Thursday, February 28, 2013

International cyberwar intensifies (video)

Newly released reports tie years of cyber attacks against the U.S. to the Chinese military, triggering the potential for more aggressive action from the White House. We look back at a Washington Post special report on how cyberspace has become the modern-day battleground for national security. The Fold/ The Washington Post

more news below

Tuesday, February 26, 2013

FBI employees commit computer crimes

FBI employees, entrusted with stopping computer crimes, commit them too | Ars Technica: " . . . Thanks to the FBI's Office of Professional Responsibility (OPR), which rounds up accounts of these infractions and distributes the cautionary tales to employees each quarter, we get glimpses of the seedier side of life inside the agency. CNN has obtained a recent set of these memos (after obtaining earlier ones last year) that show employees sexting, breaking e-readers, viewing pornography in the office, improperly accessing databases, and even shoplifting "two ties from a local retailer. . . ."

Zendesk Security Breach Affects Twitter, Tumblr and Pinterest | Threat Level | "Customer service software provider Zendesk announced a security breach that allowed attackers into its system, where they could access data from three customers this week. Wired learned those three clients were Twitter, Pinterest and Tumblr. The San Francisco-based company announced the breach in a blog post published early Thursday night. Tumblr notified affected users in a tweet at 6:35 p.m. Pacific time; Twitter and Pinterest are expected to do so shortly. Zendesk declined to comment beyond its blog post, titled, appropriately, “We’ve been hacked.” The post reads in part:

"We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response."

Exposé of Chinese Data Thieves by Mandiant Reveals Sloppy Tactics | MIT Technology Review: " . . . Mandiant’s report comes a week after President Obama announced a new effort to defend the U.S. against computer attacks that he said were being used to steal corporate secrets and even lay the groundwork for sabotage of energy infrastructure (see “Obama Announces Plan to Shore Up Cyber Defenses”). Mandiant reports that the group it tracked, dubbed APT1, has stolen hundreds of terabytes of sensitive commercial data from at least 141 companies since 2006, and also breached Telvent, a Canadian company whose software is used to remotely manage energy infrastructure. Mandiant alleges that APT1 is part of Unit 61398 of the Chinese army, and is engaged in a campaign to perform industrial espionage to aid Chinese companies and gather intelligence that could be used for computer-based attacks against U.S. energy infrastructure. Most victims were in the U.S. but companies in Canada, the U.K., South Africa, and Israel were also targeted. Mandiant, which helps companies respond to targeted attacks on and infiltration of their computer networks, bases its claims on information from many cases involving the APT1 group over the past six years. In many cases, Mandiant employees covertly watched APT1 operatives at work inside victims’ computers. . . ."


Saturday, February 23, 2013

Can You Hack Chrome OS? Google Might Give You $3 Million

Can You Hack Chrome OS? Google Might Give You $3 Million | News & Opinion | "Pwnium 3 will take place at the CanSecWest security conference in Vancouver on March 7. Google said it has been working with the Zero Day Initiative (ZDI) on the conference's rules and decided that since Chrome is already featured in the larger Pwn2Own competition, Pwnium 3 will have a new focus: Chrome OS, Google said. Google promised to dole out up to $3.14159 million in rewards, including $110,000 for each browser or system level compromise in guest mode or as a logged-in user, delivered via a Web page; and $150,000 for each compromise with device persistence - guest to guest with interim reboot, delivered via a Web page. Google might issue partial rewards, depending on what people create."

Inside the Ring: New al Qaeda threat - Washington Times: "A jihadist website posted a new threat by al Qaeda this week that promises to conduct “shocking” attacks on the United States and the West. The posting appeared on the Ansar al Mujahidin network Sunday and carried the headline, “Map of al Qaeda and its future strikes.” The message, in Arabic, asks: “Where will the next strike by al Qaeda be?” A translation was obtained by Inside the Ring. “The answer for it, in short: The coming strikes by al Qaeda, with God’s Might, will be in the heart of the land of nonbelief, America, and in France, Denmark, other countries in Europe, in the countries that helped and are helping France, and in other places that shall be named by al Qaeda at other times,” the threat states. The attacks will be “strong, serious, alarming, earth-shattering, shocking and terrifying.”"

Threats to cyber-freedom, domestic and foreign | from the Philippines Sun.Star: "Cybercrime is certainly a problem that needs to be addressed. We definitely need an Anti-Cybercrime law, but there are good and bad ways to fight cybercrime. Good ways preserve the open, inclusive and dynamic nature of the Internet, while punishing people that exploit that openness for crimes such as fraud or child abuse. Bad ways tackle the issue like a sledgehammer, granting excessive powers to governments or trans-national agencies that infringe civil liberties and stifle innovation. The issues become much clearer when we treat the Internet as we would any other part of the economy, both national and global, and focus on what the overarching, long term goals of our nation (Philippines) are."

FBI launches $1B ID search program | ZDNet: "The Federal Bureau of Investigation (FBI) is stepping up in its quest to exploit new technology to hunt down criminals, investing in a new system steeped in biometrics. The FBI's $1 billion Next Generation Identification (NGI) program's aim is to significantly improve the existing fingerprint identification service. The ambitious project may raise the hackles of privacy advocates, but the FBI is intent on including facial recognition, iris scanning, DNA analysis and voice identification tech as the new face of criminal investigation -- reliability and accuracy concerns aside."

FBI turns up heat in hunt for Stuxnet leakers | ZDNet: "The FBI and US prosecutors are analysing email accounts and phone records as well as interviewing current and former officials in a search to find links to journalists, according to the report on Saturday. The investigation is likely to centre on a small circle of senior officials, given the highly classified nature of the cyberattacks against Iran, details of which were published in a report by The New York Times in June 2012. The report said Stuxnet was the product of a joint effort between the US government and Israel's military, codenamed 'Olympic Games'. The programme began in the Bush Administration in 2006 and was accelerated under Obama's command."


Thursday, February 21, 2013

Beware sophisticated Twitter phishing scams

Beware sophisticated Twitter phishing scams | ZDNet: "As most ZDNet readers know, phishing scammers find ways to forge emails from legitimate sites, hoping to get your personal details such as name, social security number, password, and so on. These forged emails often appear to come from financial institutions, so the scammer can access your bank account. The latest variant of this scam uses a hijacked Twitter account to send out direct messages that appear completely legitimate. The message contains a link that sends the recipient to a Twitter login page, which again appears absolutely real. However, in this case, that login page is actually hosted by identity thieves and not by the real Twitter company. In other words, it's a fake Twitter site."

Hackers: The Next American G.I. Joes?: " . . . the Pentagon seeks to vastly expand its cyber warfare efforts, experts and hackers warn that hackers who have the skills to wage this war are not a good fit for America’s straight-laced military culture. In short, potential soldiers in cyber warfare break the military mold. The Defense Department’s Cyber Command plans to add up to 4,900 workers in the coming years. But to fill these positions, the Pentagon will have to tap into an odd recruiting pool: people known more for their distrust of authority and for their belief in open information than their commitment to protecting the country, according to Todd Harrison, a senior fellow for defense budget studies at the Center for Strategic and Budgetary Assessments."

Lots of new 'smart' features for home security systems - By George Avalos
In an era dominated by smart mobile devices, security systems also are becoming more intelligent. They enable customers to use phones, tablets and computers to turn alarms off and on from remote locations, as well as to receive text or other alerts if something is awry in the residence. People can also use their devices to control lights, heating and cooling systems, doors and small appliances. "The idea is a system that lets you control your entire home environment," said Eric Taylor, a vice president with Pacheco-based Bay Alarm.
David Hood, president of Aptos-based First Alarm, adds that the new systems give consumers "real peace of mind that they are connected to their system from anywhere." For example, a person might forget to set the alarm before leaving the house. Or maybe he or she set the alarm, but grandma and grandpa are coming over and don't know the password to turn off the alarm. Now that person can pull out a smartphone or tablet, connect to the alarm system through a secure digital portal, and operate the security network as if at home punching numbers on the alarm box. The systems work with Android- or Apple-based mobile devices, alarm companies say. . . . "

DOJ Seeks Delay of Sprint-Softbank Deal, Cites National Security | News & Opinion | "Justice Department has asked that the Federal Communications Commission pause its review of the pending merger of Softbank and Sprint, citing national security. . . . Jennifer Rockoff, an attorney adviser with the DOJ's national security division, said the DOJ, FBI, and Department of Homeland Security requests that the FCC "defer action" on the Sprint-Softbank merger because the agencies are "currently reviewing this matter for any national security, law enforcement, and public safety issues, but have not yet completed that effort." The DOJ wants the FCC to hold off until that review is complete, but did not indicate how much more time it would need. "DOJ, FBI, and DHS will advise the Commission promptly upon completion of our review," Rockoff wrote."


Tuesday, February 19, 2013

US Gov urged to pardon Gary McKinnon and recruit more hackers

Pardon Gary McKinnon and recruit more hackers, US government urged | World news | " . . . A leading military thinker has urged President Barack Obama to pardon the British computer hacker Gary McKinnon as part of a wider bid to recruit "master hackers" to US Cyber Command. John Arquilla, a professor of defence analysis at the US Naval Postgraduate School, said forgiving McKinnon – who faced extradition for hacking into Pentagon and Nasa systems – could encourage other hackers to become government cyber warriors. "If the notion of trying to attract master hackers to our cause is ever to take hold, this might be just the right case in which President Obama should consider using his power to pardon," Arquilla wrote in the journal Foreign Policy. "One presidential act of mercy, such as in the case of McKinnon, won't entirely repair relations or build trust between hackers and the government, but it would be a strong signal of officialdom's growing awareness of the wisdom of embracing and employing the skills of these masters of their virtual domain. . . ."

Crowdsourcing Continues to Aid in Solving Crimes - Daily Crowdsource: " . . . When the site was launched in April 2011, the FBI received countless tips from the crowd. Some believed that the notes have something to do with driving directions which the victim wrote on the paper (e.g. “tun-se” = turn south east, “rne” = right north east). Many think that Rick McCornick dealt drugs and that the codes were his customers' addresses. One amateur code-cracker guessed that the code was an unfinished song, since it contained rhythmic elements as well as traces of rhymes. Another one guessed that the author of the code could be dyslexic, since people suffering from the disorder often omit certain letters. Still, others were able to decode the word “place”. Standard routes of cryptanalysis seem to have hit brick walls. Maybe someone with a fresh set of eyes might come up with a brilliant new idea. . . . McCornick's murder still ranks among the top unsolved murder cases in the US. In the meantime, the FBI created its own crowdsourcing website where you can read about victims and follow investigations. Anyone with an Internet connection can get cryptography tips and make an attempt at cracking the code. . . . "

Protect your laptop from theft and hackers - CBS News: " . . . there are some fairly painless things you can do to dramatically enhance security. Secure it. There's no better way to keep your laptop from disappearing than to lock it down using an ordinary Kensington-style lock. They come in both key and combo varieties, and you can use a lock to secure your laptop in the office, in a hotel room or even at the coffee shop. Password-protect Windows . . . ."

Google's Chrome Browser Issues Malware Warnings For Major Sites: "Those trying to reach major web sites ranging from The Huffington Post to CNET and using Google’s Chrome browser may be getting blocked, as Chrome puts up a “Danger: Malware Ahead” warning."

After Evasi0n, iOS Hackers Have More Exploits In Store For Apple - Forbes: "But in the end, the evad3rs didn’t replace just one component of their jailbreak before releasing it. According to David Wang, one of the four hackers who worked on evasi0n, the team was able to swap out all of it with lower-value exploits except one element targeting a bug used for executing code in an iOS device’s kernel, the deepest, most protected part of the operating system. All the other bugs used in evasi0n are “redundant,” he says, meaning the hackers have found similar, backup bugs they can use even if the newly exposed ones are patched by Apple."


Saturday, February 16, 2013

Yandex email for secure communications?

Russia’s Yandex stacks up against Google - John Dvorak's Second Opinion - MarketWatch: " . . . What makes these offerings so interesting to me? For one thing, they are less susceptible to U.S. government snooping, which according to most sources, is rampant. Nobody has convinced me that the government is not looking at all electronic communications all the time. Most Americans do not seem to care about their privacy, but some do. Google shows an ever growing number of requests by the government to obtain information about all web activity of various individuals. Not that the Russians would be any better, but they are probably more like our government and more interested in snooping on their own people rather than snooping on cautious Americans. . . . Executives and investors often need secure back channel communications. It’s hard to know what is secure, but sometimes you can be secure by being obscure. Yandex, right now, fills that bill."

Cyber crime a security problem
The Australian
Julia Gillard's nomination of cyber security as a key national defence priority has been affirmed by the startling disclosures emerging of the extent to which Chinese hackers have forensically targeted some of the world's most influential newspapers ...

Latest Cyber Attack By Alleged 'Chinese Hackers' May Be The Most Dangerous ...
Business Insider
Heads of state all across the globe have both expressed concern for cyber related espionage as well as put forward legislation to stand up military and government cyber security arms. Washington has even gone so far as to state that a cyber attack on ...

Amidst Cyber Attacks, Japan Hosts First Hackathon
PC Magazine
But in recent months, Japan has faced a number of cyber attacks, including a January attack on the Japanese Ministry that resulted in the theft of 3,000 classified documents. The hacks came after Japan purchased the Senkaku/Diaoyu islands, ... Similar ...

US may use preemptive cyber strikes
Saudi Gazette
WASHINGTON — A secret legal review has concluded that the US president has the power to order preemptive cyber strikes if the United States discovers credible evidence of a major digital attack against it is in the offing, The New York Times reported ...


Obama can 'order pre-emptive cyber-attack' if US faces threat
Summary: According to a source speaking to The New York Times, President Obama can authorize a 'pre-emptive strike' against a nation if U.S. national security is at risk. ... At a time where the U.S. continues to ...


US law permits pre-emptive cyber strikes
Sydney Morning Herald
If the president approves, it can attack adversaries with a destructive code - even if there is no declared war. The review came as the US approved a five-fold expansion of its cyber-security force over the coming years in a bid to increase its ability ...



Thursday, February 14, 2013

FCC botched cyber-security planning after breach

FCC botched cyber-security planning after breach, report says
Washington Post (blog)
The Federal Communications Commission mishandled the early part of a cyber-security plan it initiated after a network breach in September 2011, according to a recent report from Congress's watchdog agency. An analysis from ...

NY Times Privately Repels China's Cyber Attack
The way to handle Cyber Security is through the efficient, expert private sector. ... But we have for Cyber Security a far better model to emulate – the military ...

Top Israeli Venture Firm to Open Cyber Security Incubator in May
Private Equity Hub (press release)
Six years ago, Jerusalem Venture Partners created a digital media incubator, and the experiment has gone so well that this May, the 20-year-old firm — among Israel's best known and most successful venture outfits — is opening its second incubator.

Executives overrate cyber security level
Bangkok Post
A recent study of information security shows that executives globally are overconfident of the cyber security levels of their own companies, increasing the risk for cyber crime. In its 10th annual survey, Global State of Information Security 2013, the ...

Cyber security infra to be established soon
Times of India
NEW DELHI: The National Security Council headed by the prime minister is set to approve the final draft of a national cyber security architecture in the next few weeks, even as cyber intrusions, mostly from China, continue to target government networks.


Obama's Cyber Defense Leaves the Back Door Open
The Fiscal Times
He warned that foreign cyber actors are probing our critical infrastructure, creating “tools to attack these systems and cause panic and destruction and even the loss of life.” His comments were also intended to drum up support for ... Sadly, most who ...


Cyber attack hits Bashas' chain of stores
Pinal County authorities said hundreds of reports of fraudulent credit/debit card transactions have been linked to a cyber attack on a chain of grocery stores. ... "Bashas' is and has been compliant with all Payment Card Industry (PCI) security ...

Researchers warn of cyber flaws in Honeywell control systems
Yahoo! News (blog)
The Niagara control system from Honeywell International Inc's Tridium division is configured to connect to the Internet by default, even though that is not necessary for it to function, two researchers from security firm CyLance said at a security ...

US to complete elaboration of cyber war doctrine
The Voice of Russia
A top-secret document, the cyber warfare doctrine was specifically hammered out by Deputy National Security Advisor for Homeland Security and Counterterrorism John O. Brennan, who will soon become the new CIA director. Earlier, it was Brennan who ...


The cloud creates cyber-security concerns
Fleet Owner (blog)
“The lack of appropriate security has already allowed a number of destructive cyber-attacks to lay waste to some of the most high-profile companies in the oil and gas industry,” added Michela Menting, senior cyber security analyst for consulting firm ...


Cyber Terrorism Will Be the Greatest National Security Threat in the 21st Century
The “cyber threat” is the single greatest threat to the national security of the U.S., as it appears now and in the future; the infrastructure of warfare is changing. The foundation of all things combative is the internet. Every creature comfort we ...


White House Cyber Security Order Expected ... - SANS NewsBites
FBI agents and Energy Department officials are investigating the attack on servers at the Washington headquarters of the National Nuclear Security Administration at the U.S. Department of Energy. They believe the sophisticated penetration attack was not ...


Tuesday, February 12, 2013

Google's Eric Schmidt on drone wars, virtual kidnaps and privacy for kids

Google's Eric Schmidt: drone wars, virtual kidnaps and privacy for kids | Technology | "Google's chairman has sketched out a future world in which cyberterrorists are targeted by government drone strikes, online identities are taken hostage and held for ransom, and parents explain online privacy to their children long before the subject of sex. Eric Schmidt also said that his recent trip to North Korea had shown that the population there lives in an "utter information blackout" – but that change was certain to come, as well as for the 5 billion people worldwide not yet connected to the internet, for whom connectivity would bring enormous benefits and transform their lives. Speaking to an audience at Cambridge University, in the first of a number of speeches outlining his view of the technological future, Schmidt said that he thought change would come "slowly and incrementally" to North Korea as the use of mobile phones spread, and with it information. Google has already updated its maps of the country since Schmidt's visit using "citizen mappers" inputting information to its Mapmaker software. . . . "

On the eve of a battle to confirm his pick for America's CIA chief, President Barack Obama agreed Wednesday to let a small group of lawmakers look at a long-sought, classified Justice Department opinion explaining his administration's legal justification for targeted killings of American terror suspects in other countries. The secret legal memo has become a flash point in the nomination of White House counterterrorism chief John Brennan to become director of the Central Intelligence Agency. Lawmakers this week wrote to Mr. Obama demanding the release of Justice Department documents that they first began seeking soon after a U.S. missile struck the vehicle carrying the radical, American-born cleric Anwar al-Awlaki in September 2011, killing him.

Kaspersky antivirus update cripples Internet for thousands of Windows XP machines - The Next Web: " . . . The good news is that Kaspersky issued an update on Tuesday morning to address the problem. The bad news is that in many cases it will require user intervention: the update should install automatically but some users will have to disable the Web protection component first. For its part, Kaspersky responded in the forum about three hours after the initial post with an apology. Two hours later, the company apologized again, released the fix and accompanying instructions. The security firm asked users to first “please disable the Web AV component of your protection policy for your managed computers”. . . . "

Microsoft and Symantec Take Down Bamital Botnet That Hijacks Online Searches - The Official Microsoft Blog - Site Home - TechNet Blogs: "As reported by Reuters earlier today, the Microsoft Digital Crimes Unit, in collaboration with Symantec, has taken down the dangerous Bamital botnet which hijacked people’s search results and took them to potentially dangerous websites that could install malware onto their computer, steal their personal information, or fraudulently charge businesses for online advertisement clicks. Microsoft and Symantec’s research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google. Because this threat exploited the search and online advertising platform to harm innocent people, Microsoft and Symantec chose to take action against the Bamital botnet to help protect people and advance cloud security for everyone."

Fed Says Hackers Breached Internal Site | Fox Business: " . . . OpLastResort, which is linked to Anonymous, a loosely organized group of hacker activists who have claimed responsibility for scores of attacks on government and corporate sites over the past several years. OpLastResort is a campaign that some hackers linked to Anonymous have started to protest government prosecution of computer prodigy Aaron Swartz, who committed suicide on January 11. The Fed declined to identify which website had been hacked. But information that it provided to bankers indicated that the site, which was not public, was a contact database for banks to use during a natural disaster. A copy of the message sent by the Fed to members of its Emergency Communication System (ECS), which was obtained by Reuters, warned that mailing address, business phone, mobile phone, business email, and fax numbers had been published."


Saturday, February 9, 2013

The Password is Broken

Google Declares War on the Password | Wired Enterprise | "2012 may have been the year that the password broke. It seemed like everyone on the internet received spam e-mail or desperate pleas for cash — the so-called “Mugged in London” scam — from the e-mail accounts of people who had been hacked. And Wired’s own Mat Honan showed everyone just how damaging a hack can be. The guys who hacked Honan last August deleted his Gmail account. They took over his Twitter handle and posted racist messages. And they remote-wiped his iPhone, iPad, and laptop computer, deleting a year’s worth of e-mails and photographs. In short, they erased his digital life. Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be."

Google 'Ad Cops' Police Web for Bad Advertisements | " . . . Google employs a mix of machines and humans to catch bad ads. Its first line of defense is software that searches for ads with specific attributes Google finds unsavory. For example, ads related to online gambling automatically get snagged because the practice is illegal in the U.S. Because the automated system isn’t perfect, Google also relies on actual humans to determine some ads’ legitimacy. And even then, about 2% to 3% of accounts that are shut down are overturned after being mistakenly suspended. . . . "

Microsoft Security Essentials fails anti-virus certification test, Redmond challenges results | The Verge: "Microsoft's popular Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute. In antimalware testing against a range of products, AV-TEST failed to certify AhnLab V3 Internet Security 8.0, Microsoft Security Essentials 4.1, and PC Tools Internet Security 2012 out of a total of 25 different vendors. Microsoft's own anti-virus software failed to adequately protect against 0-day malware attacks, scoring an average of 71 percent vs. the industry average of 92 percent."


Thursday, February 7, 2013

DHS Unable To Define 'Homeland Security'

Department of Homeland Security Unable To Define 'Homeland Security' | Techdirt: "The problem with large government agencies is "feature creep." If given a broad enough area to cover, years of territorial expansion and absorption of "related" entities will render the agency nearly unrecognizable from its original form. Not only that, but any stated directive or focus will have been lost, abandoned or hopelessly mutated as well. If the government agency was crafted in "response" to a tragic event, the problem is both magnified and accelerated. As Wired reports, slightly more than a decade on from its formation, the Department of Homeland Security is having trouble defining the very thing it's in charge of. What is “homeland security?” The federal bureaucracy doesn’t know, and that’s problematic for a government that has been fighting the ill-defined “war on terror” following 9/11, according to a new report from the Congressional Research Service. "

California AG has privacy recommendations for mobile industry - " . . . California's top law enforcement officer on Thursday issued a list of recommended "best practices" for app developers, advertising networks and others in the mobile Internet industry. The recommendations from Attorney General Kamala Harris are believed to be the first to come from a state-level official in this country, at a time when the industry and federal authorities are wrestling with growing concerns about the amount of personal data that is transmitted and shared when people play online games or use other services. "Obviously there are a lot of incentives for people to collect more data," said Lee Tien of the Electronic Frontier Foundation, citing online businesses that gather consumers' personal data and then use it to deliver highly personalized services and advertising messages. "It's hard to say exactly what impact these recommendations will have, but I think they're pretty useful." In a 22-page report titled "Privacy on the Go," Harris urges app developers to consider measures that go beyond the state's legal requirement for online services to display a basic privacy policy to users. As an example, the report suggests creating brief notices that appear when consumers take certain actions, just before data is collected, so they can opt not to proceed. . . . "



Tuesday, February 5, 2013

China’s Cyberattacks — a policy discussion

China’s Cyberattacks — At What Cost? | ChinaFile: " . . . if U.S. policy is in part to advocate for human rights in China by enabling dissidents to communicate and subvert Chinese censorship--i.e., to do something to protect the very sorts of people who the Chinese hackers appear to have been looking for--then we have very little interest in international rules to restrict hacking. Presumably you don't hear about U.S. hacking in China because the National Security Agency’s tradecraft is a lot more solid (and it's lost in the noise of the tremendous insecurity and noise in domestic Chinese networks), as well as because the target set in our case is more focused on national security rather than economics. Furthermore, the activist hacking from the U.S. that isn't directly promoted by the U.S. government is hard to expose because if it is detected, as it must be often, then to publicize it the Chinese would have to publicly talk about internet controls which don't officially exist. . . . "

Twitter hacked, 250,000 users affected | ZDNet: "According to Bob Lord, Twitter's Director of Information Security, the attack was the work of professionals, and Twitter is actively cooperating with law enforcement in an attempt to prevent further damage caused by these attackers. What can you do to protect your Twitter account? Ensure that in case you receive a password-reset email from Twitter, it indeed points to Twitter's domain, as opportunistic cybercriminals could easily start impersonating Twitter, and mass mail millions of emails in an attempt to gain access to your account. If you do receive a password-reset email from Twitter, ensure that you're using a strong password, and that you've changed it from a malware-free host."
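The advice above comes down to one check: does the link in the reset email really point at the expected domain? The following is an added example (not from ZDNet, Twitter or this blog) of how to make that check robust. It assumes the expected domain is `twitter.com`; the sample links are constructed, and `evil.example` is a placeholder from the reserved `.example` TLD. The tricky cases it handles are a lookalike host that merely starts with the real domain, the real domain hidden in the path, userinfo before an `@`, a trailing dot, uppercase, and a non-web scheme.

```python
"""Verify that the link in a password-reset email points to the expected domain.
Added example, not code from the page or from Twitter. Sample URLs are constructed."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "twitter.com"  # assumption: the domain the email claims to come from


def link_host(url: str) -> Optional[str]:
    """Return the normalised host of a web URL, or None when it is not a usable http(s) link.
    urlsplit().hostname already drops userinfo ('user@'), drops the port and lowercases."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    # 'twitter.com.' (absolute DNS name) and 'twitter.com' are the same host.
    return parts.hostname.rstrip(".")


def points_to_domain(url: str, domain: str = EXPECTED_DOMAIN) -> bool:
    """True only when the host is `domain` itself or a subdomain of it.
    Rejects 'twitter.com.evil.example' (prefix lookalike), 'evil.example/twitter.com'
    (domain in the path) and 'twitter.com@evil.example' (real host is evil.example)."""
    host = link_host(url)
    if host is None:
        return False
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_reset_links(urls: List[str], domain: str = EXPECTED_DOMAIN) -> Dict[str, bool]:
    """Classify every link found in a reset email; any False is a reason not to click."""
    return {u: points_to_domain(u, domain) for u in urls}


# Constructed samples: one genuine-looking link, one odd-but-genuine spelling, and
# several spoofing patterns that a quick glance at the email would not catch.
SAMPLE_LINKS = [
    "https://twitter.com/account/reset?token=PLACEHOLDER",
    "https://TWITTER.COM./settings",
    "https://twitter.com.evil.example/account/reset",
    "https://evil.example/twitter.com/reset",
    "https://twitter.com@evil.example/reset",
    "http://tw1tter.com/reset",
    "ftp://twitter.com/reset",
]

if __name__ == "__main__":
    for url, ok in check_reset_links(SAMPLE_LINKS).items():
        print("OK " if ok else "BAD", url)
```

The suffix test uses `"." + domain`, not `domain` alone, so that `nottwitter.com` is rejected as well; a mail filter would run the same function over every `href` it extracts from the message body.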

50 million cameras exposed to hackers due to massive security breach — RT: " . . . Internet routers that use a protocol called Universal Plug and Play (UPnP) allow network-connected devices such as computers and printers to make themselves easily discoverable, but new research by the security firm Rapid7 shows that this discoverability can be exploited by hackers. Many routers are set to use UPnP by default, thereby subjecting all network-enabled devices using the router to the damage that hackers are able to inflict. As many as 50 million unique devices can be exploited and about 6,900 products are vulnerable to software bugs that have already been found in three different implementations of the protocol. Vendors including Cisco’s Linksys, Belkin, D-Link, and Netgear produce routers that make themselves and their connected devices susceptible to software bugs. . . . "

Saturday, February 2, 2013

Why crapware still exists

Why does crapware still exist? Follow the Silicon Valley money trail | ZDNet: "Oracle this week released an update for its widely used Java software, fixing a zero-day vulnerability that was being actively exploited to install malware via drive-by downloads. But before you begin patting Oracle on the back for its quick response, note two things about that update: It might not actually fix the underlying security issues. Along with the must-install security update, Oracle continues to include crapware. Yes, adding insult to injury, Oracle is actually making money and cheapening your web browsing experience by automatically installing the Ask toolbar, which in turn tries to change your default search engine and home page. I'm ready to move Oracle's Java to the top of my Foistware Hall of Shame, alongside Adobe, for crap like this."

Password life expectancy down to seconds | ZDNet: "Deloitte touched on some of the same issues that Forrester analyst Eve Maler called out last week in her report on passwords, the fact that end-users, unfairly, bear the burden of onerous password creation rules. Maler argued that passwords are not going away and that companies need to come up with better strategies for managing passwords and password policies. Deloitte offered its own solutions, including multi-factor authentication that incorporates tokens, biometrics, and out-of-band authentication such as messages sent to a mobile phone. Deloitte also recommended best practices such as security policies and monitoring as ways to protect passwords. . . ."

VXers exploit users' confusion over Java to punt fake update • The Register: " . . . ads for a Java exploit that supposedly attacks a brand-new vulnerability were offered for sale through an underground hacking forum at $5,000 a pop. The ad has since been pulled. Although the claim from cybercrooks that they have discovered yet another unpatched Java security hole remains unsubstantiated, the potential threat is all too credible. Metasploit founder HD Moore reckons that Oracle is sitting on a backlog of Java flaws that will take up to two years to patch, even without the appearance of further problems. . . . "
