Information Security News
When thousands of access credentials and email addresses of Adobe customers were breached back in October, we expected that phishing attacks that make use of the stolen information would follow. Surprisingly, it seems to have taken the bad guys quite a while to kick off anything serious - the only mails we got so far on a compromised address that we converted into an Adobe phishing honeypot were the usual spam emails peddling the usual goods. But today, Adobe themselves issued a warning http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/ suggesting that something more nefarious must be going on. If you have a sample of this email, please share via our contact form.
Since the Adobe and now the Target breach both affected about 40 million people ... odds are that half a million or so might be on both lists. So if you are getting an email from "Target" on the email address that you used for Adobe, you might want to be extra careful, too ...

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Peter Bright
Security company RSA was paid $10 million to use the flawed Dual_EC_DRBG pseudorandom number generating algorithm as the default algorithm in its BSafe crypto library, according to sources speaking to Reuters.
The Dual_EC_DRBG algorithm is included in the NIST-approved crypto standard SP 800-90 and has been viewed with suspicion since shortly after its inclusion in the 2006 specification. In 2007, researchers from Microsoft showed that the algorithm could be backdoored: if certain relationships between numbers included within the algorithm were known to an attacker, then that attacker could predict all the numbers generated by the algorithm. These suspicions of backdooring seemed to be confirmed this September with the news that the National Security Agency had worked to undermine crypto standards.
The impact of this backdooring seemed low. The 2007 research, combined with Dual_EC_DRBG's poor performance, meant that the algorithm was largely ignored. Most software didn't implement it, and the software that did generally didn't use it.
Security experts are calling for the removal of a National Security Agency employee who co-chairs an influential cryptography panel, which advises a host of groups that forge widely used standards for the Internet Engineering Task Force (IETF).
Kevin Igoe, who in a 2011 e-mail announcing his appointment was listed as a senior cryptographer with the NSA's Commercial Solutions Center, is one of two co-chairs of the IETF's Crypto Forum Research Group (CFRG). The CFRG provides cryptographic guidance to IETF working groups that develop standards for a variety of crucial technologies that run and help secure the Internet. The transport layer security (TLS) protocol that underpins Web encryption and standards for secure shell (SSH) connections used to securely access servers are two examples. Igoe has been CFRG co-chair for about two years, along with David A. McGrew of Cisco Systems.
Igoe's leadership had largely gone unnoticed until reports surfaced in September that exposed the role NSA agents have played in "deliberately weakening the international encryption standards adopted by developers." Until now, most of the resulting attention has focused on cryptographic protocols endorsed by the separate National Institute for Standards and Technology. More specifically, scrutiny has centered on a random number generator that The New York Times, citing a document leaked by former NSA contractor Edward Snowden, reported may contain a backdoor engineered by the spy agency.
Credit and debit card accounts stolen in the massive data breach that recently hit retail giant Target are flooding the underground markets frequented by criminals, who are paying as much as $100 per card, according to KrebsonSecurity reporter Brian Krebs.
In a post published Friday, Krebs said he first learned of the breach after a fraud analyst at a major bank said his team bought a large number of the bank's cards on a well-known "card shop." The analyst's team was then able to work its way backward and independently confirm Target had been breached. Krebs went on to break the story, and Target eventually confirmed that about 40 million cards may have been compromised during a breach that extended from November 27 to December 15. In Friday's post, Krebs continued:
There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.
At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.
When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.
Krebs's account is consistent with the findings of fraud prevention service Easy Solutions. On Thursday, the company reported that its Detect Monitoring Service (DMS) had recently sensed some unusual activity.
10 tips for building secure mHealth apps
There are a number of tools within the infosec community that can be openly leveraged to help mitigate risks. Despite being relatively new, the iMAS library provides iOS developers with a set of easy-to-use tools to accomplish various security tasks in ...
"Информзащита": Invites participation in Infosec CTF
RB.ru - business network
The Infosec CTF information security competition will take place from 20 to 23 December 2013. The organizer is the company "Информзащита", with Check Point Software Technologies as technical partner. The winner ...
"Информзащита" invites you to take part in Infosec CTF
Posted by InfoSec News on Dec 20: http://www.csoonline.com/article/744905/inside-knowledge-likely-in-target-breach-experts-say
Posted by InfoSec News on Dec 20: http://www.nextgov.com/cio-briefing/wired-workplace/2013/12/dhs-opens-100-cyber-internships-college-students/75734/
Posted by InfoSec News on Dec 20: http://www.haaretz.com/news/diplomacy-defense/.premium-1.564492
Posted by InfoSec News on Dec 20: http://www.shanghaidaily.com/article/article_xinhua.aspx?id=188746
Posted by InfoSec News on Dec 20: http://arstechnica.com/security/2013/12/bitcoin-only-poker-site-resets-user-credentials-after-42000-passwords-leak/
2014 Predictions: Information Security
For the channel, even customers with reduced IT budgets still managed to find cash for information security products. According to analyst Canalys, even though global InfoSec spending had a healthy six percent growth, EMEA was the slowest-growing ...