Threat Level: green Handler on Duty: Rick Wanner

SANS ISC Information Security News


Popular News

21 hours ago Massive SIM card hack might have been too sophisticated to be caught in time

Yahoo Security
A new Snowden leak a few days ago revealed that the NSA and GCHQ conducted a complex hack operation that focused on obtaining the secure encryption keys that protect mobile communications in devices with SIM cards. A subsequent report revealed that the goal of spy agencies might have been a lot bigger, as they may have been hunting for other security keys that would let them deploy spyware on any mobile device with a SIM card inside, and users would have no idea that anything had happened.

FROM EARLIER: Gemalto confirms hack, but denies massive SIM keys theft

Gemalto acknowledged the hack, but downplayed it, saying it couldn't have resulted in a mass-theft of SIM card keys. The company also said that

1 day ago Mozilla Firefox 36 Patches Critical Security Issues

SecurityWeek

Mozilla patched multiple critical security vulnerabilities in the latest version of its Firefox browser.

19 hours ago China drops leading tech brands for certain state purchases

Yahoo Security

By Paul Carsten BEIJING (Reuters) - China has dropped some of the world's leading technology brands from its approved state purchase lists, while approving thousands more locally made products, in what some say is a response to revelations of widespread Western cybersurveillance. Others put the shift down to a protectionist impulse to shield China's domestic technology industry from competition. The lists cover smaller-scale direct purchases of technology equipment, and central government bodies can only buy items not on the list as part of a competitive tender process. Chief casualty was U.S. network equipment maker Cisco Systems Inc, which in 2012 counted 60 products on the Central Government Procurement Center's (CGPC) list, but had none left by late 2014, a Reuters analysis of official data shows.

15 hours ago TalkTalk admits massive data breach

The Register
Noticed an increase in scamming late last year

TalkTalk has admitted to a major breach of user information, which may have led to some customers handing over bank information to hackers.

14 hours ago Attackers Use Phishing Emails, Exploits to Hijack Routers

SecurityWeek

Cybercriminals have been hijacking the Internet connections of users in Brazil by modifying Domain Name System (DNS) settings in their routers, researchers at Proofpoint reported on Thursday.

Top News

1 hour ago NEWS ALERT: Hacktivists claim to have accessed files from private U.S.-based defense group

SC Magazine
A group identifying itself as CyberBerkut claimed, in an email to SC Magazine, to have gained access to files on the mobile device of a Green Group official.

1 day ago New iPhone or iPad? Change these iOS 8 privacy settings immediately

ZDNet
Before you sync your iCloud or reinstall your apps, you need to lock down your new iPhone or iPad. Here are the important tweaks you need to protect your privacy.

1 day ago Everyone Wants You To Have Security, But Not from Them

Schneier blog

In December, Google's Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else."

This surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck's show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can't have privacy without security, and I think we have glaring failures in computer security in problems that we've been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they're very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I'm not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data -- as long as you don't mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users' security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it's not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there's no security it can't break.

Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we're reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we're interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I'm not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those "someones" will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they're vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions -- yes, billions -- of cell phones worldwide. That was possible because we consumers don't want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We'll never solve these security problems as long as we're our own worst enemy. That's why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on

13 hours ago 20 epic Microsoft Windows Automatic Update meltdowns

IT Toolbox Blogs
Windows Update has been a blessing and, often, a curse. Many of us have lived through every one of these.

12 hours ago What is Gov't Role in Info Sharing?

InfoRiskToday
This year could mark a turning point for the sharing of threat intelligence, but only if the government is able to build a framework that instills private-sector trust, says threat researcher Lance James.

11 hours ago Debian security initiative for reproducible builds reaches milestone

TechRepublic
A Debian initiative for reproducible builds sheds light on the least transparent part of the open source development process. Find out what's been completed in this security project.

10 hours ago How To Sabotage Encryption Software (And Not Get Caught)

WIRED

When crypto researchers set out to discover the best way to undermine encryption software, they did so believing it would help them eradicate backdoors in the future. Here's what they found.


