Information Security News
The Washington Post's servers were penetrated by hackers who accessed employees' user names and password data in a breach that marked the third intrusion in as many years, the paper reported.
Security personnel still don't know the full extent of the loss, an article published Wednesday said. The intrusion was discovered by outside security consultant Mandiant, which reported it to Washington Post officials Wednesday. Compromised data includes employees' user names and passwords that were "stored in encrypted form," which typically means as a cryptographic hash. Post officials, working under the assumption that a fair percentage of hashed passwords can be cracked, planned to direct all employees to change their passwords.
There's no evidence yet that subscriber information such as credit card data or home addresses was accessed. There was also no immediate sign that hackers had accessed the paper's publishing system, employee e-mail databases, or sensitive personal information belonging to workers. Wednesday's article cited a Washington Post official as saying investigators believe the intrusion lasted at most a few days.
by Cyrus Farivar
According to the Wall Street Journal and independent journalist Brian Krebs, retail giant Target was hit with a major theft of customers’ credit-card and debit-card data captured in stores during the Black Friday weekend.
The company has nearly 1,800 stores in the United States and over 100 in Canada.
"The Secret Service is investigating—we have no further comment as it is an ongoing investigation," Brian Leary, a Secret Service spokesperson, told Ars.
by Peter Bright
A common pastime among the residents of the Internet's seedy underbelly is spying on people through their webcams then using the pictures to harass and blackmail the victims. This kind of hacking went mainstream when Miss Teen USA Cassidy Wolf was named as a victim of a blackmail attempt.
In addition to standard computer security advice given to combat this behavior—keep your computer patched, don't install malware, and so on—it's commonly suggested that you only use webcams where the activity LED is hardwired to light up whenever the camera is active. Among others, Apple's line of laptops has been identified as having such hardwired LEDs. However, researchers at Johns Hopkins University have published a paper, first reported on by the Washington Post, demonstrating that even this isn't good enough. Some hardwired LEDs turn out to be, well, software controlled after all.
As with just about every other piece of modern hardware, the webcams in the computers that the researchers looked at—an iMac G5 and 2008-vintage MacBooks, MacBook Pros, and Intel iMacs—are smart devices with their own integrated processors, running their own software. The webcams have three main components: the actual digital imaging sensor, a USB interface chip with both an integrated Intel 8051-compatible microcontroller and some RAM, as well as a little bit of EEPROM memory.
SANS' Tenth Annual Holiday Hacking Challenge is Now Live!
PR Newswire (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...
A presidential advisory committee today recommended that the US government stop any efforts to undermine encryption standards or attack commercial software.
The panel's report (full text at Whitehouse.gov) comes in response to the National Security Agency leaks of Edward Snowden and makes 46 recommendations. Number 29 should please IT security researchers:
We recommend that, regarding encryption, the US Government should:
(1) fully support and not undermine efforts to create encryption standards;
(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and
(3) increase the use of encryption, and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.
We reported in September on the NSA's uneasy relationship with encryption researchers, detailing how the agency has helped improve the encryption standards that secure Internet communications while in other cases undermining them. Government officials have routinely joined security researchers at technology conferences—this year, they were asked to stay away from DefCon, one of those annual events.
While the White House isn't obligated to accept the advisory panel's recommendations, doing so could end any current or future efforts to insert backdoors into encryption standards. Security experts, including Bruce Schneier, have warned that the NSA's work has undermined the security of the Internet.
Computer scientists have devised an attack that reliably extracts secret cryptographic keys by capturing the high-pitched sounds coming from a computer while it displays an encrypted message.
The technique, outlined in a research paper published Wednesday, has already been shown to successfully recover a 4096-bit RSA key used to decrypt e-mails by GNU Privacy Guard, a popular open source implementation of the OpenPGP standard. Publication of the new attack was coordinated with the release of a GnuPG update rated as "important" that contains countermeasures for preventing the attack. But the scientists warned that a variety of other applications are also susceptible to the same acoustic cryptanalysis attack. In many cases, the sound leaking the keys can be captured by a standard smartphone positioned close to a targeted computer as it decrypts an e-mail known to the attackers.
