[ISN] The Boston Marathon Bombing: Keep Calm and Carry On

http://www.theatlantic.com/national/archive/2013/04/the-boston-marathon-bombing-keep-calm-and-carry-on/275014/

By Bruce Schneier
The Atlantic
April 15, 2013

As the details about the bombings in Boston unfold, it’d be easy to be scared. It’d be easy to feel powerless and demand that our elected leaders do something — anything — to keep us safe.

It’d be easy, but it’d be wrong. We need to be angry and empathize with the victims without being scared. Our fears would play right into the perpetrators’ hands — and magnify the power of their victory for whichever goals whatever group behind this, still to be uncovered, has. We don’t have to be scared, and we’re not powerless. We actually have all the power here, and there’s one thing we can do to render terrorism ineffective: Refuse to be terrorized.

It’s hard to do, because terrorism is designed precisely to scare people — far out of proportion to its actual danger. A huge amount of research on fear and the brain teaches us that we exaggerate threats that are rare, spectacular, immediate, random — in this case involving an innocent child — senseless, horrific and graphic. Terrorism pushes all of our fear buttons, really hard, and we overreact.

But our brains are fooling us. Even though this will be in the news for weeks, we should recognize this for what it is: a rare event. That’s the very definition of news: something that is unusual — in this case, something that almost never happens.

[…]

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org





[ISN] Hagel nixes medal for drone pilots, cyberwarriors

http://www.washingtontimes.com/news/2013/apr/15/hagel-nixes-medal-drone-pilots-cyber-warriors/

By Kristina Wong
The Washington Times
April 15, 2013

Defense Secretary Chuck Hagel is canceling the creation of a heroism medal for drone pilots and cyber warriors, prompted by uproar over its precedence over the Bronze Star and Purple Heart medals.

Mr. Hagel, who ordered a Pentagon review of the new medal, said Monday: “While the review confirmed the need to ensure such recognition, it found that misconceptions regarding the precedence of the award were distracting from its original purpose.”

Instead of the Distinguished Warfare Medal, military leaders are encouraged to develop a special pin or device that would be attached to already existing medals or ribbons, he said.

[…]



[ISN] Hacker celeb ‘Mudge’ joins Google after DARPA

http://news.cnet.com/8301-1009_3-57579744-83/hacker-celeb-mudge-joins-google-after-darpa/

By Seth Rosenblatt
Security & Privacy
CNET News
April 15, 2013

Peiter “Mudge” Zatko, who was hired three years ago to be a project manager at the U.S. Department of Defense’s research and development division known as the Defense Advanced Research Projects Agency, has announced via Twitter that he’s returning to the private sector with Google.

In his new role at Google, The Security Ledger reports, Zatko will be working in an unspecified role with Motorola Mobility’s Advanced Technology and Projects division, reporting to Regina Dugan. Dugan is also new to Google, hired last month away from her position as director of DARPA.

It’s no surprise that Zatko followed Dugan to Google. When he was first hired by Dugan at DARPA, he told CNET that he was impressed with Dugan’s leadership. “Now they are running more programs out of DARPA that are not classified beyond what they need to be, so it will enable more people to have visibility into them,” he said in 2010, praising her “entrepreneurial” focus.

Zatko has a long history of innovating in the computer security world. As a teenager in the 1980s, he was involved in various hacking endeavors, and wound up running the L0pht hacker space in the 1990s. As a leader then in the movement to get companies to fully reveal their security vulnerabilities publicly, “he invented anti-sniffing technology that became the first remote promiscuous system detector used by the Defense Department,” CNET’s Elinor Mills reported when Zatko joined DARPA.

[…]



[ISN] New security protection, fixes for 39 exploitable bugs coming to Java

http://arstechnica.com/security/2013/04/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java/

By Dan Goodin
Ars Technica
Apr 15 2013

Oracle plans to release an update for the widely exploited Java browser plugin. The update fixes 39 critical vulnerabilities and introduces changes designed to make it harder to carry out drive-by attacks on end-user computers.

The update scheduled for Tuesday comes as the security of Java is reaching near-crisis levels. Throughout the past year, a series of attacks hosted on popular websites has been used to surreptitiously install malware on unwitting users’ machines. The security flaws have been used to infect employees of Facebook and Apple in targeted attacks intended to penetrate those companies. The vulnerabilities have also been exploited to hijack computers of home and business users. More than once, attackers have exploited one previously undocumented bug within days or weeks of patching a previous “zero-day,” as such vulnerabilities are known, creating a string of attacks on the latest version of the widely used plugin.

