SANS ISC

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • IT Audit
  • Computer Forensics
  • Software Security
  • Government OnSite Training

Information Security News

1 hour ago NEWS ALERT: Hacktivists claim to have accessed files from private U.S.-based defense group

A group identifying itself as CyberBerkut claimed, in an email to SC Magazine, to have gained access to files on the mobile device of a Green Group official.

1 hour ago An Overlooked Basis of Jurisdiction for Net Neutrality: The World Trade Organization Agreement on Basic Telecommunications Services

1 day ago New iPhone or iPad? Change these iOS 8 privacy settings immediately

Before you sync your iCloud or reinstall your apps, you need to lock down your new iPhone or iPad. Here are the important tweaks you need to protect your privacy.

1 day ago Everyone Wants You To Have Security, But Not from Them

In December, Google's Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else."

The surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck's show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can't have privacy without security, and I think we have glaring failures in computer security in problems that we've been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they're very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I'm not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data ­ as long as you don't mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users' security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it's not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there's no security it can't break.

Corporations want access to your data for profit; governments want it security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we're reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we're interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I'm not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those "someones" will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they're vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions ­ yes, billions ­ of cell phones worldwide. That was possible because we consumers don't want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We'll never solve these security problems as long as we're our own worst enemy. That's why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on Forbes.com.

13 hours ago 20 epic Microsoft Windows Automatic Update meltdowns

Windows Update has been a blessing and, often a curse. Many of us have lived thorough every one of these. 20 epic Microsoft Windows Automatic Update meltdowns

12 hours ago What is Gov't Role in Info Sharing?

This year could mark a turning point for the sharing of threat intelligence, but only if the government is able to build a framework that instills private-sector trust, says threat researcher Lance James.

11 hours ago Debian security initiative for reproducible builds reaches milestone

A Debian initiative for reproducible builds sheds light on the least transparent part of the open source development process. Find out what's been completed in this security project.

10 hours ago How To Sabotage Encryption Software (And Not Get Caught)

When crypto researchers set out to discover the best way to undermine encryption software, they did so believing it would help them eradicate backdoors in the future. Here's what they found.

The post How To Sabotage Encryption Software (And Not Get Caught) appeared first on WIRED.

8 hours ago John Prisco Aims To Revolutionize Cyber Security By Attacking At The Source

A Series of Forbes Insights Profiles of Thought Leaders Changing the Business Landscape:  John Prisco, CEO, Triumfant... What do Target, Home Depot, JP Morgan, eBay and Anthem Healthcare all have in common? These corporate giants have the dubious distinction of being victims of cyber attacks - security breaches in which data from hundreds [...]

5 hours ago FCC Passes Net Neutrality Rules (February 26, 2015)

The US Federal Communications Commission (FCC) has passed net neutrality rules, which include reclassifying broadband as a telecommunications service; prohibiting broadband providers from throttling or speeding up connections for a fee; and prohibiting providers from making paid prioritization deals.......

4 hours ago Cyber Intelligence: Defining What You Know

Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

1 day ago Lenovo.com hijack reportedly pulled off by hack on upstream registrar

People used hack on Webnic.cc to redirect Lenovo and Google traffic.

1 day ago SANS 2015 in Orlando Offers World-Class Cyber Security Training for InfoSec Professionals at All Levels

BETHESDA, Md., Feb. 12, 2015 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced SANS 2015 in Orlando, FL taking place April 11 - 18. SANS 2015 is one of SANS' most extensive security training events and offers hands-on,...

10 minutes ago New Xen vuln triggers Amazon, Rackspace reboot panic redux

Second hypervisor-related cloud meltdown in six months

Newly discovered vulnerabilities in the open source Xen virtualization hypervisor have once again sent major public cloud companies scurrying to patch and reboot their systems before attackers can pull off a massive exploit.

2 hours ago Uber Discloses Data Breach

New age transportation giant Uber said on Friday that a data breach may have allowed malicious actors to gain access to the driver's license numbers of roughly 50,000 of its drivers.

In a statement posted to the company's website on Friday, Uber said that it had identified a "one-time access of an Uber database" by an unauthorized third party in May 2014.

2 hours ago Researchers investigate link between Axiom spy group, Anthem breach

Anthem breach investigators initially claimed that tools, linked exclusively to Chinese espionage attackers, were used against the health insurer.

2 hours ago Madonna hacker indicted in Israeli court

An Israeli man was charged on four counts in a magistrate's court for hacking Madonna, stealing her unreleased music and selling it.

2 hours ago Uber admits database breach putting driver data at risk

Uber said it is notifying impacted drivers now, but it hasn't seen the compromised data actually misused yet.

2 hours ago Clapper: Cyberthreats to Worsen

National Intelligence Director Blames Iran for Casino HackThe director of national intelligence, James Clapper, paints a grim picture of the cyberthreats the nation faces, saying as bad as 2014 was, 2015 and the coming years will be worse.

