Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC Information Security News



Popular News

22 hours ago It's not just the app store - Google Play Books is crawling with scams too

Yahoo Security
As we've observed countless times, there are both pluses and minuses to the way Google handles allowing apps onto Google Play. On the plus side, it's insanely easy to get your app added. On the minus side, it's insanely easy for scammers to get malicious apps onto the store as well. Now Android Police has found that it's not just the app store that's a haven for scams - it's Google Play Books as well. Essentially, Android Police discovered that Play Books is loaded with books that are billed as supposed "guides" for games that promise cracked Android application packages (APKs) but that actually deliver malware and phishing scams. "After becoming aware of this problem, we spotted almost a dozen sellers of

1 day ago Google Fixes 51 Vulnerabilities With Release of Chrome 41

SecurityWeek

Chrome 41 is available for download. The latest version of Google's Web browser brings new apps and extension APIs, stability and performance improvements, and tens of security fixes.

19 hours ago Building Reliable Disk Volumes Part 1

IT Toolbox Blogs
RAID and Drive Redundancy. Redundant disk drives allow non-stop operation in case of a drive failure. The acronym RAID stands for Redundant Array of Inexpensive Disks. Six levels of RAID, 0 through 5, were defined in a paper published by the Universi...

Top News

1 day ago Powercat

SANS Reading Room
Powercat started as a proof-of-concept tool that I initially developed.

1 day ago D-Link removes fingers from ears, preps mass router patch

The Register
Amnesia strikes as hacker discloses remote code exec flaws

Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear.

11 hours ago Now Corporate Drones are Spying on Cell Phones

Schneier blog

The marketing firm Adnear is using drones to track cell phone users:

The capture does not involve conversations or personally identifiable information, according to director of marketing and research Smriti Kataria. It uses signal strength, cell tower triangulation, and other indicators to determine where the device is, and that information is then used to map the user's travel patterns.

"Let's say someone is walking near a coffee shop," Kataria said by way of example.

The coffee shop may want to offer in-app ads or discount coupons to people who often walk by but don't enter, as well as to frequent patrons when they are elsewhere. Adnear's client would be the coffee shop or other retailers who want to entice passersby.

[...]

The system identifies a given user through the device ID, and the location info is used to flesh out the user's physical traffic pattern in his profile. Although anonymous, the user is "identified" as a code. The company says that no name, phone number, router ID, or other personally identifiable information is captured, and there is no photography or video.

Does anyone except this company believe that device ID is not personally identifiable information?

10 hours ago Wireless Charging: A Surprising New Way To Track You

Forbes
One of the key vendors of wireless charging in public spaces is positioning itself as an intelligence gathering tool for Starbucks, airports and others. The price for watts will be your data.

8 hours ago How Secure Are You?

Dark Reading
The NIST Cybersecurity Framework can help you understand your risks.

8 hours ago DNS enhancement catches malware sites by understanding sneaky domain names

ArsTechnica
OpenDNS develops filter that can recognize exploit pages before they're served up.

7 hours ago Hillary Clinton's little email fuss: Beyond 'servers in the basement'

ZDNet
Did she do anything wrong? Were federal record-keeping laws broken? Was security compromised? Email expert and presidential scholar David Gewirtz deconstructs Hillary Clinton's emailgate.

5 hours ago FREAK flags are waving across the digital landscape

TechRepublic
FREAK flags are waving across the digital landscape, now that another SSL bug has appeared. Jack Wallen offers up his take on the latest flaw and how you can test your servers against the vulnerability.

5 hours ago Online Trust Alliance pens letter to Congress over federal data breach notification law

SC Magazine
The Online Trust Alliance (OTA) wrote a letter to Congress earlier this week in response to the recently proposed Personal Data Notification & Protection Act.

3 hours ago Clinton's Email Brouhaha and Politics

InfoRiskToday
Coverage Focus Segues from Secrecy to Security

Word that Hillary Clinton maintained a personal email server while secretary of state has elevated cybersecurity and privacy as political issues. But it's just the latest example of such issues grabbing the attention of U.S. voters.

