Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Information Security News - SANS Internet Storm Center Information Security News



Popular News

15 hours ago Tackling Quantum Computing Threats to Cryptography

InfoRiskToday
Within the next 20 years, quantum computing could be applied to easily crack current approaches to cryptography, according to the National Institute of Standards and Technology, which already is beginning work on new approaches to encryption that can withstand the power of quantum computing.

13 hours ago Military tests unmanned ship designed for seafaring missions

Yahoo Security

SAN DIEGO (AP) - The military is starting tests on the world's largest unmanned surface vessel - a self-driving, 132-foot ship designed to travel thousands of miles out at sea without a single crew member on board.

15 hours ago Why did Radiohead erase itself from the internet?

Yahoo Security
U.K. band Radiohead are known for doing things unconventionally, but they're also incredibly shrewd marketers who know how to build up hype for themselves and their music. Roughly nine years ago, for example, the band shocked the world by announcing that fans could pay whatever they wanted for the album In Rainbows, which was released directly over the band's website. Now it seems Radiohead is engaging in another zany stunt to promote its upcoming ninth studio album by completely erasing its presence online. FROM EARLIER: 'Captain America: Civil War' hits $200M at the box office before U.S. premiere. As The Guardian points out, "a visit to Radiohead.com on Sunday offered viewers only a blank page, while the band's six-year-old Twitter feed was also empty... on Facebook, nearly 12 million users 'like' a page with nothing on it." Radiohead have also been sending out leaflets to fans via snail mail, which suggests the band is trying to rely on old-school technology to build up hype for its new release. Maybe the band will have carrier pigeons deliver vinyl copies of the album to everyone who preorders it by contacting them over ham radio? At any rate, one of the better songs from Radiohead's Kid A was called "How to Disappear Completely," and it seems appropriate to give it a listen in light of the band's disappearance from social media. https://www.youtube.com/watch?v=lAF8D0ugyVk

13 hours ago Bitcoin Claim Ripples Through Virtual Currency World

SecurityWeek

The world of virtual currencies was stunned Monday when Australian entrepreneur Craig Wright claimed to be the creator of the Bitcoin.

8 hours ago Miniature car maker drops massive malware

The Register
Unpatched Joomla possible entry point for Angler, Cryptxxx combo

Popular die cast car manufacturer Maisto has been slinging the deadly Angler exploit kit which in turn installs the Cryptxxx ransomware on victim machines.

Top News

16 hours ago 3 CRM Blunders You Need to Avoid

IT Toolbox Blogs

The global CRM industry is expected to swell to $36.5 billion by 2017 as more companies use this software to harvest data, generate leads and improve their bottom line. Despite this exponential growth, many marketers don't know how to utilize their software, leading to frustration when CRM doesn't provide the results brands expect. Simple CRM mistakes could cost you, leaving you with a system that

11 hours ago Time for Australia to build a cybersecurity industry: Stone & Chalk

ZDNet
Fintech incubator Stone & Chalk believes there is an opportunity for Australia to lead in the cybersecurity space both locally and internationally.

3 hours ago Facebook Rewarded 10-Year-Old With $10,000 For Hacking Instagram

Forbes
Youngest ever recipient of a Facebook bug bounty was able to delete Instagram comments.

1 hour ago Case Study: How CIS Controls Can Limit the Cascading Failures During an Attack

SANS Reading Room
Every day it seems that new information becomes public about the latest data breach.

1 day ago Vulnerabilities in Samsung's SmartThings

Schneier blog

Interesting research: Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, "Security Analysis of Emerging Smart Home Applications":

Abstract: Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such emerging smart home programming platform. We analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks. SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform. Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes. We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks.

Research website. News article -- copy and paste into a text editor to avoid the adblocker blocker.

21 hours ago Samsung Smart Home flaws let hackers make keys to front door

ArsTechnica
Don't rely on SmartThings for anything security related, researchers warn.

Latest News

6 hours ago Google Patches 40 Vulnerabilities in Android

SecurityWeek

Google's May 2016 security update for the Android operating system patches a total of 40 vulnerabilities, including many rated critical and high severity.

8 hours ago Move over drones, driverless cars -- unmanned ship up next

Yahoo Security

SAN DIEGO (AP) - It's not only drones and driverless cars that may become the norm someday - ocean-faring ships might also run without captains or crews.

35 minutes ago Tagging Data to Prevent Data Leakage (Forming Content Repositories)

SANS Reading Room
In order to protect sensitive data, it must be secured at rest, during transit and when in use (Aaron, 2013).

49 minutes ago Does piracy pay? Not for the Pirate Bay

ZDNet
Copyright holder arguments concerning revenue might not hold up when you see how much the Pirate Bay earns per day in donations.

1 hour ago SmartThings Flaws Expose Smart Homes to Hacker Attacks

SecurityWeek

A team of researchers from the University of Michigan and Microsoft conducted an analysis of a smart home platform from Samsung-owned SmartThings and discovered vulnerabilities that could be exploited for remote attacks. SmartThings says it has taken steps to address the flaws, but downplayed the risk.

1 hour ago Mexico, on the Edge of Now

Forbes
This article was originally published at Stratfor.com. By Reva Goujon I recommend never leaving for a trip without bringing a literary companion along. If an onslaught of meetings awaits me at my destination, a collection of short stories or some poetry will do a fine job of filling the crevices of a [...]

1 hour ago 10-Year-Old Hacks Instagram; Wins $10K From Facebook

Forbes
Youngest ever recipient of a Facebook bug bounty was able to delete Instagram comments.

1 hour ago Registration for 2016 ICS Cyber Security Conference Now Open

SecurityWeek

Largest and Longest Running ICS Cyber Security Conference Opens Registration for 2016 Event

1 hour ago Enterprise Survival Guide for Ransomware Attacks

SANS Reading Room
Ransomware or cryptolocker is a type of malware that can be covertly installed on a computer without knowledge or intention of the user.

2 hours ago 10-Year-Old Hacks Instagram; Facebook Rewards Him $10K

Forbes
Youngest ever recipient of a Facebook bug bounty was able to delete Instagram comments.

3 hours ago Establishing a Brand: 3 Steps You Should Take

IT Toolbox Blogs
There are several important key factors that you have to cover, to simply have some chances of successfully creating a brand.

3 hours ago The subtext around accounting text in manual journals

IT Toolbox Blogs
This often slighted and overlooked characteristic of the manual journal is something that continues to plague every accounting system. Its immediate relevance is obscure, but in the long term you will be glad you incorporated long text into the posting.

3 hours ago Linux Foundation launches badge program to boost open source security

ZDNet
The initiative is designed to improve the security of open-source projects and push tech firms to adopt best practices.

4 hours ago Paying a PoS*, USA? Your chip-and-PIN means your money's safer...

The Register
... except not online. Sorry America

The value of online fraudulent transactions is expected to reach $25.6bn by 2020, up from $10.7bn last year, according to a new study from industry analysts Juniper Research. The researchers predict that by the end of the decade, $4 in every $1,000 of online payments will be fraudulent.

4 hours ago Is single sign-on the answer to your cloud computing security worries?

ZDNet
The downside of the cloud is a password and username overload -- but there are technologies available to help.

4 hours ago MongoDB on breaches: Software is secure, but some users are idiots

The Register
When will you lazy louts learn to configure your instances?

You shouldn't expect to see any end to data breaches caused by misconfigured instances of MongoDB soon, the company's strategy veep has told The Register.
