Information Security News
RSA Highlights the Changing Face of Infosec
CSO Magazine (blog)
"If you look at the demographics of where those people are from, the companies they're from – it's not just big financial services companies or Fortune 100s, it's people from utilities. If you asked who were the most progressive people in infosec you would ...
Researchers have released a paper describing several vulnerabilities in TLS (Transport Layer Security). Some of the attacks have been known for a while, but the paper combines and explains them nicely, and also adds a couple of really clever new ideas. The tricks rely on cutting sessions off and re-starting them (through session resumption and renegotiation) in a way that client and server end up with a different (security) state. The full research is available here: https://secure-resumption.com/. The good news is that (a) the main impact is apparently limited to connections that use client-side certificates, which is rare, and (b) the researchers informed the browser vendors early on, and some browsers and TLS libraries are already patched.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Privacy Act audits will consider infosec budgets
The Australian Privacy Commissioner will take into account the size of an organisation's wallet when it cracks down on hacked companies under the tougher Privacy Act set to come into force next week. Small organisations across Australia with revenues ...
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass the secure sockets layer (SSL) and Transport Layer Security (TLS) protections of websites and applications that depend on the open source package. Initial estimates circulating in public discussions indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits in which an attacker positioned between end user and server presents a specially crafted certificate that GnuTLS wrongly accepts, letting the attacker impersonate the server and silently read the traffic passing between them.
The bug is the result of code in the section of GnuTLS that verifies the authenticity of TLS certificates, which are often known simply as X.509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be cut short while the certificate is still treated as trusted, drawing ironic parallels to the extremely critical "goto fail" flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched that bug.
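The pattern behind this class of bug is worth seeing in code. The following is an added example written for this page, not GnuTLS source: a yes/no helper ("is this issuer a CA?") bails out through a `cleanup:` label while a negative library-style error code is still sitting in its result variable, and the caller tests only for non-zero, so a certificate that fails to decode is read as "yes, it is a CA". That is the mechanism of the GnuTLS flaw (CVE-2014-0092); the `toy_cert` type, its two flags, the `TOY_E_ASN1` code and the sample certificates are constructed assumptions that stand in for real X.509 decoding. The hardened version beside it fails closed.

```c
#include <stdio.h>

/*
 * Added illustration (not GnuTLS code). toy_cert is an assumption: a
 * stand-in for a decoded X.509 certificate with a "did decoding succeed"
 * flag and the BasicConstraints CA bit.
 */
typedef struct {
    const char *subject;
    int parse_ok;   /* 0 => decoding this certificate fails */
    int is_ca;      /* the BasicConstraints CA bit, valid only if parse_ok */
} toy_cert;

enum { TOY_E_ASN1 = -42 };  /* library-style negative error code (assumed) */

/* Vulnerable pattern: on a decoding error the function jumps to cleanup
 * with a NEGATIVE error code in result and returns it. Any caller that
 * only tests "non-zero" reads that error as a true answer. */
static int check_if_ca_buggy(const toy_cert *issuer)
{
    int result;

    if (!issuer->parse_ok) {
        result = TOY_E_ASN1;     /* error code leaks out as the yes/no answer */
        goto cleanup;
    }
    result = issuer->is_ca ? 1 : 0;

cleanup:
    return result;
}

/* Hardened pattern: every failure path forces the answer to 0 ("not a CA"),
 * so the only way to return non-zero is for the positive check to pass. */
static int check_if_ca_fixed(const toy_cert *issuer)
{
    int result;

    if (!issuer->parse_ok) {
        result = 0;              /* fail closed */
        goto cleanup;
    }
    result = issuer->is_ca ? 1 : 0;

cleanup:
    return result;
}

/* The caller: accepts the chain if the issuer "is a CA". Testing the return
 * value for non-zero is exactly what turns a leaked error into acceptance. */
static int verify_issuer(const toy_cert *issuer,
                         int (*check_if_ca)(const toy_cert *))
{
    return check_if_ca(issuer) ? 1 : 0;   /* 1 = chain accepted */
}

/* Constructed sample input: an issuer certificate the attacker has made
 * undecodable, a legitimate CA, and an ordinary end-entity certificate. */
static const toy_cert malformed_issuer = { "CN=attacker",          0, 0 };
static const toy_cert real_ca          = { "CN=Example Root CA",   1, 1 };
static const toy_cert plain_leaf       = { "CN=www.example.test",  1, 0 };

int buggy_accepts_malformed(void) { return verify_issuer(&malformed_issuer, check_if_ca_buggy); }
int fixed_accepts_malformed(void) { return verify_issuer(&malformed_issuer, check_if_ca_fixed); }
int fixed_accepts_real_ca(void)   { return verify_issuer(&real_ca,          check_if_ca_fixed); }
int fixed_accepts_leaf_as_ca(void){ return verify_issuer(&plain_leaf,       check_if_ca_fixed); }

int main(void)
{
    printf("buggy verifier, malformed issuer: %s\n",
           buggy_accepts_malformed() ? "ACCEPTED (bug)" : "rejected");
    printf("fixed verifier, malformed issuer: %s\n",
           fixed_accepts_malformed() ? "accepted" : "rejected");
    printf("fixed verifier, real CA issuer:   %s\n",
           fixed_accepts_real_ca() ? "accepted" : "rejected");
    return 0;
}
```

The buggy verifier accepts the malformed issuer because -42 is non-zero; the fixed one rejects it while still accepting the real CA and rejecting the leaf. The more robust design is to keep the two channels apart: return the error code from the function and deliver the boolean through an out-parameter, and have the caller test the success path explicitly (`== 1`) rather than "anything but zero".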
Flexcoin, which proclaimed itself to be the "world's first bitcoin bank" and the solver of "nearly every problem that exists with the Bitcoin currency today," says it has shut down after a robbery. An attacker made off with 896 bitcoins, the equivalent of about $620,000 at today's exchange rates.
A statement on Flexcoin's website read as follows:
On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet. The attacker made off with 896 BTC, dividing them into these two addresses:
As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.
The "hot wallet" is what exchanges use to pay out withdrawals instantly. Bitcoins deposited by users are put into "cold storage." Flexcoin said it will help these users get their coins back. "Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity," the bank said. "Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker."
Posted by InfoSec News on Mar 04
http://www.lasvegassun.com/news/2014/feb/28/las-vegas-sands-some-customer-data-was-stolen-hack/
Posted by InfoSec News on Mar 04
http://www.itproportal.com/2014/03/04/are-we-about-to-witness-a-full-on-cyber-war-between-russia-and-ukraine/
Posted by InfoSec News on Mar 04
http://www.v3.co.uk/v3-uk/news/2331953/hackers-hijack-300-000-soho-routers-with-man-in-the-middle-attacks