Tag Archives: question

[ISN] Privacy talk at DEF CON canceled under questionable circumstances

http://www.csoonline.com/article/2947377/network-security/privacy-talk-at-def-con-canceled-under-questionable-circumstances.html
By Steve Ragan
Salted Hash, CSO
July 12, 2015

Earlier this month, several news outlets reported on a powerful tool in the fight between those seeking anonymity online, versus those who push for surveillance and taking it away. The tool, ProxyHam, is the subject of a recently canceled talk at DEF CON 23 and its creator has been seemingly gagged from speaking about anything related to it. Something’s off, as this doesn’t seem like a typical cancellation.

Privacy is important, and if recent events are anything to go by – such as the FBI pushing to limit encryption and force companies to include backdoors into consumer oriented products and services; or the recent Hacking Team incident that exposed the questionable and dangerous world of government surveillance; striking a balance between law enforcement and basic human freedoms is an uphill struggle. Over the last several years, reports from various watchdog organizations have made it clear that anonymity on the Internet is viewed as a bad thing by some governments, and starting to erode worldwide. […]





[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html
By Dave Foreman, ECS, Practice Director
Bob’s Guide
July 6, 2015

Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item.

Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure.

CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]



[ISN] Hard to Sprint When You Have Two Broken Legs

http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html
By Valsmith
June 14, 2015

Now as a disclaimer, I don’t work for the government so there is a lot I don’t know but I have friends who do or who have in the past and you hear things. I also pay attention and listen to questions I get in my training classes and conference talks. This directive from the White House is laughable for a number of reasons and demonstrates just how out of touch decision makers in the Government are on these issues.

1.) Technically skilled people have been BEGGING to improve cyber security in the government for well over 15 years. I don’t think this is any kind of secret, just google for a bit or talk to anyone who works in government in the trenches. Asking for staff, tools, budget, authority, support and getting little of it. In a way, this directive is insulting to them: after years of asking, trying and failing suddenly someone says: “oh hey I have an idea, why don’t you go and secure stuff!”. Right. Unless you are going to supply those things they need RIGHT NOW, they will fail. And government procurement and hiring organizations are notoriously slow so the chances of that happening are slim.

2.) IT Operations. The first thing that has to be in place for there to be any real chance is solid IT operations. Organizations have to be able to push out images and patches quickly, orderly, and with assurance. Backup recovery, knowledge of inventory, well managed systems, etc. are all paramount. Do you know how most government IT operations are managed? By contractors, aka the lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc. who bid on large omnibus support contracts, win them, and THEN try to fill the staffing requirements. How do you win the lowest bid in services / support contracts? By keeping staffing costs down, aka paying the lowest possible salaries.

This results in some of the most piss-poor IT operations in the world. You want to know why Hilary Clinton, former Secretaries of Defense, and numerous other government staff run their own private mail servers? Most likely it’s because their work provided email DOESN’T work. Slow systems, tiny inbox quotas, inability to handle attachments, downtime, no crypto or crypto incompatible with anyone else, these are just a few of the issues out there. And it’s not just email. I have personally seen a government conference room system take 15-20 minutes to log in at the windows login prompt, due to poor IT practices. I was told that most of the time people resorted to paper hand outs or overhead projectors. Yeh like the ones you had in high school in the 90s with the light bulbs and transparencies.

Essentially what this directive is saying: “Hey you low end IT staff, winners of the lowest bid, who can barely keep a network up or run a mail server, make sure you become infosec experts and shore up our defenses, and you have 30 days to do it.” Right. I have heard horror stories from acquaintances in the government of waiting 6 months for an initial account setup ticket to get performed. Weeks to get a new desktop deployed. It is idiotic to think that current IT operations can support this kind of request. But that is who typically manages servers, network and desktops, and who would have to deploy whatever security tools would be needed to do this in support of pitifully small infosec teams. […]



[ISN] Skytalks 2015 CFP – NOW OPEN

Forwarded from: bluknight <bluknight@skytalks.info>

== https://skytalks.info ==

Skytalks is a ‘sub-conference’ that gives a unique platform for researchers to share their research, for angry hackers to rant about the issues of their industry, and for curious souls to probe interesting issues, all without the watchful eye of the rest of the world. With a strict, well-enforced “no recording” policy, research that is underway or critical of a vendor can be aired to your peers. You are talking to other security people, sharing your working knowledge of a topic. That said, this isn’t a soapbox to say and trash whoever or whatever you want.

Skytalks is old-school DEF CON. We encourage handles – we want your material to stand on its own, not what company’s logo is on your slide deck. We encourage the audience to ask questions and challenge what does not seem to be right. Speakers will be held accountable for their material by their peers… loudly.

We’re looking for talks that are about cutting edge material, either in-progress, or ready to be disclosed… at the risk of offending a company. Talks that challenge the industry norms are great. Calling out those who plague our beloved industry, welcome! Talks that are outside the realm of a PG rating, can find (and have found) a home here (was re: Teledildonics).

First time speakers are welcome. We have had the privilege and honor of hosting for the first time some great names in the community. You, too, can be among that group.

What you must bring: A compelling topic, slides, and willingness to educate and/or face your peers. You should be: outgoing, willing to educate, wanting to learn (yes, as a presenter), and wanting to engage your peers. If you lack any of these skills, we can fix this. Please bring a spare liver. A good talk is about mutual learning; it is a conversation. We just provide a room of professionals that want to converse, over booze. Sometimes… a lot of booze.

