[ISN] CircleCityCon: The missing update


http://www.csoonline.com/article/2365184/security-industry/circlecitycon-the-missing-update.html By Steve Ragan Salted Hash CSO June 19, 2014 Last weekend, 240 people attended CircleCityCon, Indianapolis’ first major security conference. It was an amazing time, offering a chance to lean form a wide range of professionals. There were more than thirty talks recorded at the event, thanks to Adrian Crenshaw (@irongeek_adc) and his team of volunteers. Salted Hash has included some of the videos below, but all of them are worth a look. In fact, Irongeek has recorded hundreds of talks over the years, and his archive of security footage is impressive. Today’s post serves as an update to my coverage of CircleCityCon, but it’s also the tale of how I learned an important lesson. This post, and the future articles based on the talks from this year’s CircleCityCon, almost didn’t happen. On Monday morning, my mobile office (a ThinkPad T430s) fizzled out. At first, it was determined that the video card had died, but once that was fixed, the system was still hosed. Ultimately, it was a RAM issue. [...]


[ISN] “H4CKERS WANTED” report: NSA not having trouble filling cybersecurity jobs

http://www.networkworld.com/article/2364271/security0/h4ckers-wanted-report-nsa-not-having-trouble-filing-cybersecurity-jobs.html
By Ellen Messmer, NetworkWorld, June 18, 2014

While there’s a notion that there is a dearth of cybersecurity professionals, the shortage is most acute at the “high end” where $250,000 salaries are not uncommon for those who combine technical and managerial skills. That’s according to the RAND Corp. report today on the topic, which also looked at how well the National Security Agency and other military-focused agencies were recruiting cybersecurity pros. The “H4CKERS WANTED” report from RAND, the non-profit policy think tank funded by the U.S. government and private endowment, looked at whether cybersecurity jobs are going unfilled, especially in the federal government, and if so, why. Co-authored by Martin Libicki, David Sentry and Julia Pollak, the RAND report reaches the conclusion that in the spectrum of the tasks that cybersecurity professionals might do, two types stand out as hard to find and recruit. In addition to the managerial job often thought of as the “chief information security officer” these days, it’s also the talented geeky few who can figure out that highly stealthy attacks are occurring or who can find “the hidden vulnerabilities in software and systems that allow advanced persistent threats to take hold of targeted systems.” Demand for cybersecurity skills in general began rising within the last five years, the report says, not because hackers are attacking networks more but because the defenders of those networks are far more aware of the hackers and are eager to employ someone who can set up ways to detect and stop them. In addition, the rise of state-sponsored stealthy cyber-espionage—and in some cases, even hard-hitting attacks suggestive of cyberwar


[ISN] DDoS attacks knock Feedly offline for second day running

http://www.computerworld.com/s/article/9249064/DDoS_attacks_knock_Feedly_offline_for_second_day_running
By Gregg Keizer, Computerworld, June 12, 2014

RSS aggregator Feedly today went dark for the second time in two days as another wave of distributed denial-of-service (DDoS) attacks knocked it offline. At approximately 10:30 a.m. ET (7:30 a.m. PT), Feedly acknowledged that it had again been targeted by cyber criminals, who seem bent on crippling the RSS provider. “The ops team has reviewed the attacks and is working on building a second line of defense to neutralize this second attack,” said company officials, including Edwin Khodabakchian, Feedly CEO, in a brief status update on the firm’s blog. After a four-hour outage, Feedly was restored at 2:30 p.m. ET, 11:30 a.m. PT. [...]


[ISN] The $10 Million Deductible – Why the cyberinsurance industry is a mess.

http://www.slate.com/articles/technology/future_tense/2014/06/target_breach_cyberinsurance_is_a_mess.html
By Josephine Wolff, Slate.com, June 12, 2014

Do you still shop at Target? There’s been controversy over how much of an impact the massive breach of 40 million credit and debit card numbers in late 2013 had on the company’s shareholders and customers. And that controversy speaks to a larger cybersecurity problem plaguing industry today: the difficulty of assessing the impact and costs of these sorts of security breaches and the challenges that presents when it comes to trying to buy and sell cyberinsurance. Yes, that’s a real thing—and a great business to be in, at the moment, if you can figure out how to develop accurate actuarial models, that is. A recent New York Times article touted cyberinsurance as the “fastest-growing niche in the [insurance] industry today.” Nicole Perlroth and Elizabeth Harris report: “[A]fter the breach at Target, its profit was cut nearly in half—down 46 percent over the same period the year before—in large part because the breach scared away its customers.” These enormous costs to brand reputation make it difficult for companies to get as much cyber risk coverage as they want, and the demand is only growing. The Times cites statistics showing a 21 percent increase in demand for cyberinsurance policies from 2012 to 2013, with total premiums reaching $1.3 billion last year and individual companies able to acquire a maximum of roughly $300 million in coverage. At the time of its breach, Target had only $100 million in coverage, with a $10 million deductible, and had been turned away by at least one insurer when it tried to acquire more cyberinsurance, Perlroth and Harris report. They suggest that this coverage may fall well short of the massive losses incurred by the company when it saw its profits nearly halved.