In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a pre-release announcement. The post went on to say that “39 of those vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” The advisory didn’t specify or describe the holes that will be patched. Security Exploration, a Poland-based security company that has discovered dozens of “security issues” in Java, has a running list of them here.

In addition to the bug fixes, Oracle developers plan to roll out changes to Java that are intended to help end users make better decisions about when (and when not) to allow Java code to be executed in their browsers. Under the update, Java will display a variety of messages and dialog boxes, such as the one shown above, when it encounters websites that host Java applets. In some cases, the code will be executed only after an end user clicks an “OK” button.

[…]



[ISN] WordPress Hackers Exploit Username ‘Admin’

http://www.informationweek.com/security/attacks/wordpress-hackers-exploit-username-admin/240152864

By Mathew J. Schwartz
Information Week
April 15, 2013

Attention, WordPress users: If you have a WordPress username set to “admin,” change it immediately.

That warning was issued Friday by WordPress founder Matt Mullenweg, in the wake of reports that thousands of WordPress sites with an administrator username set to “admin” or “Admin” had been compromised via large-scale brute force attacks. Service provider HostGator, notably, reported Thursday that “this attack is well organized and … very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”

According to survey website W3Techs, approximately 18% of all websites — by some estimates, about 64 million sites — run WordPress.

Successfully exploited sites get a backdoor installed that provides attackers with ongoing access to the WordPress site, regardless of whether a user subsequently changes the password guessed by attackers. Exploited sites are then used to scan for WordPress installations, and launch the same type of attack against those sites.

[…]



[ISN] MI5 warns UK universities of cyber-attack threat

http://news.techworld.com/security/3441704/mi5-warns-uk-universities-of-cyber-attack-threat/

By John E Dunn
Techworld
11 April 2013

British universities will be issued with overhauled security guidance after a warning by MI5 on the risk of foreign-sponsored cyber-attacks, it has been reported.

According to The Financial Times, vice chancellors of leading universities were reminded by MI5’s outgoing head Sir Jonathan Evans that universities are now considered part of the country’s critical infrastructure and must take steps to secure research data and intellectual property.

It’s not clear what steps university heads have already taken to secure sensitive data but Universities UK is said to be in the process of creating a security guidance document.

“We are drawing the sector’s attention to these issues,” Professor Eric Thomas of Universities UK was quoted by the FT as saying.

[…]

______________________________________________
Attend #HITB2013AMS April 8th – 11th in Amsterdam. Featuring over 42 international speakers and keynotes by Bob Lord and Edward Schwartz
http://conference.hitb.org



[ISN] Algerian Hacker Details Cyber Attack on Israel

http://www.aawsat.net/2013/04/article55298744

By Yassin Boudhan
Asharq Al-Awsat
15 Apr, 2013

An Algerian hacker using the handle “Ismail-man54” said that thousands of Arab and Muslim hackers opposed to Israel participated in the recent attack on 90 Israeli websites. He also said that the attack had been planned since November 2012, with the goal of wiping Israel off the electronic map.

He confirmed that “the campaign will continue until this goal is achieved,” adding, “the files that were obtained after the hacking were sent to the security service affiliated with the dismissed Palestinian government in Gaza.”

Concerning the all-out cyber war on Israeli sites, Ismail told Asharq Al-Awsat that he was “one of the first people who called for this campaign and one of the key participants in it.”

Ismail showed Asharq Al-Awsat a video, which he posted on YouTube on November 16, 2012, in which he called for “preparing for the launch of an electronic campaign against Israel.” He said that he had “discussed the idea with hackers from Saudi Arabia, and that it was prepared for through [their] communication online.”

[…]



[ISN] N. Korea’s hacking capabilities advance

http://english.yonhapnews.co.kr/national/2013/04/11/79/0301000000AEN20130411008351320F.HTML

By Kim Kwang-tae
yonhapnews.co.kr
April 11, 2013

SEOUL, April 11 (Yonhap) — A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years.

The unidentified hacker accessed South Korean routes on Feb. 22 via an Internet Protocol (IP), just weeks before the massive hacking attack that paralyzed networks of South Korean financial firms and broadcasters.

The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.

The IP address, the online equivalent of a street address or a phone number, is registered in Ryugyong-dong in Pyongyang, the capital of North Korea, according to the state-run Korea Internet & Security Agency.

[…]

