[ISN] Missing Perspective on the Closure of the Full-Disclosure Mail List

http://blog.osvdb.org/2014/03/19/missing-perspective-on-the-closure-of-the-full-disclosure-mail-list/
By jerichoattrition
OSVDB
March 19, 2014

This morning I woke to the news that the Full-Disclosure mail list was closing its doors. Assuming this is not a hoax (dangerously close to April 1st) and not spoofed mail that somehow got through, there seems to be perspective missing on the importance of this event. Via Facebook posts and Twitter I see casual disappointment, insults that the list was low signal to noise, and that many had stopped reading it a while back. I don’t begrudge the last comment one bit. The list has certainly had its share of noise, but that is the price we pay as a community and industry for having a better source for vulnerability disclosure.

Speaking to the point of mail lists specifically, there were three lists that facilitated this: Bugtraq, Full-Disclosure, and Open Source Security (OSS). Bugtraq has been around the longest and is the only alternative to Full-Disclosure really (remember that VulnWatch didn’t last, and was ultimately low traffic). OSS is a list that caters to open source software and does not traffic in commercial software. A majority of the posts come from open source vendors (e.g. Linux distributions), the software’s maintainer, etc. It is used as much for disclosure as coordination between vendors and getting a CVE assigned.

One of the first things that should be said is a sincere “thank you” to John Cartwright for running the list so long. For those of you who have not moderated a list, especially a high-traffic list, it is no picnic. The amount of spam alone makes list moderation a pain in the ass. Add to that the fake exploits, discussions that devolve into insults, and topics that are on the fringe of the list’s purpose. Trying to sort out which should be allowed becomes more difficult than you would think. More importantly, he has done it in a timely manner for so long.

Read the bold part again, because that is absolutely critical here. When vulnerability information goes out, it is important that it goes out to everyone equally. Many mails sent to Bugtraq and Full-Disclosure are also sent to other parties at the same time. For example, every day we get up to a dozen mails to the OSVDB Moderators with new vulnerability information, and those lists and other sources (e.g. Exploit-DB, OffSec, 1337day). If you use one or a few of those places as your primary source for vulnerability intelligence, you want that information as fast as anyone else. A mail sent on Friday afternoon may hit just one of them, before appearing two days later on the rest. This is due to the sites being run with varying frequency, work schedules, and dedication. Cartwright’s quick moderation made sure those mails went out quickly, often at all hours of the day and over weekends.

While many vulnerability disclosers will send to multiple sources, you cannot assume that every disclosure will hit every source. Some of these sites specialize in a type of vulnerability (e.g. web-based), while some accept most but ignore a subset (e.g. some of the more academic disclosures). Further, not every discloser sends to all these sources. Many will send to a single mail list (e.g. Bugtraq or FD), or to both of them. This is where the problem arises. For many of the people still posting to the two big disclosure lists, they are losing out on the list that was basically guaranteed to post their work. Make no mistake, that isn’t the case for both lists. […]

[ISN] Man Who Exposed Target Security Breach Is Focus of Sony Movie Deal (Exclusive)

http://www.hollywoodreporter.com/news/man-who-exposed-target-security-689782
By Borys Kit
The Hollywood Reporter
3/19/2014

Sony has picked up the rights to the New York Times article “Reporting From the Web’s Underbelly,” which focused on cyber security blogger Brian Krebs. Krebs, with his site KrebsonSecurity.com, was the first person to expose the credit card breach at Target that shook the retail world in December. Richard Wenk, the screenwriter who wrote Sony’s high-testing big-screen version of The Equalizer, is on board to write what is being envisioned as a cyber-thriller inspired by the article and set in the high-stakes international criminal world of cyber-crime. Escape Artists’ Steve Tisch, Todd Black and Jason Blumenthal are producing, as are Todd Hoffman and Richard Arlook. David Bloomfield will executive produce. Nicole Perlroth’s New York Times article told of Krebs, who has the appearance of a mild-mannered accountant but writes with a 12-gauge shotgun by his side, and who is an expert in the digital underground and on a first-name basis with some of the biggest cyber-criminals in the world, many of whom are Russian. […]

[ISN] Teen hacker hits five Omani government websites

http://gulfnews.com/news/gulf/oman/teen-hacker-hits-five-omani-government-websites-1.1306001
Staff Report
Gulf News
March 19, 2014