"We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer within an hour by analyzing the sound generated by the computer during decryption of chosen ciphertexts," the researchers wrote. "We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer and using a sensitive microphone from a distance of four meters [a little more than 13 feet]."
by Dan Goodin
It's true that the Tor anonymity service helps people cover their tracks on the Internet. But when it's not used carefully, it can be the very thing that tips off the people the user wants to evade, as was demonstrated in a federal investigation earlier this week.
According to federal prosecutors, Tor played a key role in helping FBI agents identify a Harvard student suspected of e-mailing a hoax bomb threat to university officials so he wouldn't have to take a final exam. To conceal his Harvard IP address, he used Tor, but in a fatal mistake, he also used the school's Wi-Fi network to connect to the anonymity service. Investigators, according to a criminal complaint, took a hard look at everyone who used Tor at the time the threats were sent and ultimately fingered 20-year-old Eldo Kim of Cambridge, Massachusetts as the perpetrator.
"This is one of the problems of using a rare security tool," security analyst Bruce Schneier observed in a blog post published Wednesday. "The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess."
[announcement] Infosec information security competition
The Infosec CTF information security competition will take place from December 20 to 23, 2013. The organizer is «Информзащита», and the technical partner is Check Point Software Technologies. The winner ...
«Информзащита» invites you to take part in Infosec CTF
It's been two years since Nadim Kobeissi unleashed his user-friendly, feline-themed chat software, Cryptocat. At the time, Kobeissi felt that there wasn't exactly a great deal of enthusiasm for his program. "Two years ago not a lot of people cared," he comments. But times have changed. "Now a lot of people care."
Kobeissi's challenge to make encrypted online messaging user-friendly has long been a bugbear of the crypto community. A paper, written in 1999, demonstrated that the encryption program PGP completely baffled most users in a series of tests. The study, now 14 years old, is still frequently cited today as a long-unanswered call to arms.
And even though the level of security offered by PGP is slowly becoming more accessible, thanks to initiatives like the Enigmail Project, for most people it's still too esoteric and finicky. The challenges for making encryption more user-friendly are often referred to as UX headaches, which many view as being more or less insurmountable. Indeed, those who publicly advocate better interfaces for encryption feel that they represent a small minority within the wider crypto community.
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
Israel-based Seculert said about 6,500 computers are infected by DGA.Changer, a malware title whose sole job is to surreptitiously download other malware onto compromised systems. One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts. Like previous trojans equipped with domain-generation algorithms, DGA.Changer is able to make on-the-fly changes to the command-and-control (C2) domain names that infected machines contact to send data and receive instructions. That stymies takedown campaigns that simply take control of the C2 domain names. DGA.Changer takes this evasive move one step further by allowing operators to change the algorithm "seed" that generates a specific set of pseudo-random domains.
"As a result, they're extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change—which no longer resolve to the C2 server," Seculert researcher and CTO Aviv Raff wrote in a blog post published Wednesday. Researchers typically use Cuckoo Sandbox and similar automated malware analysis systems to run recently discovered malware samples in a controlled environment. If the DGA.Changer seeds in the sandboxes don't match those of versions running in the wild, researchers can't continue to monitor communications sent to the C2 servers.
My 5 Wishes For Security In 2014
Year-end security predictions are really hard for InfoSec practitioners, in no small part because so many security matters linger for years without improvement or resolution. I've chosen five issues that have long legs (think "wine"). Here's my wish ...
Posted by InfoSec News on Dec 18 http://www.eurekalert.org/pub_releases/2013-12/pm-fcs121613.php
Posted by InfoSec News on Dec 18 http://www.thedenverchannel.com/news/local-news/social-security-numbers-addresses-of-18800-state-workers-in-missing-thumb-drive
Posted by InfoSec News on Dec 18 http://analysisintelligence.com/cyber-defense/cyber-operations-against-oil-industry/
Posted by InfoSec News on Dec 18 http://www.tennessean.com/article/20131216/NEWS/312160048/1972/NEWS02?nclick_check=1&utm_content=buffer58453
Posted by InfoSec News on Dec 18 http://www.darkreading.com/monitoring/5-protocols-that-should-be-closely-watch/240164357