Tag Archives: special

[ISN] Attention, Cyber Pros: The Pentagon Wants You — 3,000 of You

http://www.nextgov.com/cybersecurity/2015/03/pentagon-has-until-2016-extend-3000-jobs-offers-civilian-cyber-whizzes/106842/
By Aliya Sternstein
Nextgov.com
March 5, 2015

The military has been given the go-ahead to fast-track the hiring of 3,000 computer whiz civilians, in part, to flesh out the half-staffed U.S. Cyber Command, federal officials announced Thursday.

Yesterday, command leaders told Congress they need to be able to make compensation deals with prospective employees more quickly, as threats from nation state hackers mount.

The permission slip the Office of Personnel Management signed applies to the entire Defense Department, including the command, according to a notice posted in the Federal Register. The 5-year-old command organizes cyberattacks against adversaries and network defense operations.

The pay scale for the new Defense positions starts at $42,399 and goes up to $132,122. Under the arrangement, the Pentagon can skip the process of rating applicants based on traditional competitive criteria. Instead, the department can offer jobs based on the candidate’s unique skills and knowledge. The special qualifications include the ability to analyze malware, respond to incidents, manage cyber fire drills and detect vulnerabilities, among other things.

[…]


[ISN] The Drug Cartels’ IT Guy

http://motherboard.vice.com/read/radio-silence
By Brian Anderson
motherboard.vice.com
March 3, 2015

It could have been any other morning. Felipe del Jesús Peréz García got dressed, said goodbye to his wife and kids, and drove off to work. It would be a two hour commute from their home in Monterrey, in Northeastern Mexico’s Nuevo León state, to Reynosa, in neighboring Tamaulipas state, where Felipe, an architect, would scout possible installation sites for cell phone towers for a telecommunications company before returning that evening.

That was the last time anyone saw him.

Felipe’s wife, Tanya, is haunted by his disappearance. “All this time I’ve spent searching for his whereabouts,” she told me. Felipe was 26, with clear hazel eyes and a wide mouth, when he disappeared on March 19, 2013, just under two years ago.

It’s a story, or lack thereof, that’s common across Mexico. People vanish, and the vast majority of cases aren’t solved for years, if they’re ever closed at all. Tanya is just one of the bereaved in an expanding web of loved ones and friends left with more questions than answers, and a collective resolve to seek justice for los desaparecidos. They’re waiting for the phone to ring.

Only this story is, perhaps, not just another kidnapping. What happened to Felipe Peréz? One theory suggests he was abducted by a sophisticated organized crime syndicate, and then forced into a hacker brigade that builds and services the cartel’s hidden, backcountry communications infrastructure. They’re the Geek Squads to some of the biggest mafia-style organizations in the world.

That’s how Tanya sees it, at least. She looks at the rash of kidnapping cases across Mexico, many of which have taken place in Tamaulipas, targeted specifically at architects, engineers, and other information technology types, and can’t help but think Felipe was one of them.

Nearly 40 information technology specialists have disappeared in Mexico since 2008, allegedly nabbed by one of the two dominant gangs in the region, the Cartel del Golfo or Los Zetas.

[…]


[ISN] Credit Card Breach at Mandarin Oriental

http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/
By Brian Krebs
Krebs on Security
March 4, 2015

In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach.

Reached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach.

“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement. “Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.”

Mandarin isn’t saying yet how many of the company’s two-dozen or so locations worldwide may be impacted, but banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States, including locations in Boston, Florida, Las Vegas, Miami, New York, and Washington, D.C. Sources also say the compromise likely dates back to just before Christmas 2014.

[…]


[ISN] PSA: Your crypto apps are useless unless you check them for backdoors

http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/
By Dan Goodin
Ars Technica
Feb 4, 2015

At the beginning of the year, I did something I’ve never done before: I made a new year’s resolution. From here on out, I pledged, I would install only digitally signed software I could verify hadn’t been tampered with by someone sitting between me and the website that made it available for download.

