[ISN] New Firm Pitches Cybersecurity for Less Well-Heeled

http://blogs.wsj.com/digits/2014/03/27/new-firm-pitches-cybersecurity-for-less-well-heeled/

By DANNY YADRON
Digits
The Wall Street Journal
March 27, 2014

Last week, we wrote about military contractors pitching banks and energy companies on big-ticket anti-hacking technology


[ISN] Law Firms Are Pressed on Security for Data

http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/

By MATTHEW GOLDSTEIN
Dealbook
The New York Times
MARCH 26, 2014

A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity.

Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections. Other companies are asking law firms to stop putting files on portable thumb drives, emailing them to nonsecure iPads or working on computers linked to a shared network in countries like China and Russia where hacking is prevalent, said the people briefed on the matter. In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies.

“It is forcing the law firms to clean up their acts,” said Daniel B. Garrie, executive managing partner with Law & Forensics, a computer security consulting firm that specializes in working with law firms. “When people say, ‘We won’t pay you money because your security stinks,’ that carries weight.” […]


[ISN] How will Windows XP end of support affect health IT security?

http://healthitsecurity.com/2014/03/27/how-will-windows-xp-end-of-support-affect-health-it-security/

By Patrick Ouellette
Health IT Security
March 27, 2014

As is the case with most pending vendor support deadlines, the upcoming end of Microsoft Windows XP support on April 8, 2014 has been a polarizing topic in the enterprise and healthcare spaces. There are some organizations that may be unaware that Microsoft will no longer be providing security patches and others that are building Fort Knox 2.0 because of the XP end of support. However, a few IT security professionals within healthcare organizations told HealthITSecurity.com that they believe the biggest impact will likely be on smaller healthcare organizations.

The reality for these organizations is that they must account for projects such as ICD-10 or Meaningful Use, and upgrading their XP machines may go on the back-burner out of necessity. Without the proper funding and IT security talent available to some providers, these security concerns become that much more difficult to manage. Stephen Person, Network & Security Engineer at North Valley Hospital and HealthCare Information Security and Privacy Practitioner (HCISPP), said he guarantees that many organizations are looking at the end-of-life of Windows XP. […]


[ISN] Patch management flubs facilitate cybercrime

http://www.networkworld.com/news/2014/032714-solutionary-280149.html

By Ellen Messmer
Network World
March 27, 2014

Failures in patch management of vulnerable systems have been a key enabler of cybercrime, according to the conclusions reached in Solutionary’s annual Global Threat Intelligence Report out today, which names botnet attacks as the biggest single threat. The managed security services provider, now part of NTT, compiled a year’s worth of scans of customers’ networks gathered through 139,000 network devices, such as intrusion-detection systems, firewalls and routers, and analyzed about 300 million events, along with 3 trillion collected logs associated with attacks. Solutionary says it relies on several types of vendor products for these scans, including Qualys, Nessus, Saint, Rapid7, nCircle and Retina.

Solutionary also looked at the latest exploit kits used by hackers, which include exploits from as far back as 2006. Solutionary found that half of the vulnerabilities its scans identified on NTT customers last year were first identified and assigned CVE numbers between 2004 and 2011. “That is, half of the exploitable vulnerabilities we identified have been publicly known for at least two years, yet they remain open for an attacker to find and exploit,” Solutionary said in its Global Threat Intelligence Report. “The data indicates many organizations today are unaware, lack the capability, or don’t perceive the importance of addressing these vulnerabilities in a timely manner.” […]


[ISN] Feds want an expanded ability to hack criminal suspects’ computers

http://arstechnica.com/tech-policy/2014/03/feds-want-an-expanded-ability-to-hack-criminal-suspects-computers/

By Cyrus Farivar
Ars Technica
March 27, 2014

The United States Department of Justice wants to broaden its ability to hack criminal suspects’ computers, according to a new legal proposal that was first published by the Wall Street Journal on Thursday. If passed as currently drafted, federal authorities would gain an expanded ability to conduct “remote access” under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts. In the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts and are typically only valid for that particular jurisdiction.

The 402-page document entitled “Advisory Committee on Criminal Rules” is scheduled to be discussed at an upcoming Department of Justice (DOJ) meeting next month in New Orleans. Federal agents have been known to use such tactics in past and ongoing cases: a Colorado federal magistrate judge approved sending malware to a suspect’s known e-mail address in 2012. But similar techniques have been rejected by other judges on Fourth Amendment grounds. If this rule revision were to be approved, it would standardize and expand federal agents’ ability to surveil a suspect and to exfiltrate data from a target computer regardless of where it is. […]


[ISN] Why Cyber War Will Not and Should Not Have Its Grand Strategist

Forwarded from: security curmudgeon

On Wed, 26 Mar 2014, InfoSec News wrote:

: http://www.au.af.mil/au/ssq/digital/pdf/spring_2014/Libicki.pdf
:
: Strategic Studies Quarterly (SSQ)
: The Strategic Journal of the United States Air Force
: Volume 8, Issue 1 – Spring 2014
: By Martin C. Libicki
:
: Even assuming the cyber domain has yet to stop evolving, it is not clear
: a classic strategic treatment of cyber war is possible, or, if it were,
: it would be particularly beneficial. The salutary effects of such
: classics are limited, the basic facts of cyberspace and cyber war do not
: suggest it would be as revolutionary as airpower has been, and if there
: were a classic on cyber war, it would likely be pernicious.

