[ISN] The Open Enigma Project Kickstarter

http://www.infosecnews.org/the-open-enigma-project-kickstarter/
By William Knowles
Senior Editor
InfoSec News
March 5, 2014

Imagine having this iconic device on your desk: You can use it to simply display a scrolling marquee of any text message on its unique LED screen, or encrypt/decrypt any information you wish using (still today) a very secure key. This is an ideal device to teach or learn about encryption, history & math. Because of its open software & the community of developers, the possibilities are endless & your reward is bound to increase in value over time as new applications (like e-mail encryption, secure router, etc.) are written.

The original (pre-war) Enigma code was initially broken in Poland and subsequently by a team of Bletchley Park cryptologists under the leadership of the U.K.’s own Alan Turing, who is one of the fathers of computer science. Bletchley Park’s ability to break the Enigma code is believed to have shortened World War II by about 2 years. Enigma machines are an extremely rare and important part of computing history. A real Enigma machine sold for $200,000 in 2011.

Transforming a prototype into a production unit takes a lot of effort, time & MONEY. This is where you come in! Whether you are brand new to the world of Encryption or a seasoned Cryptologist, whether you know every detail of the German Enigma’s story or it’s news to you, YOU can help us write its future. Not only will your pledge let you enjoy this phenomenal product, but it will also help us continue to develop its feature set. […]

[ISN] DHS proposes $1.25 billion for cybersecurity spending

http://www.fiercegovernmentit.com/story/dhs-proposes-125-billion-cybersecurity-spending/2014-03-04
By David Perera
FierceGovernmentIT
March 4, 2014

The proposed Homeland Security Department cybersecurity budget for the coming federal fiscal year amounts to $1.25 billion, budget documents released today show.

DHS over the course of the Obama administration has assumed an increasingly central role in securing federal networks and in urging private sector companies considered to be “critical infrastructure” into better cybersecurity practices. Under the cybersecurity executive order President Obama signed in 2013 (EO 13636), DHS now also has the task of encouraging critical infrastructure firms to adopt the framework of controls released by the National Institute of Standards and Technology in February. An overview of the DHS fiscal 2015 budget proposal shows DHS planning to spend $8.5 million on a voluntary adoption program.

Other notable elements of the DHS cybersecurity proposal include: […]

[ISN] Italian spyware firm relies on U.S. Internet servers

http://www.washingtonpost.com/world/national-security/italian-spyware-firm-relies-on-us-internet-servers/2014/03/03/25f94f12-9f00-11e3-b8d8-94577ff66b28_story.html
By Ellen Nakashima and Ashkan Soltani
The Washington Post
March 3, 2014

An Italian computer spyware firm, whose tools foreign governments allegedly have used to snoop on dissidents and journalists, relies heavily on the servers of U.S. Internet companies, according to a new report.

At least 20 percent of the servers used by clients of Hacking Team, based in Milan, are located in the United States, effectively making the companies that own those servers key nodes in a hidden global network of spyware servers, according to a report to be released Tuesday by Citizen Lab, at the University of Toronto’s Munk School of Global Affairs.

The discovery raises ethical questions for the cloud companies whose servers Hacking Team clients use to surreptitiously take control of targets’ computers and phones, turn on Web cameras and intercept encrypted communications. And it comes amid a growing cry for export controls on such software.

The United States was home to the single largest concentration of Hacking Team servers detected since May 2012, according to the researchers. Of the 555 machines identified worldwide, the researchers found that 80 belonged to Linode, a New Jersey firm, and that 40 of those were in the United States. […]

[ISN] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
By Dan Goodin
Ars Technica
Mar 4, 2014

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X.509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.” […]

[ISN] FedRAMP Cloud Security Approval: Look Who Applied

http://www.informationweek.com/government/cloud-computing/fedramp-cloud-security-approval-look-who-applied/d/d-id/1114101
By Wyatt Kash
InformationWeek Government
March 4, 2014

FedRAMP (Federal Risk and Authorization Management Program), the program that helps agencies migrate to the cloud securely, is making public the names of cloud service providers that are in the process of obtaining the government’s security certification.

The information appears in a new FedRAMP resource section on the Federal CIO Council’s cloud.cio.gov site. FedRAMP.gov visitors were redirected to the site beginning last week. The new site provides a range of materials that agencies and cloud providers need to meet FedRAMP requirements.

The new FedRAMP site identifies, among other information, 10 previously undisclosed “cloud systems in process” seeking FedRAMP certification for new or additional cloud infrastructure, platform, and software services. The site provides details on the services under review from CenturyLink Technology Solutions, Clear Government Solutions (CGS), Economic Systems, Fiberlink (a unit of IBM), Hewlett-Packard, Layered Tech Government Solutions, Microsoft, Oracle, SecureKey Technologies, and Virtustream. CA Technologies also is reportedly seeking FedRAMP certification.

FedRAMP has already certified 14 cloud services from 12 providers, including an Oracle PaaS offering approved on Feb. 24. […]

[ISN] Could the NHS give you a computer virus? Outdated software is putting official sites at risk of attack

http://www.dailymail.co.uk/sciencetech/article-2573101/Could-NHS-COMPUTER-virus-Outdated-software-putting-official-sites-risk-attack.html
By James Temperton
Computer Active Magazine
4 March 2014

Hundreds of NHS websites have huge security flaws that could see them taken over or defaced by hackers.

During investigations, more than 2,000 vulnerabilities have been found, with experts warning criminals could use these flaws to easily infect people’s computers and steal their personal information.

There are said to be around 5,000 NHS domains – covering everything from GPs’ surgeries to sites that help people give up smoking or offer advice on breastfeeding. However, because there’s no central body responsible for the security and maintenance of these sites, many are abandoned, making them easy prey for hackers.

The majority of these flaws are caused by outdated versions of WordPress. […]

[ISN] Las Vegas Sands: Some customer data was stolen in hacking

http://www.lasvegassun.com/news/2014/feb/28/las-vegas-sands-some-customer-data-was-stolen-hack/
By Hannah Dreier
Associated Press
Feb. 28, 2014

Computer hackers stole some Las Vegas Sands customers’ Social Security and driver’s license numbers during a data breach earlier this month, the casino company said Friday.

Las Vegas Sands Corp. said in a statement that the information about some patrons at its Bethlehem, Pa., hotel-casino was compromised during the Feb. 10 attack. It was unclear whether credit card information was also taken.

Sands said it was still working to determine whether customer information from other properties was breached. The company runs the Italian-themed Venetian and Palazzo on the Las Vegas Strip, and several hotel-casinos in China and Singapore.

In its statement, Sands noted that the number of patron accounts that were compromised makes up less than 1 percent of all visitors to the Bethlehem casino since its 2009 opening. The company did not provide the number of patron accounts at risk. […]