3 hours ago "Developer Security Awareness: How To Measure"

Appsec Streetfighter Blog
In the previous post (What Topics To Cover), we laid the foundation for your developer security awareness-training program. Now let's talk about the metrics we can collect to help improve our program.

It's all about the metrics

As we previously mentioned, establishing a common baseline for the entire development team would be helpful. A comprehensive application security assessment should be performed before awareness training begins. For example, the SANS Software Security team has a free web-based security assessment knowledge check: http://software-security.sans.org/courses/assessment. A knowledge check such as this allows you to create a baseline, establish core strengths and weaknesses, and steer the types ...

1 day ago Why Clinton's Private Email Server Was Such a Security Fail

WIRED

Hillary Clinton's homebrew email solution potentially left the communications of the top US foreign affairs official vulnerable to state-sponsored hackers.

Latest News

17 minutes ago Mandarin Oriental Hotels Hit in Credit Card Breach

SecurityWeek

Mandarin Oriental Hotel Group has confirmed the credit card systems at a number of its hotels in the United States and Europe have been accessed by hackers.

54 minutes ago Clinton's use of private email spawns security, transparency debate

SC Magazine
Hillary Clinton used a private email account during her tenure as secretary of state.

54 minutes ago Android 'Gazon' worm proliferates through texts, infects more than 4k phones

SC Magazine
The worm has gained traction through spam text messages that promise users an Amazon gift card.

54 minutes ago Ramirez: FTC focus on data security, fraud, cross device tracking

SC Magazine
FTC Chairwoman Edith Ramirez says the agency will continue to ramp up its expertise to protect consumer privacy.

54 minutes ago How to Set Up PHP, HTML & MySql Development on Mac OS X

IT Toolbox Blogs
The following are instructions for setting up a development environment on a Mac that can be used for HTML, PHP and MySQL.

54 minutes ago The weak link in Apple Pay's strong chain is bank verification. Who's to blame?

ArsTechnica
Fraud on Apple Pay is identity-theft based, so banks and Apple Pay must work together.

1 hour ago Hillary Clinton email trove under review for release

Yahoo Security

WASHINGTON (AP) - The government will review a huge cache of Hillary Rodham Clinton's emails for possible release after revelations she conducted official business as secretary of state in the shadows of a private account. The disclosure has raised questions in the buildup to her expected presidential run about whether she adhered to the letter or spirit of accountability laws.

2 hours ago Why You Should Not Use The New Smartphone Fingerprint Readers

Forbes
New smartphone fingerprint authentication technology promises improvements over Apple's TouchID, but it still presents *serious* risks. Here is what you need to know.

2 hours ago Canadian bloke refuses to hand over phone password, gets cuffed

The Register
What the Canuck?

A 38-year-old Canadian citizen has been arrested for refusing to hand over his smartphone's password to border agents.

3 hours ago New Model Uses 'Malicious Language Of The Internet' To Find Threats Fast

Dark Reading
OpenDNS's new NLPRank tool may identify malicious domains before they are even put to nefarious use.

3 hours ago South Africa to investigate spy allegations

Yahoo Security
JOHANNESBURG (AP) - The South African government said Thursday that it is investigating allegations, posted on a website, that the head of the state watchdog agency and opposition figures spied for the U.S.

3 hours ago 'Building AI is like launching a rocket': Meet the man fighting to stop artificial intelligence destroying humanity

ZDNet
Skype's co-founder wants to keep humankind safe from the existential threats of artificial intelligence.

3 hours ago PoS Malware Family Targeting SMBs Operated Under the Radar

SecurityWeek
Point-of-sale (PoS) malware has become one of the chief weapons used by attackers to steal credit and debit card data, and now researchers at Trend Micro say they have found yet another threat to add to the list of tools in criminals' toolboxes.

3 hours ago Canadian bloke refuses to hand over phone password, gets arrested

The Register
What the Canuck?

A 38-year-old Canadian citizen has been arrested for refusing to hand over his smartphone's password to border agents.

