Tag Archives: vulnerabilities

Gartner Provides Seven Steps Security Leaders Can Take to Deal With Spectre and Meltdown

Security and risk management leaders must take a pragmatic and risk-based approach to the ongoing threats posed by an entirely new class of vulnerabilities, according to Gartner, Inc. "Spectre" and "Meltdown" are the code names given to different strains of a new class of attacks that target an underlying exploitable design implementation inside the majority of computer chips manufactured over the last 20 years.

[ISN] Attention, Cyber Pros: The Pentagon Wants You — 3, 000 of You

http://www.nextgov.com/cybersecurity/2015/03/pentagon-has-until-2016-extend-3000-jobs-offers-civilian-cyber-whizzes/106842/ By Aliya Sternstein Nextgov.com March 5, 2015 The military has been given the go-ahead to fast-track the hiring of 3,000 computer whiz civilians, in part, to flesh out the half-staffed U.S. Cyber Command, federal officials announced Thursday. Yesterday, command leaders told Congress they need to be able to quicker make compensation deals with prospective employees, as threats from nation state hackers mount. The permission slip the Office of Personnel Management signed applies to the entire Defense Department, including the command, according to a notice posted in the Federal Register. The 5-year-old command organizes cyberattacks against adversaries and network defense operations. The pay scale for the new Defense positions starts at $42,399 and goes up to $132,122. Under the arrangement, the Pentagon can skip the process of rating applicants based on traditional competitive criteria. Instead, the department can offer jobs based on the candidate’s unique skills and knowledge. The special qualifications include the ability to analyze malware, respond to incidents, manage cyber fire drills and detect vulnerabilities, among other things. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hacker Claims Feds Hit Him With 44 Felonies When He Refused to Be an FBI Spy

http://www.wired.com/2015/02/hacker-claims-feds-hit-44-felonies-refused-fbi-spy/ By Andy Greenberg Threat Level Wired.com 02.18.15 A year ago, the Department of Justice threatened to put Fidel Salinas in prison for the rest of his life for hacking crimes. But before the federal government brought those charges against him, Salinas now says, it tried a different tactic: recruiting him. A Southern District of Texas judge sentenced Salinas earlier this month to six months in prison and a $10,600 fine after he pleaded guilty to a misdemeanor count of computer fraud and abuse. The charge stemmed from his repeatedly scanning the local Hidalgo County website for vulnerabilities in early 2012. But just months before he took that plea, the 28-year-old with ties to the hacktivist group Anonymous instead faced 44 felony hacking and cyberstalking charges, all of which were later dismissed. And now that his case is over, Salinas is willing to say why he believes he faced that overwhelming list of empty charges. As he tells it, two FBI agents asked him to hack targets on the bureau’s behalf, and he refused. Over the course of a six-hour FBI interrogation in May, 2013, months after his arrest, Salinas says two agents from the FBI’s Southern District of Texas office asked him to use his skills to gather information on Mexican drug cartels and local government figures accepting bribes from drug traffickers. “They asked me to gather information on elected officials, cartel members, anyone I could get data from that would help them out,” Salinas told WIRED in a phone interview before his sentencing. “I told them no.” “Fundamentally this represents the FBI trying to recruit by indictment,” says Salinas’ lawyer Tor Ekeland, who took the case pro bono last year. “The message was clear: If he had agreed to help them, they would have dropped the charges in a second.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Lenovo installs adware on customer laptops and compromises ALL SSL.

