http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html
By Valsmith, carnal0wnage.attackresearch.com, May 16, 2015

I recently read this article: http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/ and it brought to mind some thoughts that have been percolating for quite a while. Sometime last year I believe Dave Aitel coined the term Stunt Hacking, which I think is a pretty good way to describe it. We often see these media blitzes about someone hacking a car, or an airplane, or some other device. The public, who has a limited understanding of the technology, and the media, who has a worse understanding, get in a frenzy or outrage; the security company hopes this translates into sales leads, and the researcher hopes this translates into name recognition leading to jobs, raises, conference talks, etc. A question that I think we should keep in mind is: why would a company hire someone who just publicly displayed how little they understand about the technology and made their desired potential client look bad? There are two problems with this: 1.) The research is often FUD or based on a very limited understanding of real-world deployment, or 2.) Any actually valuable technical research gets lost in the hype. Let me be clear, I am not saying that researchers like Charlie Miller or Barnaby Jack haven’t contributed meaningful or groundbreaking research to the community (they have), but many ride a hype wave that is often unwarranted. Unscrupulous infosec companies take advantage of such researchers’ work to drive sales of mediocre consulting services as well. The practice of companies pushing their best researchers to drop and overhype controversial or gimmicky bugs makes no sense from a business perspective, either from the security vendor’s or the services purchaser’s point of view. Who wins in the long run? The vendor loses credibility and the purchaser suffers in the PR space. […]
http://www.defenseone.com/technology/2015/03/cia-restructuring-adds-new-cyber-focus/106953/
By Patrick Tucker, defenseone.com, March 6, 2015

The CIA will create a new directorate designed to boost the agency’s ability to collect and use digital intelligence in operations, CIA Director John Brennan announced. The move to launch a “directorate of digital innovation” comes two weeks after the Washington Post first reported that Brennan would be restructuring the agency to place a much stronger emphasis on the use of computers and electronic intelligence. The move is a big change for the agency, one that reflects a fundamental evolution in intelligence gathering. CIA traditionally has been tasked with collecting information from human sources (also called HUMINT). The NSA, conversely, is tasked with collecting information from electric sources in the form of signals (also called SIGINT). Today’s announcement is a formal recognition that the electronic world is overtaking the human one, and that collecting information from humans now has a digital component to it. “Digital technology holds great promise for mission excellence, while posing serious threats to the security of our operations and information,” Brennan said, in a message to the Intelligence Community, released Friday. “We must place our activities and operations in the digital domain at the very center of all our mission endeavors.” Brennan said a new senior position will “oversee the acceleration of digital and cyber integration across all of our mission areas.” […]
Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter or in some locations summer solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2015, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.
http://www.denverpost.com/business/ci_26556583/denver-based-ping-identity-gets-35-million-investment
By Laura Keeney, The Denver Post, 09/18/2014

Recent data breaches at high-profile companies such as Home Depot and Goodwill Stores have thrust Internet security back into the spotlight, and one local company is on the verge of a giant leap forward in the mission to make data safer. Denver-based Ping Identity is expected to announce early Thursday a $35 million investment boost, led by global investment firm KKR and newcomer Ten Eleven Ventures, which also includes some of Ping’s existing investors. This investment brings Ping’s total funding to $110 million. This latest shot in the arm is recognition that data security is a hot topic. It’s also a nod to Ping’s identity and access-management technology — generally called “single sign-on” — that goes above and beyond traditional password-based approaches to data security, said Ping’s senior marketing director Jeff Nolan. “Companies have an appetite for the kind of change we’ve been talking about for years because the cost of a data breach is far greater than the cost of replacing the old infrastructure that allowed it in the first place,” he said. “There’s independent research that shows something like 76 percent of those data breaches are the result of a compromised password. The solution here is not better passwords but getting rid of the password altogether.” […]
http://www.propublica.org/article/lizhong-fan
By Ryan Gabrielson, ProPublica, and Andrew Becker, Center for Investigative Reporting; illustration by David Sleight, ProPublica; August 26, 2014

Lizhong Fan’s desk was among a crowd of cubicles at the Arizona Counter Terrorism Information Center in Phoenix. For five months in 2007, the Chinese national and computer programmer opened his laptop and enjoyed access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators. The facility had been set up by state and local authorities in the aftermath of the 9/11 terror attacks, and so, out of concerns about security, Fan had been assigned a team of minders to watch him nearly every moment inside the center. Fan, hired as a contract employee specializing in facial recognition technology, was even accompanied to the bathroom. However, no one stood in Fan’s way when he packed his equipment one day in early June 2007, then returned home to Beijing. There’s a lot that remains mysterious about Fan’s brief tenure as a computer programmer at the Arizona counterterrorism center. No one has explained why Arizona law enforcement officials gave a Chinese national access to such protected information. Nor has anyone said whether Fan copied any of the potentially sensitive materials he had access to. But the people responsible for hiring Fan say one thing is clear: The privacy of as many as 5 million Arizona residents and other citizens has been exposed. Fan, they said, was authorized to use the state’s driver’s license database as part of his work on a facial recognition technology. He often took that material home, and they fear he took it back to China. […]
http://www.theregister.co.uk/2014/05/07/4chan_bounty/
By Darren Pauli, The Register, 7 May 2014

Internet armpit 4chan now has a bug bounty – although with just $20 in “self-serve ad spend” on the website or an annual membership up for grabs, it’s not particularly bountiful. The bounty programme was launched after the image-board website and a drawing website, both founded by Chris “moot” Poole, were compromised by miscreants. The bounty [details here] may help to deter future attacks by encouraging hackers to quietly report vulnerabilities so they could be fixed. But 4chan’s effort could be hindered as the cashless reward stands as one of the stingiest on the internet, with researchers rewarded the princely sum of 20 bucks in “self-serve ad spend” or a free annual 4chan membership (worth $20) for each bug disclosure, plus recognition in the presently empty hall of fame. Poole blogged about how he had awoken last week to a series of missed phone calls from pals who told him he’d “been hacked twice in one day”. […]
http://www.wired.com/opinion/2014/01/using-computer-drug-war-decade-dangerous-excessive-punishment-consequences/
By Hanni Fakhoury, Wired.com, 01.23.14

Before Edward Snowden showed up, 2013 was shaping up as the year of reckoning for the much criticized federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”). The suicide of Aaron Swartz in January 2013 brought the CFAA into mainstream consciousness, so Congress held hearings about the case, and legislative fixes were introduced to change the law. Finally, there seemed to be a newfound scrutiny of CFAA prosecutions and punishment for accessing computer data without or in excess of “authorization” – which affected everyone from Chelsea Manning to Jeremy Hammond to Andrew “Weev” Auernheimer (disclosure: I’m one of his lawyers on appeal). Not to mention less illustrious personalities and everyday users, such as people who delete cookies from their browsers. But unfortunately, not much has changed; if anything, the growing recognition of the powerful capabilities of modern computing and networking has resulted in a “cyber panic” in legislatures and prosecutor offices across the country. Instead of reexamination, we’ve seen aggressive charges and excessive punishment. This cyber panic isn’t just a CFAA problem. In the zeal to crack down on cyberbullying, legislatures have passed overbroad laws criminalizing speech clearly protected by the First Amendment. This comes after one effort to use the CFAA to criminalize cyberbullying
Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2014, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.