Tag Archives: wonder

[ISN] Why I Hope Congress Never Watches Blackhat

http://www.wired.com/2015/01/why-i-hope-congress-never-watches-blackhat/
By Kevin Poulsen
Threat Level
Wired.com
01.16.15

What a strange time. Last week I was literally walking the red carpet at the Hollywood premiere of Michael Mann’s Blackhat, a crime thriller that I had the good fortune to work on as a “hacker adviser” (my actual screen credit). Today, all I’m thinking is, please, God, don’t let anybody in Congress see the film.

I’ll explain my anxiety in a minute. First, the movie: Mann, the legendary director of hardboiled crime films like Heat, Collateral, and Miami Vice, always has been a stickler for authenticity, and he brought me into Blackhat as an adviser early on, before it had a title or a lead actor.

If you’re wondering how one gets involved in a Michael Mann film, here’s how it works: Mann calls you on the phone. You think, “Why is Michael Mann calling me?” After a phone conversation and an interview in Los Angeles, you’re officially invited on board as a consultant. It turned out Blackhat’s screenwriter had read my cybercrime book Kingpin, and he’d suggested me to Mann.

When I showed up for my first consulting meeting, I expected to find a roomful of people crowded around a long conference table. Instead, it was just me and Mann, sitting in his office for five hours at a time. He had questions about malware, hacking, how modern computer intrusions play out.

For subsequent meetings, I was given the current iteration of the screenplay (watermarked with my name, lest I leak it to the Pirate Bay), and we went over it line by line, looking at dialogue, discussing tweaks to the hacking and forensics scenes, and working on some of the procedural elements in the plot.

Later, Mann brought in a second computer consultant, OkCupid hacker Chris McKinley, to write code for the movie and train leading man Chris Hemsworth in Linux basics, making Hemsworth officially the best-looking human to ever use a command line.

[…]

[ISN] Sony hack was good news for INSURERS and INVESTORS

http://www.theregister.co.uk/2015/01/15/sony_hack_was_good_news_for_insurers_and_investors/
By Mark Pesce
The Register
15 Jan 2015

Whoever hacked Sony Entertainment at the end of November changed information security forever. Where once hackers had been most concerned to gain access to the honeypots of credit cards and bank accounts, this theft had a different goal, one that became clear with the steady release of Sony’s most intimate secrets throughout December. This wasn’t about money. This was all about humiliation.

We now know way too much about the inner workings of one of the ‘Big Four’ film studios. The magic of cinema looks weak and ugly under close examination. Everything that once seemed lofty and businesslike has been exposed as little more than high school politics and juvenile name-calling. In the back of our heads, we wonder if the rich and powerful always talk trash outside the spotlight. Is Sony the exception



[ISN] Heartbleed Superbug Found in Utility Monitoring Systems

http://www.nextgov.com/cybersecurity/2014/05/heartbleed-superbug-found-utility-monitoring-systems/84637/
By Aliya Sternstein
NextGov.com
May 16, 2014

Software that monitors utility plants and other operations at several military installations has been found to be affected by the recently discovered superbug Heartbleed, when configured a certain way, according to the Homeland Security Department and the software’s manufacturer.

“The latest release of Schneider Electric Wonderware Intelligence Version 1.5 SP1 is not susceptible to the OpenSSL vulnerability. However, users have been known to reinstall Tableau Server, the vulnerable third-party component that is affected. Therefore, Schneider Electric Wonderware has issued a patch and a security bulletin addressing this vulnerability in all versions,” states a bulletin from the DHS Cyber Emergency Response Team.

Exploits made by hackers “that target this vulnerability are known to be publicly available” on the Web, DHS said.

Heartbleed is a defect in common Web encryption software that researchers discovered in early April. Wonderware servers, made by Schneider Electric, collect and analyze plant performance data through the Web. The company’s cyber team identified the bug in the third-party component.

[…]



[ISN] Thoughts on USG Candor to China on Cyber

http://www.lawfareblog.com/2014/04/thoughts-on-usg-candor-to-china-on-cyber/
By Jack Goldsmith
lawfareblog.com
April 8, 2014

Paul is skeptical about the USG’s unilateral briefing to Chinese officials on some of its cyber operations and doctrines that David Sanger discloses in the NYT. He argues that China is unlikely to reciprocate, he doubts the usefulness of the unilateral disclosure, and he wonders why the USG does not share the information with the American public. I think the matter is more complex.

First, it may be (as I have long argued) that greater candor by the USG vis a vis China is a necessary precondition to genuine progress on the development of norms for cyberoperations – both exploitation and attack. Unless we can credibly convey what we are doing and what we might do (and not do) in certain cyber situations, our adversaries will assume the worst and (a) invest in their own cyber programs to keep up – a classic arms race situation, and/or (b) interpret particular cyberoperations in a risk-averse fashion, in their least charitable light, which might induce unwarranted escalation in those contexts. Our adversaries will rationally assume the worst because, despite USG claims about its responsible use of cyber exploitations and attacks, the news is filled with reports about prodigious USG cyber-operations and aggressive plans in this realm. Indeed, as Sanger notes: “The Pentagon plans to spend $26 billion on cybertechnology over the next five years — much of it for defense of the military’s networks, but billions for developing offensive weapons — and that sum does not include budgets for the intelligence community’s efforts in more covert operations. It is one of the few areas, along with drones and Special Operations forces, that are getting more investment at a time of overall Pentagon cutbacks.”