Muscat: Five Oman government websites, including the Telecommunications Regulatory Authority (TRA) and the General Directorate of Traffic, were hacked on Tuesday evening. Local media reported that the hacker was a 14-year-old who calls himself Dr DarknesS. He said he hacked the TRA website to express his displeasure over the poor services provided by telecom companies, according to Shabiba daily newspaper. The teenager said that one has to shell out a large amount of money when signing up for any telecom subscription but the service provided is below par. “Hacking is the only way to register one’s protest,” the hacker said. The quality of Internet services in Oman is poor compared to other GCC countries, he said, adding that in neighbouring countries people have a wide choice because there are a large number of operators, but here, due to the monopoly, the quality is very poor. […]

[ISN] Obama Administration Denies ‘Abandoning the Internet’

http://www.nextgov.com/cio-briefing/2014/03/obama-administration-denies-abandoning-internet/80881/
By Brendan Sasso
National Journal
March 19, 2014

A top Commerce Department official pushed back Wednesday against concerns that the Obama administration is opening the door to an Internet takeover by Russia, China, and other authoritarian regimes. The fears stem from the Commerce Department’s announcement last Friday that it plans to give the Internet Corporation for Assigned Names and Numbers, an international nonprofit group, control over the technical system that allows computers to connect to Web addresses. “Our announcement has led to some misunderstanding about our plan, with some individuals raising concern that the U.S. government is abandoning the Internet. Nothing could be further from the truth,” Lawrence Strickling, the assistant Commerce secretary for communications and information, said in a statement. “This announcement in no way diminishes our commitment to preserving the Internet as an engine for economic growth and innovation.” He said the U.S. government will continue to push ICANN to adopt policies that are in the interest of the United States and an open Internet. […]

[ISN] Target Inc. Is Still a Liability Landmine

http://www.fool.com/investing/general/2014/03/19/target-inc-is-still-a-liability-landmine.aspx
By Rich Duprey
The Motley Fool
March 19, 2014

Three months have passed since the massive data breach at Target (NYSE: TGT) ended, and though the retailer continues to plug away, investors should be cautious treading here, because there’s still a massive liability IED waiting to detonate

Fox News Comments on Thailand: Flight 370

I just saw a news release with Greta Van Susteren about Thailand’s participation in the radar data for Flight 370. I myself have been searching online using DigitalGlobe.com’s satellite data in their crowdsourcing effort to search for flight 370. I can certainly understand how some people could be upset by the response that Thailand didn’t provide radar data “because they weren’t asked”. This sort of response is typical of Thai culture. My wife is Thai and I think that amongst many cultures of the world, Thais are some of the most caring and loving people, but their cultural norms make others (especially western cultures) feel like they don’t care. Quite in fact it is very common in Thai culture to avoid conflict and stay out of other people’s problems or situations entirely. In Thai culture their perception is that they are giving respect by staying out of other people’s business and affairs unless a Thai is asked directly to get involved. This is a deep-rooted belief and likely why they did not get involved to provide data until there was a specific request for them to get involved. I know this runs contrary to Christian beliefs entirely, but it is how the culture operates and this situation is likely being misinterpreted. In personal dealings with my own wife and her family I have found this dynamic to be troublesome and the cause of some misunderstandings. I am certain that the Thai people care deeply for the loss of flight 370 just as much as any other country. Additionally, the Thai government is in disarray, adding difficulties to this scenario with severe problems in their parliament and leadership. I ask my fellow countrymen and others to not sit in judgement because of this odd cultural dynamic. My two cents. Peace!

[ISN] DDoS Attack on InfoSec News

http://www.infosecnews.org/ddos-attack-on-infosec-news/
By William Knowles
Senior Editor
InfoSec News
March 18, 2013

InfoSec News has been mitigating a prolonged distributed denial-of-service (DDoS) attack from a large globally distributed botnet that has lasted over a week. We apologize for any minor disruptions this may have caused and continue to monitor and mitigate the attack. Thank you all for your continued support, and we aren’t going to let this impact our mission to send out timely and relevant information security news to the community.

[ISN] IRS Employee Took Home Data on 20,000 Workers at Agency

http://www.bloomberg.com/news/2014-03-18/irs-employee-took-home-data-on-20-000-workers-at-agency.html
By Richard Rubin
Bloomberg
March 18, 2014

A U.S. Internal Revenue Service employee took home a computer thumb drive containing unencrypted data on 20,000 fellow workers, the agency said in a statement today. The tax agency’s systems that hold personal data on hundreds of millions of Americans weren’t breached, the statement said. “This incident is a powerful reminder to all of us that we must do everything we can to protect sensitive data – whether it involves our fellow employees or taxpayers,” IRS Commissioner John Koskinen said in a message to employees. “This was not a problem with our network or systems, but rather an isolated incident.” The IRS is contacting the current and former employees involved, almost all of whom worked in Pennsylvania, Delaware and New Jersey. The information dates to 2007, before the IRS started using automatic encryption. […]