8 hours ago John Prisco Aims To Revolutionize Cyber Security By Attacking At The Source

Forbes
A Series of Forbes Insights Profiles of Thought Leaders Changing the Business Landscape:  John Prisco, CEO, Triumfant... What do Target, Home Depot, JP Morgan, eBay and Anthem Healthcare all have in common? These corporate giants have the dubious distinction of being victims of cyber attacks - security breaches in which data from hundreds [...]

5 hours ago FCC Passes Net Neutrality Rules (February 26, 2015)

SANS Newsbites

The US Federal Communications Commission (FCC) has passed net neutrality rules, which include reclassifying broadband as a telecommunications service; prohibiting broadband providers from throttling or speeding up connections for a fee; and prohibiting providers from making paid prioritization deals.......

4 hours ago Cyber Intelligence: Defining What You Know

Dark Reading
Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

1 day ago hijack reportedly pulled off by hack on upstream registrar

ArsTechnica
People used hack on to redirect Lenovo and Google traffic.

1 day ago SANS 2015 in Orlando Offers World-Class Cyber Security Training for InfoSec Professionals at All Levels

Yahoo News
BETHESDA, Md., Feb. 12, 2015 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced SANS 2015 in Orlando, FL taking place April 11 - 18. SANS 2015 is one of SANS' most extensive security training events and offers hands-on,...

Latest News

10 minutes ago New Xen vuln triggers Amazon, Rackspace reboot panic redux

The Register
Second hypervisor-related cloud meltdown in six months

Newly discovered vulnerabilities in the open source Xen virtualization hypervisor have once again sent major public cloud companies scurrying to patch and reboot their systems before attackers can pull off a massive exploit.

2 hours ago Uber Discloses Data Breach

SecurityWeek

New age transportation giant Uber said on Friday that a data breach may have allowed malicious actors to gain access to the driver's license numbers of roughly 50,000 of its drivers.

In a statement posted to the company's website on Friday, Uber said that it had identified a "one-time access of an Uber database" by an unauthorized third party in May 2014.

2 hours ago Researchers investigate link between Axiom spy group, Anthem breach

SC Magazine
Anthem breach investigators initially claimed that tools, linked exclusively to Chinese espionage attackers, were used against the health insurer.

2 hours ago Madonna hacker indicted in Israeli court

SC Magazine
An Israeli man was charged on four counts in a magistrate's court for hacking Madonna, stealing her unreleased music and selling it.

2 hours ago Uber admits database breach putting driver data at risk

ZDNet
Uber said it is notifying impacted drivers now, but it hasn't seen the compromised data actually misused yet.

2 hours ago Clapper: Cyberthreats to Worsen

InfoRiskToday
National Intelligence Director Blames Iran for Casino Hack

The director of national intelligence, James Clapper, paints a grim picture of the cyberthreats the nation faces, saying as bad as 2014 was, 2015 and the coming years will be worse.

3 hours ago Top Android tablets for children riddled with security lapses, study finds

SC Magazine
Bluebox Security analyzed the top nine Android tablets for children and found that the majority had multiple security issues that could put children's data at risk.

3 hours ago Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other

Schneier blog

Scientists are attaching cameras to Humboldt squid to watch them communicate with each other.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

4 hours ago Aspiring Israeli Singer Indicted for Hacking Madonna Since 2012

WIRED

An Israeli man arrested last month for allegedly hacking Madonna's private accounts and stealing demos of her unreleased album first began targeting the singer way back in 2012, according to authorities. He apparently hacked not only cloud storage accounts to steal and sell her music but also breached more than a dozen email accounts associated […]


4 hours ago Mobility moves from 'nice to have' to 'must have' for large US healthcare insurer

IT Toolbox Blogs
Learn how a large US insurance carrier has improved its applications' lifecycle to make enterprise mobility a must-have business strength.

