Tag Archives: today

[ISN] NIST outlines guidance for security of copiers, scanners

http://gcn.com/articles/2015/02/25/nist-replication-device-security.aspx

By GCN Staff
Feb 25, 2015

The National Institute of Standards and Technology announced its internal report 8023: Risk Management for Replication Devices is now available. The guidance covers protecting the information processed, stored or transmitted on replication devices (RDs), which are devices that copy, print or scan documents, images or objects. Because today’s RDs have the characteristics of computing devices (storage, operating systems, CPUs and networking) they are vulnerable to a number of exploits, NIST said. Among the threats to RDs are: […]

[ISN] Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks

http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war

By Kevin Poulsen
Threat Level
Wired.com
02.18.15

“What we really need is a Manhattan Project for cybersecurity.” It’s a sentiment that swells up every few years in the wake of some huge computer intrusion—most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America’s go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible. A Google search on “cyber Manhattan Project” brings up results from as far back as 1997—it’s second only to “electronic Pearl Harbor” in computer-themed World War II allusions.

In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. “This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems,” Goodman writes. “Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today.”

These arguments have so far not swayed a sitting American president. Sure, President Obama mentioned cybersecurity at the State of the Union, but his proposal not only doesn’t boost security research and development, it potentially criminalizes it. At the White House’s cybersecurity summit last week, Obama told Silicon Valley bigwigs that he understood the hacking problem well—“We all know what we need to do. We have to build stronger defenses and disrupt more attacks”—but his prescription this time was a tepid executive order aimed at improving information sharing between the government and industry.

Those hoping for something more Rooseveltian must have been disappointed. On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We’ve had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn’t recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America’s cyber Manhattan Project is purely offensive. […]

[ISN] China’s New Rules for Selling Tech to Banks Have US Companies Spooked

http://www.wired.com/2015/01/chinas-new-rules-selling-tech-banks-us-companies-spooked/

By Davey Alba
Wired.com
01.29.15

Technology companies that want to sell equipment to Chinese banks will have to submit to extensive audits, turn over source code, and build “back doors” into their hardware and software, according to a copy of the rules obtained by foreign companies already doing billions of dollars worth of business in the country. The new rules were laid out in a 22-page document from Beijing, and are presumably being put in place so that the Chinese government can peek into computer banking systems.

Details about the new regulations, which were reported in The New York Times today, are a cause for concern, particularly to Western technology companies. In 2015, the China tech market is expected to account for 43 percent of tech-sector growth worldwide. With these new regulations, foreign companies and business groups worry that authorities may be trying to push them out of the fast-growing market. According to the Times, the groups—which include the US Chamber of Commerce—sent a letter Wednesday to a top-level Communist Party committee, criticizing the new policies that they say essentially amount to protectionism.

The new bank rules and the reaction from Western corporations represent the latest development in an ongoing squabble between China and the US over cybersecurity and technology. The US government has held China responsible for a number of cyberattacks on American companies, and continues to be wary that Chinese-made hardware, software and internet services may have some built-in features that allow the Chinese government to snoop on American consumers. Meanwhile, China has used the recent disclosures by former NSA contractor Edward Snowden as proof that the US is already doing this kind of spying—and that this is reason enough to get rid of American technology in the country. […]

[ISN] About the infosec skills shortage

http://3vildata.tumblr.com/post/109188919632/about-the-infosec-skills-shortage

By https://twitter.com/addelindh and https://twitter.com/0xtero
http://3vildata.tumblr.com/
Jan 26th, 2015

Today I got into an argument on Twitter that started with me saying something sarcastic in reference to a recent statement by a vendor and ended with a discussion about the skills shortage in security. Twitter can be a difficult medium sometimes and I don’t really feel that I got my point across, so this is my attempt to correct that. Before I start I would like to point out that in no way do I think that this is the only reason there is a skills shortage in security, but that I do consider it a large contributing factor.

In the beginning, there were firewalls

Enterprise investment in security has traditionally been in products such as firewalls, anti-virus, IPS/IDS, and so on. Security products have in turn been marketed and sold as “solutions” rather than tools; heavily automated and not really much to work with. Because of this, they have been considered as infrastructure components rather than applications: you just install and configure them and then let them do their magic.

Automation is great, until it isn’t

The thing about buying automated solutions is that it removes the incentive to invest in knowledge of the problem the solution was supposed to solve. Why pay money so that someone can learn how to solve a problem that has already been solved, right? For an enterprise, this makes perfect sense, and for a while it worked. […]

[ISN] How a 7-year-old girl hacked a public Wi-Fi network in 10 minutes

http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes

By Ben Rossi
Information Age
21 January 2015

Free Wi-Fi at a coffee shop or other public space is a welcome sign for millions of people every day who want to get some work done, make a video call, or just catch up on a bit of online shopping. However, as results of a new experiment today prove, public Wi-Fi is so insecure it can even be hacked by a seven-year-old child – and in just over ten minutes.