http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/ By Marc Rogers FEBRUARY 19, 2015 A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE. We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you cant trust your hardware manufacturer you are in a very difficult position. That manufacturer has a huge role to play in keeping you safe – from releasing patches to update software when vulnerabilities are found to behaving in a responsible manor with the data the collect and the privileged access they have to your hardware. When bad guys are able to get into the supply chain and install malware it is devastating. Often users find themselves with equipment that is compromised and are unable to do anything about it. When malware is installed with the access a manufacturer has it buries itself deep inside the system often with a level of access that often takes it beyond the reach of antivirus or other countermeasures. This is why it is all the more disappointing – and shocking – to find a manufacturer doing this to its customers voluntarily. Lenovo has partnered with a company called Superfish to install advertising software on it’s customer’s laptops. Under normal circumstances this would not be cause for concern. However Superfish’s software has quite a reputation. It is a notorious piece of “adware”, malicious advertising software. A quick search on Google reveals numerous links for pages containing everything from software to remove Superfish to consumers complaining about the presence of this malicious advertising tool. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Is this the future of cyberwarfare?

http://america.aljazeera.com/watch/shows/america-tonight/articles/2015/2/5/blackenergy-malware-cyberwarfare.html By Aaron Ernst Al Jazeera America February 5, 2015 Five years ago, the most sophisticated cyber weapon the world had ever seen ravaged Iran’s nuclear program. Allegedly developed by the U.S. and Israel, the complex virus infected the computer system that ran the centrifuges. Slight tweaks to the software caused hundreds of the centrifuges to self-destruct, setting the program back years. The malware was dubbed Stuxnet. Traditionally, foreign governments have used malware to spy and steal. But this was something entirely different. “Stuxnet, it is a weapon, it’s not ‘like’ a weapon,” says German computer security expert Ralph Langner, who was the first to identify how the virus worked. “It is a weapon because it was designed to cause physical damage.” Now, Langner worries that Stuxnet could come back to haunt the U.S. Those same vulnerabilities in Iran’s nuclear control systems that the malware exploited can be found in similar systems throughout America. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Google Launches New Incentive Program for Bug Hunters

http://www.eweek.com/security/google-launches-new-incentive-program-for-bug-hunters.html By Jaikumar Vijayan eWEEK.com 2015-02-02 Google will offer up-front grants of up to $3,133.70 to selected vulnerability researchers who will receive rewards regardless of whether they find a bug. Buoyed by the success of its existing bug-bounty program, Google has launched an initiative to reward researchers interested in finding security vulnerabilities in its products. Google’s new Vulnerability Research Grants initiative will offer up-front cash awards of up to $ 3,133.70 to researchers interested in taking a crack at specific Google products and services. Unlike the company’s current bug-bounty program, the new initiative will reward vulnerability researchers regardless of whether they find a bug or not. At the same time, researchers who do actually find a bug under the grants program will remain eligible for a bounty under Google’s current Security Rewards Program as well. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] What every utility should know about the new physical security standard

http://www.intelligentutility.com/article/15/01/what-every-utility-should-know-about-new-physical-security-standard By William E. Reiter intelligentutility.com Jan 29, 2015 On April 16, 2013, an incident in San Jose, California, led to development of a new physical security standard for owners and operators of transmission stations and substations. In the 2013 incident, a sniper attack on a Pacific Gas & Electric transmission substation knocked out 17 large transformers that powered Silicon Valley. The sniper attack served as a dramatic wake-up call for the industry and raised fears regarding the vulnerability of the nation’s power grid to terrorist attack. The more than 160,000 transmission line miles that comprise the U.S. power grid are designed to handle natural and man-made disasters, as well as fluctuations in demand; but what about physical attack? As a result of the San Jose assault, the Federal Energy Regulatory Commission (FERC) in April 2014 required the North America Energy Reliability Corporation (NERC) to establish Critical Infrastructure Protection (CIP) standards to “address physical security risks and vulnerabilities related to the reliable operation” of the bulk power system. NERC developed and issued what is now commonly referred to as CIP-014-1. This is a physical security standard that has a stated purpose to identify and protect transmissions stations and transmission substations and their associated primary control centers that—if rendered inoperable or damaged as a result of a physical attack—could result in uncontrolled separation or cascading within an interconnection. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Northrop Grumman Foundation Congratulates Top 28 Teams Advancing to CyberPatriot National Finals Competition

