www.theregister.co.uk/2015/11/29/hello_barbie_controversy_reignited_with_insecurity_claims/ By Richard Chirgwin The Register 29 Nov 2015 Back in February, The Register queried the security and privacy implications of Mattel’s “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy. After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski (formerly of Trustwave’s SpiderLabs) reignited it by extracting Wi-Fi network names, account IDs, and MP3 files from the toy. That brought a defensive response from Oren Jacob, CEO of ToyTalk (which provides the cloud processing chunk of Hello Barbie). He called Jakubowski an “enthusiastic researcher”, said the data is “already available” to customers, and “no major security or privacy protections have been compromised”. While it’s probably easier to get an SSID by standing outside a house and letting it pop up on your phone’s Wi-Fi connection list, an account ID is another matter, since all an attacker needs is to get a password and they have access to the Hello Barbie account. […]
www.computerworld.com/article/3006360/security/us-government-wants-in-on-the-public-cloud-but-needs-more-transparency.html By Blair Hanley Frank IDG News Service Nov 18, 2015 The federal government is trying to move more into the cloud, but service providers’ lack of transparency is harming adoption, according to Arlette Hart, the FBI’s chief information security officer. “There’s a big piece of cloud that’s the ‘trust me’ model of cloud computing,” she said during an on-stage interview at the Structure conference in San Francisco on Wednesday. That’s a tough sell for organizations like the federal government that have to worry about protecting important data. While Hart said that the federal government wants to get at the “enormous value” in public cloud infrastructure, its interest in moving to public cloud infrastructure is also tied to a need for greater security. While major providers like Amazon and Microsoft offer tools that meet the U.S. government’s regulations, not every cloud provider is set up along those lines. In Hart’s view, cloud providers need to be more transparent about what they do with security so the government and other customers can verify that their practices are sufficient for protecting data. […]
www.theregister.co.uk/2015/10/16/navy_engineer_attempted_espionage/ By Alexander J Martin The Register 16 Oct 2015 A civilian US naval engineer has been sentenced to 11 years in prison for attempted espionage, after passing military technology secrets to an FBI undercover agent posing as an Egyptian intelligence officer. The Register can report that 36-year-old Mostafa Ahmed Awwad “took advantage of his position of trust within the Navy to share the schematics of the USS Gerald R. Ford nuclear aircraft carrier with individuals whom he believed were representing a foreign government,” according to Assistant Attorney General Carlin. According to sealed court documents, cited in the Department of Justice release, Awwad had met the undercover FBI agent at a hotel and “described a detailed plan to circumvent US Navy computer security by installing software on his restricted computer system that would enable him to copy documents without causing a security alert.” […]
http://www.computerworld.com/article/2975780/security/oracle-still-clueless-about-security.html By Steven J. Vaughan-Nichols Computerworld Aug 25, 2015 Oracle’s chief security officer, Mary Ann Davidson, recently ticked off almost everyone in the security business. She proclaimed that you had to do security “expertise in-house because security is a core element of software development and you cannot outsource it.” She continued, “Whom do you think is more trustworthy? Who has a greater incentive to do the job right — someone who builds something, or someone who builds FUD around what others build?” Oh. Wait. That’s what Davidson said in 2011! What she said in 2015 was that security reports based on reverse-engineering Oracle code and then applying static or dynamic analysis to it do not lead to “proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD.” Davidson’s blog post is one long rant that boils down to, “How dare people analyze Oracle code?” “I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it.