It seemed like a modest undertaking, but in practice, it has already cost me a few hours of lost time. With practice, it’s no longer the productivity killer it was. Still, the experience left me smarting. In some cases, the extra time I spent verifying signatures did little or nothing to make me more secure. And too many times, the sites that took the time to provide digital signatures gave little guidance on how to use them. Even worse, in one case, subpar security practices of some software providers undercut the protection that’s supposed to be provided with digitally signed code. And in one extreme case, I installed the Adium instant messaging program with no assurance at all, effectively crossing my fingers that it hadn’t been maliciously modified by state-sponsored spies or criminally motivated hackers. More about those deficiencies later—let’s begin first with an explanation of why digital signatures are necessary and how to go about verifying them.

By now, most people are familiar with man-in-the-middle attacks. They’re waged by someone with the ability to monitor traffic passing between an end user and a website—for instance, a hacker sniffing an unsecured Wi-Fi connection or the National Security Agency sniffing the Internet backbone. When the data isn’t encrypted, the attacker can not only read private communications but also replace legitimate software normally available for download with maliciously modified software. If the attack is done correctly, the end user will have no idea what’s happening.

Even when Web connections are encrypted with the HTTPS standard, highly skilled hackers still may be able to seed a website with malicious counterfeit downloads. That’s where digital signatures come in.

A prime candidate for such an attack is the OTR plugin for the Pidgin instant messenger. It provides the means to encrypt messages so (1) they can’t be read by anyone monitoring the traffic sent between two parties and (2) each party can know for sure that the person on the other end is, in fact, who she claims to be. Fortunately, the OTR installer is provided through an encrypted HTTPS connection, which goes a long way to thwarting would-be man-in-the-middle attackers. But strict security practices require more, especially for software as sensitive as OTR. That’s why the developers included a GPG signature users can check to verify that the executable file hasn’t been altered in any way.

[…]


[ISN] CarolinaCon-11 is coming – March 20th-22nd 2015

Forwarded from: Vic Vandal

h4x0rs, InfoSec geeks, script kidz, posers, and friends,

CarolinaCon is back for its 11th year, which is also billed as “the last CarolinaCon as we know it”. For about the price of your average movie admission with popcorn and a drink ($20), YOU are invited to join us for yet another intimate and informative weekend of hacking-related education. This year’s event will be held on the weekend of March 20th-22nd 2015 in Raleigh NC at the North Raleigh Hilton (Midtown).

The currently chosen lineup includes more presenters named Old Gregg than you’ll find at any conference anywhere, along with other esteemed individuals, such as;

– Have you ever drunk Bailey’s from a shoe? (aka Pen-Testing & Social Engineering Convergence) – Old Gregg (smrk3r)
– Cryptocurrency Laundering Theory for Fun and Retirement – Old Gregg (myddrn)
– How to design your “You got hacked” page – Old Gregg (digital shokunin)
– Electronics Engineering for Pen-Testers – Old Gregg (melvin2001)
– Phony Business – What Goes Around Comes Back Around – Unregistered & Snide
– Elevator Obscura: Industry Hacks & Answers to all Your Odd Questions About Those Magical Moving Rooms – Howard Payne & Deviant Ollam
– Rethinking the Origins of the Lock – Schuyler Towne
– RedneckSec – @th3mojo
– Cyber War Stories – Andrew Shumate
– One Step Closer to the Matrix: Machine Learning and Augmented Reality in Networking – Rob Weiss & John Eberhardt
– I live in a van and so can you – Mark Rickert, aka Matt Foley
– Drilling Deeper with Veil’s PowerTools – Justin Warner (@sixdub) & Will Schroeder (@harmj0y)
– Hacker’s Practice Ground – Lokesh Pidawekar
– Social engineering is bullsh*t, call it what it is – surpherdave
– Anatomy of Web Client Attacks – Jason Gillam
– Art of Post-infection Response and Mitigation – chill
– SPAM, Phish and Other Things Good to Eat – Joshua Schroeder / JoshInGeneral

…..and potentially 1-2 other l33t talks that we might be able to squeeze in!

