[ISN] Help InfoSec News with a donation

http://www.infosecnews.org/help-infosec-news-with-a-donation/

InfoSec News is always in a little cash crunch.

For $1.00 at the local diner, you can buy a bottomless cup of coffee. At the local bookstore, a large three-shot, double latte cappuccino is nearly $6.00. Ideally we’d like to see every InfoSec News subscriber sacrifice at least one or two days without his or her coffee to enable us not only to continue the work we’ve been doing, but to improve our services.

“Keeping up with security related news is important in this business, and I have little time to troll the web for news. ISN is a great service to me.”

“This is the most informative mail list I have ever been on and have passed it on to many of my associates who share the same opinion.”

“The ISN list is highly recommended, and probably more entertaining than BugTRAQ.”

“I’ve found your list to be perhaps the single best security-related list to subscribe”

“I’m absolutely in love with the ISN and its rich contents”

“ISN has been an invaluable resource.”

A donation of $1 to $5 or $20 isn’t a lot when you consider the work done behind the scenes here, such as dealing with Microsoft SMTPSVC, bounced mail, and dead addresses. It’s no small feat finding, filtering, formatting, and analyzing the news stories that more than 6000 information security, homeland defense, and open source intelligence professionals depend on daily.

We greatly appreciate any amount you’re willing to send our way. Thank you for your support!





[ISN] Retailers Now Actively Sharing Cyberthreat Intelligence

http://www.darkreading.com/attacks-breaches/retailers-now-actively-sharing-cyberthreat-intelligence/d/d-id/1317086

By Kelly Jackson Higgins
Dark Reading
10/30/2014

The retail industry’s R-CISC has been up and running for four months now and is looking for more retailers to sign up.

When a threat alert arrived about a new malware threat during a recent industry gathering of retailers, a group of them immediately left the room to check in with their home networks. The intel came in the form of an email via the retail industry’s new intelligence-sharing program, the Retail Cyber Intelligence Sharing Center (R-CISC).

“We happened to be having a meeting… and someone got intel on some malware. Immediately, people got up [and left the room] and checked on their systems and detected it,” says Suzie Squier, senior vice president of the Retail Industry Leaders Association (RILA), which spearheaded the formation of the R-CISC.

R-CISC, which RILA announced back in May, has been up and running for about four months now, gradually ramping up to 100 member retail organizations participating in the industry’s information sharing and analysis center (ISAC). Target, American Eagle Outfitters, Gap, JC Penney, Lowe’s, Nike, Safeway, VF, Walgreens, and other major retailers sit on the board of directors of the R-CISC, a portal-based threat intelligence-sharing platform for retailers that includes feeds from government and other industry sources, and provides threat analysis. It’s open to all retailers



[ISN] Social Engineers work in teams to harness the power of information

http://www.csoonline.com/article/2840953/social-engineering/social-engineers-work-in-teams-to-harness-the-power-of-information.html

By Steve Ragan
Salted Hash
CSO Online
Oct 30, 2014

Proving once again that information viewed as harmless can often enable an attacker, the contestants in this year’s Social Engineering Capture the Flag (SECTF) contest at DEF CON 22 worked in teams of two in order to collect vital information from some of the nation’s largest companies.

Social-Engineer.org has released the final report from the SECTF contest held at DEF CON 22 this summer in Las Vegas. As always, the goal of the contest is awareness, using live demonstrations to provide actual examples of the techniques and tactics used by malicious attackers.

The only difference is that none of the contestants were actually causing harm; there is a strict rule against victimization. If that weren’t the case, then some of the companies in this year’s contest would have had an additional layer of problems to deal with.

[…]



[ISN] Banks’ Concerns About Cyberthreats Grow

http://www.bankinfosecurity.com/banks-concerns-about-cyberthreats-grow-a-7486

By Tracy Kitten
Bank Info Security
October 28, 2014

Banking leaders say they’re substantially more concerned today than they were just six months ago about cyber-attacks and geopolitical threats aimed at the global financial system.

That’s according to a report covering results of a survey conducted during the third quarter and published last week by the Depository Trust & Clearing Corp. The DTCC provides clearing and settlement services for banking institutions. Participants in the survey included financial stakeholders from throughout the world.

Since March, when the DTCC last conducted its Systemic Risk Barometer survey, more global banking leaders say they see ongoing cyber-risks as posing increasing concern. They rate cyberthreats as the No. 1 systemic risk facing the global economy today.

Banking institutions and other financial services firms surveyed by the DTCC say that in the past 12 months, they have increased their investments in systems and technologies designed to monitor and mitigate systemic risks, such as cyber-attacks and economic recessions that could collapse the global financial system.

[…]



[ISN] Retailers accuse credit unions of talking smack about card breaches

http://arstechnica.com/security/2014/10/retailers-accuse-credit-unions-of-talking-smack-about-card-breaches/

By Sean Gallagher
Ars Technica
Oct 30, 2014

Reeling from the bad press associated with an ongoing parade of data breaches caused by criminal infiltration of their payment systems, representatives of six retail industry associations signed a joint open letter that pushes back against a vocal critic of retailers’ cyber-security practices: credit union associations.

In the letter addressed to the presidents of the Credit Union National Association (CUNA) and the National Association of Federal Credit Unions (NAFCU), retail industry representatives accused the associations of spreading “a number of misleading and factually inaccurate points… in the media and before Congress in regards to the cyber security in our country.” The industry group executives insisted that retailers already share the burden of dealing with the cost of lost data, at least to the degree that they are contractually obliged by credit card organizations. But given how much they actually do pay, the retailers may protest too much.

Unsafe at any register

The letter is a direct response to comments made in a letter to House Homeland Security Committee chairman Rep. Michael McCaul (R-TX) by Carrie Hunt, the NAFCU’s senior vice president of government affairs, posted on October 28. In her letter, Hunt called out the retail industry for not carrying enough of the burden associated with the loss of customers’ financial data.

While credit unions and other financial institutions are subject to strict standards and regulations on handling sensitive customer financial data, Hunt wrote, “retailers and many other entities…are not subject to these same standards, and they become victims of data breaches and data theft all too often. While these entities still get paid, financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers.”

[…]


[ISN] Did Drupal Drop The Ball? Users Who Didn’t Update Within 7 Hours ‘Should Assume They’ve Been Hacked’

http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-drupal-drop-the-ball-users-who-didnt-update-within-7-hours-should-assume-theyve-been-hacked/

By Thomas Fox-Brewster
Forbes.com
10/30/2014

Hackers are remarkably quick off the mark. Drupal, the creator of the eponymous content management system that millions use the world over, now knows that all too well. In mid-October it patched a SQL injection flaw, which could be exploited by tricking a database into coughing up data from its tables and columns using the SQL language. But yesterday, it said that thanks to an automated attack that hit as many Drupal sites containing the vulnerability as quickly as possible, anyone who didn’t update to version 7.32 within seven hours of its release should assume they’ve been hacked.

The bombshell was officially dropped in an advisory late yesterday, ranked ‘Highly Critical’. And for all those users concerned, updating to version 7.32 or applying the patch fixes the vulnerability but will not fix a compromised website, the warning read.

It gets a little worse, as Michael Hess of the Drupal security team notes: “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

Hackers who broke into Drupal-based sites may have done all kinds of nasty things, from installing backdoors to simply grabbing all data on that site. They might even be able to use their leverage to compromise other websites and apps hosted on the same server, escalating their attacks. Put simply, this could be catastrophic for victims.

SQL injection is one of the most commonly used attack methods on the planet. Tools like sqlmap automate such attacks, requiring little technical skill of the hacker, yet lead to devastating results.

[…]

