[ISN] Microsoft pays Australian hacker $100,000 for finding security holes

http://www.smh.com.au/it-pro/security-it/microsoft-pays-australian-hacker-100000-for-finding-security-holes-20131009-hv1xt.html

By Ben Grubb and Jim Finkle
smh.com.au
October 9, 2013

Microsoft is paying a well-known Australian hacking expert more than $100,000 for finding security holes in its software, one of the largest bounties awarded to date by a tech company.

The company also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at Melbourne-based consulting firm Context Information Security, won Microsoft’s first $US100,000 ($106,000) bounty for identifying a new “exploitation technique” in Windows, which will allow it to develop defences against an entire class of attacks, the company said.

Forshaw is among the many “white hat” hackers who hack for good and get rewarded for their efforts. Companies such as Apple and Facebook have hall of fame pages on their websites to recognise hackers, and some companies even pay them.

[…]





[ISN] Silk Road: suspicions grow that server was hacked ahead of arrests

http://www.theguardian.com/technology/2013/oct/08/silk-road-hack-suspicion-fbi-server

By Charles Arthur
theguardian.com
8 October 2013

There’s a new theory about how the FBI and CIA tracked down the physical location of the Silk Road servers, and it has nothing to do with the man accused of being the site’s operator, Ross Ulbricht, or queries he might have made on StackExchange.

Instead, the rumour in hacker circles is that the CIA – with or without the help of the National Security Agency – accessed the server via Tor, and somehow ran an exploit on it which meant that they could locate it over the “normal” internet.

Having done that, they then got in touch with the company hosting the server itself (which may be in Iceland, as we’ll explain) and then managed to take an image of the server. They may also have planted tracking systems on the server which allowed them to trace those who logged in to Silk Road – which would certainly help to explain how the British police last week arrested four men on suspicion of supplying controlled substances through Silk Road.

[…]



[ISN] Security compromised at security companies — during Cyber Security Month

http://www.foxnews.com/tech/2013/10/08/security-compromised-at-security-companies-during-cyber-security-month/

FoxNews.com
October 08, 2013

Now who do you trust?

To celebrate the beginning of National Cyber Security Month, hackers have turned up the heat on the security companies themselves.

On Tuesday morning, hackers briefly compromised the website of AVG, the maker of one of the world’s most popular free anti-virus products, as well as fellow software firm Avira. Meanwhile, the servers of popular secure-networking company PureVPN were pilfered by pirates last week



[ISN] Water and wastewater SCADA cybersecurity

http://www.isa.org/InTechTemplate.cfm?Section=General_Information2&template=/ContentManagement/ContentDisplay.cfm&ContentID=94400

By Norman Anderson, P.E., and Bill Phillips, P.E.
InTech
September/October 2013

This article is based on presentations made at the 2013 ISA Water/Wastewater and Automatic Controls Symposium on 7 August 2013 (www.isawwsymposium.com).

Network security for water sector process control systems (PCS), such as supervisory control and data acquisition (SCADA) systems, is increasingly important and ever evolving due to the need for secure and reliable control systems. Additionally, PCSs continue to grow, and the management of network-connected devices and the expansion of PCS networks can be difficult and cumbersome. To properly secure PCS networks, a multistage process is needed incorporating risk assessment, planning, design, implementation, and maintenance for a comprehensive defense-in-depth strategy.

A critical aspect of defense-in-depth is the overall network system architecture and the network segmentation plan. A properly planned and executed network architecture and segmentation strategy lays the foundation for security and simplifies expansion and maintenance of the network.

There are industry-accepted methods for industrial control system (ICS) network architecture and segmentation strategies that can be applied to water sector PCSs and SCADA systems. Industry-standard techniques, based on recently published standards and network design guides, are used to create a layered network architecture approach to security, including the use of logical subnets and virtual local-area networks (VLANs) for segmentation. The advantage of this approach is simpler configuration of network security appliances and simpler management and expansion of the network, leading to increased network availability and a reduction in threat risk. A case study will be used to provide examples of actual methods implemented for a water sector utility.

Overview

As cyberattacks and the threat of compromised network security continue to rise, so does the need for securing ICSs. ICSs include many different types of systems, with water sector PCSs being one of the higher profile targets because their critical infrastructure affects large populations. Past statistics from the Cyber Emergency Response Team show recorded cataloged vulnerabilities and reported incidents continuing to rise through the years. A set of “honeypot” ICS set up by Trend Micro to look like vulnerable power and water plants was attacked by hackers 25 times within 28 days.

Security is important for the water sector because attacks can damage critical infrastructure that affects public safety; lead to significant operational downtime; cause financial loss, such as the loss of revenue for the utility and its customers; and attract significant media attention causing loss of confidence and fear from the public.

There are many resources available that provide guidance on where to start and how to secure networks. In general, there are four key steps in the process of planning and designing to secure networks for defense-in-depth, as shown in figure 1:

[…]