3 hours ago How To Put People At The Center Of Enterprise Security

Forbes
By Paul Proctor and Tom Scholtz Gartner, Inc. Employees carry a range of mobile devices to work these days that they expect to connect to corporate email, sites and services. As an IT professional, you give them access, loaded with the latest security protocols. But how much of the real risk for [...]

4 hours ago Radware Introduces New DDoS Attack Mitigation Platform

SecurityWeek

Radware, a provider of application delivery DDoS attack protection solutions, this week unveiled its latest attack mitigation platform designed to help carriers and cloud providers protect against high volume DDoS attacks.

5 hours ago Emailgate: How media mistakes created Hillary Clinton's fake, fake identity

ZDNet
The media creates mythology. David Gewirtz looks at how the AP created a new, completely false Hillary Clinton myth about a fake identity, how it's sticking, and where it all went wrong.

5 hours ago Apple's rivals hope its Watch will boost their own wearable tech

Yahoo Security

By Harro Ten Wolde BARCELONA (Reuters) - Apple's rivals want to benefit from its magic, hoping that its long awaited new smartwatch will finally conjure demand for wearable technology that has so far generated more buzz about its potential than actual sales. Gizmos that users wear on their bodies have yet to live up to the hype as the next big thing in technology. "If Apple is successful, it'll create a rising tide that will lift the whole market," said Ben Wood, a top gadget reviewer at technology market research firm CCS Insight. His company predicts Apple will sell 20 million of its new smart watches this year, helping spur 150 percent growth in the wearable technology sector to 75 million gadgets, rising to 350 million by 2018.

5 hours ago Kony Visualizer puts mobile apps design control in hands of those closest to the business

IT Toolbox Blogs
Exploring the latest in enterprise mobility: advancements in application design and deployment technologies across the full spectrum of edge devices and operating environments.

5 hours ago The Year of the Linux Smart Phone

IT Toolbox Blogs
The "Year of the Linux desktop" has almost become a running joke in the Linux community. This idea refers to the year when Linux will claim the dominant market-share percentage from operating systems such as Windows and OS X. While I am not sure if Linux on the desktop will ever become dominant, one thing is for certain: Linux has already outpaced all of the other competitors in the mobile market.

6 hours ago How to Put People at the Center of Enterprise Security

Forbes
By Paul Proctor and Tom Scholtz Gartner, Inc. Employees carry a range of mobile devices to work these days that they expect to connect to corporate email, sites and services. As an IT professional, you give them access, loaded with the latest security protocols. But how much of the real risk for [...]

7 hours ago Emailgate: How media mythology created Hillary Clinton's fake, fake identity

ZDNet
The media creates mythology. David Gewirtz looks at how the AP created a new, completely false Hillary Clinton myth about a fake identity, how it's sticking, and where it all went wrong.

7 hours ago Sales up at NSA SIM hack scandal biz Gemalto

The Register
Dutch biz points to 'challenges' experienced last year

Sales at the world's biggest SIM card maker, Gemalto, which was last month revealed to have been hacked by the NSA and GCHQ, rose by five per cent to €2.5bn (£1.8bn) in 2014.

8 hours ago Which Apps Should You Secure First? Wrong Question.

Dark Reading
Instead, develop security instrumentation capability and stop wasting time on '4 terrible tactics' that focus on the trivial.

9 hours ago Experimental DNS catches malware sites by understanding sneaky domain names

ArsTechnica
OpenDNS develops filter that can recognize exploit pages before they're served up.

10 hours ago Bit9 CEO on Data Breach Defense

InfoRiskToday
The CEO of Bit9 speaks from experience: His firm was hacked, sensitive data stolen and customers put at risk. And what's happened since represents his mission to fend off attackers, even as they refine their hacks.

10 hours ago OCC Expands on Third-Party Cyber-Risks

InfoRiskToday
Director Offers Review of New Cyber-Resiliency Guidance

Kevin Greenfield, director of bank IT for the Office of the Comptroller of the Currency, says FFIEC agencies are working to help financial institutions shore up cybersecurity, and a big focus for regulators is third-party risks.