http://www.theregister.co.uk/2015/08/11/your_numbers_arent_random_says_infosec_boffin/ By Richard Chirgwin The Register 11 Aug 2015 The randomness (or rather, lack thereof) of pseudo-random number generators (PRNGs) is a persistent pain for those who work at the low layers of cryptography. Security researcher Bruce Potter, whose activity in the field stretches back more than a decade, when he demonstrated war-driving using Bluetooth, says problems both in design and implementation undermine the effectiveness of common crypto libraries. Now Potter’s work (his BlackHat presentation is here [PDF]) has led to the claim that nobody really understands what’s going on. Part of the problem, he writes, is that people tend to conflate “entropy” with “randomness”, when in fact the two mean different things: entropy is a measurement of the uncertainty of an outcome, while randomness is a long-term assessment of entropy. […]
http://www.nextgov.com/cybersecurity/2015/07/after-dodging-bullet-hit-opm-interior-owns-cyber-problem/117904/ By Aliya Sternstein Nextgov.com July 15, 2015 Sometimes fear is the best motivator. At the Interior Department, this was the case when computer hackers stole millions of federal employee records from an Office of Personnel Management database stored inside one of Interior’s data centers. The assailants left Interior’s data unscathed. But point taken, Interior Chief Information Officer Sylvia Burns said Wednesday afternoon. The incident, part of a historic hack against the U.S. government, prompted the department to expedite a goal of eliminating wimpy passwords as the only safeguard when signing in to agency systems. The intruders, suspected Chinese spies, used a stolen password from an OPM contractor to copy OPM’s database, according to federal officials. From OPM’s network, the bad guys then scampered across the entire Interior facility’s IT environment, Burns said. All other data, however, was not compromised, she said. “When I, as a CIO for the department, learned of the intrusion, it was horrifying to me and since that time, my team and I have been on high alert working probably seven days a week, long hours to take our lessons learned and do a mitigation plan around it,” Burns said. […]
http://www.defenseone.com/technology/2015/07/how-break-cias-cloud-amazon/117175/ By Patrick Tucker defenseone.com July 7, 2015 Last year, Amazon Web Services surprised a lot of people in Washington by beating out IBM for a $600 million contract to provide cloud services and data storage to the CIA and the broader intelligence community. But more money can bring more problems. Amazon, in essence, has turned itself into the most valuable data target on the planet. The cloud is completely separate from the rest of the Internet and heavy duty encryption is keeping the spies’ secrets relatively safe from outsiders — but what about an attack from within? In 2010, Army PFC Bradley — now Chelsea — Manning explained how she stole millions of classified and unclassified government documents: “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis.” She “listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history.” So if you wanted to pull off a similar feat at Amazon, how would you do it? First, get a job at Amazon’s Commercial Cloud Service or C2S, sometimes called the “spook cloud.” According to this help-wanted ad, applicants must pass a single-scope background investigation—in essence, the kind of detailed 10-year background check required for a Top Secret security clearance. Of course, to a savvy spy or informant, obtaining top-secret clearance is not the barrier it once was. […]
http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/ By Kim Zetter Security Wired.com 6.22.15 MORE THAN 10 airplanes were grounded on Sunday after hackers apparently got into computer systems responsible for issuing flight plans to pilots of Poland’s state-owned LOT airline. The apparent weak link? The flight plan-delivery protocol used by every airline. In fact, though this may be the first confirmed hack of its kind, it’s very similar to a mysterious grounding of United Airlines planes that happened last month. Yesterday, hackers breached the network at Warsaw’s Chopin airport, causing some flights to be cancelled and others to be delayed. Approximately 1,400 passengers on flights headed to Dusseldorf, Hamburg, Copenhagen, and cities in Poland were affected by the grounding. The problem was reportedly fixed after about five hours. “We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry,” LOT spokesman Adrian Kubicki told the BBC. It’s possible that potentiality is already a reality. Last month, all United flights in the US were grounded for nearly an hour after the airline apparently experienced problems with flight plans dispatched to its pilots. […]