Second, Paul is right to be skeptical about reciprocity by China. But it sounds like the United States didn’t give up much new information on U.S. doctrine for the use of cyberweapons. (Sanger states that “elements of the doctrine can be pieced together from statements by senior officials and a dense ‘Presidential Decision Directive’ on such activities signed by Mr. Obama in 2012.”) More importantly, the United States can in theory benefit from unilateral disclosure of doctrine and weapons capabilities even if China doesn’t reciprocate, for the unilateral disclosure might assist China in interpreting, and not misinterpreting, USG actions in the cyber realm – all to the USG’s advantage. As Sanger says, “American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the ‘red lines’ for employing nuclear weapons against each other.” In theory, unilateral information disclosure to China about the nature of USG cyberoperations can help China interpret USG actions properly, and can thereby help tamp down on the possibility of mistaken escalation by China; and the USG might also in this manner help China to see the benefits to itself in disclosure to the USG.

[…]



[ISN] The good hacker: the wonderful life and strange death of Barnaby Jack

http://metromag.co.nz/current-affairs/the-good-hacker-barnaby-jack/
By Donna Chisholm @Donna_Chisholm
metromag.co.nz
March 18, 2014

From schoolboy dropout to world-famous hacker, Auckland-born Barnaby Jack lived hard and died young. On the way, he changed the technological world.

The Jagermeister shot glasses are piling up along with the stories in the outside bar of Galbraith’s in Mt Eden Rd. It’s a stormswept Sunday in January, the six-month anniversary of the death of Barnaby Jack. A dozen of his friends are here to remember him in a pub he loved. Tonight, to them, he’s “Barnes”, their mate, not Barnaby Jack, the man the world knew as the elite hacker who could make ATM machines spew money, insulin pumps inject a lethal dose and heart pacemakers explode at a single command from a laptop



[ISN] Are we about to witness a full-on cyber-war between Russia and Ukraine?

http://www.itproportal.com/2014/03/04/are-we-about-to-witness-a-full-on-cyber-war-between-russia-and-ukraine/
By Fahmida Y. Rashid
ITProPortal
04 Mar 2014

Russia has invaded Ukraine. Well, at least the province of Crimea. Are we about to see cyber-war unfold?

After months of hearing about cyber-war, cyber-espionage, and attacks against critical infrastructure, it’s only natural to wonder if the physical conflict between Russia and Ukraine is about to spill over into cyberspace. Most countries, the United States included, have a cadre of forces trained in digital attacks and defences, and this kind of provocation seems like the perfect scenario to unleash them. Also, it wouldn’t be anything new for the Russians, since they have already been accused of coordinating their military activities with cyber-attacks (namely distributed denial-of-service attacks) in their conflicts with Georgia and Estonia back in 2007 and 2008.

Ukraine, cyber-spy

However, much of the cyber-activity in this conflict may come from the Ukrainians. “While the Ukraine is inferior in conventional warfare, they have phenomenal hackers who can steal intelligence from the Russians, intelligence that could become very valuable as the Ukraine reaches out for help from the international community,” said McCall Paxton, a SOC analyst at Rook Security.

[…]



[ISN] EC-Council Website Defaced Twice In A Weekend [Updated]

http://www.infosecnews.org/ec-council-website-defaced-twice-in-a-weekend/
By William Knowles
Senior Editor
InfoSec News
February 23, 2014

Today’s defacement of the EC-Council (the second time this weekend) by Eugene Belford (a.k.a. The Plague) threatens the compromise of the 60,000+ security professionals who currently hold CEH certifications.

Individuals who have achieved EC-Council certifications include the US Army, the FBI, Microsoft, IBM, the United Nations, National Security Agency (NSA). Also the United States Department of Defense has included the EC-Council Certified Ethical Hacker program in its Directive 8570, making it one of the mandatory standards to be achieved by Computer Network Defenders Service Providers (CND-SP).

In the most recent defacement, Eugene Belford has stated that “P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials” leading the InfoSec News staff to believe, considering the mail on the defacement page is from Edward Snowden’s Yokota Air Base e-mail asking for an exam code, with a copy of his U.S. Passport and a letter from John A. Niescier, an Information Security Officer with the Department of Defense Special Representative, Japan stating that he has verified Edward J. Snowden has at least five years professional information security experience in the required domains, that Eugene Belford has potentially sixty thousand other similar statements from undercover law enforcement agents, intelligence professionals, and members of the United States Military, creating an additional quagmire and leaving you wondering why the EC-Council has all this personally identifiable information sitting unprotected online?

[…]



[ISN] Moderators Note for December 2013 – New mailing list

Over the last few months I have been fielding questions from subscribers wondering if there is any way to get complete news articles, akin to how InfoSec News was run in the past. The reason the list only forwards four paragraphs of a story was because of Righthaven’s [1] business model and the fear of getting sued by copyright holders. Under the advice of legal counsel, we went with this format.

[1] https://en.wikipedia.org/wiki/Righthaven

So I am researching a paid version of InfoSec News, as companion to the free list, complete news articles with no advertising signature at the bottom, or moderators notes, unless there would be a brief service interruption. Archived only for subscribers of the paid service.

If you’re interested in this new list, please reply if you, or your organization would be interested in this service, if paying $50 or $100 a year (or more) to receive five to seven messages a day, five to seven times a week would be a good value to you.

A few other options available to readers of InfoSec News:

InfoSec News on Twitter
https://twitter.com/infosecnews_

Shop InfoSec News – Best Selling Security Books & More!
http://www.shopinfosecnews.org/

Looking for a new security opportunity or trying to find a new security rockstar for your company? Visit Hot InfoSec Jobs – http://www.hotinfosecjobs.com/

The proceeds from viewing jobs, posting jobs or buying books help keep the lights on at InfoSec News, and donations are always welcome!

Thank you for your time!

Sincerely,
William Knowles @ InfoSec News
www.infosecnews.org

