Threat Level: green Handler on Duty: Russ McRee

SANS ISC Information Security News


Popular News

9 hours ago PagerDuty Warns Customers of Data Breach

SecurityWeek

San Francisco-based operations performance management company PagerDuty informed customers on Thursday that its systems were breached earlier this month.

7 hours ago Anti-Virus Firm BitDefender Admits Breach, Hacker Claims Stolen Passwords Are Unencrypted

Forbes
Romanian security firm BitDefender admits to being breached. Whilst it doesn't seem a significant amount of data has been leaked, it appears the anti-virus provider hadn't properly encrypted its customers' information.

1 day ago This Gadget Hacks GM Cars to Locate, Unlock, and Start Them

WIRED

Hacker Samy Kamkar shows that the problem of internet-connected cars being vulnerable to hacks just keeps getting bigger.


1 day ago Hackers Could Heist Semis by Exploiting This Satellite Flaw

WIRED

Remember the opening scene of the first Fast and Furious film? Heists like these could become easier to pull off.


1 day ago Major flaw could let lone-wolf hacker bring down huge swaths of Internet

ArsTechnica
Latest critical bug in widely used DNS server underscores its fragility.

Top News

5 hours ago Disaster Recovery and the Big Data Application -- Recovery Times

IT Toolbox Blogs

Recovery time requirements are also easily defined. The recovery process must have data available for analytics within about 24 hours time. Any longer, and the recovery site may not be able to catch up with the additional daily operational data that must now be loaded.

Database administrators should elicit basic recovery time and recovery point objectives for any big data

5 hours ago HAMMERTOSS: New Russian Malware

Schneier blog

FireEye has a detailed report of a sophisticated piece of Russian malware: HAMMERTOSS. It uses some clever techniques to hide:

The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.

That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.

Another article. Reddit thread.
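To make the command channel described above concrete, here is an added example: a small Python simulation of both ends of a HAMMERTOSS-style channel. It is not FireEye's code or analysis and not the malware itself. The seed, the handle-derivation scheme (an HMAC over the date), the hashtag layout (a decimal offset into the image followed by key characters) and the hash-based stream cipher are all assumptions made for this example; the report excerpt on the page gives none of those details. The "image" bytes, tweets and command are constructed inline so the script runs offline.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical per-sample seed baked into the implant (assumption, not from the report).
SEED = b"example-seed"
# Hypothetical base key for the embedded instructions (assumption).
BASE_KEY = b"example-base-key"


def daily_handle(day_iso: str, seed: bytes = SEED) -> str:
    """Handle the implant looks for on a given day (YYYY-MM-DD).

    Assumed scheme: a fixed prefix plus the first six hex digits of
    HMAC-SHA256(seed, date). Only the operator, who knows the seed, can
    pre-compute which handle to register for which day.
    """
    mac = hmac.new(seed, day_iso.encode(), hashlib.sha256).hexdigest()
    return "user" + mac[:6]


TWEET_RE = re.compile(r"(https?://\S+)\s+#(\w+)")
TAG_RE = re.compile(r"(\d+)(\w*)")


@dataclass
class Tasking:
    url: str          # where the image lives
    offset: int       # byte offset in the image where the ciphertext starts
    key_suffix: str   # characters appended to the base key for this tasking


def parse_tasking(tweet: str) -> Optional[Tasking]:
    """Pick out a URL plus hashtag; assumed hashtag layout '#<offset><key chars>'."""
    m = TWEET_RE.search(tweet)
    if not m:
        return None
    url, tag = m.groups()
    t = TAG_RE.fullmatch(tag)
    if not t:
        return None
    return Tasking(url, int(t.group(1)), t.group(2))


def _keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode (illustrative, not the real cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def embed_payload(image: bytes, command: str, key_suffix: str,
                  base_key: bytes = BASE_KEY) -> tuple:
    """Operator side: append the encrypted command after the genuine image bytes.

    Image viewers ignore trailing data, so the file still renders as a picture.
    Returns (stego_image, offset); the offset is what goes into the hashtag.
    """
    ks = _keystream(base_key + key_suffix.encode(), len(command))
    ct = bytes(a ^ b for a, b in zip(command.encode(), ks))
    return image + ct, len(image)


def decrypt_payload(image: bytes, offset: int, key_suffix: str,
                    base_key: bytes = BASE_KEY) -> str:
    """Implant side: recover the command from the tail of the downloaded image."""
    ct = image[offset:]
    ks = _keystream(base_key + key_suffix.encode(), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


def check_in(day_iso: str, accounts: Dict[str, List[str]],
             fetch: Callable[[str], bytes], base_key: bytes = BASE_KEY) -> Optional[str]:
    """One day's beacon, as the report describes it.

    Unregistered handle -> None (come back tomorrow). Registered handle ->
    scan its tweets for URL + hashtag, fetch the image, decrypt the command.
    """
    tweets = accounts.get(daily_handle(day_iso))
    if tweets is None:
        return None
    for tweet in tweets:
        task = parse_tasking(tweet)
        if task is not None:
            return decrypt_payload(fetch(task.url), task.offset, task.key_suffix, base_key)
    return None


if __name__ == "__main__":
    # Constructed sample data: a stub PNG header standing in for a real picture.
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
    stego, offset = embed_payload(fake_png, "collect *.docx; upload to cloud-drop", "q7")
    day = "2015-07-31"
    # Operator registers today's handle and posts the link plus hashtag.
    accounts = {daily_handle(day): ["nice weather", f"http://img.example/cat.png #{offset}q7"]}
    print(check_in(day, accounts, lambda url: stego))           # the command
    print(check_in("2015-08-01", accounts, lambda url: stego))  # None: handle not registered
```

On the defender's side the same description yields the detection hooks: a host that requests a different, often unregistered, Twitter profile once a day, then pulls an image from an unrelated site and shortly afterwards pushes data to a cloud storage service is worth a look even though each request on its own is unremarkable.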

4 hours ago Darknet site specialising in child sex abuse material taken down

SC Magazine
Details are emerging of the takedown of a Darknet site specialising in the distribution of child sexual abuse materials.

3 hours ago Patch Your GM OnStar iOS App To Avoid A Wireless Car Hack

WIRED

GM admits its fix for a wireless OnStar hack was incomplete and is urging iOS users to update their RemoteLink app.


3 hours ago Clearer, More Stringent Cybersecurity Rules for Government Contractors (July 30, 2015)

SANS Newsbites

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data.......

3 hours ago NY village makes ransom payments to keep computers running

Yahoo Security
ALBANY, N.Y. (AP) - A village in central New York made ransom payments of $300 and $500 last year to keep its computers running after two official-looking emails released malware throughout its system, state auditors said.

3 hours ago New attack on Tor can deanonymize hidden services with surprising accuracy

ArsTechnica
Deanonymization requires luck but nonetheless shows limits of Tor privacy.

2 hours ago Android Stagefright: Exit Stage Left

InfoRiskToday
Security Experts Defecting, Should Enterprises Reconsider? In the wake of the severe Stagefright flaw being discovered, numerous security-savvy experts say they now plan to ditch Android. Is it time for enterprises to start blocking unpatched Android devices?

21 minutes ago How blockchain is likely to transform IT and business

ZDNet
The technology underpinning the well-known cryptocurrency, Bitcoin, is really the star of the show. Here's why Blockchain will almost certainly lead to a digital transparency and trust revolution near you.

1 day ago Microsoft launches free, 90-day trial of Windows 10

CNET
It's the Windows 10 Enterprise edition, but it gives you a chance to test-drive the new OS before deciding if you really want to upgrade from Windows 7 or 8.1. However, there are some key drawbacks.

Latest News

20 minutes ago University of Connecticut says hit by hackers from China

Yahoo Security
By Richard Weizel MILFORD, Conn. (Reuters) - The social security numbers and credit card details of up to 6,000 University of Connecticut students, faculty and others may have been stolen by cyberhackers from China, the university said on Friday. Officials detected a potential breach of the School of Engineering's network in March and an investigation uncovered that hackers may have gained access to it as early as September, 2013, spokesman Tom Breen said. Breen said the hack has been traced to China "based on the type of cyber-attack that was launched, and the software used." He added the FBI and several state agencies have been notified.

20 minutes ago Optimizing Your Sales Pipeline with CRM

IT Toolbox Blogs

Your sales pipeline defines distinct stages of your sales process, from the time the lead goes into your system to the time they convert into a customer. It's essentially your revenue forecasting blueprint for the sales department. A customer relationship management (CRM) tool provides a number of benefits for your sales pipeline, such as analyzing prospects in each pipeline stage and determining

20 minutes ago Federal Court's data breach decision shows new tilt toward victims, class-action lawsuits

ZDNet
Federal courts are beginning to recognize the possibility of on-going harm to those who lose financial or personal data in a breach

20 minutes ago U.S. District Judge rules mobile-phone tracking does require a warrant

ZDNet
It's a tug of war for cell-phone privacy as U.S. District Judge Lucy Koh rules that mobile-phone tracking does require a warrant.

39 minutes ago Dozens of Clinton emails censored for security reasons

Yahoo Security

WASHINGTON (AP) - Dozens of emails that traversed Hillary Clinton's private, unsecure home server contain national security information now deemed too sensitive to make public, according to the latest batch of records released Friday.

46 minutes ago FDA warns of security flaw in Hospira infusion pumps

Yahoo Security
By Jim Finkle BOSTON (Reuters) - The U.S. Food and Drug Administration on Friday advised hospitals to stop using Hospira Inc's Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take control of the system remotely. The agency issued the advisory some 10 days after the U.S. Department of Homeland Security warned of the vulnerability in the pump, which is used to deliver medications directly into the bloodstream of patients. The FDA and DHS cited research from independent cyber security expert Billy Rios, who found that remote attacks could be launched on patients by accessing a hospital's network.

46 minutes ago Report delves into RAT videos on YouTube

SC Magazine
Remote Access Trojans (RATs) proliferate through YouTube tutorials and hacker forums, a new report from Digital Citizens Alliance suggested.

52 minutes ago How Do Hackers Learn Their Craft?

Forbes
How Do Hackers Learn Their Craft? This question was originally answered on Quora by Kim Guldberg.

1 hour ago The Benefits and Challenges of Mobile Passwords at Work

IT Toolbox Blogs

Businesses have reason to be worried about their data security. In just the past few years, major security breaches have hit companies like Target, Home Depot, Sony, Snapchat, and more. Even a minor attack can deal a lot of damage, not just to a company's data and infrastructure but to their reputation.

1 hour ago Tor Project, Library Freedom Project to establish Tor exit nodes in libraries

SC Magazine
Tor Project and Library Freedom Project aim to help library patrons and staff protect their right to digital free expression by creating Tor exit nodes in libraries.

1 hour ago PagerDuty requires password change for all customers following breach

SC Magazine
PagerDuty detected an unauthorized intrusion by an attacker who gained access to customer information.

1 hour ago Schneier Speaking Schedule

Schneier blog

I'm speaking at an Infoedge event at Bali Hai Golf Club in Las Vegas, at 5 PM on August 5, 2015.

I'm speaking at DefCon 23 on Friday, August 7, 2015.

I'm speaking -- remotely via Skype -- at LinuxCon in Seattle on August 18, 2015.

I'm speaking at CloudSec in Singapore on August 25, 2015.

I'm speaking at MindTheSec in São Paulo, Brazil on August 27, 2015.

I'm speaking on the future of privacy at a public seminar sponsored by the Institute for Future Studies, in Stockholm, Sweden on September 21, 2015.

I'm speaking at Next Generation Threats 2015 in Stockholm, Sweden on September 22, 2015.

I'm speaking at Next Generation Threats 2015 in Gothenburg, Sweden on September 23, 2015.

I'm speaking at Free and Safe in Cyberspace in Brussels on September 24, 2015.

I'll be on a panel at Privacy. Security. Risk. 2015 in Las Vegas on September 30, 2015.

I'm speaking at the Privacy + Security Forum, October 21-23, 2015 at The Marvin Center in Washington, DC.

I'm speaking at the Boston Book Festival on October 24, 2015.

I'm speaking at the 4th Annual Cloud Security Congress EMEA in Berlin on November 17, 2015.

2 hours ago OwnStar: Researcher hijacks remote access to OnStar [Updated]

ArsTechnica
Hack of OnStar Remotelink lets attacker unlock, remote-start, and track cars.

2 hours ago A New Hope for Victims of Data Breaches

WIRED

Victims of data breaches have a small reason to rejoice this week.


2 hours ago Patch Your OnStar iOS App to Avoid Getting Your Car Hacked

WIRED

GM admits its fix for a wireless OnStar hack was incomplete and is urging iOS users to update their RemoteLink app.


3 hours ago Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

SecurityWeek

Fingerprint access controllers developed by Taiwan-based Chiyu Technology are plagued by a vulnerability that could allow hackers to make it easier to open the doors protected by these devices, a researcher has warned.

3 hours ago Suspicious Safari Updates (July 29, 2015)

SANS Newsbites

Malwarebytes found that some shady websites are telling visitors that their versions of Safari are out of date and offering updates.......

3 hours ago French Television Broadcaster Still Feeling Fallout from April Cyberattack (July 30, 2015)

SANS Newsbites

French television broadcast company TV5Monde suffered a major cyber attack in April.......

3 hours ago Fix Available for Critical Vulnerability in BIND Servers (July 30, 2015)

SANS Newsbites

A vulnerability in the BIND DNS server software could be exploited to launch denial-of-service (DoS) attacks and take down large portions of the Internet.......

3 hours ago 10 Most Addictive Flash Games Ever Made

IT Toolbox Blogs
We all play them sometimes. You got some time to kill or want to relax a little, open up a fun game on the web and play it for a couple of minutes. Flash games are an important part of our daily web routine and we all love them.

5 hours ago Tech Experts Think You Should Take A Sledgehammer To Your Old Phone

Forbes
Every day, more than 80,000 used smartphones are for sale online. But if you wipe all your personal data from your phone, is it really gone and unrecoverable? Tech experts say no.

5 hours ago Could Facebook Sue The Police For Violating Its Terms Of Service?

Forbes
Last week, Facebook lost a bid to protect 381 users from search warrants issued by the Manhattan District Attorney in connection with an alleged Social Security disability fraud case. Facebook argued both that search warrants were overly broad and that the users in question should have been notified about them. [...]

7 hours ago Cisco Patches DoS Vulnerability in ASR Routers

SecurityWeek

Cisco has released software updates to address a high severity denial-of-service (DoS) vulnerability affecting Cisco ASR 1000 Series Aggregation Services Routers.

8 hours ago Tor connection vulnerability uncloaks hidden web services

ZDNet
Can "circuit fingerprinting" reveal the true location of Tor websites and services?

9 hours ago Banks Brace for Fraud Migration

InfoRiskToday
Julie Conroy of the Aite Group analyzes why a new report shows most top-tier North American banking institutions expect to increase their spending on online and mobile fraud mitigation in the next two years.

9 hours ago Unintentional Mistakes The Biggest Insider Threat: Survey

SecurityWeek

Contrary to many headlines across the cyber realm, not all security incidents are a result of malicious intent.

According to the results of a recent survey, 70 percent of U.S. survey respondents and 64 percent of German respondents said that more security incidents are caused by unintentional mistakes rather than intentional and/or malicious acts.

10 hours ago Back Doors Won't Solve Comey's Going Dark Problem

Schneier blog
At the Aspen Security Forum two weeks ago, James Comey (and others) explicitly talked about the "going dark" problem, describing the specific scenario they are concerned about. Maybe others have heard the scenario before, but it was a first for me. It centers around ISIL operatives abroad and ISIL-inspired terrorists here in the US. The FBI knows who the Americans are, can get a court order to carry out surveillance on their communications, but cannot eavesdrop on the conversations because they are encrypted. They can get the metadata, so they know who is talking to whom, but they can't find out what's being said. "ISIL's M.O. is to broadcast on Twitter, get people to follow them, then move them to Twitter Direct Messaging" to evaluate if they are a legitimate recruit, he said. "Then they'll move them to an encrypted mobile-messaging app so they go dark to us."

The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said. Even when the FBI demonstrates probable cause and gets a judicial order to intercept that communication, it cannot break the encryption for technological reasons, according to Comey.

If this is what Comey and the FBI are actually concerned about, they're getting bad advice -- because their proposed solution won't solve the problem. Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants' knowledge or consent; that's the "back door" we're all talking about. But the problem isn't that most encrypted communications platforms are securely encrypted, or even that some are -- the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.

Imagine that Comey got what he wanted. Imagine that iMessage and Facebook and Skype and everything else US-made had his back door. The ISIL operative would tell his potential recruit to use something else, something secure and non-US-made. Maybe an encryption program from Finland, or Switzerland, or Brazil. Maybe Mujahedeen Secrets. Maybe anything. (Sure, some of these will have flaws, and they'll be identifiable by their metadata, but the FBI already has the metadata, and the better software will rise to the top.) As long as there is something that the ISIL operative can move them to, some software that the American can download and install on their phone or computer, or hardware that they can buy from abroad, the FBI still won't be able to eavesdrop.

And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.

Convincing US companies to install back doors isn't enough; in order to solve this going dark problem the FBI has to ensure that an American can only use back-doored software. And the only way to do that is to prohibit the use of non-back-doored software, which is the sort of thing that the UK's David Cameron said he wanted for his country in January:

But the question is are we going to allow a means of communications which it simply isn't possible to read. My answer to that question is: no, we must not.

And that, of course, is impossible. Jonathan Zittrain explained why. And Cory Doctorow outlined what trying would entail:

For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.


This, then, is what David Cameron is proposing:

* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept.

* Any firms within reach of the UK government must be banned from producing secure software.

* All major code repositories, such as Github and Sourceforge, must be blocked.

* Search engines must not answer queries about web-pages that carry secure software.

* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services.

* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped.

* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software.

* Anyone visiting the country from abroad must have their smartphones held at the border until they leave.

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons.

* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright.

As extreme as it reads, without all of that the ISIL operative will be able to communicate securely with his potential American recruit. And all of this is not going to happen.

Last week, former NSA director Mike McConnell, former DHS secretary Michael Chertoff, and former deputy defense secretary William Lynn published a Washington Post op ed opposing back doors in encryption software. They wrote:

Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.

I believe this is true. Already one is being talked about in the academic literature: lawful hacking.

Perhaps the FBI's reluctance to accept this is based on their belief that all encryption software comes from the US, and therefore is under their influence. Back in the 1990s, during the First Crypto Wars, the US government had a similar belief. To convince them otherwise, George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today.

This essay previously appeared on Lawfare.

10 hours ago Anthem Attackers Tied to Espionage

InfoRiskToday
Attributing the Anthem, OPM and other breaches to specific attackers might be useful for government-level diplomatic efforts. But organizations must prioritize blocking all types of espionage and cybercrime attacks, says Symantec's Vikram Thakur.