3 hours ago Top Android tablets for children riddled with security lapses, study finds

Bluebox Security analyzed the top nine Android tablets for children and found that the majority had multiple security issues that could put childrens' data at-risk.

3 hours ago Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other

Scientists are attaching cameras to Humboldt squid to watch them communicate with each other.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

3 hours ago How I Accessed Uber's Admin Screens

4 hours ago Net neutrality could hinder efforts to safeguard Web, worry security experts

4 hours ago Aspiring Israeli Singer Indicted for Hacking Madonna Since 2012

An Israeli man arrested last month for allegedly hacking Madonna's private accounts and stealing demos of her unreleased album first began targeting the singer way back in 2012, according to authorities. He apparently hacked not only cloud storage accounts to steal and sell her music but also breached more than a dozen email accounts associated […]

The post Aspiring Israeli Singer Indicted for Hacking Madonna Since 2012 appeared first on WIRED.

4 hours ago Mobility moves from 'nice to have' to 'must have' for large US healthcare insurer

learn how a large US insurance carrier has improved its applications? lifecycle to make enterprise mobility a must-have business strength.

4 hours ago Case Study II: Triple Flattening (LISTAGG UNIQUE, GROUPING SETS)

Flattening, or at least compacting, the query as well

5 hours ago Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution

5 hours ago <i>Data and Goliath</i> Book Tour

Over the next two weeks, I am speaking about my new book -- Data and Goliath, if you've missed it -- in New York, Boston, Washington, DC, Seattle, San Francisco, and Minneapolis. Stop by to get your book signed, or just to say hello.

5 hours ago Breach costs at $162 million, Target reports

Retailer has collected $90 million in payouts on $100 million of network-security insurance coverage

5 hours ago China Removes Tech Companies from Approved for Government Use List (February 26, 2015)

China has taken several high-profile US technology companies off its list of products approved for use by Chinese government agencies.......

5 hours ago Firefox 36 Addresses Critical Flaws, Adds Support for HTTP/2 (February 24, 25, & 26, 2015)

Mozilla has released Firefox 36, which includes fixes for 17 security issues.......

5 hours ago WordPress Slimstat Plug-in Vulnerability (February 25 & 26, 2015)

A vulnerability affecting the WordPress WP-Slimstat plugin could be exploited through SQL injection attacks to steal data from vulnerable sites.......

5 hours ago HP Buying Aruba? Waste of Money - Maybe

HP is probably already trapped in a perpetual catch-up treadmill behind Cisco/Meraki. Acquiring Aruba Networks will assist with market consolidation, but will certainly not fill the gap between their own product lines and Cisco?s.

6 hours ago How to Sabotage Encryption Software (And Not Get Caught)

When crypto researchers set out to discover the best way to undermine encryption software, they did so believing it would help them eradicate backdoors in the future. Here's what they found.

The post How to Sabotage Encryption Software (And Not Get Caught) appeared first on WIRED.

6 hours ago This One Clause In The New Net Neutrality Regs Would Be A Fiasco For The Internet

I don't trust Internet Service Providers. I've focused much of my research since 2008 on ways in which the Internet fails due to ISP misbehavior, including detecting how ISPs can inject adds into content, how ISPs blocked BitTorrent, how ISPs have manipulated a key Internet protocol for ads and profit, [...]

6 hours ago Canadian Executive Lobbies To Ban VPN

There are times in this world where I would like to read an article and say, "Yes, the Onion totally nailed it" and not discover afterwards that it in fact was a legitimate news piece. While a pair of Llamas had the world sitting on the edge of their seats [...]

7 hours ago What The Sony Hack Can Teach About Cyber Security

Sony's misfortune could be a teaching experience for other businesses both big and small.

7 hours ago Network Vision Fixes Code Injection Vulnerability in IntraVUE Software

Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.

7 hours ago Lenovo Promises: No More Bloatware

PC Maker Offers Clean Windows Builds, Full TransparencyLenovo, the world's largest PC manufacturer, promises to stop preinstalling any software on its Windows laptops that doesn't need to be there. The move comes following security alerts relating to the Superfish adware the company had been preinstalling.

7 hours ago Panel Addresses Union Budget, Security

Security leaders expect the new Union budget to give a needed boost to cybersecurity education, as well as increased investment in critical infrastructure, biometrics and surveillance to fight cybercrime.

7 hours ago Kaspersky Lab Launches Security Startup Accelerator

Security firm Kaspersky Lab officially announced a new initiative designed to support security startups and provide expertise and advice to foster much needed talent for the IT security industry.

8 hours ago Lenovo promises to stop bundling crapware on PCs

Following on from the Superfish debacle the company found itself embroiled in earlier this month, PC maker Lenovo is promising to bring to an end to the practice of pre-loading crapware onto systems.

9 hours ago Lenovo: We SWEAR we're done with bloatware, adware and scumware

By Windows 10 launch our systems will be PURE, honest

Barely a week after the breaking of the Superfish scandal, Lenovo has done a complete reverse ferret on bloatware - promising that by the time Windows 10 comes out its systems will be as pure as they can be.