Information Security News
by Peter Bright
The mission of the US National Institute of Standards and Technology (NIST) is to create technical and measurement standards that make US manufacturing and industry more competitive.
In 1987, the Computer Security Act (CSA) tasked NIST (then known as the National Bureau of Standards, NBS) with the creation of computer standards to ensure the security of federal computer systems. The best known standard that came from this work is probably the Advanced Encryption Standard (AES) algorithm. NIST held a competition between 1997 and 2000 to pick a symmetric cipher (that is, one where the same key is used for both encryption and decryption). The winner of the competition was the Belgian algorithm Rijndael, and accordingly, the standardized form of Rijndael (fixed 128-bit block, 128-, 192-, or 256-bit keys) is known as AES.
The CSA explicitly required NIST to seek the advice and guidance of the National Security Agency when creating these standards. The NSA is, after all, where the government's cryptography experts work, and once upon a time, the organization was pretty helpful in this area. Before the CSA, the NSA had helped develop old NBS standards. In the 1970s, NBS created a standard for AES's predecessor, called the Data Encryption Standard (DES).
by Nate Anderson
Ever since Edward Snowden began leaking NSA secrets earlier this year, President Obama has insisted that the leaks weren't "whistleblowing" in any useful sense because they didn't reveal any abuses. Instead, they simply revealed secret programs that were:
For instance, here was Obama at an August 9 press conference at the White House, answering a couple of questions from journalists about the NSA's programs.
And if you look at the reports, even the disclosures that Mr. Snowden's put forward, all the stories that have been written, what you're not reading about is the government actually abusing these programs and, you know, listening in on people's phone calls or inappropriately reading people's e-mails. What you're hearing about is the prospect that these could be abused. Now part of the reason they're not abused is because they're—these checks are in place, and those abuses would be against the law and would be against the orders of the FISC.
As for any needed changes, they were minor. Obama's team already made some small modifications of its own—"some bolts needed to be tightened up on some of the programs," was how he put it. His changes involved things like more "compliance officers." But the programs and the laws they rested on were fine. Still, in the spirit of having a "discussion," Obama agreed that "people may want to jigger slightly sort of the balance between the information that we can get versus the incremental encroachments on privacy" that might be possible "in a future administration or as technology's developed further." (Remember, everything now is fine!)
Right on schedule (see their lifecycle doc at https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf), the PCI Security Standards Council has released a "what to expect" document for PCI DSS 3.0. I'm a bit late commenting on this - somehow I missed this when it was posted in August. Specifically called out in the doc are:
The change document is here: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf
It'll be interesting to see what the final document will look like when it's released in November, and what happens when QSAs (Qualified Security Assessors) turn the PCI guidance into audit findings and recommendations.
The National Security Agency (NSA) and its British counterpart have successfully defeated encryption technologies used by a broad swath of online services, including those provided by Google, Facebook, Microsoft, and Yahoo, according to new reports published by The New York Times, Pro Publica, and The Guardian. The revelations, which include backdoors built into some technologies, raise troubling questions about the security that hundreds of millions of people rely on to keep their most intimate and business-sensitive secrets private in an increasingly networked world.
The reports, published simultaneously by the NYT, Pro Publica, and The Guardian, are based on newly disclosed documents provided by former NSA contractor Edward Snowden. They reveal a highly classified program codenamed Bullrun, which according to the reports relied on a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion" to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.
"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," the NYT reported, quoting a 2010 memo describing a briefing of NSA capabilities to employees of the Government Communications Headquarters, or GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."
by Cyrus Farivar
A recent academic paper (PDF) shows “that Tor faces even greater risks from traffic correlation than previous studies suggested.” In other words, one of the world’s best tools for keeping online speech anonymous is at risk in a previously known—but now even clearer—fashion.
In the wake of a recent uptick of Tor usage (whether from a botnet or from people inspired by former National Security Agency [NSA] contractor Edward Snowden), a reminder of these risks is certainly germane to today’s Internet.
The new research shows that an adversary who controls, or can observe traffic at, Internet Exchange Points (IXPs) or large autonomous systems (ASes) such as an ISP, and so sees a client's traffic both entering and leaving the Tor network, can correlate the two sides and identify the Tor user, given enough time.
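To make the attack concrete, here is an added toy version of the traffic correlation the paper describes; it is example code written for this page, not from the paper, Tor, or the article. An observer on the client's guard link and at the exit bins each flow's bytes by time and picks the exit flow whose volume pattern lines up with the entry flow after some lag. Every flow, delay, jitter and drop rate below is constructed; the `client*`/`circuit*` names are placeholders.

```python
"""Toy traffic-correlation attack (added example; all traffic is constructed)."""
import math
import random


def make_flow(rng, n_bursts, burst_gap=0.01, idle_mean=1.0):
    """Constructed client flow: bursts of back-to-back packets separated by idle
    periods, returned as (timestamp_seconds, size_bytes) pairs."""
    t, pkts = 0.0, []
    for _ in range(n_bursts):
        t += rng.expovariate(1.0 / idle_mean)          # silence between bursts
        for _ in range(rng.randint(5, 40)):            # one burst
            t += rng.expovariate(1.0 / burst_gap)
            pkts.append((t, rng.choice((64, 512, 1448))))
    return pkts


def observe(flow, rng, delay, jitter, drop):
    """What the exit-side observer sees: the same flow delayed by the circuit,
    with per-packet jitter and a few packets missing."""
    seen = [(t + delay + rng.gauss(0.0, jitter), size)
            for t, size in flow if rng.random() >= drop]
    return sorted(seen)


def bin_bytes(flow, bin_width, n_bins):
    """Total bytes per time bin. With Tor's fixed-size cells only the per-bin
    cell count survives, but the volume-over-time signal is the same idea."""
    bins = [0.0] * n_bins
    for t, size in flow:
        i = int(t // bin_width)
        if 0 <= i < n_bins:
            bins[i] += size
    return bins


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if sa == 0 or sb == 0 else cov / (sa * sb)


def max_lag_corr(entry_bins, exit_bins, max_lag):
    """The adversary does not know the circuit delay, so it slides the exit
    series back by 0..max_lag bins and keeps the best (correlation, lag)."""
    best, n = (-1.0, 0), len(entry_bins)
    for lag in range(max_lag + 1):
        r = pearson(entry_bins[:n - lag], exit_bins[lag:])
        if r > best[0]:
            best = (r, lag)
    return best


def run_demo(seed=7, n_flows=3, bin_width=0.25, max_lag=8):
    """Returns (circuit id matched to the watched client, {circuit: (r, lag)})."""
    rng = random.Random(seed)
    clients = [f"client{i}" for i in range(n_flows)]
    flows = {c: make_flow(rng, 40) for c in clients}
    # Exit side: the adversary sees each flow leaving, labelled only by circuit.
    exits = {f"circuit{i}": observe(flows[c], rng, delay=0.75, jitter=0.02, drop=0.02)
             for i, c in enumerate(clients)}
    horizon = max(t for fl in exits.values() for t, _ in fl) + bin_width
    n_bins = int(horizon / bin_width) + 1
    entry_bins = bin_bytes(flows["client1"], bin_width, n_bins)   # the watched client
    scores = {cid: max_lag_corr(entry_bins, bin_bytes(fl, bin_width, n_bins), max_lag)
              for cid, fl in exits.items()}
    return max(scores, key=lambda cid: scores[cid][0]), scores


if __name__ == "__main__":
    matched, scores = run_demo()
    for cid, (r, lag) in scores.items():
        print(f"{cid}: r={r:.3f} at lag {lag} bins")
    print("client1's traffic leaves the network as", matched)
```

The point the paper makes is that nothing clever is needed once an adversary sees both ends: a volume-per-bin series and a lag search are enough, and padding or jitter inside the network only raises the amount of traffic it must watch.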
Researchers have found a new theory to explain the sudden spike in computers using the Tor anonymity network: a massive botnet that was recently updated to use Tor to communicate with its mothership.
Mevade.A, a network of infected computers dating back to at least 2009, has mainly used standard Web-based protocols to send and receive data to command and control (C&C) servers, according to researchers at security firm Fox-IT. Around the same time that Tor Project leaders began observing an unexplained doubling in Tor clients, Mevade overhauled its communication mechanism to use anonymized Tor addresses ending in .onion. In the week that has passed since Tor reported the uptick, the number of users has continued to mushroom.
"The botnet appears to be massive in size as well as very widespread," a Fox-IT researcher wrote in a blog post published Thursday. "Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor users increase."
Are you interested in where IPSes (Intrusion Prevention Systems) are going over the next few years? Do you think we'll see more HIPS (Host Intrusion Prevention Systems) feeds into IPS consoles, or more integration with SIEMs? Or will we just see better versions of what we have today?
Or are you maybe just wondering if your organization needs an IPS?
Either way, we're interested in your input! We've got a survey running to collect your take on IPSes, and where you expect (or would like) to see them evolve over the next few years: https://www.surveymonkey.com/s/2013SANSNetworkSecuritySurvey
We'll be collecting the results shortly, and will be sharing them in a SANS Analyst Webcast in October - more details here: https://www.sans.org/webcasts/survey-network-security-96967
Looking forward to your views!
With one "extracurricular" project winding up, I figured it was time to start the next one, and playing with the new crop of GPUs for hash and password cracking seems like a fun way to go.
At first glance, using specialized hardware like a GPU would seem to mean working on a physical machine, with a VM not in the cards. Not so: it's actually pretty easy to make it fly in a VM, with a bit of planning. For me, it also means that I don't need to find a spot for a new server.
First of all, you'll need a short list of "must haves":
For folks like me that are on a budget, there are two main choices in GPUs - NVIDIA and AMD.
While both of these cards perform great for graphics, AMD has an edge in crypto work: its GPUs have better integer throughput (bit rotations in particular, which hash algorithms lean on heavily), so tools like Hashcat or John the Ripper tend to run quicker.
In a virtual environment, the AMD cards seem to work better with VT-d (Intel's IOMMU, called Device Passthrough in the ESXi interface). If you want to use NVIDIA GPUs, you'll actually install drivers in ESXi, and you'll be confined to the most expensive NVIDIA cards (Quadro 6000, 5000, 4000, or the Tesla or Grid cards). This is actually pretty cool, as you can spread the GPUs across multiple VMs for Virtual Desktop applications like CAD and the like. But splitting the power of a GPU card across multiple VMs defeats the whole point of building a VM for cracking.
For my lab, I chose an AMD Radeon 7970: it's got great processing power and it was on sale that week. The 7900s seem to be right at the knee of the curve, right where more processing power starts to cost you disproportionately more money.
So, once all the prerequisites are in place, we're ready to go.
1/ First, install your card.
2/ Next, over to ESXi, we'll need to enable Device Passthrough (VT-d) for our new device. You'll find this in Server Settings / Advanced / Edit. Select the new card (which also selects the PCIe slot that it's in), and save. You'll need to reboot the server after this is done.
3/ Next, over to our VM. We'll go to the "Edit Settings / Add Hardware" screen, and add this new PCI device. Once this is done, vMotion and HA will no longer be possible for this VM, since it's tied to a specific PCIe slot in the server. Even a cold migrate (migration with the VM powered off) will involve some jumping through hoops: removing the card, migrating, then re-adding the card after the migrate (you'll of course need identical hardware in the destination server). Passthrough also hands the guest direct access to the card's PCI configuration space and firmware, so treat the cracking VM as no more trusted than the host it runs on.
4/ After installing the correct AMD driver in the VM, we see our card! I left the card at stock values for everything; nothing was overclocked or outside of the default settings.
5/ Next we'll need to install the OpenCL SDK in the VM (downloaded from AMD).
At this point, you'll be able to use the processing power of the GPU in any app written for it - I'm using Hashcat and John the Ripper, they both work great!
Running the hashcat benchmark (oclHashcat-lite64.exe -b) sees the card as a "Tahiti" (the codename for the 7900 series) and gives us some really impressive numbers, for instance 8765.0M/s for MD5 (yes, that's in MILLION hashes per second). While real throughput on the full (non-lite) version will be slightly slower, these numbers are close to what you'll see in practice.
Just for fun, I installed the identical setup on a similar but PHYSICAL machine (3.5 GHz i7 quad core, as opposed to the 3.3 GHz Xeon quad in my ESXi server). You can see from the table below that the throughput on hash calculations is very close, with the i7 setup a bit slower on all but one row. It's in situations like this where you'll see the features in "server class" processors make a difference, things like larger CPU cache for instance. My ESXi server was running my kid's Minecraft server (with him and all his friends on it), plus we were streaming video off of another VM running DLNA services for our TV, and hashcat in the VM still came out ahead of the physical host running a workstation CPU of similar specs on almost every row.
The numbers for both the virtual and physical servers are shown below. From this, we can draw a few critical conclusions:
Benchmark values (oclHashcat-lite, hashes per second):

| Hash Type | On VM | On Physical |
|---|---|---|
| NetNTLMv1-VANILLA / NetNTLMv1+ESS | 7624.8M/s | 7034.0M/s |
| vBulletin < v3.8.5 | 2492.4M/s | 2427.9M/s |
| SSHA-1(Base64), nsldaps, Netscape LDAP SSHA | 2361.5M/s | 2314.3M/s |
| SHA-1(Base64), nsldap, Netscape LDAP SHA | 2276.0M/s | 2295.8M/s |
| vBulletin > v3.8.5 | 1697.7M/s | 1628.0M/s |
| descrypt, DES(Unix), Traditional DES | 47052.0k/s | 44934.1k/s |
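What a practitioner usually wants from benchmark figures like these is not the raw rate but what it means for a password policy: how long one such card needs to exhaust a given keyspace, and how much the VM costs or gains over bare metal. The script below is an added example written for this page, not part of the diary or of hashcat; the table text it parses is a constructed copy of a few rows above plus the MD5 figure quoted in the text (with no physical-host value), and the charset sizes and password lengths are illustrative choices.

```python
"""Keyspace exhaustion times from hashcat benchmark rates (added example)."""
import re

# Constructed copy of the diary's figures: hash type | rate on VM | rate on physical
BENCHMARK_TABLE = """
NetNTLMv1-VANILLA / NetNTLMv1+ESS    | 7624.8M/s  | 7034.0M/s
vBulletin < v3.8.5                   | 2492.4M/s  | 2427.9M/s
SHA-1(Base64), nsldap                | 2276.0M/s  | 2295.8M/s
descrypt, DES(Unix), Traditional DES | 47052.0k/s | 44934.1k/s
MD5                                  | 8765.0M/s  | -
"""

_UNITS = {"": 1.0, "k": 1e3, "M": 1e6, "G": 1e9}


def parse_rate(text):
    """'7624.8M/s' -> 7.6248e9 hashes per second; '-' or blank -> None."""
    text = text.strip()
    if text in ("", "-"):
        return None
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([kMG]?)/s", text)
    if not m:
        raise ValueError(f"unparseable rate: {text!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def parse_table(text):
    """{hash type: (vm_rate, physical_rate)} from the pipe-separated rows."""
    rows = {}
    for line in text.strip().splitlines():
        name, vm, phys = (col.strip() for col in line.split("|"))
        rows[name] = (parse_rate(vm), parse_rate(phys))
    return rows


def vm_speedup(rows):
    """VM rate divided by physical rate, for rows that have both figures."""
    return {name: vm / phys for name, (vm, phys) in rows.items() if vm and phys}


def exhaust_seconds(rate, charset_size, length):
    """Worst case to try every candidate of exactly `length` characters at
    `rate` hashes/s. Brute force only: wordlists and rules finish real-world
    passwords far sooner, so this is an upper bound on the attacker's effort."""
    return charset_size ** length / rate


def human(seconds):
    for name, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} s"


# Illustrative character-class sizes (assumption, not from the diary)
CHARSETS = {"lower": 26, "lower+digits": 36, "mixed+digits": 62, "printable": 95}


def policy_report(rows, lengths=(6, 8, 10), which=0):
    """Exhaustion time keyed by (hash type, charset, length); which=0 uses the
    VM column, which=1 the physical column. Rows without a rate are skipped."""
    report = {}
    for name, rates in rows.items():
        rate = rates[which]
        if rate is None:
            continue
        for cs, size in CHARSETS.items():
            for n in lengths:
                report[(name, cs, n)] = exhaust_seconds(rate, size, n)
    return report


if __name__ == "__main__":
    rows = parse_table(BENCHMARK_TABLE)
    for name, ratio in vm_speedup(rows).items():
        print(f"{name}: VM runs at {ratio:.2f}x the physical host")
    for (name, cs, n), secs in policy_report(rows).items():
        print(f"{name:36} {cs:13} len {n:2}: {human(secs)}")
```

Two things the output makes obvious that the table alone does not: an 8-character lowercase password falls to one card in under half a minute against any of the fast unsalted hashes above (26^8 candidates at 7.6 billion/s is about 27 seconds), and descrypt's 47 million/s is two orders of magnitude slower, which is exactly why slow, salted password hashes matter more than the GPU-versus-VM question.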
InfoSec Skills Launches Strategic Partnership with Wisdom Education Group in ...
Watch List News (press release)
London, United Kingdom, September 04, 2013 –(PR.com)– InfoSec Skills (www.infosecskills.com) has announced a new strategic partnership with the Wisdom Education Group, based in the United Arab Emirates (UAE). Wisdom Education is a leading Group ...
Posted by InfoSec News on Sep 05: http://www.csoonline.com/article/739117/aggressive-social-engineering-campaign-uncovered-in-europe
Posted by InfoSec News on Sep 05: http://www.computerworld.com/s/article/9242086/Amazon_hiring_top_secret_IT_staff_as_it_fights_for_CIA_work
Posted by InfoSec News on Sep 05: http://www.nextgov.com/cybersecurity/2013/09/are-your-g20-briefings-laced-spyware/69888/
Posted by InfoSec News on Sep 05: Forwarded from: nullcon <nullcon (at) nullcon.net>
Posted by InfoSec News on Sep 05: http://www.forbes.com/sites/andygreenberg/2013/09/04/startup-bugcrowd-raises-1-6-million-to-pay-hacker-hordes-to-hunt-clients-bugs/
Posted by InfoSec News on Sep 05: http://20committee.com/2013/09/04/snowden-nsa-and-counterintelligence/
Posted by InfoSec News on Sep 05: http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/