http://arstechnica.com/security/2015/06/report-hack-of-government-employee-records-discovered-by-product-demo/ By Sean Gallagher Ars Technica June 11, 2015 As officials of the Obama administration announced that millions of sensitive records associated with current and past federal employees and contractors had been exposed by a long-running infiltration of the networks and systems of the Office of Personnel Management on June 4, they claimed the breach had been found during a government effort to correct problems with OPM’s security. An OPM statement on the attack said that the agency discovered the breach as it had “undertaken an aggressive effort to update its cybersecurity posture.” And a DHS spokesperson told Ars that “interagency partners” were helping the OPM improve its network monitoring “through which OPM detected new malicious activity affecting its information technology systems and data in April 2015.” Those statements may not be entirely accurate. According to a Wall Street Journal report, the breach was indeed discovered in April. But according to sources who spoke to the WSJ’s Damian Paletta and Siobhan Hughes, it was in fact discovered during a sales demonstration of a network forensics software package called CyFIR by its developer, CyTech Services. “CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network,” Paletta and Hughes reported. And, according to federal investigators, that malware may have been in place for over a year. US intelligence agencies have joined the investigation into the breach. But it’s still not even clear what data was accessed by the attackers. Meanwhile, the breach has triggered outrage from unions representing federal employees. In a letter to OPM Director Katherine Archuleta, American Federation of Government Employees president J. David Cox expressed displeasure at the way OPM had handled the breach, calling the 18 months of credit monitoring and $1 million liability insurance OPM is offering federal employees “entirely inadequate, either as compensation or protection from harm.” […]
http://www.zdnet.com/article/islamic-state-has-best-cyber-offence-of-any-terrorist-group/ By Stilgherrian ZDNet News June 5, 2015 “ISIS [also known as Islamic State] came onto the scene very quickly, but they already have arguably the best cyber offensive capability of any extremist movement out there, and it’s still early days,” Mikko Hypponen, chief research officer at F-Secure said. “We still haven’t seen real physical damage being done by any extremist group, and it’s probably going to take a while until we see it. But these guys are the first ones that actually have some existing hackers who have joined them and moved in from the West,” Hypponen told the AusCERT Information Security Conference on Australia’s Gold Coast in his keynote address on Friday morning. “It’s not yet really a big problem, but obviously this isn’t getting better, this is getting worse,” he said. One such hacker is Abu Hussain Al Britani, a British citizen that F-Secure had been tracking as a traditional hacker three years ago. They lost track of him two years ago, but found him again last summer in Syria. Al Britani has been kicked off Twitter around 20 times, but appears to be tweeting again this week. […]
http://www.v3.co.uk/v3-uk/news/2411419/fbi-europol-and-nca-gunning-for-top-200-black-hats-making-exploit-kits-for-criminals By Alastair Stevenson V3.co.uk 03 Jun 2015 Law enforcement agencies need to mount a coordinated effort to shut down the exploit developers and hosting sites powering organised crime, according to experts from the FBI, Europol and the UK’s National Crime Agency (NCA). The experts made the claim during a panel discussion at InfoSec 2015, when FBI assistant legal attaché Michael Driscoll listed taking down the “core group” of 200 black hats creating exploit kits as one of the biggest challenges facing law enforcement. “We’re looking to stop that marketplace of tools. There’s a small group creating the core technologies that feed the criminal world,” he said. “The problem is they’re easily bought on the criminal marketplace and distributed. I could go now and pick them up for $200. We’re focusing our resources on taking out the people that do the most damage.” […]
http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html By Valsmith carnal0wnage.attackresearch.com May 16, 2015 I recently read this article: http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/ and it brought to mind some thoughts that have been percolating for quite a while. Sometime last year I believe Dave Aitel coined the term Stunt Hacking, which I think is a pretty good way to describe it. We often see these media blitzes about someone hacking a car, or an airplane, or some other device. The public who has a limited understanding of the technology, and the media who has a worse understanding, get in a frenzy or outrage, the security company hopes this translates into sales leads, and the researcher hopes this translates into name recognition leading to jobs, raises, conference talks, etc. A question that I think we should keep in mind is: Why would a company hire someone who just publicly displayed how little they understand about the technology and made their desired potential client look bad. There are two problems with this: 1.) The research is often FUD or based on a very limited understanding of real world deployment or 2.) Any actually valuable technical research gets lost in the hype. Let me be clear, I am not saying that researchers like Charlie Miller or Barnaby Jack haven’t contributed meaningful or ground breaking research to the community, (they have), but many ride a hype wave that is often unwarranted. Unscrupulous infosec companies take advantage of such researchers work to drive sales of mediocre consulting services as well. The practice of companies pushing their best researchers to drop and overhype controversial or gimmicky bugs makes no sense from a business perspective either from the security vendor or the services purchaser point of view. Who wins in the long run? The vendor loses credibility and the purchaser suffers in the PR space. […]
This management book focuses on the crucial knowledge you'll need to become a great manager and leader. It will teach you the important management and leadership skills so others will call you "great"!