Side events currently on tap include;

– Capture The Flag
– Mobile Museum of Vintage Technology
– Lockpicking Village
– Hacker Trivia
– Android Netrunner
– Pulp Fiction Canonical Drinking Game
– “Unofficial” Shootout (details at http://hackers.withguns.com/)

For those traveling to the event or who simply want to stay at the Hilton venue throughout, hotel rooms at the special CarolinaCon group rate can be reserved via this link.
http://www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20150319/index.jhtml?WT.mc_id=POG

ALERT: The special group rate is only available until February 20th, so book now if interested.

For other exciting details as they develop stay tuned to:
http://www.carolinacon.org

If you have any important questions about the event that are NOT answered in website content you can send an email to;
info@carolinacon.org

Peace,
Vic


[ISN] Capture the Flag: Meet the team bossing one of the toughest hacking competitions around

http://www.zdnet.com/article/capture-the-flag-meet-the-team-bossing-one-of-the-toughest-hacking-competitions-around/
By Michiel van Blommestein
February 2, 2015

Nobody doubts that the amount of tech talent that Poland has at its disposal is substantial, and a team of security specialists’ triumph in the recent Capture the Flag series of hacking contests seems to confirm it’s not short of ability, even when some parts of the country’s own cybersecurity could use some improvement.

Poland’s winning team was Dragon Sector, a group which currently consists of 13 active members from organisations including Google, the Polish CERT, as well as students.

In a whole series of events, Dragon Sector competed in various tasks to show their hacking prowess and cyberdefence skills. Among the challenges were solving a number of problems within a set time period, and gaining access to opposing servers while trying to keep their own network safe. Out of the total 33 on-site events they attended, Dragon Sector won seven and took runner-up or third place for a further 18. Other recent high-profile wins for Dragon Sector include last year’s Positive Hack Days Capture the Flag (CTF) in Moscow and Hack.lu CTF in Luxembourg.

[…]


[ISN] Obama talks cybersecurity, but Federal IT system breaches increasing [Updated]

http://arstechnica.com/tech-policy/2015/01/obama-talks-cybersecurity-but-federal-it-systems-breaches-increase/
By David Kravets
Ars Technica
Jan 20, 2015

Update: This post was updated Tuesday evening to reflect comments the president made during his State of the Union address:

President Barack Obama urged Congress and the American public to embrace cyber security legislation during his State of the Union address Tuesday evening. The Cyber Intelligence Sharing and Protection Act, known as CISPA, was unveiled by Obama a week ago and is controversial because it allows companies to share cyber threat information with the Department of Homeland Security—data that might include their customers’ private information.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. So tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe,” the president said without identifying his CISPA proposal and others by name.

New research out earlier Tuesday from George Mason University, however, calls into question how effective Obama’s proposal would be. That’s because the federal government’s IT professionals as a whole have “a poor track record in maintaining good cybersecurity and information-sharing practices.” What’s more, the federal bureaucracy “systematically” fails to meet its own federal cybersecurity standards despite billions of dollars in funding.

According to a paper by Eli Dourado, a George Mason research fellow, and Andrea Castillo, manager of the university’s Technology Policy Program:

[…]


[ISN] FBI wants you to become a cyber agent

http://www.networkworld.com/article/2863395/security0/fbi-wants-you-to-become-a-cyber-agent.html
By Michael Cooney
LAYER 8
Network World
Jan 5, 2015

With its increased emphasis on Internet crime it might come as small surprise the FBI is now looking to bulk up its cyber agent workforce.

The agency in a job posting that is open until Jan. 20 said it has “many vacancies” for cyber special agents to investigate all manner of cyber crimes from website hacks and data theft to botnets and denial of service attacks.

To keep pace with the evolving threat, the Bureau is appealing to experienced and certified cyber experts to consider joining the FBI to apply their well-honed tradecraft as cyber special agents, the agency stated.

Key requirements to be a special agent include passing a rigorous background check and fitness test. Agents must be at least 23 and no older than 37. Prospective cyber special agents are expected to meet the same threshold as special agents, but also have a wealth of experience in computers and technology. Preferred backgrounds include computer programming and security, database administration, malware analysis, digital forensics, and even ethical hacking. An extensive list of sought-after backgrounds and certifications can be seen on the job posting, the FBI noted.

[…]