http://www.globenewswire.com/newsarchive/noc/press/pages/news_releases.html?d=10116947 FALLS CHURCH, Va. – Jan. 26, 2015 – The Northrop Grumman Foundation, presenting sponsor for CyberPatriot VII, is proud to congratulate the top 25 high school and three middle school teams advancing to the national finals competition on March 13 in Washington, D.C. CyberPatriot, established by the Air Force Association, is the National Youth Cyber Education Program that’s inspiring students toward careers in cybersecurity and other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. The program features the National Youth Cyber Defense Competition, cyber camps, and an elementary school education program. This year’s finalists represent schools and other organizations from Alabama, California, Colorado, Florida, Iowa, Louisiana, Massachusetts, Michigan, Missouri, New Jersey, New Mexico, Oklahoma, South Dakota, Texas, Virginia, and Manitoba, Canada. Click here for a complete listing of finalists. “We are so proud of all the students who participated this year and we wish the top 28 finalists all the best as they prepare for the big showdown,” said Sandra Evers-Manly, president of the Northrop Grumman Foundation and vice president of Northrop Grumman Global Corporate Responsibility. “CyberPatriot has proven to be an innovative way to inspire young people to pursue a career in cybersecurity. It is filling the much-needed pipeline of qualified cyber talent and we couldn’t be more pleased with its success. CyberPatriot is a true example of how a hands-on, STEM initiative can make an impact by addressing a national imperative.” A record 2,175 teams, up 40 percent from the previous year, competed this year in a series of online rounds where students were given a set of virtual images that represent operating systems and were tasked with finding vulnerabilities and hardening the system while maintaining critical services. Students competed from across the U.S. and in other parts of the world to be among the top finalists that receive an all-expenses-paid trip to the CyberPatriot National Finals in Washington, D.C. “The need for cyber defenders has never been more relevant, or urgent,” said Diane Miller, director, CyberPatriot Programs, Northrop Grumman. “To address the increasingly complex threat requires diversity of education, experience, and approach to problem solving. CyberPatriot is inspiring our youth at every level and from every pocket of the country to cultivate a cyber workforce with a strong ethical foundation, the requisite technical skills and life skills in communications, leadership and teamwork so important to potential employers. These students are career-ready and poised to take on this national and global challenge.” In its fifth year as presenting sponsor, the Northrop Grumman Foundation and Northrop Grumman Corporation continue to devote time, talent and resources to support CyberPatriot. In addition to the foundation’s financial support, Northrop Grumman awards annual scholarship funds to the top winning teams and contributes employee volunteers and mentors. The company also provides internships to CyberPatriot competitors, as do other industry and government organizations. Northrop Grumman also partnered this year with Cyber Security Challenge UK to bring CyberPatriot to the U.K.. Known as CyberCenturion, this youth cyber defense competition will hold its finals competition on April 17 at Bletchley Park in London. The CyberPatriot VII Teams will compete face-to-face in a one-day event to defend virtual networks and mobile devices from a professional aggressor team. The National Finalists will also face-off in four additional competition components: the Digital Cyber Crime Scene Challenge from the Digital Forensic Consortium, the Cisco Networking Challenge, the Leidos Digital Forensics Challenge, and a Mobile Application Challenge hosted by AT&T. These extra challenges expose teams to new elements and skillsets of the many career opportunities available to them. As a global provider of cybersecurity solutions, Northrop Grumman is committed to grooming tomorrow’s cyber workforce and is engaged in supporting numerous cybersecurity education, training and technology initiatives. For more information on Northrop Grumman in cyber, go to www.northropgrumman.com/cyber. The Northrop Grumman Foundation supports diverse and sustainable programs for students and teachers. These programs create innovative education experiences in science, technology, engineering and mathematics. For more information please visit www.northropgrumman.com/foundation. CONTACT: Marynoele Benson Northrop Grumman Corporation 703-556-1651 marynoele.benson@ngc.com


Facebooktwittergoogle_plusredditpinterestlinkedinmail