Hackin9

Bob Walder and Chris Morales of NSS Labs published an interesting brief. Based on last year's IPS, firewall and endpoint protection tests, the best device tested scored 98.5% effectiveness. While that is considered excellent, roughly 2 percent of attacks still make it through the perimeter and host-layer defences. Two of their proposals are to control the attacker by redirecting the attack to a target you can watch and control (i.e. tarpit the attacker), and to test your network regularly so that you find problems before someone else finds and exploits them.

They list several recommendations, but the one I think is worth focusing on is: "Prepare to operate at 60 percent capacity in order to withstand a breach, which will reduce, but not eliminate, critical services." [1]

It is very likely that such a reduction would affect users, customers and the business. Who is prepared to continue operating at 60% capacity without affecting the business or the bottom line?

The eleven-page report can be downloaded from [1]; the accompanying blog post is at [2].

[1] https://www.nsslabs.com/system/files/public-report/files/Cyber%20Resilience_0.pdf
[2] https://www.nsslabs.com/blog/cyber-resilience-%E2%80%93-it%E2%80%99s-not-98-you-catch-matters-it%E2%80%99s-2-you-miss

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
More than 1,000 major enterprise networks and small and medium businesses in the U.S. have been compromised by a recently discovered malware package called "Backoff" and are probably unaware of it, the U.S. Department of Homeland Security (DHS) said in a cybersecurity alert on Friday.
 
Google has acquired Gecko Design, which will become part of the Internet company's unit developing cutting-edge products like Glass and balloons for Internet access.
 
Oregon has filed a long-expected lawsuit against Oracle over its role developing the state's troubled health insurance exchange website.
 
Early sales of Apple's iPhone 6 will likely be 'tremendous,' buyback vendors said today, basing their predictions on recent activity by consumers locking in prices for their old smartphones.
 
It took some time and considerable internal effort, but SAP says it has made good on a pledge to simplify its software pricing and licensing model.
 
By electronically manipulating the flight muscles of moths, scientists are one step closer to creating biobots that could fly over a disaster area and spot survivors or hazards.
 
TimThumb 'timthumb.php' CVE-2010-5303 Cross Site Scripting Vulnerability
 
TimThumb 'timthumb.php' CVE-2010-5302 Cross Site Scripting Vulnerability
 
Widely accepted projections of a shortage of mobile spectrum may not be as dire as many analysts in the mobile and tech sectors are making it out to be, according to a new study.
 
Microsoft is helping hardware makers build low-priced Windows PCs to combat Chromebooks, and the early results of that effort are hitting the market.
 
ModSecurity 'mod_headers' module Security Bypass Vulnerability
 

Richard Porter --- ISC Handler on Duty

 
V8 JavaScript Engine Denial of Service Vulnerability
 
Google Android CVE-2013-6272 Remote Security Bypass Vulnerability
 

Richard Porter --- ISC Handler on Duty

 

Posted by InfoSec News on Aug 22

http://www.koreaherald.com/view.php?ud=20140822000949

By koreaherald.com
2014-08-22

Unidentified hackers, suspected to be based in China, have been caught
trying to steal data from media reporters covering South Korea's Ministry
of National Defense, ministry officials said Friday.

"We've confirmed that a handful of reporters covering the ministry have
received an e-mail which carries the malicious code this week," a...
 

For those of us who use GPUs to turn hashes back into passwords and other useful information, the folks at hashcat.net have released a new version of oclHashcat.

What's new?
Performance increases in almost every algorithm

New hashing algorithms:
md5($salt.md5($pass)) (added just for MediaWiki B)
MediaWiki B type
Kerberos 5 AS-REQ Pre-Auth etype 23 as fast algorithm (reimplementation)
Android FDE
scrypt
Password Safe v2
Lotus Notes/Domino 8

New parsers
Skype
PeopleSoft

Full release notes here: https://hashcat.net/forum/thread-3627.html
Download here:  http://hashcat.net/oclhashcat/
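To make the two MediaWiki-related entries in the list above concrete, here is an added example (not code from hashcat or from this diary) that builds both md5($salt.md5($pass)) and the MediaWiki ":B:" variant, md5($salt.'-'.md5($pass)), and runs a small wordlist against a constructed ":B:" hash the way a cracker would. The salt, password and wordlist are constructed for the example; the "$B$salt$hash" spelling accepted by the parser is my assumption about hashcat's input format, so check it against the tool's own documentation before relying on it.

```python
"""Constructed example: build and crack the two MediaWiki-related hash
formats listed in the release notes, in plain Python over a tiny wordlist."""
import hashlib


def md5_hex(data: bytes) -> str:
    """Lower-case hex MD5 of raw bytes."""
    return hashlib.md5(data).hexdigest()


def md5_salt_md5pass(salt: str, password: str) -> str:
    """md5($salt.md5($pass)): the salt is prepended to the hex MD5 of the
    password and the result is hashed again (listed as its own algorithm
    in the release notes, separate from MediaWiki B)."""
    inner = md5_hex(password.encode("utf-8")).encode("ascii")
    return md5_hex(salt.encode("utf-8") + inner)


def mediawiki_b(salt: str, password: str) -> str:
    """MediaWiki ':B:' scheme: md5($salt . '-' . md5($pass)).
    The only difference from md5_salt_md5pass() is the literal '-'."""
    inner = md5_hex(password.encode("utf-8")).encode("ascii")
    return md5_hex(salt.encode("utf-8") + b"-" + inner)


def mediawiki_b_line(salt: str, password: str) -> str:
    """Render the hash as stored in MediaWiki's user table: ':B:<salt>:<md5hex>'."""
    return f":B:{salt}:{mediawiki_b(salt, password)}"


def parse_mediawiki_b(line: str):
    """Split ':B:salt:hash' (MediaWiki's spelling) or '$B$salt$hash'
    (assumed cracker-input spelling) into (salt, hash); ValueError otherwise."""
    for sep in (":", "$"):
        parts = line.split(sep)
        if len(parts) == 4 and parts[0] == "" and parts[1] == "B":
            salt, digest = parts[2], parts[3].lower()
            if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
                return salt, digest
    raise ValueError(f"not a MediaWiki B hash: {line!r}")


def crack_mediawiki_b(line: str, wordlist):
    """Return the first candidate whose MediaWiki B hash matches, else None."""
    salt, digest = parse_mediawiki_b(line)
    for candidate in wordlist:
        if mediawiki_b(salt, candidate) == digest:
            return candidate
    return None


# Constructed sample: salt, password and wordlist chosen for this example,
# not taken from any real MediaWiki installation.
SAMPLE_SALT = "1a2b3c4d"
SAMPLE_LINE = mediawiki_b_line(SAMPLE_SALT, "hashcat")
SAMPLE_WORDLIST = ["password", "letmein", "hashcat", "qwerty"]

if __name__ == "__main__":
    print("target :", SAMPLE_LINE)
    print("cracked:", crack_mediawiki_b(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The point worth noticing in both constructions is that the inner md5($pass) does not depend on the salt, so when cracking many hashes from the same table the inner digest of each candidate is computed once and only the cheap outer MD5 is repeated per salt; that is part of why these schemes are "fast" hashes despite being salted.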

Posted on behalf of Rob.

~Richard

--Handler on Duty

 
The increased adoption of mobile, social and cloud computing is driving growth in security spending among organizations that are also becoming more aware of threats on all those fronts.
 
When a British Ars reader went to delete his Ashley Madison account, this is what he saw.

Earlier this week, Ars got an e-mail from a reader named Rob Plant. “I think most right-thinking people have been dismayed by the tactics of charging for picture take downs—what is worrying to me is that these practices now seem to have been taken up by more legitimate websites.”

Ars has long covered the scourge of “revenge porn,” in which seedy websites post revealing photos of unwilling people and then charge those victims a fee to take the photos down. But Plant was writing about a site called Ashley Madison, which markets itself as a dating website for married people to find accomplices in extra-marital affairs. (Its slogan is blunt: “Life is short. Have an affair.”) The website has been around since 2001, and although it's taken some guff for allegations that it populates its network with fake profiles of women, it still boasts 29 million users worldwide, most of whom are presumably not fake.

The way it works is this: Ashley Madison allows people to sign up for free with "Guest" accounts, which permit users to send and receive photos and “winks.” Guest accounts can also reply to messages sent by a member. To become a "Full Member," one must buy credits, as opposed to, say, paying a monthly subscription. Full Members can initiate messages and chats with their credits, and women can send messages “collect." After first contact (and guidelines of the Prime Directive permitting) messages between the two users are free.


 

Posted by InfoSec News on Aug 22

http://www.defenseone.com/technology/2014/08/amazon-expands-its-cloud-services-us-military/92090/

By Frank Konkel
Nextgov.com
August 21, 2014

Amazon Web Services has become the first commercial cloud provider
authorized to handle the Defense Department’s most sensitive unclassified
data.

Today’s announcement that AWS has achieved a provisional authority to
operate under DOD’s cloud security model at impact levels 3-5 is a major
win...
 

Posted by InfoSec News on Aug 22

http://www.infosecnews.org/sekurity-is-hard-technicaleducation-cisco-com-vulnerable-to-xss/

By William Knowles @c4i
Senior Editor
InfoSec News
August 22, 2014

On 21 August 2014 the security researcher E1337 reported to XSSposed
(XSS exposed) that technicaleducation.cisco.com has an XSS (Cross-Site
Scripting) vulnerability (the site currently has 2 vulnerabilities in
total reported by security researchers).

Cross-Site Scripting (XSS) inserts...
 

Posted by InfoSec News on Aug 22

http://www.govinfosecurity.com/interviews/michael-daniels-path-to-white-house-i-2422

By Eric Chabrow
Gov Info Security
August 21, 2014

Michael Daniel sees his lack of technical expertise in IT security as an
asset in his job as White House cybersecurity coordinator.

"Being too down in the weeds at the technical level could actually be a
little bit of a distraction," Daniel, a special assistant to the
president, says in an...
 

Posted by InfoSec News on Aug 22

http://www.reuters.com/article/2014/08/22/us-usa-crime-kleiner-idUSKBN0GM03J20140822

BY SARAH MCBRIDE
SAN FRANCISCO
Reuters.com
Aug 21, 2014

California detectives are investigating a July computer theft at storied
venture capital-firm Kleiner Perkins Caufield & Byers, a spokeswoman for
the Menlo Park police said on Thursday.

The theft may put Kleiner in jeopardy of losing valuable financial data
and making the firm the latest in a long...
 
[security bulletin] HPSBST03098 rev.1 - HP StoreEver MSL6480 Tape Library running OpenSSL, Remote Unauthorized Access or Disclosure of Information
 
[SECURITY] [DSA 3009-1] python-imaging security update
 
[CVE-2014-5335] CSRF in Innovaphone PBX
 
DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
 
A week after Microsoft pulled a Patch Tuesday update that crippled some Windows 7 PCs, the company has yet to provide a working fix for either the original flaw or the resulting problem.
 
With its exceptional build quality and outstanding (and flexible) display, Lenovo's new ThinkPad Yoga 11e Chromebook is a meaningful notch above the rest.
 
Want to Google the name of a restaurant in English and then ask for the weather in Japanese? On Android it no longer requires switching back and forth between language settings.
 
Some car manufacturers are delaying their rollout of CarPlay, the software platform from Apple that synchronizes an iPhone to a vehicle's infotainment system.
 
Given that at least five top-flight smartphones will be launched in September, would-be buyers will have plenty of choices.
 

Australian infosec spend to hit $1.9B in 2014: Gartner
ZDNet
Gartner has forecast that Australia's spending on information security this year will hit AU$1.9 billion, an increase of 13.5 percent over last year, and edge towards AU$2.1 billion in 2015. The Australian spending forecast comes as the IT research and ...
Worldwide infosec spending to grow in 2014 (Help Net Security)

 