[ISN] Chester Nez, last of the World War II Navajo ‘code talkers,’ passes away quietly at 93

http://www.infosecnews.org/chester-nez-last-of-the-world-war-ii-navajo-code-talkers-passes-away-quietly-at-93/

By William Knowles, Senior Editor, InfoSec News
June 5, 2014

Chester Nez, the last original Navajo Code Talker, has passed away quietly in his sleep at his Albuquerque home. Nez served with the United States Marines in the Pacific and helped defeat the Japanese by creating a code, built on the Navajo language and secret words, that was never broken. Sent to a boarding school as a child, Nez and other Navajo children were discouraged from speaking their native language and instructed to use only English, but that didn’t stop them from whispering Navajo to each other in secret. In 1942, Navajo were recruited from boarding schools to join the Marines and use their unique skills to develop an unbreakable code to pass messages. […]

[ISN] There’s a Security Gap at the Capitol. And It’s as Troublesome as the One at Navy Yard.

http://www.nationaljournal.com/congress/there-s-a-security-gap-at-the-capitol-and-it-s-as-troublesome-as-the-one-at-navy-yard-20140605

By Matt Vasilogambros, National Journal
June 5, 2014

On Sept. 23, as on most days, Aaron Alexis arrived at work at the Washington Navy Yard. He drove up to the front gates, displaying his parking pass and credentials. Sitting next to him was a backpack containing a shotgun and shells. The bag was never searched. He walked into Building 197, having never gone through a metal detector, and started his rampage, killing 12 people. It was a frightening gap in security, a gap not unlike the one that exists at the U.S. Capitol now.

Most people, visitors and staffers alike, enter congressional office buildings through side doors, where they are met by Capitol Police and metal detectors. They empty their pockets and their bags are searched. But some House staffers who drive into work don’t experience this level of security.

To experience this gap, I drove along this week with two senior staffers from a congressional office, who asked not to be named for this story. We approached the House side of Capitol Hill on New Jersey Avenue Southeast. A Capitol Police officer met us at the barricades. He checked the driver’s parking sticker and ID and told us to pop the trunk, which contained golf clubs, a box, and two travel bags. He looked in the trunk for less than a second, closed it, and let us in, having never checked the bags or box or asked what was in them. I didn’t show him any credentials, nor did he have a metal-detector wand in his hand. We then drove into the Rayburn House Office Building parking garage and found a spot a couple of levels down. We parked and walked right into the building, one staffer carrying a bag. There was no metal detector or major Capitol Police presence. We were now in one of the office buildings where lawmakers and their staff work every day, having gone through practically zero security.
As we walked over to the Longworth House Office Building, one staffer told me that this day’s arrival was normal. […]

[ISN] Canadian security professionals unsure about defenses, Ponemon study finds

http://www.itbusiness.ca/news/canadian-security-professionals-unsure-about-defenses-ponemon-study-finds/49183

By Candice So, itbusiness.ca
June 5, 2014

A little over half of Canada’s IT security professionals aren’t very confident about their ability to defend against attacks, and 77 per cent of them aren’t getting the support they need from the C-suite to protect confidential data. That’s according to a new survey from the Ponemon Institute on behalf of Websense Inc., a security solutions provider. Researchers polled 236 IT administrators in Canada to find out more about the challenges they face, as well as what’s keeping them up at night. Respondents had an average of nine years’ experience in the field. Strikingly, 56 per cent of those polled said they don’t feel their organization is protected from hackers mounting advanced attacks. Another 59 per cent said they felt they had the power to stop confidential information from leaking outside of their organization, while 43 per cent said they felt they understood the scope of threats their organization is facing. And most tellingly, 36 per cent said one or more significant attacks had hit them in the past year, though just 29 per cent said they were sure they had lost confidential data due to a cyber attack. Twenty-seven per cent said they didn’t know exactly what hackers had stolen. […]

[ISN] A Day at the Miami Beach Cyberarms Fair

http://www.businessweek.com/articles/2014-06-05/infiltrate-conference-draws-hackers-spies-to-miami-beach

By Michael Riley, Business Week
June 05, 2014

Thomas Lim, the founder of a boutique company that sells cybermunitions and hacking tools to governments and corporations around the world, has mischievous taste in T-shirts. The one he’s got on, as he sits in the Art Deco-style bar of Miami Beach’s famed Fontainebleau Hotel, says he’s a reservist for Unit 61398 of the People’s Liberation Army, a notorious group of Chinese computer spies. It’s an inside joke aimed at the 160 hackers, spooks, and mercenaries attending Infiltrate, an annual security conference that draws a more elite crowd than the larger industry confabs.

An unusually boisterous 44-year-old in a business that prizes discretion, Lim is the chief executive officer of Coseinc, based in Singapore. His nation-state clients are mostly countries that want to join the U.S. and China in the cyberpower club but don’t have the skills to do it on their own. He conducts a lot of business at conferences, networking and picking up clients, and Infiltrate is one of his favorites. While most such gatherings have become unabashedly commercial affairs, Infiltrate still maintains the feel of a digital Casablanca, where hackers mingle with spies, and defense contractors troll the bars for talent. Mindful of laws on corporate espionage, sellers of cybermunitions are careful to say they only provide information and code; the buyers decide what to do with it.

Over two days in May, Lim trades Edward Snowden jokes with National Security Agency spies and slams beers with Argentinian exploit developers. (Exploits allow a hacker to take over an unsuspecting user’s PC.) The event’s technical talks, and sideshows such as Brazilian jujitsu demonstrations, draw experts from England, Finland, France, Italy, and Malaysia. There are no name badges, only color-coded wristbands: black for featured speakers, red for the audience.
The list of attendees is secret. If you don’t already know who you’re talking to, the ground rules suggest, you shouldn’t be asking. […]

[ISN] Flaw Lets Hackers Control Electronic Highway Billboards

http://www.nextgov.com/cybersecurity/2014/06/flaw-lets-hackers-control-electronic-highway-billboards/85849/

By Aliya Sternstein, Nextgov.com
June 5, 2014

The Homeland Security Department is cautioning transportation operators about a security hole in some electronic freeway billboards that could let hackers display bogus warnings to drivers. “The vulnerability is a hard-coded password that could allow unauthorized access to the highway sign,” DHS officials said in an alert on Wednesday. Hard-coded passwords, sometimes called back doors, are default logins that software developers code into their programs. The vulnerability was identified in Daktronics Vanguard highway notification sign configuration software, officials said. A “proof of concept” method to exploit the flaw has been made available, DHS officials warned. The Federal Highway Administration informed DHS of a public report of the vulnerability, Homeland Security officials said. Officials have notified the vendor to confirm the issue and figure out a fix. In the meantime, they are recommending users “review sign messaging,” update passwords and secure communication paths to the signs. […]
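The article describes the flaw class (a credential compiled into the program, identical on every unit) without showing what it looks like in code. The following is an added, constructed example by the editor, not Daktronics code and not the vulnerable software; the class names, the `maint1234` value and the sample source text are all hypothetical. It puts the hard-coded pattern next to a hardened alternative (per-device provisioning secret, salted PBKDF2 hash, constant-time comparison, forced rotation of the default before the device accepts a message) and ends with a small scanner you can run over your own sources to find the weak pattern.

```python
"""Hard-coded credential (vulnerable) vs. per-device credential (hardened).

Constructed example for illustration; none of the names or values below are
taken from any real sign controller or vendor.
"""
import hashlib
import hmac
import os
import re
import secrets
from typing import List, Tuple

# --- the vulnerable pattern --------------------------------------------------

class SignControllerVulnerable:
    """Auth against a value baked into the program: same on every unit,
    cannot be rotated without a firmware update, visible in a string dump."""

    _BUILTIN_PASSWORD = "maint1234"   # hypothetical value for this example

    def login(self, password: str) -> bool:
        # Plain '==' is also not constant-time, a secondary weakness.
        return password == self._BUILTIN_PASSWORD


# --- the hardened pattern ----------------------------------------------------

def provisioning_password() -> str:
    """Unique per-unit default, printed on the device label, never in code."""
    return secrets.token_urlsafe(12)


class SignControllerHardened:
    """Per-device credential: salted PBKDF2 hash, constant-time comparison,
    and no message accepted until the provisioning default is replaced."""

    def __init__(self, provisioning_pw: str) -> None:
        self._salt = os.urandom(16)
        self._digest = self._derive(provisioning_pw)
        self.must_rotate = True   # cleared once the default is replaced
        self.failures = 0

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        ok = hmac.compare_digest(self._derive(password), self._digest)
        self.failures = 0 if ok else self.failures + 1
        return ok

    def rotate_password(self, current: str, new: str) -> bool:
        """Replace the credential; refuse short or unchanged values."""
        if not self.login(current) or len(new) < 12 or new == current:
            return False
        self._salt = os.urandom(16)
        self._digest = self._derive(new)
        self.must_rotate = False
        return True

    def post_message(self, password: str, text: str) -> str:
        """Return the text that will be displayed, or raise PermissionError."""
        if not self.login(password):
            raise PermissionError("bad credential")
        if self.must_rotate:
            raise PermissionError("provisioning password still in use; rotate first")
        return text


# --- finding the vulnerable pattern in your own sources ----------------------

# String literal assigned to a password-like identifier (case-insensitive).
_HARDCODED_RE = re.compile(
    r"""(?i)(?:pass(?:word|wd)?|pwd|secret)\w*\s*=\s*(["'])(?P<value>[^"']{3,})\1"""
)

def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, literal) for each suspicious assignment."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = _HARDCODED_RE.search(line)
        if m:
            hits.append((n, m.group("value")))
    return hits

# Constructed snippet used only to exercise the scanner.
SAMPLE_SOURCE = """\
# constructed snippet for the scanner demo
host = "sign-01.example.net"
password = "maint1234"
ADMIN_PWD = 'letmein!'
timeout = 30
"""

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_SOURCE))
    unit = SignControllerHardened(provisioning_password())
    print("rotation required:", unit.must_rotate)
```

The scanner is a first-pass grep, not a proof of absence: credentials can also hide in byte arrays, config templates or obfuscated strings, so treat a clean result as a reason to look further, not to stop.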

[ISN] US Army warns of database breaches in South Korea

http://news.techworld.com/security/3523699/us-army-warns-of-database-breaches-in-south-korea/

By Jeremy Kirk, Techworld.com
06 June 2014

The U.S. Army warned Thursday that databases holding information on 16,000 South Korean civilian employees of the U.S. military and applicants for base jobs may have been compromised. The military became aware on May 28 that the Korean National Recruitment System may have been breached, according to a letter addressed to Korean employees signed by Gen. Curtis M. Scaparrotti, head of U.S. Forces Korea (USFK). Information that may have been disclosed includes people’s names, contact information, education, work experience and Korean Identification Number, which is South Korea’s national government ID issued to citizens. That system may have been accessed through a server run by the Civilian Human Resources Agency Far East, according to a report in Pacific Stars and Stripes. […]

[ISN] Still reeling from Heartbleed, OpenSSL suffers from crypto bypass flaw

http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/

By Dan Goodin, Ars Technica
June 5, 2014

A researcher has uncovered another severe vulnerability in the OpenSSL cryptographic library. It allows attackers to decrypt and modify Web, e-mail, and virtual private network traffic protected by the transport layer security (TLS) protocol, the Internet’s most widely used method for encrypting traffic traveling between end users and servers. The TLS bypass exploits work only when traffic is sent or received by a server running OpenSSL 1.0.1 and 1.0.2-beta1, maintainers of the open-source library warned in an advisory published Thursday. The advisory went on to say that servers running a version earlier than 1.0.1 should update as a precaution. The vulnerability has existed since the first release of OpenSSL, some 16 years ago. Library updates are available on the front page of the OpenSSL website. People who administer servers running OpenSSL should update as soon as possible.

The underlying vulnerability, formally cataloged as CVE-2014-0224, resides in the ChangeCipherSpec processing, according to an overview published Thursday by Lepidum, the software developer that discovered the flaw and reported it privately to OpenSSL. It makes it possible for attackers who can monitor a connection between an end user and server to force weak cryptographic keys on client devices. Attackers can then exploit those keys to decrypt the traffic or even modify the data before sending it to its intended destination. “OpenSSL’s ChangeCipherSpec processing has a serious vulnerability,” the Lepidum advisory stated. “This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. There are risks of tampering with the exploits on contents and authentication information over encrypted communication via web browsing, e-mail and VPN, when the software uses the affected version of OpenSSL.”

Client devices are vulnerable no matter what older version of OpenSSL they are running. As stated earlier, servers are vulnerable when running 1.0.1 and 1.0.2-beta1, according to an accompanying OpenSSL advisory. The attacks are possible only when both sides are running a vulnerable OpenSSL version. […]
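The exposure rule in the article has three parts that are easy to get wrong during triage: any unpatched client is exposed, only 1.0.1 and 1.0.2-beta1 servers are exposed, and the attack needs both ends exposed at once. The following is an added example by the editor, not code from the article, Lepidum or the OpenSSL project. It parses `openssl version` output and applies that rule. The fixed release numbers it relies on (0.9.8za, 1.0.0m, 1.0.1h) come from the OpenSSL security advisory of 5 June 2014 and are not stated in the article; the function and constant names are the editor's own.

```python
"""Exposure triage for CVE-2014-0224 from 'openssl version' strings.

Rule encoded (from the advisories summarised in the article):
  * clients are exposed on any unpatched release;
  * servers are exposed only on unpatched 1.0.1 and on 1.0.2-beta1;
  * the attack requires both ends to be exposed.
Fixed releases 0.9.8za, 1.0.0m and 1.0.1h are taken from the OpenSSL
security advisory of 5 June 2014, not from the article.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Branch -> first patch letter that carries the fix (from the OpenSSL advisory).
FIXED_LETTERS = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}
# Branches on which the server side is exposed.
SERVER_BRANCHES = {(1, 0, 1), (1, 0, 2)}

# Accepts '1.0.1g', 'OpenSSL 1.0.1g 7 Apr 2014' or '1.0.2-beta1'.
_VERSION_RE = re.compile(
    r"^\s*(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(?:beta|pre)(\d+))?"
)


@dataclass(frozen=True)
class OpenSSLVersion:
    branch: Tuple[int, int, int]   # e.g. (1, 0, 1)
    letters: str                   # patch-letter suffix, "" for x.y.z itself
    beta: Optional[int]            # beta number, None for a release build


def parse_version(text: str) -> OpenSSLVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters, beta = m.groups()
    return OpenSSLVersion((int(major), int(minor), int(fix)), letters,
                          int(beta) if beta else None)


def _letter_rank(letters: str) -> Tuple[int, str]:
    # OpenSSL patch letters run a..z, then za, zb, ...; longer suffix is newer.
    return (len(letters), letters)


def is_unpatched(v: OpenSSLVersion) -> bool:
    """True if this build lacks the CVE-2014-0224 fix for its branch."""
    if v.branch < (0, 9, 8):
        return True                   # end-of-life branches received no fix
    if v.branch == (1, 0, 2):
        return v.beta == 1            # only 1.0.2-beta1 existed and was affected
    if v.branch > (1, 0, 2):
        return False                  # released after the fix
    fixed = FIXED_LETTERS.get(v.branch)
    if fixed is None:
        raise ValueError(f"unknown OpenSSL branch {v.branch}")
    if v.beta is not None:
        return True                   # a pre-release predates its branch's fix
    return _letter_rank(v.letters) < _letter_rank(fixed)


def client_exposed(v: OpenSSLVersion) -> bool:
    return is_unpatched(v)


def server_exposed(v: OpenSSLVersion) -> bool:
    return is_unpatched(v) and v.branch in SERVER_BRANCHES


def pair_exploitable(client: str, server: str) -> bool:
    """Can an on-path attacker run the CCS attack against this client/server pair?"""
    return client_exposed(parse_version(client)) and server_exposed(parse_version(server))


if __name__ == "__main__":
    # Constructed sample pairs, as a sysadmin might collect them from two hosts.
    for c, s in [("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1g 7 Apr 2014"),
                 ("1.0.1g", "1.0.0l"),
                 ("1.0.1h", "1.0.1g")]:
        print(f"client {c!r} / server {s!r}: exploitable={pair_exploitable(c, s)}")
```

Note that "not exploitable" for a pair is not "nothing to do": an unpatched 1.0.0 server is safe from this particular attack only because of the server-side rule, and the same host acting as a TLS client (for example, fetching from an upstream API) is fully exposed, which is why the advisory tells every branch to update.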