Information Security News
GCI to distribute BCS-accredited IA training to combat skills shortage
IDG News Service
Nermin Bajric, 06.09.2013 at 13:16 | ARN. IT examination services provider, Global Certifications Institute (GCI), has introduced a range of new Information Assurance (IA) examinations in partnership with InfoSec Skills to combat local skills ...
by Dan Goodin
Thursday's revelation that US and British intelligence agencies are able to decode most Internet traffic was a transforming moment for many, akin to getting definitive proof of intelligent extraterrestrial life. It fundamentally changed the assumptions that many of us have about the tools hundreds of millions of people rely on to shield their most private information from prying eyes. And it challenged the trust placed in the people who build and provide those tools.
But the reporting from the New York Times, ProPublica, and The Guardian was short on technical details about exactly how cryptographic technologies such as virtual private networks and the secure sockets layer (SSL) and transport layer security (TLS) protocols are bypassed. As stated recently by Edward Snowden, the former National Security Agency (NSA) contractor who leaked highly classified documents leading to the reports, "Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on." How is it, then, that agents from the NSA and its British counterpart known as the Government Communications Headquarters (GCHQ) are reportedly able to bypass the crypto protections provided by Internet companies including Google, Facebook, Microsoft, and Yahoo?
The short answer is almost certainly by compromising the software or hardware that implements the encryption or by attacking or influencing the people who hold the shared secrets that form one of the linchpins of any secure cryptographic system. The NYT alludes to these techniques as a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion." The paper went on to refer to technologies that had been equipped with backdoors or had been deliberately weakened. Snowden put it slightly differently when he said: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around" encryption. Exploiting the implementations or the people behind these systems can take many forms. What follows are some of the more plausible scenarios.
Microsoft released its pre-announcement for the upcoming Patch Tuesday. The summary lists 14 bulletins in total: 4 are rated Critical, all involving remote code execution, and 10 are rated Important, covering a mix of remote code execution, denial of service and elevation of privilege. The announcement is available here.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
InfoSec Skills Partners with Global Certification Institute (GCI) to ...
InfoSec Skills has entered into a partnership agreement with Australia's leading certification and examination services provider to launch a new certification scheme in Information Assurance for the Asia Pacific marketplace. This incorporates ...