Friday, May 29, 2015

Mysterious low-flying plane over Twin Cities raises questions of surveillance

From the StarTribune:


Mysterious low-flying plane over Twin Cities raises questions of surveillance


Aviation buff John Zimmerman was at a weekly gathering of neighbors Friday night when he noticed something peculiar: a small plane circling a route overhead that didn’t make sense to him.

It was dark, so a sightseeing flight didn’t make sense, and when Zimmerman pulled up more information on an aviation phone app he routinely checks, he had immediate concerns.

Orange County Public Schools to monitor students on social media

Not sure about how I feel on this one. From a professional point of view this is an invasion of privacy. Monitoring a child's social media use is a parent's responsibility, not a government entity's. The problem originates from parents not being more engaged in their children's digital lives. Whether it be cyberbullying, sexting, or DDoS'ing your school (all of which I've blogged about in the past 72 hours), parents MUST take active roles in what their children are doing online.


Not sure how to get more involved in your child's digital life? Google it!!!


From ClickOrlando.com:


Orange County Public Schools to monitor students on social media


ORLANDO, Fla. - The Orange County school district is now monitoring students' social media messages in an effort to curb cyberbullying, crime on campus and suicide.


Orange County Public Schools announced Thursday that it has acquired software to monitor social media "to proactively prevent, intervene and (watch) situations that may impact students and staff."  The district has obtained an annual license with SnapTrends, software that monitors Twitter, Facebook, YouTube and Instagram.

Beacon Health Is Latest Hacker Victim

From Data Breach Today:


Beacon Health Is Latest Hacker Victim


Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.

PCI: 5 New Security Requirements - New Task Force Created to Assist Smaller Merchants

From Data Breach Today:


PCI: 5 New Security Requirements


Five best practices noted in version 3.0 of the PCI Data Security Standard will become requirements after June 30, and smaller merchants are likely to be the most affected, says one security expert.


That's because the new requirements relate to point-of-sale vulnerabilities that have commonly been linked to exploits at small and mid-sized businesses, says Don Brooks, senior security engineer at security and forensics firm Trustwave.

Isle of Man taxpayers' info leaked due to email error

From Help Net Security:


Isle of Man taxpayers' info leaked due to email error


Email addresses of approximately 5000 customers of the Income Tax Division (ITD) of the Isle of Man - a self-governing British Crown dependency and a tax haven for the rich - have been leaked via email.


"The mistake happened when, as part of a programme to raise awareness of its new Twitter account, the Income Tax Division sent out ten batches of e-mails, of up to 500 in each batch, but in such a manner that recipients could see all the e-mail addresses in their individual batch," the ITD explained.

If we want strong encryption, we'll have to fight for it

From Help Net Security:


If we want strong encryption, we'll have to fight for it


As digital rights lawyer and special counsel to the Electronic Frontier Foundation Marcia Hofmann correctly noted in her keynote at Hack in the Box Amsterdam 2015 on Thursday, this issue is like a pendulum: sometimes, like in the wake of the 1990s crypto wars, it swings towards strong encryption, but it could now swing in the other direction.

Massive campaign uses router exploit kit to change routers' DNS servers

From Help Net Security:


Massive campaign uses router exploit kit to change routers' DNS servers


Well-known security researcher Kafeine has spotted an active campaign aimed at compromising SOHO routers and changing their DNS settings so that the attackers can seamlessly redirect users to phishing sites, hijack their search queries, intercept their traffic, and more.

This particular campaign apparently targets only users of Google's Chrome browser and ignores others. Chrome users who visit a compromised website are redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use.

Android factory reset not enough to keep data secure

From Help Net Security:


Android factory reset not enough to keep data secure


If you sell or gift your old Android phone to someone, is it enough to do a factory reset to wipe all your sensitive data? And if your Android gets stolen, how sure are you that your anti-theft solution will do a good job wiping it and/or locking the device?

Consumers generally have no insight in how well these features work. Their only option is to trust the manufacturers' and developers' assurances, and wait for security researchers to test the solutions.

Travel smart: Tips for staying secure on the road

From Help Net Security:


Travel smart: Tips for staying secure on the road


Whether you're taking a personal holiday or a business trip, traveling by car or by plane, planning a quick jaunt or preparing for an extended stay, make sure your security best practices are coming along for the ride.

Cybercriminals don't take vacations. In fact, they feast on tourists and travelers, taking advantage of people when their guards are down or when they're distracted by other pursuits. Wombat Security Technologies pulled together four essential tips from our security awareness and training materials that you can use to stay safe when you travel:

How businesses can stem the flow of leaky data

From Help Net Security:


How businesses can stem the flow of leaky data


The privacy and security of corporate data is at risk like never before. Not only are businesses faced with an ever-growing variety of security threats, from sophisticated, targeted attacks, to new zero-day vulnerabilities and state-sponsored espionage, they also need to deal with the sharing habits of their employees.

While it goes without saying that businesses need to be able to communicate freely and effectively with employees, customers and third-parties, they will always run the risk of sensitive corporate information falling into the wrong hands if due consideration isn’t given to security.

The challenges of data classification

Data classification is a very important security control.  All documents retained by your SOHO/SMB should be classified in some way.  This helps to ensure private, confidential or other sensitive material is not unintentionally leaked.


From Help Net Security:


The challenges of data classification


We are living in a data driven society with globalizing economies, data transfer, and ubiquitous access to everything from everywhere. From information gateways, websites, file shares, and web applications, to instant messaging and on-premises and cloud collaboration systems, data is free-flowing both within and outside an organization’s walls.

However, understanding what and where this data is, along with proper classification, will allow an enterprise to set appropriate levels of protection. For example, many companies traditionally apply their security protocols in broad terms, meaning that they use the same security procedures for everything. Companies are now beginning to think about their data – “dark data” in particular – and information about their customers as an unrealized asset. However, much of that data may be lost in file shares or data silos, undiscoverable and unprotected. So what can be seen as a risk may also be viewed as an asset when accessed and protected appropriately.

Yahoo to face class action lawsuit over email spying claims

From Sophos Naked Security:


Yahoo to face class action lawsuit over email spying claims


A US District judge has given the go ahead to a class action lawsuit which accuses Yahoo of illegally accessing and scanning emails - sent to and from its estimated 275 million Yahoo Mail subscribers - without consent.


The suit claims Yahoo intercepted and parsed the content of emails, including attachments, sent to Yahoo Mail customers from non-Yahoo accounts for the purpose of delivering targeted ads.

Facebook tests new "Security Check" tool to fend off account hijacking

From Sophos Naked Security:


Facebook tests new "Security Check" tool to fend off account hijacking


Ever worried that someone else might access your Facebook account?


Facebook helps with this - as well as Google, PayPal and plenty of other platforms, Facebook can send alerts any time there's a new login, and there are various versions of device management that will list all the devices that have accessed your account.


But how many users skip by these tools, if they even know they exist?

20 students charged in school sexting scandal

From Sophos Naked Security:


20 students charged in school sexting scandal


Twenty middle and high-school students in the US are facing charges of privacy invasion after investigators swooped in and collected 27 phones, finding numerous photos of nude and partially nude female students being swapped by male students via text message and social media.


According to the office of the prosecutor in Cape May, New Jersey, the sexting investigation is centered on the Lower Cape May Regional High School and the Richard M. Teitelman Middle School.

Thursday, May 28, 2015

Yup, we really are terrible at those password recovery questions

From Sophos Naked Security:


Yup, we really are terrible at those password recovery questions


We've long known that humans are really, awfully bad at choosing passwords. Just terrible.


Well, it turns out that we're just as bad at answering those secret, security questions like "What was your first pet's name?" or "What's your favourite food?" too.

High schooler allegedly hired third party to DDoS his school district

Not cool, dude!


From Sophos Naked Security:


High schooler allegedly hired third party to DDoS his school district


A 17-year-old high school boy may face state and federal charges for allegedly having paid a third party to launch a distributed denial of service (DDoS) attack that crippled the West Ada school district in Idaho, US, for a week and a half earlier this month.


Because he's a minor, he can't be named.

Phones' accelerometers allow you to be tracked on the metro

From Sophos Naked Security:


Phones' accelerometers allow you to be tracked on the metro


We know that we can be tracked using GPS data from mobile phones, which can triangulate location from nearby cell towers.


In fact, US courts have been grappling with whether or not the Fourth Amendment protects geolocation data gleaned from our own phones, among other sources.

Parliamentary insiders clean up MPs' Wikipedia pages

From Sophos Naked Security:


Parliamentary insiders clean up MPs' Wikipedia pages


The steady sound of a spring clean has been coming from UK Parliament.


Buffing up, stripping out, or flat-out ripping to shreds - those were the sounds of the Wikipedia entries for MPs which were glossed to a high, non-embarrassing, election-run-up shine.


Anybody can edit Wikipedia.

1 in 5 experts believe artificial intelligence will pose an 'existential threat'

From Sophos Naked Security:


1 in 5 experts believe artificial intelligence will pose an 'existential threat'


About 18% of experts working in the field of Artificial Intelligence (AI) believe that AI will one day pose an 'existential threat' to humanity, according to a report from Oxford University.


The possibility that AI might be our ultimate undoing has been a hot topic of late, with doom-laden remarks from people like Elon Musk, Bill Gates and Stephen Hawking widely reported.

5 tips to improve your Linux desktop security

From Sophos Naked Security:


5 tips to improve your Linux desktop security


There are lots of Linux servers out there – sufficiently many that it's impossible to give the precise number, and difficult even to come up with a good approximation.


But we're unlikely to offend anyone if we say that at least 20%, probably 40%, and possibly more than 50% of the internet's servers run some flavour of Linux.

We don't cover stupid, says cyber insurer that's fighting a payout

From Sophos Naked Security:


We don't cover stupid, says cyber insurer that's fighting a payout


In 2013, California healthcare provider Cottage Health System discovered that security on one of its servers had been disabled, leaving tens of thousands of patients' files potentially open and exposed on the internet.


Those files included patients' names, addresses, dates of birth, and in a few cases, their diagnosis, lab results and procedures performed.

17% of parents ignore privacy settings but still post hundreds of photos of kids online

From Sophos Naked Security:


17% of parents ignore privacy settings but still post hundreds of photos of kids online


The average parent is like a loving but voracious paparazzi, uploading an eyeball-popping 973 photos of their child on social media by the time he or she reaches the age of 5.


That's the news coming out of online safety site The Parent Zone, which did some research on the subject of children and privacy on behalf of safety campaign knowthenet.


...


Just ask the kitty-stalking Owen Mundy about that type of data: about a year ago, the data analyst/artist/associate professor gathered up photos of cats from images online, the privacy settings for which made APIs publicly available on sites like Flickr, Twitpic, Instagram or the like.


Then he geolocated the pussycats, and he published a map showing where the cats lived.


You could easily swap out cats for kids, and the creepiness of being able to trace a child's photo to his or her address would truly sink in.


...


Many parents also mistakenly believe that they own the rights to their photos.


39% of those polled reported believing that they own the sole rights to images posted on Facebook, and 17% think the same for Instagram.


In fact, the terms and conditions for both of those sites, as well as other social media platforms, state that the companies have the right to use uploaded images to promote their services without explicitly asking the permission of the person that uploaded the photo.

Adult FriendFinder hacked, users' intimate details exposed on Dark Web

From Sophos Naked Security:


Adult FriendFinder hacked, users' intimate details exposed on Dark Web


Adult FriendFinder, a website billed as a way for people to "find friends, sex, flings and hookups," has had a serious data breach.


Millions of people who thought they were using a discreet service to find casual sex have had their private data exposed online - including personal emails, sexual orientation and whether they were looking to cheat on their partners.

Scotland Yard was worried The X-Files and Star Trek could inspire anarchy in the UK

From Sophos Naked Security:


Scotland Yard was worried The X-Files and Star Trek could inspire anarchy in the UK


There were a lot of fuzzy-headed predictions of an apocalypse during the lead-up to the year 2000 - remember the fears of a "Y2K" bug leading to a global computer meltdown?


Yes, it was a weird time.

Logjam - New TLS vulnerability


A new vulnerability has been found in the SSL/TLS protocol. Named Logjam, this new bug lies in the TLS protocol itself and has the potential to affect many different platforms. Systems that employ SSL/TLS will need to be checked for this vulnerability. Please contact me for more info.


SANS ISC:

Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS - https://isc.sans.edu/diary/Logjam+-+vulnerabilities+in+Diffie-Hellman+key+exchange+affect+browsers+and+servers+using+TLS/19717


Weakdh.org:

Guide to Deploying Diffie-Hellman for TLS - https://weakdh.org/sysadmin.html (remediation steps available here)
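As an added example (not from this post, the SANS diary or the weakdh.org guide), the Python below parses the ServerDHParams fields of a TLS 1.2 ServerKeyExchange message, the structure in which a server announces the Diffie-Hellman group that Logjam exploits, and classifies the prime size against the thresholds the Logjam research uses. The sample bytes are constructed; the 512-bit and 2048-bit "primes" are odd placeholders of the right size rather than real groups, and all function names are mine.

```python
"""Parse the ServerDHParams block of a TLS 1.2 ServerKeyExchange message and
classify the Diffie-Hellman group size the server offered.

Logjam targets servers that negotiate export-grade (512-bit) or widely shared
1024-bit DH groups. Per RFC 5246 section 7.4.3 the server sends:
    opaque dh_p<1..2^16-1>;  opaque dh_g<1..2^16-1>;  opaque dh_Ys<1..2^16-1>;
each field being a 2-byte big-endian length followed by that many bytes.
"""
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass
class DHParams:
    p: int   # group prime
    g: int   # generator
    ys: int  # server's public value g^xs mod p

    @property
    def bits(self) -> int:
        return self.p.bit_length()


def _read_opaque16(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one uint16-length-prefixed field starting at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise ValueError("bad field length %d at offset %d" % (length, pos))
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(buf: bytes) -> DHParams:
    """Decode dh_p, dh_g, dh_Ys and apply the sanity checks a client should make."""
    p_bytes, pos = _read_opaque16(buf, 0)
    g_bytes, pos = _read_opaque16(buf, pos)
    ys_bytes, _ = _read_opaque16(buf, pos)
    p = int.from_bytes(p_bytes, "big")
    g = int.from_bytes(g_bytes, "big")
    ys = int.from_bytes(ys_bytes, "big")
    # An even p cannot be prime; g or Ys outside [2, p-2] forces a trivial shared secret.
    if p % 2 == 0 or not 2 <= g <= p - 2 or not 2 <= ys <= p - 2:
        raise ValueError("degenerate DH parameters")
    return DHParams(p, g, ys)


def classify_group(bits: int) -> str:
    """Map the prime size to the risk tiers described in the Logjam research."""
    if bits <= 512:
        return "export-grade"  # one-off precomputation makes every connection breakable
    if bits < 2048:
        return "weak"          # 1024-bit groups are believed within reach of nation-state attackers
    return "acceptable"        # 2048-bit or larger, as weakdh.org recommends


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams block; used here only to construct sample input."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: odd placeholders of the right size stand in for the prime.
# They are NOT real groups and are not prime; only the size matters for the verdict.
SAMPLE_EXPORT_GRADE = encode_server_dh_params((1 << 512) - 1, 2, 0x1234)
SAMPLE_STRONG = encode_server_dh_params((1 << 2048) - 1, 2, 0x1234)


def audit(buf: bytes) -> str:
    """Return 'bits:<n> verdict:<tier>' for a captured ServerDHParams block."""
    params = parse_server_dh_params(buf)
    return "bits:%d verdict:%s" % (params.bits, classify_group(params.bits))


if __name__ == "__main__":
    for name, blob in (("export-grade sample", SAMPLE_EXPORT_GRADE),
                       ("strong sample", SAMPLE_STRONG)):
        print(name, "->", audit(blob))
```

A truncated message or a degenerate generator is rejected with ValueError rather than silently producing a verdict, which is the behaviour a TLS client needs before it trusts the announced group.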

Anatomy of a LOGJAM - another TLS vulnerability, and what to do about it

From Sophos Naked Security:


Anatomy of a LOGJAM - another TLS vulnerability, and what to do about it


Transaction security on the internet is where you can find the funkiest vulnerability names.


They include BEAST, Lucky Thirteen, BREACH, POODLE and Heartbleed.


And, of course, FREAK.


FREAK is where you sit yourself on the network between a client and a server, acting as what's called a Man-in-The-Middle (MiTM).

Practical IT: What is encryption and how can I use it to protect my corporate data?

From Sophos Naked Security:


Practical IT: What is encryption and how can I use it to protect my corporate data?


There’s been a lot of talk about encryption in the media lately.


You hear about who uses encryption, and who doesn’t (lots of companies don’t, to their own detriment).


And you hear about who wants to be able to bypass encryption (some law enforcement and national security agencies), and who doesn’t (Google, Apple, privacy advocates, etc.).

US-CERT Alert: IC3 Issues Internet Crime Report for 2014

From US-CERT:


IC3 Issues Internet Crime Report for 2014


The Internet Crime Complaint Center (IC3) has released its Internet Crime Report for 2014, indicating that scams relating to social media—including doxing, click-jacking, and pharming—have increased substantially over the past five years.

Cyveillance Phishing Report: Top 20 Targets – May 25, 2015

From Cyveillance:


Cyveillance Phishing Report: Top 20 Targets – May 25, 2015


This week saw more than a 15% decrease in phishing activity for the top 20 brands we’re tracking.  CIBC, Battle.net, and Adobe displaced Sparkasse, Comcast, and Lloyds TSB.

IRS believes cyberattack originated in Russia, sources say

From Fox News:


IRS believes cyberattack originated in Russia, sources say


The IRS believes that criminals behind a major security breach that allowed them to access tax information from more than 100,000 U.S. households were based in Russia, sources confirmed to Fox News Wednesday.


A well-placed cyberintelligence source familiar with the investigation into the breach told Fox News that the attack, which breached the IRS system, originated out of Russia. Additionally, the IRS alerted the Department of Homeland Security following the breach, a federal law enforcement official said.

Wednesday, May 27, 2015

Social media elevate school fights to new realm

From the Norwalk Reflector:


Social media elevate school fights to new realm


The student sitting at the front of the class doesn’t know she’s about to be attacked. But others in the room apparently do.


As another teenager approaches her from behind, several students in the class whip out their cellphones. They have no intention of dialing for help, however. Their aim is to record the encounter between the two teenage girls so that they can upload it to Instagram, YouTube and other sites.

Thursday, May 21, 2015

2015-05-21 Link of the Day: Sophos Threat Dashboard

From Sophos:


Sophos Threat Dashboard


Any/all products/services are provided for informational purposes only. The author does not endorse any single product.

Use these products/services at your own risk.

Wednesday, May 20, 2015

Should hackers be tolerated to test public systems?

From Network World:


Should hackers be tolerated to test public systems?


The purported veering of a jetliner caused by an onboard hacker points up a larger problem, experts say – airlines and other providers of services may be blind to the value such security researchers can offer in the name of public safety.


While it’s far from clear that security researcher Chris Roberts actually did commandeer the avionics system of an airplane and force it to steer to one side, the story is prompting other security experts to call for better cooperation between white-hat hackers and industries whose infrastructures they probe.

US-CERT Alert: Google Releases Security Update for Chrome

From US-CERT:


Google Releases Security Update for Chrome

Tuesday, May 19, 2015

The cybersecurity domino effect

From Help Net Security:


The cybersecurity domino effect


RedSeal unveiled its survey of high-ranking executives that illustrates widespread concern regarding the potential effects of cyberattacks in corporate America.

Most of the C-level professionals surveyed readily acknowledge that a coordinated assault launched by sophisticated cybercriminals would wreak ongoing havoc on business operations, cause considerable harm to a brand, and potentially affect related companies, even entire industries.

Trojanized, info-stealing PuTTY version lurking online

From Help Net Security:


Trojanized, info-stealing PuTTY version lurking online


A malicious version of the popular open source Secure Shell (SSH) client PuTTY has been spotted and analyzed by Symantec researchers, and found to have information-stealing capabilities.

PuTTY, which is written and maintained primarily by Simon Tatham and can be freely downloaded from the project's official site, is a popular software with admins and developers looking to connect to remote servers through encrypted means.

Uber in hot water again - this time over plaintext passwords in emails

From Sophos Naked Security:


Uber in hot water again - this time over plaintext passwords in emails


Isabelle Berner has been taking a lot of Uber rides in the UK lately, for somebody who lives in New York City.


At least, as far as her Uber receipts are concerned, that's where she's been Ubering.

Address spoofing vulnerability in Safari Web Browser

From SANS ISC:


Address spoofing vulnerability in Safari Web Browser


A new vulnerability arose in Safari Web Browser that can lead to address spoofing, allowing attackers to show any URL address while loading a different web page. While this proof of concept is not perfect, it could definitely be fixed to be used by phishing attacks very easily.

Monday, May 18, 2015

These are the domains HACKERS use to INFECT unaware GOOGLE users

From CyberWarzone:


These are the domains HACKERS use to INFECT unaware GOOGLE users


Cybercriminals and hackers are always searching for new methods to infect unaware users with their Trojans and malware.


The domains which we have listed below were found during our search for malicious domains which are used by cybercriminals to infect unaware users.


http://cyberwarzone.com/wp-content/uploads/2015/05/Malware-domains-Google.jpg

April 2015 Cyber Attacks Statistics

From Hackmageddon:


April 2015 Cyber Attacks Statistics


Even if I am a little late, I can finally publish the statistics derived from cyber attacks timelines of April (Part I and Part II).

Promoting Cyber Norms of Behavior

From Data Breach Today:


Promoting Cyber Norms of Behavior


To battle nation-state cyberthreats, the United States must work closely with its allies to develop norms of behavior in cyberspace that could then be adopted by other nations.

FBI Hacker Hunt Goes 'Wild West'

Notice the link to The US FBI's Top 10 Cyber Most Wanted at the top of this page.


From Data Breach Today:


FBI Hacker Hunt Goes 'Wild West'


How much money would it take for you to rat out a member of a Russian organized crime gang?


That's one obvious question posed by the FBI's practice of offering big-dollar rewards for people on its "most wanted" list of hackers.

Router Hacks: Who's Responsible?

From Data Breach Today:


Router Hacks: Who's Responsible?


The news that an army of 40,000 small office/home office, or SOHO, routers have been exploited by an Internet-borne worm and used to launch distributed denial-of-service attacks appears to point to networking vendors' culpability. That's because the devices ship with default credentials, which attackers have been able to exploit en masse.

UK Police forces head to cybercrime boot camp to counter growing threat

From IT Pro Portal:


UK Police forces head to cybercrime boot camp to counter growing threat


UK Police forces are taking significant steps to ensure their officers have the necessary skills to properly investigate cybercrime.


This is according to new research conducted by enterprise protection firm Veracode, which submitted a Freedom of Information (FOI) request to examine the number of Police officers committing to cybersecurity training since 2010.

The Cybercrime Carnival in Brazil: Loose Cyberlaws Make for Loose Cybercriminals

From DarkReading:


The Cybercrime Carnival in Brazil: Loose Cyberlaws Make for Loose Cybercriminals


Brazil loses over $8 billion a year to Internet crime, making it the second-largest cybercrime generator in the world.


Just about a decade ago, bringing up Brazil would make most people draw up an associative mental image of colorful festivities in a city where Christ the Redeemer spreads his arms over densely populated favelas and beaches.

Taking A Security Program From Zero To Hero

From DarkReading:


Taking A Security Program From Zero To Hero


Breaking the enigma of InfoSec into smaller bites is a proven method for building up an organization's security capabilities. Here are six steps to get you started.

After many years as a niche profession, security has recently emerged as a mainstream one. Awareness is at an all-time high, and security is now a board-level discussion. With all this attention comes a very real problem for many organizations. The organization needs a mature security program, and they need it yesterday. But building and maturing a security program is a complex undertaking. How can organizations go from zero to hero in a minimal amount of time?

Open Smart Grid Protocol Alliance Plans to Fix its Weak Crypto

From ThreatPost:


Open Smart Grid Protocol Alliance Plans to Fix its Weak Crypto


The Open Smart Grid Protocol Alliance, which recently came under fire for a weak crypto implementation in its protocol, will upgrade existing devices, likely starting in September.


Harry Crijns, secretary of the OSGP Alliance in The Netherlands, said fixes have been developed and are “under [a] stress test.” It said it will then work with standards bodies such as CENELEC and ETSI in Europe to bring smart grids and devices up to speed.

Remotely Exploitable Vulnerabilities in SAP Compression Algorithms

From ThreatPost:


Remotely Exploitable Vulnerabilities in SAP Compression Algorithms


The two primary compression algorithms used by SAP SE products, some of the most popular enterprise and business management software platforms on the market, contain multiple, remotely exploitable security vulnerabilities.


Martin Gallo of Core Security Consulting Services found vulnerabilities in the decompression routines of two compression algorithms deployed across SAP’s line of products. SAP uses proprietary implementations of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. Gallo was able to trigger these exploits in different scenarios in order to remotely and locally execute arbitrary code and cause denial of service conditions.

New Crypto Suites Bring Perfect Forward Secrecy to Windows

From ThreatPost:


New Crypto Suites Bring Perfect Forward Secrecy to Windows


Microsoft yesterday added four cryptographic cipher suites to its default priority ordering list in Windows, a move that brings Perfect Forward Secrecy to the operating system.


Update 3042058 is available for now only on the Microsoft Download Center, affording users the opportunity to test the ciphers before bringing them into their respective IT environments. The updates are available for Windows 7, 8 and 8.1 32- and 64-bit systems, as well as Windows Server 2008 R2 and Windows Server 2012 and 2012 R2 system.

European Internet users urged to protect themselves against Facebook tracking

From Help Net Security:


European Internet users urged to protect themselves against Facebook tracking


In the wake of the revelations about Facebook's tracking of users who do not own a Facebook account, the Belgian Privacy Commission has issued a set of recommendations for both Facebook, website owners and end users.

The recommendations are based on the results of an extensive analysis of Facebook’s revised policies and terms (rolled out on January 30, 2015) conducted by the inter-university research center EMSOC/SPION, which concluded that the company is acting in violation of European law.

Global black markets and the underground economy

From Help Net Security:


Global black markets and the underground economy


There are a number of different types of digital black markets that fraudsters use. Much like in the real world, each type has its own prominent entity. The ways in which these are accessed usually differ, depending on the types of services or products offered. For example, in the physical black market world (e.g. illegal physical products such as guns, drugs or other non-digital services) the majority of markets are hosted via the TOR network. This is a platform that makes users anonymous, allowing both clients and hosts to hide their locations, ensuring that their activities and identities cannot be tracked.

There’s no security without trust

From Help Net Security:


There’s no security without trust


Trust. It’s a small word but it conveys a lot. To many it is the cornerstone of security, because without trust there can be no security.

To operate securely in the online world, businesses need to trust the technology they use. These same organizations need to trust their partners and suppliers, especially when they have access to the organization’s data and systems. They need to trust their staff to follow policies, to apply what they learn from security awareness sessions, and to use the tools provided to them to keep their activities secure.

Rogue GTA 5 mods carry password-stealing malware

From Help Net Security:


Rogue GTA 5 mods carry password-stealing malware


Gamers who choose to play Grand Theft Auto V (GTA 5) on their PC should be careful not to install two game mods that have been found to be bundled with malware.

According to a thread on the GTA forums, the two mods in question are Angry Planes and No-Clip.

United Airlines: Hack our site for free miles (just don't mess with onboard systems)

From Sophos Naked Security:


United Airlines: Hack our site for free miles (just don't mess with onboard systems)


United Airlines is offering up to 1 million free air miles in a new bug bounty program that rewards hackers who discover security flaws in the airline's websites, apps and databases.


The program is the "first of its kind within the airline industry," United proclaims on its website.

Former virus writer open-sources his DIY combination lock-picking robot

From Sophos Naked Security:


Former virus writer open-sources his DIY combination lock-picking robot


Back in 2005, a youngster called Samy Kamkar wrote and unleashed a JavaScript virus on MySpace.


You probably remember MySpace: back in 2005, it was the place to be online, making it the place to try out social networking malware.

FBI affidavit claims security expert admitted to briefly hacking flight controls

From Fox News:


FBI affidavit claims security expert admitted to briefly hacking flight controls


An FBI affidavit claims that a security expert who was pulled off a flight last month for sending tweets about hacking into a plane's controls admitted to briefly taking control of an aircraft and causing it to fly sideways.

Sunday, May 17, 2015

United Airlines Offers Air Miles in New Bug Bounty Program

From Security Week:

United Airlines Offers Air Miles in New Bug Bounty Program

United Airlines has announced the launch of a bug bounty program, offering independent researchers who identify security holes in the company’s online services the chance to earn air miles.

The list of vulnerabilities eligible for a reward includes authentication bypass, information disclosure, cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution, timing attacks exposing the existence of a user, reservation or repository, and the ability to conduct brute-force attacks on PINs, passwords, MileagePlus numbers, and reservations.

Security Firm Releases Details of Unpatched Google App Engine Flaws

From Security Week:

Security Firm Releases Details of Unpatched Google App Engine Flaws

Security Explorations has published details and proof-of-concept (PoC) code for several unconfirmed and unpatched vulnerabilities impacting Google App Engine for Java.

Leveraged by companies such as Rovio, Best Buy and Feedly, Google App Engine is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their apps on Google’s infrastructure.

Saturday, May 16, 2015

Understanding data protection needs for ROI

From SC Magazine:

Understanding data protection needs for ROI

This editorial product was produced by the SC editorial team and underwritten by Informatica. It is part one of a three-part series.

Building a return-on-investment (ROI) argument can be difficult enough when dealing with known information security technology, but creating an argument persuasive enough to convince a board when trying to look three to five years down the road can be daunting.

TeslaCrypt used to extort over $76K in recent months

From SC Magazine:

TeslaCrypt used to extort over $76K in recent months

Cybercriminals have pocketed substantial payments from victims infected by TeslaCrypt, a relatively new ransomware threat known for being distributed through the Angler Exploit Kit (EK). Between its emergence in February and April 2015, attackers extorted $76,522 from 163 victims, researchers at FireEye found.

Financial sector welcomes info-sharing with govt, panel says

From SC Magazine:

Financial sector welcomes info-sharing with govt, panel says

Information sharing between the financial sector and government is “extremely dear” to NASDAQ, according to Louis Modano, the exchange's senior vice president and global head of infrastructure services.

That was a sentiment echoed by other members of a Friday panel on private and public sector responses to cyber risks in the financial sector at the Conference on Internet Governance and Cyber-Security hosted by Columbia University's School of International and Public Affairs (SIPA).

The 15 worst data security breaches of the 21st Century

From CSO Online:

The 15 worst data security breaches of the 21st Century

Data security breaches happen daily in too many places at once to keep count. But what constitutes a huge breach versus a small one? For some perspective, we take a look at 15 of the biggest incidents in recent memory. Helping us out are security practitioners from a variety of industries, including more than a dozen members of LinkedIn's Information Security Community, who provided nominations for the list.

The things end users do that drive security teams crazy

From CSO Online:

The things end users do that drive security teams crazy (Slide show)

There are times as a security professional you can only put your head in your hands and cry. The things people do that put the company at risk can sometimes amaze you. Here are some real-life scenarios provided by CISOs.

Lost in the clouds: Your private data has been indexed by Google

From CSO Online:

Lost in the clouds: Your private data has been indexed by Google

Our lives are digital now.

Everything we do online leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we're our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.

Five tips to comply with the new PCI requirements

From CSO Online:

Five tips to comply with the new PCI requirements

At the end of June, merchants that accept payment cards have five new security requirements to comply with -- and significant fines and other costs if they don't.

The new rules are part of the new Payment Card Industry Data Security Standard. Here is some advice from Trustwave Holdings, a PCI compliance consulting firm.

Confronting the widening infosec skills gap

From CSO Online:

Confronting the widening infosec skills gap

Estimates of the shortage of qualified information security professionals needed to fill available jobs in the next several years range into the multiple millions. A number of organizations are trying to change that. But they say it will likely be years before the gap is closed.

VENOM - Does it live up to the hype?

From SANS ISC:

VENOM - Does it live up to the hype?

Unless you have been hiding under a rock this week you have heard about VENOM.  The first article that I saw was from ZDNet with the headline of "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters".  Pretty provocative stuff.  Is VENOM really worth that much hype?

China Blamed for Penn State Breach

From Data Breach Today:

China Blamed for Penn State Breach

Penn State University's College of Engineering computer network has been victimized by two sophisticated cyberattacks, with at least one originating from China.

The university revealed the breaches on May 15, although the FBI notified the school of the attacks on Nov. 21. An investigation by the cybersecurity firm Mandiant concluded that the first intrusion occurred as early as September 2012, with one of the attacks originating in China.

BitTorrent releases free P2P private voice and text app

From Help Net Security:

BitTorrent releases free P2P private voice and text app

After an initial pre-alpha release in July 2014, BitTorrent's peer-to-peer private voice and text app Bleep is finally available for curious Windows, Mac, iOS and Android users to test it out.

The app offers end-to-end encryption of all communication (calls are connected directly), and you don't have to pay to use it. You also don't have to provide any information about yourself in order to use it - a random nickname is enough, and a Bleep key will be created to identify the device for other users to be able to contact you.

Practical applications of machine learning in cyber security

From Help Net Security:

Practical applications of machine learning in cyber security

As more and more organizations are being targeted by cyber criminals, questions are being raised about their planning, preparedness, and investment into cyber security in order to tackle such incidents. The adoption of cloud technologies and the invasion of social media platforms into the workspace have added to the problem. Experts believe that most organizations’ cyber-security programs are not a match for the attackers’ persistence and skills. Does the answer to this problem lie in machine learning and artificial intelligence?