Information Security News
GOP Report Stresses Gov't InfoSec Flaws
Days before the Obama administration will release a framework aimed at securing the nation's critical infrastructure, Senate Republicans issued a report detailing vulnerabilities in federal IT, suggesting the White House get its own house in order ...
A bugged phone conversation in which two senior US officials traded offensive remarks about the European Union has ignited a diplomatic free-for-all and raised questions about the ability of the US to protect its sensitive communications from the spy apparatuses of Russia and other countries.
US Assistant Secretary of State for European Affairs Victoria Nuland and Geoffrey Pyatt, the US ambassador to Ukraine, clearly thought they were speaking on a secure line when discussing the political unrest in Ukraine and how the US government should help resolve the crisis. At one point during the January 25 call, Nuland colorfully rejected recent overtures from European Union leaders by telling her colleague: "Fuck the EU."
The four-minute call was posted to YouTube on Thursday. The voice quality is strikingly clear, suggesting the recording was made by a well-positioned source. Among the first people to tweet the link was an aide to Russian Deputy Prime Minister Dmitry Rogozin. US State Department officials quickly seized on the tweet as proof that the Russian government was involved in the eavesdropping, calling the episode a "new low in Russian tradecraft." The Russian government has denied any involvement.
by Ars Staff
Luis von Ahn and colleagues developed CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) in early 2000 to help fight against computer-generated spam. The test requires users to type in letters from a distorted image to prove that they're human. This system worked great for years, but as with many things on the Internet, there's always a hacker who wants to break the system.
Hackers have found ways to crack the CAPTCHA system—one example involves tricking users into thinking they are entering a CAPTCHA at a completely safe website while the user’s input is used to access another site. So it's up to the computer scientists to figure out how to beat the hackers again.
That's exactly what a team of researchers at Carnegie Mellon University set out to do. (The team consisted of PhD student Jeremiah Blocki, professor Manuel Blum, and associate professor Anupam Datta.) The system they developed is called GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart), and it uses a user-provided password to generate several multi-colored inkblots, with the blotches distributed randomly.
EE rolls out Brightbox fix... but it WON'T stop packet sniffers, DNS meddlers – infosec bod. '2 out of 3' major holes in router plugged: researcher. By John Leyden, 7th February 2014.
Also in the news, ISO standard 30111 was published recently (on Jan 21) - a standard for Vulnerability Handling Processes. The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft.
The standard covers all the basics, including Vulnerability Verification steps and the Vulnerability Handling Process, and, of particular interest, it delineates where vendors should and should not be in the process.
The companion document, ISO 29147 (published in 2013), covers Vulnerability Disclosure. This one is extremely valuable both to security researchers and to any company with a software product. This standard includes guidance on building a framework to address vulnerabilities, including a 5-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communication with customers after the fix is released.
As with all ISO standards, these are unfortunately not free, but both are well worth it if the standards apply to your organization. If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have.
ISO 30111 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231
ISO 29147 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170
Posted by InfoSec News on Feb 07: http://www.nextgov.com/cybersecurity/2014/02/75-percent-pentagon-contractors-adjusted-security-after-snowden-leaks/78302/
Posted by InfoSec News on Feb 07: http://www.eetimes.com/author.asp?section_id=8&doc_id=1320907
Posted by InfoSec News on Feb 07: http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html
Posted by InfoSec News on Feb 07: http://www.timesofisrael.com/hack-this-start-up-claims-it-can-stop-all-viruses-permanently/
Posted by InfoSec News on Feb 07: http://www.informationweek.com/healthcare/security-and-privacy/texas-hospital-discloses-huge-breach-/d/d-id/1113724