[ISN] Ancient vulnerabilities are geddon in the way of security

http://www.zdnet.com/ancient-vulnerabilities-are-geddon-in-the-way-of-security-7000031192/
By Stilgherrian for The Full Tilt
ZDNet.com
July 3, 201

“We are failing at communicating to the rest of the world,” says James Lyne, global head of security research at Sophos. “I think that we have a fundamental broken behaviour in this industry that we need to go and shift.”

And he’s got numbers to back up his claim.

Lyne has been warbiking. That’s exactly the same thing as wardriving, that is, driving around a city to map out its open and poorly secured wireless networks, but with more lycra. His results for London and San Francisco are already online, and those for Las Vegas, Hanoi and Sydney are coming soon.

On Wednesday, journalists were given a preview of Sydney’s results, which Lyne described as the “least worst of a bad bunch”.

Of the 34,476 wi-fi networks he detected while cycling Sydney streets, 1,371 (3.98 percent) were still using the obsolete Wired Equivalent Privacy (WEP) protocol. That’s significantly better than San Francisco’s 9.5 percent, which presumably has so many obsolete wireless networks because it rolled them out sooner, but it’s still a worry.

“WEP is just broken, bad, has been known-bad for such a long time, and there really isn’t a context in which it should be used now — and it’s still remarkably present,” Lyne told ZDNet.

[…]

[ISN] Order restored to universe as Microsoft surrenders confiscated No-IP domains

http://arstechnica.com/security/2014/07/order-restored-to-universe-as-microsoft-surrenders-confiscated-no-ip-domains/
By Dan Goodin
Ars Technica
July 2, 2014

Microsoft has surrendered the 23 domain names it confiscated from dynamic domain hosting service No-IP.com, a move that begins the process of restoring millions of connections that went dark as a result of the highly controversial legal action.

At the time this post was being prepared, No-IP had recovered 18 of the domains and was in the process of reacquiring the remaining five from Public Interest Registry, the registry for Internet addresses ending in .org, No-IP spokeswoman Natalie Goguen told Ars. People who rely on No-IP subdomains that don’t end in .org should already have service restored, as long as the domain name service (DNS) server they use has been updated to reflect Wednesday’s transfer. Users who are still experiencing connectivity problems should try using DNS services from Google or OpenDNS, which have both updated their lookups to incorporate the transfers.

Microsoft confiscated the No-IP domains in late June through a secretive legal maneuver that didn’t give the dynamic DNS provider an opportunity to oppose the motion in court. Microsoft’s ex parte request was part of a legal action designed to dismantle two sprawling networks of infected Windows computers that were abusing No-IP in an attempt to evade takedown. As partial justification for the request, Microsoft lawyers argued No-IP didn’t follow security best practices.

[…]

[ISN] PF Chang’s says breach was ‘highly sophisticated criminal operation’

http://www.computerworld.com/s/article/9249540/PF_Chang_39_s_says_breach_was_39_highly_sophisticated_criminal_operation_39_
By Martyn Williams
IDG News Service
July 2, 2014

Restaurant chain P.F. Chang’s China Bistro says the theft of credit and debit card information from some of its restaurants earlier this year was “part of a highly sophisticated criminal operation.”

But the chain, which only discovered the breach after a large batch of card numbers were offered on an Internet forum, said it’s still working with the U.S. Secret Service and forensic experts to determine exactly what happened.

“We continue to make progress in our investigation into the recent security compromise that affected P.F. Chang’s,” said Rick Federico, CEO of PF Chang’s, in a statement posted Tuesday on the company’s website. “We will continue sharing important details once they have been confirmed by a team of third-party forensic experts.”

The statement was the first update issued by the company in three weeks and didn’t add much additional information to what was already known: that an attack apparently hit the point-of-sale systems in the company’s restaurants and sucked up card numbers used between March and May of this year.

[…]

[ISN] BAE Says Hedge Fund Attack on Hedge Fund Wasn’t Real

http://www.bloomberg.com/news/2014-07-02/bae-says-hedge-fund-attack-on-hedge-fund-wasn-t-real.html
By Chris Strohm
Bloomberg.com
July 2, 2014

The hacking attack on a hedge fund that was described by a security official with BAE Systems Plc (BA/) last month wasn’t real, a company spokeswoman said.

The attack was one of several “illustrative scenarios” that BAE internally developed and was “incorrectly presented” as authentic, Natasha Davies, a company spokeswoman, said in a telephone interview today. The company, based in London, sells network security services to government and corporate clients.

The notion of a serious hacking attack on a hedge fund fueled questions about network security at financial institutions and helped lead to the creation of a new group to promote computer security within the banking industry.

Paul Henninger, global product director for BAE Systems Applied Intelligence, said June 19 that hackers successfully inserted malicious software that delayed by several hundred microseconds a large, unnamed hedge fund’s order-entry system. Henninger said the hackers also rerouted data that might be used to make money in rogue stock-market transactions.

[…]

[ISN] Hacked companies face SEC scrutiny over disclosure, controls

http://www.sfgate.com/business/article/Hacked-companies-face-SEC-scrutiny-over-5596541.php
By Dave Michaels
SFGate.com
July 2, 2014

The Securities and Exchange Commission has opened investigations of a number of companies, examining whether they properly handled and disclosed a growing number of cyberattacks.

The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren’t public. Target Corp., the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers’ debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings.

The prospect of enforcement actions against companies that have been victims of cyberattacks marks a new front in the agency’s efforts to combat the rising threat hackers pose to public companies, brokerages and financial markets. Previously, the SEC had focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers.

[…]