Threat Level: green Handler on Duty: Brad Duncan

SANS ISC Information Security News


Popular News

16 hours ago Talk revealing p0wnable surveillance cams pulled after legal threat

The Register
Hard-coded creds, flaws galore, plague pricey peepers

Hack in the Box Swiss researcher Gianni Gnesa says the most popular network surveillance cameras currently sold on Amazon contain easily, remotely exploitable vulnerabilities that allow hackers to gain admin access and quietly peer through lenses.

13 hours ago Conviction Of Former Reuters Journalist 'Shows American Hacking Laws Are Broken'

Forbes
Matthew Keys' case proves yet again that the CFAA hacking laws are inappropriate and open up the possibility of excessive sentences, activists argue. Keys himself tells FORBES CFAA is being used to target journalists.

12 hours ago Top tips to stay safe on public Wi-Fi networks

ZDNet
There are a number of quick and easy ways to improve your personal privacy and safety when using public Internet services.

10 hours ago 5 Lessons From the Summer of Epic Car Hacks

WIRED

For the last three months, car hackers' terrifying abilities have been on full display. Now we filter out the fear and focus on what we've learned.

10 hours ago Information in Your Boarding Pass's Bar Code

Schneier blog

There's a lot of information, including the ability to get even more information.

Top News

9 hours ago Appetites for more: Government actions

SC Magazine
Cybersecurity is a technical challenge. But it also usually has a legal and regulatory aspect as well.

8 hours ago New Collision Attack Lowers Cost of Breaking SHA1

SecurityWeek

A team of researchers has demonstrated that the cost of breaking the SHA1 cryptographic hash function is lower than previously estimated, which is why they believe the industry should accelerate migration to more secure standards.

7 hours ago Hackers in China, South Korea, Germany targeted Clinton's server: AP

Yahoo Security

Computer hackers in China, South Korea and Germany tried to attack Democratic presidential candidate Hillary Clinton's private email server after she left the U.S. State Department in February 2013, the Associated Press reported on Thursday. "It was not immediately clear whether the attempted intrusions into Clinton's server were serious espionage threats or the sort of nuisance attacks that hit computer servers the world over," the AP said, citing a congressional document. In a letter to Secnap Network Security Corp, which provided the threat monitoring product connected to the server, U.S. Senate Homeland Security and Government Affairs Committee Chairman Ron Johnson, a Wisconsin Republican, asked the Florida-based cyber security company for documents related to its work with Clinton's server.

1 day ago Do not throw that boarding pass away. Shred it.

IT Toolbox Blogs
Read this before you throw away another boarding pass! What's in a Boarding Pass Barcode? A Lot

1 day ago Angler Ransomware Campaign Disrupted

InfoRiskToday
Cybercriminals Earned Millions Annually, Cisco Says

A cybercrime ring that employed the Angler Exploit Kit to earn an estimated $34 million per year - from ransomware infections alone - has been disrupted by security researchers at Cisco's Talos security intelligence and research group.

1 day ago Passing the Sniff (Snort) Test

SANS Reading Room
They go by several names: Bloatware. Trialware. Pre-installation-ware. Some of them are completely innocuous. Many are designed to automate harvesting of information from the user. The line between these "unwantedware" and malware is thinning. Whether they arrive in our networks from a less-than-perfect supply chain, or as a natural result from Bring-Your-Own-Device (BYOD) policies, or even as an aggressive customer support "service" from the manufacturer, unwantedware shall exist. On the best of days, network defenders will identify, mitigate, and remove said software from their organization in the hopes that it cannot come back. Unfortunately, these herculean efforts are not enough. Users will ignore warnings from the security administrators. Users will pay lip service to the security training their organization provides. Users will rationalize intrusions into their devices through a myriad of worthless excuses: "I'm really boring", or "Anyone who wants to spy on me will have a lot of nothing to do", or "I'm really ugly, turning on my webcam would hurt THEM." Time and again users have shown that they are incapable of understanding the risks involved, they must be trained to dislike being spied on. In this paper we will examine unwanted data exfiltrations initiated by software we are told to trust, be it prepackaged software, chatty smartphone apps, or smart television applications. We will also present methods for detecting said exfiltrations, determining what data is being sent, and alerting the user in a meaningful way.

12 hours ago SHA1 algorithm securing e-commerce and software could break by year's end

ArsTechnica
Researchers warn widely used algorithm should be retired sooner.

1 day ago Pro tip: How to create a stronger passcode in iOS 9

TechRepublic
Security-conscious iOS 9 changes let you secure your devices even more. Cory Bohon shows you how it's done.

Latest News

6 hours ago Microsoft: Forcing us to share data will harm US-EU relations

ZDNet
The company has already been served a contempt of court order for refusing to hand over the foreign data to the US government.

7 hours ago Akhter twins sentenced to prison for hacking State Dept.

SC Magazine
Twin brothers Muneeb and Sohaib Akhter were sentenced to prison by the Eastern District of Virginia for an array of offenses, including conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, conspiracy to access a government computer without authorization, and obstruction of justice.

8 hours ago Webcam spyware voyeur sentenced to community service

The Register
Nabbed in operation targeting 'low-skilled' crooks

A UK voyeur who hacked webcams to spy on victims has avoided going to prison for his crimes.

8 hours ago High-Tech Bridge identifies XSS vulnerability in WordPress plugin

SC Magazine
IT security company High-Tech Bridge issued a security advisory on Wednesday for two reflected cross-site scripting (XSS) vulnerabilities in the Calls to Action WordPress plugin.

8 hours ago Microsoft Pays $24,000 To Researcher For Preventing Dangerous Outlook Worm

Forbes
Webmail security sucks. But at least researchers can make big money by making a mockery of it, thanks to Microsoft's generous bug bounty program.

5 hours ago SHA-1 Freestart Collision

Schneier blog

There's a new cryptanalysis result against the hash function SHA-1:

Abstract: We present in this article a freestart collision example for SHA-1, i.e., a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days of computation on a 64 GPU cluster were necessary to perform the attack. This work builds on a continuous series of cryptanalytic advancements on SHA-1 since the theoretical collision attack breakthrough in 2005. In particular, we extend the recent freestart collision work on reduced-round SHA-1 from CRYPTO 2015 that leverages the computational power of graphic cards and adapt it to allow the use of boomerang speed-up techniques. We also leverage the cryptanalytic techniques by Stevens from EUROCRYPT 2013 to obtain optimal attack conditions, which required further refinements for this work. Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1.

However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational/financial cost required by a SHA-1 collision computation. These projections are significantly lower than previously anticipated by the industry, due to the use of the more cost efficient graphics cards compared to regular CPUs. We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 soon. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before example signature forgeries appear in the near future. With our new cost projections in mind, we strongly and urgently recommend against a recent proposal to extend the issuance of SHA-1 certificates by a year in the CAB/forum (the vote closes on October 16 2015 after a discussion period ending on October 9).

Especially note this bit: "Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks." In other words: don't panic, but prepare for a future panic.

This is not that unexpected. We've long known that SHA-1 is broken, at least theoretically. All the major browsers are planning to stop accepting SHA-1 signatures by 2017. Microsoft is retiring it on that same schedule. What's news is that our previous estimates may be too conservative.

There's a saying inside the NSA: "Attacks always get better; they never get worse." This is obviously true, but it's worth explaining why. Attacks get better for three reasons. One, Moore's Law means that computers are always getting faster, which means that any cryptanalytic attack gets faster. Two, we're forever making tweaks in existing attacks, which make them faster. (Note above: "...due to the use of the more cost efficient graphics cards compared to regular CPUs.") And three, we regularly invent new cryptanalytic attacks. The first of those is generally predictable, the second is somewhat predictable, and the third is not at all predictable.

Way back in 2004, I wrote: "It's time for us all to migrate away from SHA-1." Since then, we have developed an excellent replacement: SHA-3 has been agreed on since 2012, and just became a standard.

This new result is important right now:

Thursday's research showing SHA1 is weaker than previously thought comes as browser developers and certificate authorities are considering a proposal that would extend the permitted issuance of the SHA1-based HTTPS certificates by 12 months, that is through the end of 2016 rather than no later than January of that year. The proposal argued that some large organizations currently find it hard to move to a more secure hashing algorithm for their digital certificates and need the additional year to make the transition.

As the paper's authors note, approving this proposal is a bad idea.

More on the paper here.
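The abstract above draws a line between a "freestart" collision (a collision of SHA-1's internal compression function, where the attacker also chooses the 160-bit chaining value fed into it) and a real SHA-1 collision (which must start from the fixed standard IV). The SecurityWeek and Ars Technica items earlier on this page report the same result. The following is an added illustration, not code from Schneier's post, from the paper, or from any project it names: a from-scratch SHA-1 with the compression function exposed, checked against hashlib, plus predicates that state the two notions precisely and show the Merkle-Damgård chaining step that makes a fixed-IV collision extend to arbitrarily many colliding documents. It contains no colliding pair; the function names and the sample inputs are this example's own.

```python
"""SHA-1 with its compression function exposed (added example, not from the page).

A freestart collision is compress(cv1, m1) == compress(cv2, m2) with the attacker
choosing cv1 and cv2 as well as the blocks. A real collision needs both chains to
start from SHA1_IV. Everything below is standard FIPS 180-4 SHA-1; the only
additions are the predicates and the chaining demonstration.
"""
import hashlib
import struct

# Standard SHA-1 initial chaining value (FIPS 180-4).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(cv, block):
    """One SHA-1 compression: 160-bit chaining value + 64-byte block -> 160-bit value.

    All 80 steps; this is the function the freestart attack collides.
    """
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):  # message schedule
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = cv
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining value back in.
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))


def pad(message, already_hashed=0):
    """Merkle-Damgard strengthening: 0x80, zeros to 56 mod 64, 64-bit big-endian bit length.

    already_hashed: bytes already absorbed by earlier blocks, so the length field is right
    when hashing continues from a saved chaining value.
    """
    bit_len = (already_hashed + len(message)) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def digest_bytes(cv):
    """Serialise a chaining value as the 20-byte big-endian digest."""
    return b"".join(struct.pack(">I", x) for x in cv)


def sha1_from(cv, message, already_hashed=0):
    """Iterate compress over the padded message starting from chaining value cv."""
    padded = pad(message, already_hashed)
    for i in range(0, len(padded), 64):
        cv = compress(cv, padded[i:i + 64])
    return digest_bytes(cv)


def sha1(message):
    """Real SHA-1: the chain always starts from the fixed standard IV."""
    return sha1_from(SHA1_IV, message)


def matches_hashlib(message):
    """Sanity check of this implementation against the platform SHA-1."""
    return sha1(message) == hashlib.sha1(message).digest()


def is_freestart_collision(cv1, m1, cv2, m2):
    """Attacker chose both chaining values and both blocks; outputs equal, inputs differ."""
    return (cv1, m1) != (cv2, m2) and compress(cv1, m1) == compress(cv2, m2)


def is_real_collision(m1, m2):
    """Two distinct messages, both hashed from SHA1_IV, with the same digest."""
    return m1 != m2 and sha1(m1) == sha1(m2)


def collision_extends(cv1, m1, cv2, m2, suffix):
    """Merkle-Damgard chaining: once two one-block prefixes reach the same chaining value,
    any common suffix keeps the digests equal. This is what turns one real collision into
    unlimited colliding documents. A freestart pair only plugs in if cv1 == cv2 is a value
    the real chain actually reaches (for a first block, SHA1_IV itself)."""
    d1 = sha1_from(compress(cv1, m1), suffix, already_hashed=64)
    d2 = sha1_from(compress(cv2, m2), suffix, already_hashed=64)
    return d1 == d2
```

The `already_hashed` parameter in `pad` is what lets a chain be resumed from a saved chaining value; the same mechanism is why Merkle-Damgård hashes admit length-extension and why a single-block collision from the real IV, once found, is reusable under every common suffix. A freestart collision under an attacker-chosen IV does not chain into a real SHA-1 computation, which is exactly the caveat the abstract makes; the cost projections are the reason the caveat is not reassuring.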

5 hours ago DHS cybersecurity mandates get push in House

SC Magazine
The Department of Homeland Security (DHS) will be required to put in place a formal cybersecurity strategy, following passage earlier this week of a House bill.

9 hours ago New mystery Windows-smashing RAT found in corporate network

The Register
Tin foil VXer wraps new Trojan in cloak and evasion tricks

Malware man Yotam Gottesman has found a somewhat mysterious remote access Trojan on a corporate network that sports highly capable evasion techniques.

9 hours ago The fake LinkedIn recruiter network hackers are using to reel in business users

ZDNet
Hackers known to use Zeus malware to hack critical infrastructure targets have developed an elaborate network of fake recruiter profiles for phishing on LinkedIn.

10 hours ago More start menu tricks for Windows 10

IT Toolbox Blogs
Some more tips on customizing and using Windows 10

10 hours ago Windows 10 Resources from Toymaster

IT Toolbox Blogs
Toymaster has published a handy compilation of resources for Windows 10. Hope it helps. Windows 10 Resources

5 minutes ago Phone-fondling docs, nurses sling patient info around willy-nilly

The Register
Anyone ever heard of encryption?

UK doctors and nurses routinely share sensitive patient information via their smartphones, we're told.

38 minutes ago Analyzing ONC's Interoperability Roadmap

InfoRiskToday
10-Year Plan Shines Spotlight on Privacy, Security Challenges

The protection of patients' health data is a fundamental principle deeply woven throughout federal regulators' new 10-year roadmap for interoperable health data exchange. While some experts say the plan is on the right track, others say more work is needed.

1 hour ago Why the Pending U.S. EMV Liability Shift Deadline Is Almost Meaningless

InfoRiskToday

The shift to the EMV standard in the U.S. has drawn incredible media attention for more than a year as everyone witnesses the approach of the looming liability shift deadline. But what does it really mean for merchants, consumers, and hackers? I say the answer is actually very little, and in as few words as possible, I will tell you why.

1 hour ago Cloud Security: Job Opportunities

InfoRiskToday
With organizations increasingly moving to the cloud, more security professionals are needed to help secure those environments as well as manage incident response. Cloud forensics expert Neha Thethi outlines must-have skills, qualifications and certifications.

1 hour ago WikiLeaks Wants to Pay $50K for Video of the Kunduz Hospital Bombing

WIRED

The secret-spilling group is ramping up its leak bounty program.

2 hours ago How to Assess Voice Quality on a VOIP Network

IT Toolbox Blogs
When using a landline telephone, most people don't really think about quality unless they are on their cellphone and notice a drop in service.

2 hours ago WikiLeaks Wants to Pay $50K for Video of the Kunduz Bombing

WIRED

The secret-spilling group is ramping up its leak bounty program.

2 hours ago Backdoor infecting Cisco VPNs steals customers' network passwords

ArsTechnica
Dozens of successful attacks detected that install malicious code on company portals.

4 hours ago Attackers Target Organizations via Cisco WebVPN

SecurityWeek

A Cisco VPN product has been targeted by malicious actors looking to steal sensitive credentials and maintain access to compromised networks, according to incident response and threat intelligence company Volexity.

6 hours ago Threat Intelligence is Not Intellectual Property

SecurityWeek

That the breadth and depth of threat intelligence is a primary differentiating factor for security vendors is a widely held assumption in the security industry, one that we collectively need to disprove and change our perspective on.

6 hours ago Clinton server hack attempts came from China, Korea, Germany

Yahoo Security

WASHINGTON (AP) - Hillary Rodham Clinton's private email server, containing an electronic inventory of some 55,000 pages of emails from her stint as secretary of state, was repeatedly hit by attempted cyberattacks originating in China, South Korea and Germany in 2014, according to a congressional document obtained by The Associated Press.

9 hours ago What C-Suite Executives Need To Know About Digital Strategy and Emerging Technologies

Forbes
I sit in the C-Suite. (Not now, but I used to.) I am not the CIO or CTO. (Not now, but I used to be.) I am a retailer (for my purposes here). I was just asked three questions at an investor conference: "What's your technology plan?" "What new technologies are you tracking?" "How will these [...]

10 hours ago The Aristocratic Roots Of The European Obsession With Privacy

Forbes
The European concept of "privacy" has a lot more to do with controlling one's image than with keeping the government from snooping on your affairs.

11 hours ago Fretting about Stagefright on Galaxy S5? CyanogenMod's stable release has a fix

ZDNet
CyanogenMod has squished both Stagefright bugs in its latest stable release of the custom ROM.