The ethical hacking experiment was conducted as part of a new Wi-Fi safety public awareness campaign by VPN provider www.hidemyass.com, which aims to highlight just how effortlessly hackers can compromise any of the UK’s almost 270,000 public Wi-Fi spots. With the consent of her family and in a controlled environment, IT-savvy seven-year-old Betsy Davies managed to hack a willing participant’s laptop while they were connected to a purpose-made open Wi-Fi network – designed to replicate those found on the high street. […]

[ISN] Oracle to fix 167 vulnerabilities, including a backdoor-like flaw in its E-Business Suite

http://www.computerworld.com/article/2872694/oracle-to-fix-167-vulnerabilities-including-a-backdoor-like-flaw-in-its-e-business-suite.html

By Lucian Constantin
IDG News Service
Jan 20, 2015

Oracle’s monster batch of security updates expected Tuesday will include a fix for a serious misconfiguration issue in its E-Business Suite product that can give hackers access to databases full of sensitive business records.

Renowned database security expert David Litchfield discovered the issue last year on a client’s system and at first he thought it was a backdoor left behind by an attacker. “On investigation, it turns out the ‘backdoor’ is part of a seeded installation!” he said Monday on Twitter. “I was flabbergasted. Still am.”

In a pre-announcement about its quarterly Critical Patch Update expected today, Oracle said that 10 vulnerabilities will be fixed in E-Business Suite, six of which can be exploited remotely without authentication. […]

[ISN] Why I Hope Congress Never Watches Blackhat

http://www.wired.com/2015/01/why-i-hope-congress-never-watches-blackhat/

By Kevin Poulsen
Threat Level
Wired.com
01.16.15

What a strange time. Last week I was literally walking the red carpet at the Hollywood premiere of Michael Mann’s Blackhat, a crime thriller that I had the good fortune to work on as a “hacker adviser” (my actual screen credit). Today, all I’m thinking is, please, God, don’t let anybody in Congress see the film. I’ll explain my anxiety in a minute.

First, the movie: Mann, the legendary director of hardboiled crime films like Heat, Collateral, and Miami Vice, always has been a stickler for authenticity, and he brought me into Blackhat as an adviser early on, before it had a title or a lead actor. If you’re wondering how one gets involved in a Michael Mann film, here’s how it works: Mann calls you on the phone. You think, “Why is Michael Mann calling me?” After a phone conversation and an interview in Los Angeles, you’re officially invited on board as a consultant. It turned out Blackhat’s screenwriter had read my cybercrime book Kingpin, and he’d suggested me to Mann.

When I showed up for my first consulting meeting, I expected to find a roomful of people crowded around a long conference table. Instead, it was just me and Mann, sitting in his office for five hours at a time. He had questions about malware, hacking, how modern computer intrusions play out. For subsequent meetings, I was given the current iteration of the screenplay (watermarked with my name, lest I leak it to the Pirate Bay), and we went over it line by line, looking at dialogue, discussing tweaks to the hacking and forensics scenes, and working on some of the procedural elements in the plot. Later, Mann brought in a second computer consultant, OkCupid hacker Chris McKinley, to write code for the movie and train leading man Chris Hemsworth in Linux basics, making Hemsworth officially the best-looking human to ever use a command line. […]

[ISN] US, UK Establish a Joint Hacker A-Team To Conduct Cyber War Games

http://www.defenseone.com/technology/2015/01/us-uk-establish-joint-hacker-team-conduct-cyber-war-games/103170/

By Patrick Tucker
Defense One
January 16, 2015

The White House on Friday unveiled a series of steps to increase co-operation between the United States and the United Kingdom in combating cyber threats. Those steps include better threat information sharing and the creation of a new joint cyber task force.

The U.S. and U.K. already collaborate with one another and with many other countries on cyber defense issues through the Computer Emergency Readiness Team program. Today, President Barack Obama and British Prime Minister David Cameron announced the formation of a “joint cell” that will have a physical presence in both countries and will bring together Internet security experts from the United Kingdom’s Government Communications Headquarters (GCHQ) and Security Service (MI5), the National Security Agency (NSA), and the Federal Bureau of Investigation.

“The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale,” according to a White House statement. The cell will conduct cyber war games in the spring, simulating attacks on the financial sector. […]