http://gcn.com/articles/2015/08/19/zero-trust-security.aspx By Paul McCloskey GCN.com Aug 19, 2015 Agencies are increasingly turning to predictive analytics to root out fraud, but those aren’t the only tools being used to spot and control anomalous behavior. New identity security tools are emerging to help enterprises that might be victimized in fraud schemes enabled by insiders or attackers using insider credentials. Those users have been at the center of several recent high-profile attacks. Their privileges were exploited as the result of sophisticated spear-phishing attacks, including the one on health insurer Anthem earlier this year in which 80 million records were stolen. “These are privileged users with access to everything in the database — not just their records; they have the ability to go from system to system inside a corporate or government infrastructure,” said Ken Ammon, chief strategy officer at Xceedium. “What happens is criminals target those individuals because they know their roles or their accounts are extremely powerful in the organization,” Ammon said. “If they can send them an email that they might click on, it installs as a super user who now can download the entire corporate database from network to network.” To help defend against that vulnerability, Xceedium has embraced a policy of “zero trust,” whereby access is extended only for a specific reason and for a specific amount of time. […]
http://www.csoonline.com/article/2952395/security-awareness/a-primer-on-dealing-with-the-media-as-a-hacker-and-dealing-with-hackers-as-the-media.html By Steve Ragan Salted Hash CSO July 23, 2015 Next month, thousands of hackers will travel to Las Vegas, and hundreds of journalists are going to follow them. The adversarial relationship between hackers and the press has existed for years, but there are ways to navigate the playing field and strike a balance. The idea for this post came from two places: Twitter and a blog post by Violet Blue over at Rapid7. The Rapid7 post has a lot of great advice for Black Hat and dealing with the media on a corporate level. It’s a smart post, and it’s something you should read either before or after reading this article. I’d also like to point out two additional sources from Uli Ries and The Grugq. For the hackers: Not everyone in the media is your enemy, but – and be real clear about this – they’re not your friends either. They’re working stiffs, and like you they have a job with demands, unique pressures, and stress. For you, hacking is a way of life – it’s who you are. That mindset is the same for journalists. Granted, there’s nothing wrong with having friends in the media; in fact it’s helpful at times, but there needs to be a level of trust that exists in that relationship, and trust is earned – even among friends. […]
http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7 By CALE GUTHRIE WEISSMAN Business Insider Jul. 14, 2015 It’s a known fact that hacking makes money. But how much money? And how do hackers carry out their internal dealings with one another so as not to step on each other’s toes? Much like the fine-tuned systems of mafias and gangs that act almost identically to businesses, hackers have also created their own extremely intricate systems — and the scale of their operations is astounding. Security researchers have been embedding themselves into these online underbellies to see precisely what’s going on. This way they can get an early look at the malware hackers are cooking up, while also learning just how the system works. The information security company Trustwave has been doing just this for years. It now has a lot to show for it, including discovering how much money a hacking gang makes and how precisely the cybercrime ecosystem works. Trustwave’s VP of Security Research Ziv Mador has put together a presentation he gives to customers so they can get a better handle on how to protect themselves. As he put it, it’s just a “glance of what we find.” But Mador has given Business Insider an exclusive look at the wheeling and dealing of hackers inside this secretive world — check it out below. […]
http://www.zdnet.com/article/ukraines-cyber-warfare-how-nato-helps-the-country-defend-itself-against-digital-threats/ By Andrada Fiscutean Central European Processing ZDNet News June 11, 2015 Ukraine’s recent history has been dramatic, with border changes, riots, the occupation of government buildings, and bloodshed. Behind all this, a quiet conflict, free of gunfire but equally hard-fought, has been taking place in the online world. DDoS attacks and communications jamming have led to misinformation in an already confused country. Now, North Atlantic Alliance nations are joining forces to help Ukraine protect its digital space. Albania, Estonia, Hungary, Poland, Portugal, Romania, and Turkey have offered financial or in-kind contributions to Ukraine’s Cyber Defense Trust Fund, a program agreed by world leaders during a NATO summit held last September in Wales. US president Barack Obama, British prime minister David Cameron, German chancellor Angela Merkel, and French president François Hollande all participated. “The technical requirements for the implementation of this project have been set up and the negotiations for the necessary legal arrangements are at an advanced stage,” a NATO official in Brussels told ZDNet. “NATO needs to keep abreast of the rapidly changing threat landscape and to maintain a robust cyber-defence,” he added. […]