Threat Level: green Handler on Duty: Didier Stevens

SANS ISC Information Security News


Popular News

22 hours ago Judge throws antivirus patents back to Hell

The Register
Loss of two patents cripples case with Trend Micro, could slash Symantec payout

A US district court has torn the heart out of two patents wielded by Intellectual Ventures against two antivirus makers.

1 day ago Cybersecurity Law Is So Ridiculously Out Of Touch

Forbes
Cybersecurity legislation remains in a mess, with a mad dash to get it through risking serious problems.

1 day ago Pro tip: Three ways to gain (or prevent) admin access to OS X

TechRepublic
Jesus Vigo goes over three ways to recover admin access (or prevent unauthorized access) to OS X-based devices.

1 day ago The DHS brings its infantile, cyber-fantasy world to RSA 2015

ZDNet
OPINION: In his RSA 2015 keynote on national cybersecurity threats, Homeland Security head Jeh Johnson told an audience of cybersecurity experts something so wildly impossible, it almost went unnoticed.

1 day ago RSA 2015: Keynote addresses online safety risks to increasingly connected youths

SC Magazine
Technology can't replace the value of online safety education, the key to keeping kids out of predators' paths, panelists shared.

Top News

1 day ago Op-Ed: In defense of Tor routers

ArsTechnica
One InvizBox creator responds to assertion that Tor routers are "ridiculous."

1 day ago The Further Democratization of QUANTUM

Schneier blog

From Data and Goliath:

...when I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection -- basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. All of these existed before I wrote about QUANTUM. By using its knowledge to attack others rather than to build up the Internet's defenses, the NSA has worked to ensure that anyone can use packet injection to hack into computers.

And that's true. China's Great Cannon uses QUANTUM technology.

I continued:

Even when technologies are developed inside the NSA, they don't remain exclusive for long. Today's top-secret programs become tomorrow's PhD theses and the next day's hacker tools.

I could have continued: ...and the next day's homework assignment.

Michalis Polychronakis at Stony Brook has assigned building QUANTUM as a homework assignment. It's basically sniff, regexp match, swap sip/sport/dip/dport/syn/ack, set ack and push flags, and add the payload to create the malicious reply. Shouldn't take more than a few hours. Of course, it would take a lot more to make it as sophisticated and robust as what the NSA and China have at their disposal, but the moral is that we need to make the Internet secure against this kind of attack instead of pretending that only the "good guys" can use it effectively.

End-to-end encryption is the solution. Nicholas Weaver wrote:

The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.

Encryption doesn't just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.

There are many engineering and logistic difficulties involved in encrypting all traffic on the internet, but it's one we must overcome if we are to defend ourselves from the entities that have weaponized the backbone.


1 day ago Cybersecurity: Don't Bank On It With 3rd Parties

Dark Reading
Not knowing that a contractor's employee had access to system passwords is not a valid excuse when your client's records are stolen.

23 hours ago RSA Conference: Closing Thoughts

InfoRiskToday
ISMG Editors Share Final Insights on RSA Conference 2015. This year's event was bigger than ever, overwhelming to take in, and no single challenge, strategy or solution emerged as a top priority - very much a reflection of today's information security marketplace.

23 hours ago Understanding Global Differences in Data Breach Laws Critical to Incident Response

SecurityWeek

San Francisco -- RSA Conference 2015 -- Examine the Ponemon Institute's '2014 Cost of Data Breach Study' and it becomes clear there is a vast difference in the costs of dealing with a data breach in different parts of the world.

22 hours ago DoD's New 'Transparent' Policy on Cybersecurity Is Still Opaque

WIRED

When the U.S. Secretary of Defense Ashton Carter laid out the Pentagon's new cybersecurity strategy this week, few were expecting it to break news. And, indeed, his talk at Stanford's Hoover Institution on Thursday offered no surprises. But the secretary did set up an expectation during his speech on which he ultimately failed to deliver. […]


22 hours ago Five Things Small Business Needs to Know About Compliance

IT Toolbox Blogs

By Guest Blogger Vijay Krishna, CEO and founder of SysCloud


As regulations and laws become more and more complicated in almost all industries, companies are required to make all corporate activities and transactions comply with regulations relating to their business practices. Among

15 hours ago Why Groupon refused to pay a security researcher who discovered serious XSS bugs

Yahoo Security
It's very common these days for tech companies like Google and Microsoft to offer hackers and security researchers big bucks if they're able to find security vulnerabilities that could pose serious threats to important software and services. Google in particular often hosts its own hacking competition where the search giant puts millions of dollars on the line for anyone savvy enough to skirt around Google's built-in security schemes. Recently, one security researcher found a number of high-level vulnerabilities on Groupon's website. Groupon promptly patched the security holes but, as it turns out, is refusing to pay him. Here's why. A security researcher who goes by the name BruteLogic recently uncovered upwards of 32

19 hours ago US Military Using Tests To Identify Future Cyber Warriors (April 24, 2015)

SANS Newsbites

The services are slowly expanding their use of "psychometric" testing to help identify who is best suited to join the military's growing cyber force.......