4 hours ago Case Study II: Triple Flattening (LISTAGG UNIQUE, GROUPING SETS)

IT Toolbox Blogs
Flattening, or at least compacting, the query as well

5 hours ago Data and Goliath Book Tour

Schneier blog

Over the next two weeks, I am speaking about my new book -- Data and Goliath, if you've missed it -- in New York, Boston, Washington, DC, Seattle, San Francisco, and Minneapolis. Stop by to get your book signed, or just to say hello.

5 hours ago Breach costs at $162 million, Target reports

ZDNet
Retailer has collected $90 million in payouts on $100 million of network-security insurance coverage

5 hours ago China Removes Tech Companies from Approved for Government Use List (February 26, 2015)

SANS Newsbites

China has taken several high-profile US technology companies off its list of products approved for use by Chinese government agencies.......

5 hours ago Firefox 36 Addresses Critical Flaws, Adds Support for HTTP/2 (February 24, 25, & 26, 2015)

SANS Newsbites

Mozilla has released Firefox 36, which includes fixes for 17 security issues.......

5 hours ago WordPress Slimstat Plug-in Vulnerability (February 25 & 26, 2015)

SANS Newsbites

A vulnerability affecting the WordPress WP-Slimstat plugin could be exploited through SQL injection attacks to steal data from vulnerable sites.......

5 hours ago HP Buying Aruba? Waste of Money - Maybe

IT Toolbox Blogs
HP is probably already trapped in a perpetual catch-up treadmill behind Cisco/Meraki. Acquiring Aruba Networks will assist with market consolidation, but will certainly not fill the gap between their own product lines and Cisco's.

6 hours ago How to Sabotage Encryption Software (And Not Get Caught)

WIRED

When crypto researchers set out to discover the best way to undermine encryption software, they did so believing it would help them eradicate backdoors in the future. Here's what they found.


6 hours ago This One Clause In The New Net Neutrality Regs Would Be A Fiasco For The Internet

Forbes
I don't trust Internet Service Providers. I've focused much of my research since 2008 on ways in which the Internet fails due to ISP misbehavior, including detecting how ISPs can inject ads into content, how ISPs blocked BitTorrent, how ISPs have manipulated a key Internet protocol for ads and profit, [...]

6 hours ago Canadian Executive Lobbies To Ban VPN

Forbes
There are times in this world where I would like to read an article and say, "Yes, the Onion totally nailed it" and not discover afterwards that it in fact was a legitimate news piece. While a pair of Llamas had the world sitting on the edge of their seats [...]

7 hours ago What The Sony Hack Can Teach About Cyber Security

Forbes
Sony's misfortune could be a teaching experience for other businesses both big and small.

7 hours ago Network Vision Fixes Code Injection Vulnerability in IntraVUE Software

SecurityWeek

Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.

7 hours ago Lenovo Promises: No More Bloatware

InfoRiskToday
PC Maker Offers Clean Windows Builds, Full Transparency

Lenovo, the world's largest PC manufacturer, promises to stop preinstalling any software on its Windows laptops that doesn't need to be there. The move comes following security alerts relating to the Superfish adware the company had been preinstalling.

7 hours ago Panel Addresses Union Budget, Security

InfoRiskToday
Security leaders expect the new Union budget to give a needed boost to cybersecurity education, as well as increased investment in critical infrastructure, biometrics and surveillance to fight cybercrime.

7 hours ago Kaspersky Lab Launches Security Startup Accelerator

SecurityWeek

Security firm Kaspersky Lab officially announced a new initiative designed to support security startups and provide expertise and advice to foster much needed talent for the IT security industry.

8 hours ago Lenovo promises to stop bundling crapware on PCs

ZDNet
Following on from the Superfish debacle the company found itself embroiled in earlier this month, PC maker Lenovo is promising to bring an end to the practice of pre-loading crapware onto systems.

9 hours ago Lenovo: We SWEAR we're done with bloatware, adware and scumware

The Register
By Windows 10 launch our systems will be PURE, honest

Barely a week after the breaking of the Superfish scandal, Lenovo has done a complete reverse ferret on bloatware - promising that by the time Windows 10 comes out its systems will be as pure as they can be.