The KSE had hired an independent forensic consultant Sidat Hyder Morshed Associate to investigate the highly sensitive matter and inspect the computers of the IT department. [...]Tags: audit, cause, com, committee, data, day, end, ensure, internal, Security, technology, today, use
http://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/ By Sean Gallagher Ars Technica March 12, 2014 Since 2010, the National Security Agency has kept a push-button hacking system called Turbine that allows the agency to scale up the number of networks it has access to from hundreds to potentially millions. The news comes from new Edward Snowden documents published by Ryan Gallagher and Glenn Greenwald in The Intercept today. The leaked information details how the NSA has used Turbine to ramp up its hacking capacity to “industrial scale,” plant malware that breaks the security on virtual private networks (VPNs) and digital voice communications, and collect data and subvert targeted networks on a once-unimaginable scale. Turbine is part of Turbulence, the collection of systems that also includes the Turmoil network surveillance system that feeds the NSA’s XKeyscore surveillance database. While it is controlled from NSA and GCHQ headquarters, it is a distributed set of attack systems equipped with packaged “exploits” that take advantage of the ability the NSA and GCHQ have to insert themselves as a “man in the middle” at Internet chokepoints. Using that position of power, Turbine can automate functions of Turbulence systems to corrupt data in transit between two Internet addresses, adding malware to webpages being viewed or otherwise attacking the communications stream. Since Turbine went online in 2010, it has allowed the NSA to scale up from managing hundreds of hacking operations each day to handling millions of them. It does so by taking people out of the loop of managing attacks, instead using software to identify, target, and attack Internet-connected devices by installing malware referred to as “implants.” According to the documents, NSA analysts can simply specify the type of information required and let the system figure out how to get to it without having to know the details of the application being attacked. The “selectors” that analysts can use to target victims through Turbine are significant. Using Turmoil as a targeting system, Turbine can look for identifying cookies from a number of Web services, including Google, Yahoo, Twitter, Facebook, Hotmail, and DoubleClick, as well as those from the Russian services Mail.ru, Rambler, and Yandex. Those cookies are all available for targeting purposes, as is user account information from a whole host of services. [...]Tags: able, application, com, come, data, day, device, Exploit, exploits, Internet, malware, National, Security, service, software, systems, target, technology, today, use
http://krebsonsecurity.com/2014/03/adobe-microsoft-push-security-updates/ By Brian Krebs Krebs on Security March 11, 2014 Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late. Microsoft’s five bulletins address 23 distinct security weaknesses in Microsoft Windows, Internet Explorer and Silverlight. The Internet Explorer patch is rated critical for virtually all supported versions of IE, and plugs at least 18 security holes, including a severe weakness in IE 9 and 10 that is already being exploited in targeted attacks. Microsoft notes that the exploits targeting the IE bug seen so far appear to perform a check for the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET); according to Microsoft, the exploits fail to proceed if EMET is detected. I’ve recommended EMET on several occasions, and would encourage any Windows users who haven’t yet deployed this tool to spend a few minutes reading this post and consider taking advantage of it to further harden their systems. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform. For those of you who don’t mind beta-testing software, Microsoft has released a preview version of the next generation of EMET — EMET 5.0 Technical Preview. This month’s updates include a fix for another dangerous bug – deep within the operating system on just about every major version of Windows – that also was publicly disclosed prior to today’s patches. Microsoft’s Technet Blog has more details on these and other bulletins released today. [...]Tags: able, com, day, end, Exploit, exploits, framework, Internet, just, Law, product, review, ROC, Security, software, systems, target, today, use, vulnerability
http://www.infosecnews.org/the-open-enigma-project-kickstarter/ By William Knowles Senior Editor InfoSec News March 5, 2014 Imagine having this iconic device on your desk: You can use it to simply display a scrolling marquee of any text message on its unique LED screen or encrypt/decrypt any information you wish to use (still today) a very secure key. This is an ideal device to teach or learn about encryption, history & math. Because of its open software & the community of developers, the possibilities are endless & your reward is bound to increase in value over time as new applications (like e-mail encryption, secure router, etc) are written. The original (pre-war) Enigma code was initially broken in Poland and subsequently by a team of Bletchley Park cryptologists under the leadership of U.K.’s own Alan Turing who is one of the fathers of computer science. Bletchley Park’s ability to break the Enigma code is believed to have shortened World War II by about 2 years. Enigma machines are an extremely rare and important part of computing history. A real Enigma machine sold for $200,000 in 2011. Transforming a prototype into a production unit takes a lot of effort, time & MONEY. This is where you come in! Whether you are brand new to the world of Encryption or a seasoned Cryptologist, whether you know every detail of the German Enigma’s story or it’s news to you, YOU can help us write it’s future. Not only will your pledge let you enjoy this phenomenal product, but it will also help us continue to develop it’s feature set. [...]Tags: application, applications, cause, com, come, computing, continue, day, device, end, important, product, software, time, today, use, value, wish
http://www.fiercegovernmentit.com/story/dhs-proposes-125-billion-cybersecurity-spending/2014-03-04 By David Perera FierceGovernmentIT March 4, 2014 The proposed Homeland Security Department cybersecurity budget for the coming federal fiscal year amounts to $1.25 billion, show budget documents released today. DHS over the course of the Obama administration has assumed an increasingly central role in securing federal networks and in urging private sector companies considered to be “critical infrastructure” into better cybersecurity practices. Under the cybersecurity executive President Obama signed in 2013 (EO 13636), DHS now also has the task of encouraging critical infrastructure firms into adopting the framework of controls released by the National Institute of Standards and Technology in February. An overview of the DHS fiscal 2015 budget proposal shows DHS planning to spend $8.5 million on a voluntary adoption program. Other notable elements of the DHS cybersecurity proposal include: [...]Tags: able, com, companies, cyber, Cybersecurity, day, end, framework, government, infrastructure, National, option, practice, president, program, Security, technology, today