The subject is interesting, the link to af.mil is intriguing. Oh wait, Libicki? I know that name…

“The following hints may be indicative. Private hackers are more likely to use techniques that have been circulating throughout the hacker community. While it is not impossible that they have managed to generate a novel exploit to take advantage of a hitherto unknown vulnerability, they are unlikely to have more than one.”


[ISN] 4th Flt Passes Cyber Security Inspection On First Attempt

http://mayportmirror.jacksonville.com/military/mayport-mirror/2014-03-26/story/4th-flt-passes-cyber-security-inspection-first-attempt

March 26, 2014
From U.S. 4th Fleet Public Affairs

U.S. 4th Fleet on March 21 concluded a weeklong cyber security inspection by a team from U.S. Fleet Cyber Command, earning a passing score on its first attempt. The inspection was a comprehensive, graded evaluation of all cyber security areas, including leadership engagement, physical security, administration, training and network configuration. U.S. 4th Fleet was recognized for excellent leadership engagement and received no deductions for culture or conduct.

Further, U.S. 4th Fleet leaders made a point of learning from the inspection team, said its officer in charge, Capt. Larry Flint. “They said, ‘We’ve done our best, and we think we’re ready, but don’t pull any punches,’ and we certainly didn’t,” Flint said. The inspection team’s report to the fleet included several recommendations for improvement, as well as praise for good work. […]


[ISN] The Death and Re-birth of the Full-Disclosure Mail List

http://blog.osvdb.org/2014/03/26/the-death-and-re-birth-of-the-full-disclosure-mail-list/

By jerichoattrition
March 26, 2014

After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and tear of running the list. While he did not name anyone specifically, the two biggest names being speculated were ‘NetDev’ due to years of being a headache, and the more recent thread started by Nicholas Lemonias. Through other channels, not via Cartwright, I obtained a copy of a legal threat made against at least one hosting provider for having copies of the mails he sent. This mail was no doubt sent to Cartwright among others. As such, I believe this is the “straw that broke the camel’s back” so to speak. A copy of that mail can be found at the bottom of this post and it should be a stark lesson that disclosure mail list admins are not only facing threats from vendors trying to stifle research, but now security researchers. This includes researchers who openly post to a list, have a full discussion about the issue, desperately attempt to defend their research, and then change their mind and want to erase it all from public record.

As I previously noted, relying on Twitter and Pastebin dumps is not a reliable alternative to a mail list. Others agree with me including Gordon Lyon, the maintainer of seclists.org and author of Nmap. He has launched a replacement Full Disclosure list to pick up the torch. Note that if you were previously subscribed, the list users were not transferred. You will need to subscribe to the new list if you want to continue participating. The new list will be lightly moderated by a small team of volunteers. The community owes great thanks to both John and now Gordon for their service in helping to ensure that researchers have an outlet to disclose.

Remember, it is a mail list on the surface; behind the scenes, they deal with an incredible number of trolls, headaches, and legal threats. Until you run a list or service like this, you won’t know how emotionally draining it is.

Note: The following mail was voluntarily shared with me and I was granted permission to publish it by a receiving party. It is entirely within my legal right to post this mail.

From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
Date: Tue, Mar 18, 2014 at 9:11 PM
Subject: Abuse from $ISP hosts
To: abuse@

Dear Sirs,

I am writing you to launch an official complaint relating to Data Protection Directives / and Data Protection Act (UK). Therefore my request relates to the retention of personal and confidential information by websites hosted by Secunia. These same information are also shared by UK local and governmental authorities and financial institutions, and thus there are growing concerns of misuse of such information. Consequently we would like to request that you please delete ALL records containing our personal information (names, emails, etc.) in whole, from your hosted websites (seclists.org) and that distribution of our information is ceased. We have mistakenly posted to the site, and however reserve the creation rights to that thread, and also reserve the right to have all personal information deleted, and ceased from any electronic dissemination, use either partially or in full. I hope that the issue is resolved urgently without the involvement of local authorities. I look forward to hearing from you soon.

Thanks in advance,
*Nicholas Lemonias*

Update 7:30P EST: Andrew Wallace (aka NetDev) has released a brief statement regarding Full Disclosure. Further, Nicholas Lemonias has threatened me in various ways in a set of emails, all public now. […]