Your submission must include a brief abstract that explains your talk. It must include a detailed outline of the major talking points. Optionally, you can give us additional information or arguments about why we should accept your talk.

What we provide: A place to present, with projectors (VGA video). While we may have adapters on-hand, please be prepared and bring your own. We’ll have a PA system with appropriate microphones, as well as audio input from a device if you need it. Please let us know if you have any special requirements, such as a fire extinguisher for when you plan to set the table on fire.

Please note: all speakers must already be badged Defcon attendees. Skytalks cannot provide DEF CON badges for speakers, and Skytalks badges, while great keepsakes, do not provide access to DEF CON itself.

Also, dongs.

== https://skytalks.info ==



[ISN] Korean Log-in Security Questions ‘Too Easy’

http://english.chosun.com/site/data/html_dir/2015/05/22/2015052201606.html
Chosun.com
May 22, 2015

Internet users in Korea are notoriously more exposed to security risks than their counterparts in other countries, partly because their password hints are too easy to guess, Google analysis released Thursday shows. The search giant analyzed security questions selected by the users around the world to help them when they forget the password.

According to the analysis, a majority of Korean users selected too-easy-to-guess questions like “the city where you were born” and “what’s your favorite food.” If a hacker tries 10 times to crack the password, their chances of guessing the right answer are 39 percent and 43 percent. If “Seoul” is the answer to the birthplace question, the question is no more secure than the password “1234.” […]



[ISN] Lets Call Stunt Hacking What it is, Media Whoring.

http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html
By Valsmith
carnal0wnage.attackresearch.com
May 16, 2015

I recently read this article: http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/ and it brought to mind some thoughts that have been percolating for quite a while. Sometime last year I believe Dave Aitel coined the term Stunt Hacking, which I think is a pretty good way to describe it. We often see these media blitzes about someone hacking a car, or an airplane, or some other device. The public who has a limited understanding of the technology, and the media who has a worse understanding, get in a frenzy or outrage, the security company hopes this translates into sales leads, and the researcher hopes this translates into name recognition leading to jobs, raises, conference talks, etc.

A question that I think we should keep in mind is: Why would a company hire someone who just publicly displayed how little they understand about the technology and made their desired potential client look bad. There are two problems with this: 1.) The research is often FUD or based on a very limited understanding of real world deployment or 2.) Any actually valuable technical research gets lost in the hype.

Let me be clear, I am not saying that researchers like Charlie Miller or Barnaby Jack haven’t contributed meaningful or ground breaking research to the community, (they have), but many ride a hype wave that is often unwarranted. Unscrupulous infosec companies take advantage of such researchers’ work to drive sales of mediocre consulting services as well. The practice of companies pushing their best researchers to drop and overhype controversial or gimmicky bugs makes no sense from a business perspective either from the security vendor or the services purchaser point of view. Who wins in the long run? The vendor loses credibility and the purchaser suffers in the PR space. […]



[ISN] Researcher who joked about hacking a jet plane barred from United flight

http://arstechnica.com/security/2015/04/researcher-who-joked-about-hacking-a-jet-plane-barred-from-united-flight/
By Dan Goodin
Ars Technica
April 19, 2015

A researcher who specializes in the security of commercial airplanes was barred from a United Airlines flight Saturday, three days after he tweeted a poorly advised joke mid-flight about hacking a key communications system of the plane he was in.

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

On Saturday night, Roberts faced more fallout, this time from the airline itself. Shortly after passing TSA screening and arriving at the gate to board a San Francisco-bound flight, members of United Corporate Security were there to stop him from getting on the plane. They told him United officials would inform him by mail of the reason within the next two weeks. Roberts was able to book last-minute travel on a Southwest flight and arrived in San Francisco late Saturday night, three days ahead of a presentation he’s scheduled to present at next week’s RSA security conference.

“Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing,” wrote attorneys from the Electronic Frontier Foundation, who are providing Roberts with legal representation. “As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA speak about security vulnerabilities in a talk called ‘Security Hopscotch’ when attempting to board the United flight.” […]



[ISN] Hacker In Trouble With Feds After Tweeting About ‘Playing’ With Plane Comms Mid-Flight

http://www.forbes.com/sites/thomasbrewster/2015/04/17/hacker-tweets-about-hacking-plane-gets-computers-seized/
By Thomas Fox-Brewster
Forbes Staff
4/17/2015

What’s the first rule of flight club? No, it’s not “don’t talk about flight club”. The first rule is: do not tweet about hacking flight systems when using the on-board Wi-Fi. But pro hacker and founder of One World Labs, Chris Roberts, did just that on a trip from Denver to Syracuse yesterday. His tweet wouldn’t have made much sense to the average Twitter

https://twitter.com/Sidragon1/status/588433855184375808
“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂” — Chris Roberts (@Sidragon1) April 15, 2015

But it made sense to US government officials, who evidently picked up on the references to on-board communications systems (the tweets did not refer to compromising flight control technologies). Rogers said when the flight landed, he was grabbed by FBI agents, questioned for four hours and when Rogers declined to hand over his computing equipment, they seized it all, including an iPad, a MacBook Pro, three hard drives, a flash drive and some USB sticks. He got to keep his phone. All devices were encrypted, so the border control cops may have had a tough time getting anything useful from Roberts’ machines. He still hasn’t retrieved his toys and has not seen a warrant. […]