But their piece comes less than a month after Eric Chemi argued exactly the opposite about the impact of Target’s security breach in a piece for Bloomberg Businessweek titled “Investors Couldn’t Care Less About Data Breaches.” He wrote: [...]


[ISN] Annual cost of cybercrime hits near $400 billion

http://www.networkworld.com/article/2360983/security0/annual-cost-of-cybercrime-hits-near-400-billion.html
By Ellen Messmer, NetworkWorld, June 9, 2014

An estimate of the global cost of cybercrime — losses from cyber-espionage theft of intellectual property, plus all types of personal and financial data stolen and dealing with the fallout — is being tabbed at at least $400 billion annually, according to the report published today by the Center for Strategic and International Studies. In its report “Net Losses: Estimating the Global Cost of Cybercrime,” Washington, D.C.-based think tank CSIS claims the countries hit most are the United States, China and Germany based on their overall national wealth in Gross Domestic Product (GDP). Those three countries together are estimated to have suffered $200 billion in cybercrime losses on an annual basis. CSIS acknowledges there’s going to be debate over how to calculate the cost of cybercrime the way it broadly defines it. But CSIS, whose research draws largely from the work of economists, argues it could not be lower than $375 billion and the maximum could actually be $575 billion. “Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow,” the report says. By coincidence, the CSIS report on the cost of cybercrime comes in the wake of the U.S. Department of Justice crime charges related to alleged cybercrime operations in China and Eastern Europe that are accused of stealing millions of dollars from U.S. businesses through either theft of trade secrets or outright financial fraud. [...]


[ISN] Banks: Credit Card Breach at P.F. Chang’s

http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/
By Brian Krebs, Krebs on Security, June 10, 2014

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide. On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014. Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.” “P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company said in an emailed statement. “We will provide an update as soon as we have additional information.” [...]


[ISN] LulzSec hacker ‘Sabu’ praised by FBI for helping stop more than 300 cyber attacks

http://www.independent.co.uk/life-style/gadgets-and-tech/lulzsec-hacker-sabu-praised-by-fbi-for-helping-stop-more-than-300-cyber-attacks-9438035.html
By James Vincent, The Independent, 27 May 2014

A notorious former member of hacking group Anonymous has been praised by US prosecutors for providing “extremely valuable” assistance to the FBI and thwarting cyber attacks planned by his former associates. According to court documents Hector Xavier Monsegur, otherwise known as ‘Sabu’, helped law enforcement stop more than 300 separate attacks since his arrest for computer hacking in June 2011. Mr Monsegur is set to be sentenced today for his involvement in a number of major cyber attacks in the year of his arrest, with prosecutors recommending that he receive a reduced sentence. In May 2011 Mr Monsegur and five other members of the loosely-defined Anonymous movement formed what court documents describe as “an elite hack collective or ‘crew’ commonly referred to as LulzSec”. [...]


[ISN] Cyber warfare unregulated, says IDF adviser

http://www.haaretz.com/news/diplomacy-defense/.premium-1.591665
By Gili Cohen, Haaretz.com, May 20, 2014 (Iyyar 20, 5774)

Speaking at the CyberNight conference at the Shamoon College of Engineering in Be’er Sheva, Maj. A., the Military Intelligence legal adviser, described the role of legal consulting in the era of cybernetic warfare, saying that “Although the field is not regulated – and because the field is not regulated – the legal adviser plays a central role. This role is developing on the job, step by step, because there is no breakthrough convention or legislation” on the horizon. The IDF last year appointed a legal adviser for cyber warfare, whose main task is to regulate cyber warfare activities, based on principles of international law. The military has refused to confirm whether one of this adviser’s tasks is to approve targets, as it is for most of its legal advisers in operational positions. Many field commanders have been critical of these legal advisers’ work, said Maj. A. “Our ‘customers,’ at least some of them, perceive the jurists as interfering, rather than helping,” she said. “It’s no small challenge.” Maj. A. said that when providing advice “for various operations,” as she put it, she often had no choice but to rely on the Law and Administration Ordinance of 1948, “which has a clause that is still relevant, which says the army is allowed to take any legal step necessary to protect the State of Israel. That’s how we operate today.” [...]
