
Live Hacking Team Release Updated Linux Distro for Penetration Testing

The Live Hacking project, led by Dr. Ali Jahangiri, is pleased to announce an updated version of its security orientated Linux distribution the “Live Hacking DVD”. Designed for penetration testing and ethical hacking, the new release has updated over 140 packages including Metasploit and Firefox.
The Live Hacking Linux distribution is a ‘Live DVD’ meaning that it boots and runs directly from the DVD without needing to be installed on your hard disk. Once it starts you can use the included utilities to perform penetration tests and ethically hack on your own network to ensure that it is secure from outside intruders.
New in this release is Metasploit Framework 3.6 which can be used to test your network using the framework’s internal database of known weaknesses and exploits. New to V3.6 are post-exploitation modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges. V3.6 also adds 15 new exploits making a total of 648 exploit modules, 342 auxiliary modules and 23 post modules.
“The Live Hacking Linux distribution has been a great success. It is downloaded on average 50 times per day and we have had over 4,500 downloads in the first three months of this year alone.” said Dr. Ali Jahangiri the project leader. “We are keen to keep the distro up to date and we are planning to add more features and tools in the future.”
The Live Hacking DVD is part of the Live Hacking family which includes the LiveHacking.com security and penetration testing website. LiveHacking.com is an essential resource for security professionals and those wishing to educate themselves about security. The web site has security related news, features and articles plus educational videos about using some of the security tools found on the Live Hacking DVD.

LiveHacking.com also has information about Dr. Jahangiri’s book “Live Hacking: The Ultimate Guide to Hacking Techniques & Countermeasures for Ethical Hackers & IT Security Experts”, as well as details of the Live Hacking Workshops which Dr Jahangiri runs internationally, to introduce IT professionals to the world of ethical hacking.

 

 


DARPA Implementing Biometrics With Passwords To Enhance Security For DOD


The Department of Defense (DOD) is implementing more security. It is implementing a new technology which will blend biometrics with passwords without adding new hardware. DARPA on Friday issued a broad agency announcement (DARPA-BAA-12-06) for the initial phase of the Active Authentication program to develop software-based biometric approaches to verify the identities of authorized DOD computer users not only at login, but also throughout the course of the users' computer sessions.
Military information security experts at the U.S. Defense Advanced Research Projects Agency in Arlington are asking for industry's help in developing ways to blend biometrics into U.S. Department of Defense (DOD) military cyber security systems without installing new hardware. The intent is not only to save time and money, but also to help bolster existing DOD computer security that relies primarily on requiring users to type in long and complex passwords. The Active Authentication program seeks to change the DOD's current cyber security focus from user passwords and common access cards when validating identity on DOD computer systems. Instead, the program seeks to focus on software-based user biometrics that does not require installation of new cyber-security software.


FBI Agent's Laptop Hacked, 12 Million Apple UDID Stolen By Anonymous (#FFF)


#Antisec, an offshoot of the infamous hacker collective Anonymous, claims to have stolen a file from an FBI laptop which contained more than 12 million unique Apple device identity numbers. The hackers declare this hack to be part of their Friday rampage (#FFF), though the breach did not take place on a Friday.
The data which hackers stole came from a laptop belonging to Supervisor Special Agent at the FBI, Christopher K. Stangl. Stangl, who joined the FBI in 2003 after graduating from Monmouth University, has been with the agency for nine and a half years and won an award in 2010 for helping bust a cyber crime ring. He was also sucked into another Anonymous stunt earlier this year when at least one of their supporters breached an FBI conference call that had been discussing Anonymous and LulzSec. Stangl was listed among those invited into the call, in an e-mail that was posted on Pastebin. In a video posted to Facebook in 2009 (and which will likely be getting a lot more views in the coming days), Stangl is shown wearing a dark suit and tie, speaking to the camera, and calling for “cyber security experts” to join the FBI.

According to the hacker:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."

The data is just part of a larger database of 12,367,232 UDIDs, and personal information such as full names, cellphone numbers, addresses and zipcodes belonging to Apple customers. The data was allegedly stolen by exploiting a Java vulnerability. In a Pastebin note, the hacker posted several download links to the hacked database. Several security experts have already stated that the stolen data is correct. For those who are not familiar with the term UDID: each iOS device (iPhone, iPad, iPod touch) is assigned a unique alphanumeric number known as a UDID. This was previously used by app developers to track data usage for their apps, until Apple decided to reject any apps which sought to gain access to this number in the most recent official iOS update. As well as believing that the FBI was using these identifiers to track people, AntiSec, in its missive on Pastebin, said it didn't agree with the idea of hardware coded identifiers anyway: "We always thought it (UDIDs) was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future."





NSA (National Security Agency) is Searching For Good Hackers

 
The National Security Agency has a challenge for hackers who think they’re hot stuff: Prove it by working on the “hardest problems on Earth.”
Computer hacker skills are in great demand in the U.S. government to fight the cyberwars that pose a growing national security threat — and they are in short supply.

For that reason an alphabet soup of federal agencies — DOD, DHS, NASA, NSA — are descending on Las Vegas this week for Defcon, an annual hacker convention where the $150 entrance fee is cash only — no registration, no credit cards, no names taken. Attendance is expected to top 10,000.
The NSA is among the keen suitors. The spy agency plays offence and defence in the cyberwars. It conducts electronic eavesdropping on adversaries, and it protects U.S. computer networks that hold super-secret material — a prime target for America’s enemies.

“Today it’s cyberwarriors that we’re looking for, not rocket scientists,” said Richard “Dickie” George, technical director of the NSA’s Information Assurance Directorate, the agency’s cyber-defense side.

“That’s the race that we’re in today. And we need the best and brightest to be ready to take on this cyberwarrior status,” he told Reuters in an interview.
The NSA is hiring about 1,500 people in the fiscal year, which ends Sept. 30, and another 1,500 next year, most of them cybersecurity experts. With a workforce of about 30,000, the Fort Meade-based NSA dwarfs other intelligence agencies, including the CIA.
It also engages in cyber-spying and other offensive operations, something it rarely, if ever, discusses publicly.
But at Defcon, the NSA and other “Feds” will be competing with corporations looking for hacking talent.
The NSA needs cybersecurity experts to harden networks, defend them with updates, do “penetration testing” to find security holes and watch for signs of cyberattacks.
The NSA is expanding its fold of hackers, but George said there is a shortage of those skills. “We are straining to hire the people that we need.”


It might seem to be an odd-couple fit — strait-laced government types with their rules and missions trying to recruit hackers who by definition want to defy authorities.
George said the NSA is an environment where the hacker mind-set fits with “a critical mass of people that are just like them.”
But what about culture rifts?
“When I walk down the hall there are people that I see every day and I never know what color their hair’s going to be,” George said. “And it’s a bonus if they’re wearing shoes. We’ve been in some sense a collection of geeks for a long, long time.”
The agency has long been known for its brilliant, but sometimes eccentric, mathematicians and linguists.
Jeff Moss, a hacker known as Dark Tangent, knows something about bridging the two worlds. He founded Defcon and the companion Black Hat conference for security professionals and is now a member of the Department of Homeland Security’s Advisory Council, which advises the government on cybersecurity.
“They need people with the hacker skill set, hacker mind-set. It’s not like you go to a hacker university and get blessed with a badge that says you’re a hacker. It’s a self-appointed label — you think like one or you don’t,” Moss told Reuters.

-News Source (Washington Post)


Pentagon Assigning More Experts to Boost Cyber Security & Protect U.S. Computer Networks


Cyber security has become one of the most sophisticated areas of national security and defense, and to address it the Pentagon has increased its estimated spending on cyber security. This declaration was made when the budget was published late last year. That plan is now being carried out, as the Pentagon is moving toward a major expansion of its cyber security force to counter increasing attacks on the nation’s computer networks, as well as to expand offensive computer operations on foreign adversaries. This confirmation has come from defense officials. The expansion would increase the Defense Department’s Cyber Command by more than 4,000 people, up from the current 900, an American official said. Defense officials acknowledged that a formidable challenge in the growth of the command would be finding, training and holding onto such a large number of qualified people. The Pentagon “is constantly looking to recruit, train and retain world class cyberpersonnel,” a defense official said Sunday.
As part of the expansion, officials said the Pentagon was planning three different forces under Cyber Command: “national mission forces” to protect computer systems that support the nation’s power grid and critical infrastructure; “combat mission forces” to plan and execute attacks on adversaries; and “cyber protection forces” to secure the Pentagon’s computer systems. Cyber Command’s connections to the NSA are also leading some officials to ask how much of the expansion will be focused domestically, especially considering the opening of the NSA’s new, $2 billion Utah Data Center, scheduled to go live later this year. An unnamed "senior defense official" said that the agency’s efforts would remain focused outside US networks, unless it were asked to assist "another agency with domestic authority, such as the FBI." There is significant overlap between Cyber Command and the NSA — until recently, some employees of the former had nsa.gov email addresses, for instance — and there is some doubt that the nascent offshoot of US Strategic Command will be able to achieve true independence under NSA Director Alexander.



-Source (NY Times, Washington Post)








Android Vulnerability: Hacker Can Gain Complete Control of Your Smartphone
 
Security experts have discovered a serious flaw in a component of the operating system of Google Inc’s widely used Android smartphone that they say hackers can exploit to gain control of the devices. Researchers at startup cyber security firm CrowdStrike said they have figured out how to use that bug to launch attacks and take control of some Android devices.
CrowdStrike, which will demonstrate its findings next week at a major computer security conference in San Francisco, said an attacker sends an email or text message that appears to be from a trusted source, like the user’s phone carrier. The message urges the recipient to click on a link, which if done infects the device. At that point, the hacker gains complete control of the phone, enabling him or her to eavesdrop on phone calls and monitor the location of the device, said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.
Google spokesman Jay Nancarrow declined comment on CrowdStrike’s claim. Alperovitch said the firm conducted the research to highlight how mobile devices are increasingly vulnerable to a type of attack widely carried out against PCs. In such instances, hackers find previously unknown vulnerabilities in software, then exploit those flaws with malicious software that is delivered via tainted links or attached documents. He said smartphone users need to prepare for this type of attack, which typically cannot be identified or thwarted by mobile device security software.
“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Alperovitch, who was vice president of threat research at McAfee Inc before he co-founded CrowdStrike.
Researchers at CrowdStrike were not the first to identify such a threat, though such warnings are less common than reports of malicious applications that make their way to online websites, such as Apple’s App Store or the Android Market.
In July 2009, researchers Charlie Miller and Collin Mulliner figured out a way to attack Apple’s iPhone by sending malicious code embedded in text messages that was invisible to the phone’s user. Apple repaired the bug in the software a few weeks after the pair warned it of the problem.
The method devised by CrowdStrike currently works on devices running Android 2.2, also known as Froyo. That version is installed on about 28 percent of all Android devices, according to a Google survey conducted over two weeks ending February 1. Alperovitch said he expects to have a second version of the software finished by next week that can attack phones running Android 2.3. That version, widely known as Gingerbread, is installed on another 59 percent of all Android devices, according to Google. CrowdStrike’s method of attack makes use of a previously unpublicized security flaw in a piece of software known as WebKit, which is built into the Android operating system’s Web browser.


-Source (MyBroadband, Google, CrowdStrike)




Security firm exploits Chrome zero-day to hack browser, escape sandbox


 French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
Google said it was unable to confirm Vupen's claims.
"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."
Vupen posted a video demonstration of its exploit on YouTube.
According to Vupen, its exploit can be served from a malicious Web site. If a Chrome user surfed to such a site, the exploit executes "various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level."
Vupen used the Windows Calculator only as an example: In an actual attack, the "calc.exe" file would be replaced by a hacker-made payload.
Historically, Chrome has been the most difficult browser to hack, primarily because of its sandbox technology, which is designed to isolate Chrome from the rest of the machine to make it very difficult for a hacker to execute attack code on the PC.
For example, Chrome has escaped unscathed in the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
Last March, a team from Vupen walked away with a $15,000 cash prize after hacking Safari, the Apple browser that, like Chrome, is built on the open-source WebKit browser engine.
But no one took on Chrome at 2011's Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.
The Vupen attack code also bypassed Windows 7's ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers' jobs tougher.
Vupen said it would not publicly release details of the exploit, or the unpatched bug(s) in Chrome. "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed," said Vupen. "They are shared exclusively with our Government customers as part of our vulnerability research services."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors, but instead would reveal its research only to paying customers.
Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.
"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.
"That also means for that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.
"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.
Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.
Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.


Zero-day Vulnerability in "Cloud" Revealed at TakeDown Conference

 
Almost every IT company across the globe acknowledges "Cloud" technology as a way to store large amounts of data while reducing cost. Almost 99% of them also assume that because data is stored offsite it is securely preserved and they no longer have to worry about risk. But this assumption was proved wrong when security experts at the TakeDown Conference revealed a zero-day vulnerability in the cloud. “Au contraire. Risk cannot be outsourced,” says professional ethical hacker, Dave Chronister of Parameter Security (St. Louis, MO). Mr. Chronister went on to say, “It’s because of this mindset that hackers are preying upon the cloud and are gaining control of huge stores of information through a single attack” - which is exactly what Mr. Chronister recently did. Mr. Chronister went on to say, “During a recent cloud security audit, I was able to identify a zero day exploit and within minutes gained access to the cloud sphere and every system that was on that cloud—giving me complete control. Needless to say, the client was shocked because they were touting their cloud offering as 100% secure.”
Bringing his real-world cloud hacking experience to event goers at TakeDownCon in Dallas in May, his presentation entitled The Cloud is a Smoke Screen provides eye-opening information about the false sense of security cloud providers and users possess. Specifically, Chronister’s presentation will:
  • Expose various cloud vulnerabilities
  • Address cloud security issues
  • Provide insight into selecting cloud providers and questions to ask with regards to data security, risk and incident response
  • Offer ways to successfully implement your own cloud solution and mitigate risk
  • Share his real-world experiences hacking multiple cloud environments
  • And much more


-Source (TechDown)




Criminals and foreign spy agencies launched more than 1,000 cyber attacks on the MOD last year





Criminals and foreign spy agencies launched more than 1,000 cyber attacks on the Ministry of Defence last year in an effort to steal secrets and disrupt services, Liam Fox has revealed.
In a speech on Tuesday night, the defence secretary laid out the growing threat to the country from cyberspace, saying that government departments were now under sustained attack.
He underlined the problem by saying that "across the core defence networks there were an average of over a million security alerts every day".
These consist mainly of spam emails that are blocked before entering government computer systems. But many turn out to be deliberate attempts to infiltrate and steal from the MoD's computer systems.
Last week the Guardian revealed that the UK is now developing a cyber weapons programme to give ministers an attacking capability in cyberspace.
It also emerged that the FBI is investigating allegations that the Google mail accounts of senior US government officials have been attacked by Chinese hackers.
In his speech, Fox set out why the government had committed an extra £650m for cyber security in last year's Strategic Defence and Security Review. He also warned more would need to be done to protect the UK's core infrastructure from cyber attack.
"Between 2009 and 2010, security incidents more than doubled," he said: "Was this in Afghanistan? No. This was in cyberspace and the target was the MoD. I and my senior colleagues are routinely alerted to incidents that could have had severe consequences if they'd not been stopped.
"Our systems are targeted by criminals, foreign intelligence services and other malicious actors seeking to exploit our people, corrupt our systems and steal information.

"To give you an idea of the challenge, last year we in the MoD blocked and investigated over 1,000 potentially serious attacks."
Fox described it as the "war of the invisible enemy" and said the boundaries between government, business and every individual internet user were becoming blurred. "This threat is growing in scale and sophistication. My department is a prime target. Across the core defence networks there were an average of over a million security alerts every day."
He said the opening of a new Global Operations and Security and Control Centre would help to coordinate the Whitehall response to cyber attacks, but conceded that government could not do this alone.
"We now see weekly reports of cyber attacks against businesses, institutions and networks used by people going about their daily lives," he said. "The cost to the UK economy of cyber crime is estimated to be in the region of £27bn a year and rising. These are attacks against the whole fabric of our society.
"There is no Maginot Line in cyber space ... our national intellectual property in defence and security industries is at risk from a systematic marauding. Not only could it severely affect the future success of British industry, our economic advantage, and the country's financial recovery, but also directly impacts upon our national security today."
Last week, the US government said it was intending to rewrite its military rule book to make cyber-attacks a possible act of war. In May, the chancellor George Osborne said foreign intelligence agencies were carrying out cyber-attacks on the Treasury, targeting it with programs designed to steal information.
Some experts have warned against government's over-exaggerating the problems in cyberspace, noting that 80 per cent of all such attacks can be thwarted with better computer 'hygiene' – such as people using less obvious passwords. 


White House sends Congress a long-awaited cybersecurity proposal



The White House on Thursday sent Congress a formal proposal for cybersecurity legislation to help Senate lawmakers craft a passable bill from 50-some measures currently pending in both chambers.
The long-awaited framework would formally grant the Homeland Security Department oversight of cybersecurity operations within civilian federal agencies -- a role it has played in practice since last summer. Given the dearth of cyber experts in civilian agencies, the proposal would give DHS the same flexibility the Pentagon currently has to rapidly hire skilled professionals at competitive salary levels, Obama administration officials told reporters during a Thursday conference call.
The guidelines, which were expected to be released later on Thursday, largely rely on industry's know-how and willing compliance to certify their systems are safe and ask for federal assistance when attacked.
The proposal is silent on several sticking points, including cyberwarfare, classified information and the criteria for so-called critical infrastructure -- or systems that, if disrupted, could wreak havoc on national security. Such networks would be subject to greater regulation under a key Senate bill sponsored by the leaders of the Homeland Security and Governmental Affairs Committee. The White House framework also stays clear of a dispute over whether the president should have the power to hit a "kill switch," shutting down the Internet during emergencies.
The guidelines were prompted by a request from Senate Majority Leader Harry Reid, D-Nev., and chairmen of the committees with jurisdiction over computer security for input from President Obama on the various congressional proposals, White House officials said. The HSGAC and commerce panels passed comprehensive cybersecurity legislation about a year ago, while numerous other congressional panels and individual members have introduced their own piecemeal measures. The executive branch took about a year to reach consensus on which provisions agencies would support and what new ones they would propose.
The proposal would make so-called intrusion prevention systems a permanent fixture in the federal government, according to a fact sheet. As opposed to intrusion detection systems, which flag attacks and alert the appropriate responders, prevention software can actively respond by blocking intrusions. The guidelines say DHS should have the authority to supervise all such programs, including the existing "Einstein" tool. Internet service providers also would have to use the applications for any government traffic they manage.
The White House plan touches on one security element of a growth area in government IT: cloud computing. The practice allows organizations to access computer power, storage and software stored on the Internet by a third-party provider, rather than build on-site server farms. Administration officials are concerned that state protectionist measures are hampering the cloud industry, so the proposal would block state governments from requiring that companies in their states build data centers there, unless authorized by federal law, the fact sheet stated.
The guidelines would enable industry to obtain immediate assistance from Homeland Security in responding to an intrusion, if they wish, officials said. Currently, when organizations ask DHS to review logs to determine when a hacker attacked, the department's ability to intervene is slowed by legal uncertainty. To protect individuals, if a firm or local government wants to share such information with DHS, the organization must first strip out identifying information that is irrelevant to the infraction, according to the fact sheet.
Companies and local governments would be granted immunity for sharing information with the federal government about new computer viruses and cyber events that have compromised their systems. Should entities choose to provide such information, their customers' privacy would not be violated, according to the proposal.
White House officials said their proposal focuses on transparency and incentives to ensure companies managing networks for critical infrastructure in industries like energy and banking are accountable for service continuity. The draft bill directs Homeland Security and the private sector to jointly figure out which operations are the most critical and prioritize the most important threats to those services. An outside commercial auditor would assess the company's plans for mitigating such vulnerabilities.
On the consumer side, the proposal would require that businesses notify customers of certain data breaches to reduce the risk of identity theft. Sony recently took heat for not immediately telling customers that perpetrators had infiltrated the company's online gaming and music networks. The administration's plan would loop together a patchwork of 47 state laws on data breach reporting.
Many in the legislative branch and business community applauded the White House plan on Wednesday.
"The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos," HSGAC Chairman Joe Lieberman, I-Conn., ranking Republican Susan Collins, R-Maine, and Federal Financial Management Subcommittee Chairman Tom Carper, D-Del., said in a joint statement. The Senate and the administration "both recognize that the government and the private sector must work together to secure our nation's most critical infrastructure, for example, our energy, water, financial, telecommunications and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure."
The trio agreed with the administration that Homeland Security should take the lead in safeguarding civilian cybersecurity. Other lawmakers, particularly in the House, say the Defense Department, with its established expertise and deep pockets, should play a larger role in guarding U.S. networks. Currently, the Pentagon can monitor only the .mil domain and many civil liberties advocates would like to keep it that way.
Commerce Committee leaders also largely praised the proposed measure. "The White House has presented a strong plan to better protect our nation from the growing cyber threat," Chairman John D. "Jay" Rockefeller, D-W.Va., said in a statement. "I look forward to continuing to work with the White House, and my colleagues in the House and Senate, to pass a comprehensive cybersecurity bill this year."
Ranking member Sen. Olympia Snowe, R-Maine, said, "While the administration's delay in providing critical input to the legislative process is regrettable, it is my understanding that the administration proposal parallels many of the objectives, particularly pertaining to modernizing the public-private partnership, that Sen. Rockefeller and I have advocated."
Officials with trade group TechAmerica generally supported Obama's framework but said they had lingering questions about the flexibility the proposal grants firms to tailor their security strategies.
"The administration's proposal is a clear step forward in the process and we hope that it strikes the right balance between accountability and innovation in this shared responsibility between the public and private sectors," TechAmerica President Phil Bond said in a statement.
"We encourage Congress and the administration to draw a bright line between critical and noncritical infrastructure," Bond said. "Industry and government need to work together to make the right determinations for what is critical, and what the implications are for that designation."
Should the government require firms to take certain actions, the law must provide liability protections to shelter companies from any unanticipated consequences, he said.
Given that the Senate has been pursuing cybersecurity legislation in a bipartisan fashion, and both parties in the House last year actually passed elements of the White House proposal, the expectation is that a law could be enacted this year.
Disagreements over engagement in cyberwar or the job of the Pentagon's National Security Agency and the new U.S. Cyber Command likely will be worked out in separate legislation. Pending House defense and intelligence authorization bills, for instance, address cyberwarfare and require the development of systems for detecting unauthorized activities on classified networks.
But talks on the civilian-oriented bill may take months, especially since all sides appear to want industry involved in the vetting process. One item overlooked in the White House proposal that Congress wants -- the creation of a Senate-confirmed cyber czar -- may take some time to negotiate. And Congress has never considered some of the information-sharing measures the White House introduced on Thursday.


Samsung Galaxy S3, S2 & HTC Android Phones are Vulnerable to 'remote wipe' Hack


Yet again a large number of Android users have been warned of a security hole. Security experts have uncovered that millions of Android handsets including the Samsung Galaxy S3, Galaxy S2, HTC One X and HTC Desire can be wiped just by visiting a malicious website that embeds particular code in weblinks. A user with a vulnerable handset who visits a page and clicks a link containing the malicious code would see their phone wiped, losing personal data such as photos and texts as well as replaceable data such as contact details and apps. The flaw is caused by a security hole in some versions of Android's dialler software, which allows the "tel:" URL prefix to be used on a webpage to perform functions on the phone's dialling software. Normally that is useful for functions such as initiating a call on the handset directly from a site. But the tel: prefix can also be used to pass a string of non-numeric data to the dialler.
Special strings of characters can perform other functions; for example typing #06# on the dialler will display a phone's IMEI number. The flaw exploits a string that activates a factory reset of some phones because they do not force a user interaction before carrying out the function encoded in the string. The code would have to be embedded as a link to cause the user to activate it - but it would be easy to represent it as an innocent link to Google or any site. Pressing the link would initiate the wipe.
Users of vulnerable handsets may be able to install a third-party dialler and make that the default as protection against the "remote wipe" attack. Experts also pointed out that not all Android handsets have the capability for a remote wipe built in - although the number of models discovered with the vulnerability has grown since it became known on Tuesday.
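The following is an added example, not code from the Guardian report or from any vendor: a defensive check that scans a page's HTML for tel: links whose decoded dial string contains `*` or `#`, catching percent-encoded and entity-encoded forms, and flags links whose visible text looks like a web address. The sample page is constructed and uses only the harmless IMEI display code; all function and field names are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# '*' and '#' turn a dial string into an MMI/USSD-style code rather than a
# plain number. Heuristic only: some legitimate numbers use them as suffixes.
CODE_CHARS = set("*#")
URL_LIKE_TEXT = re.compile(r"\s*(https?://|www\.)", re.I)


def classify_tel_uri(value):
    """Return None unless value is a tel: URI, else (dial_string, is_code)."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)  # drop whitespace/control chars
    if not cleaned.lower().startswith("tel:"):
        return None
    dial = unquote(cleaned[4:])  # '%23' decodes to '#', '%2A' to '*'
    return dial, any(ch in CODE_CHARS for ch in dial)


class TelLinkScanner(HTMLParser):
    """Collect every tel: URI found in any attribute, plus anchor text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._open_anchor = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open_anchor = None
        # HTMLParser has already decoded entities such as &#35; in values.
        for name, value in attrs:
            result = classify_tel_uri(value or "")
            if result is None:
                continue
            dial, is_code = result
            finding = {"tag": tag, "attr": name, "dial": dial,
                       "is_code": is_code, "text": ""}
            self.findings.append(finding)
            if tag == "a":
                self._open_anchor = finding

    def handle_data(self, data):
        if self._open_anchor is not None:
            self._open_anchor["text"] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_anchor = None


def scan_html(html):
    """Return one finding per tel: URI, in document order."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    scanner.close()
    for f in scanner.findings:
        f["text"] = f["text"].strip()
        # Visible text reads like a web address while the target dials a code.
        f["disguised"] = f["is_code"] and bool(URL_LIKE_TEXT.match(f["text"]))
    return scanner.findings


# Constructed sample page; *#06# only displays the handset's IMEI.
SAMPLE_HTML = """
<p>Call us: <a href="tel:+442079460000">020 7946 0000</a></p>
<p><a href="TEL:*%2306%23">http://www.google.com/</a></p>
<p><a href="tel:&#42;&#35;06&#35;">Support</a></p>
<p><a href="https://example.com/tel:*#06#">docs</a></p>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        label = "CODE" if f["is_code"] else "number"
        print(label, repr(f["dial"]), repr(f["text"]), "disguised" if f["disguised"] else "")
```

A web proxy, mail filter or site-content review can run the same check and hold back pages with `is_code` findings for inspection.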
Dylan Reeve, a New Zealand-based TV editor who first brought the flaw to wide notice, says that Samsung Galaxy phones which use Android 4.1 will be safe from the hack. But that still leaves millions of Galaxy S2 and some S3 models which will not have had the correct revision of the firmware rolled out to them and which could be hit.  
Though the vulnerability was fixed in Android's core code earlier this year, that code has not been propagated to every handset in use. The fact that the flaw existed in handsets from Samsung and HTC - the two biggest vendors of Android handsets - also suggests that a huge number of existing handsets could include the outdated code.

Samsung said in a statement that it has already provided a patch for the Galaxy S3, but it is not clear how long that will take for operator approval and rollout. In general software updates to any phone have to first be tested and approved by the carrier supporting the phone. Samsung said it is testing a patch for the Galaxy S2, but had no information on when it will be available or how it will be distributed. But HTC has issued a statement saying that "our devices do not support a USSD code to factory reset option." This means that they should not be vulnerable to the exploit described below.


-Source (Guardian)




Indian Authorities Seized Their Servers Linked With "Duqu" Virus


Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat. Two workers at a web-hosting company called Web Werks told Reuters that officials from India's Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu.
News of Duqu first surfaced last week when Symantec said it had found a mysterious computer virus that contained code similar to Stuxnet, a piece of malware believed to have wreaked havoc on Iran's nuclear program. Government and private investigators around the world are racing to unlock the secret of Duqu, with early analysis suggesting that it was developed by sophisticated hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines. The equipment seized from Web Werks, a privately held company in Mumbai with about 200 employees, might hold valuable data to help investigators determine who built Duqu and how it can be used. But putting the pieces together is a long and difficult process, experts said.
"This one is challenging," said Marty Edwards, director of the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team. "It's a very complex piece of software." He declined to comment on the investigation by authorities in India, but said that his agency was working with counterparts in other countries to learn more about Duqu. Two employees at Web Werks said officials from India's Department of Information Technology came to their office last week to take hard drives and other parts from a server.
They said they did not know how the malware got on to Web Werks' server. "We couldn't track down this customer," said one of the two employees, who did not want to be identified for fear of losing their jobs. An official in India's Department of Information Technology who investigates cyber attacks also declined to discuss the matter. "I am not able to comment on any investigations," said Gulshan Rai, director of the Indian Computer Emergency Response Team, or CERT-In.



Linux/Cdorked.A: One of The Most Sophisticated Apache Backdoor Targets Millions of Websites to Serve Blackhole Exploit

ESET, a world-renowned security firm headquartered in Bratislava, has uncovered what it called a malicious cyber rampage targeting millions of cPanel-based servers. For the last few months, security experts have been tracking server-level compromises that use malicious Apache modules to inject malware into websites and redirect some of their requests to the infamous Blackhole exploit pack. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated, and the malware has been dubbed "Linux/Cdorked.A." Several analyses reveal that it is a sophisticated and stealthy backdoor meant to drive traffic to malicious websites. According to the official ESET blog post: Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensic analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.
This malicious cyber rampage was first detected by another security firm named 'Sucuri', and ESET later published a detailed analysis of the issue. But there is still cause for concern, as thousands of websites have already been infected. The attack is particularly dangerous because Apache web servers are among the most well-known and widely-used in the world and are used by numerous companies. This means that a successful security breach can affect numerous different businesses across a diverse range of industries.
As Linux/Cdorked.A has already been spotted in the wild, on behalf of cyber media we urge all concerned system administrators and security analysts to check their servers and verify that they are not affected by this threat. Detailed instructions to perform this check are provided in the ESET blog.






New Privacy & Security Updates of Adobe Flash Player 11


Adobe announced this week that it's putting the finishing touches on a new version of Flash Player that will provide new security and privacy enhancements on both the desktop and mobile versions of its application. Notably, Flash Player 11--set to debut in early October--adds desktop support for SSL socket connections, as well as a secure, random number generator, both of which should help developers to better secure users' information. "Flash Player previously provided a basic, random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn't meet the complete cryptographic standards for random number generation," said Adobe.

New Security Features in Flash Player 11:-


On the security front, Adobe is introducing several new features that will allow developers to better protect customer data. The first major new feature being added by Adobe is support for SSL socket connections, which will make it easier for developers to protect the data they stream over the Flash Player raw socket connections.
Adobe is also adding a secure random number generator. Flash Player previously provided a basic, random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn’t meet the complete cryptographic standards for random number generation. The new random number generator API hooks the cryptographic provider of the host device, such as the CryptGenRandom function in Microsoft CAPI on Windows, for generating the random number. The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts.

Lastly, the introduction of 64-bit support in Flash Player 11 brings with it some security side-benefits: If you are using a 64-bit browser that supports address space layout randomization (ASLR) in conjunction with the 64-bit version of Flash Player, you will be protected by 64-bit ASLR. Traditional 32-bit ASLR only has a small number of bits available in the memory address for randomizing locations. Memory addresses based on 64-bit registers have a wider range of free bits for randomization, increasing the effectiveness of ASLR.
Overall, Adobe's security and privacy roadmap still has much more to come, and Adobe is already working on the next generation of features for upcoming releases. To take a look at the many new features in Flash Player 11—whether it be the advancements for gaming, media and data-driven applications, the security enhancements or the new mobile privacy features—check out the release candidate of Flash Player 11 for desktops now available on Adobe Labs or watch for an announcement once Flash Player 11 for desktops and Android devices becomes available in early October.


Apple releases anti-virus update for infected 120,000 Mac users


Apple has finally come clean and admitted that its software can be turned over by a virus.
The malware has been confusing Mac users for more than a week because it is a central belief in the dogma of Apple that only Windows users suffer from malware and get recruited into botnets. We guess some of them must believe that they accidentally downloaded Windows and became instantly infected as Steve said they would.
Matters have been made worse because Apple instructed its customer care teams to fudge the problem if customers rang them up. The Tame Apple Press has also been in full swing trying to downplay the matter. Apple fanboys have been targeting hacks who write about it, claiming that it was software that people were tricked into downloading, it was not malware, which shows how ignorant Apple followers are when it comes to security matters.
The malware, MacProtector and MacSecurity, warns a victim that his or her computer is infected and goes through a complex installation process. It spends most of its life trying to snuffle for credit card information.
ZDNet believes that more than 120,000 of Apple's US followers have been infected by a credit card stealing virus and dubbed Apple's approach to the problem as Orwellian.
Now Apple has said that it will deal with the malware using a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.
The update will also help protect users by providing an explicit warning if they download this malware.
Jobs' Mob have posted instructions on how to avoid installing the Mac Defender malware as well as how to remove it from an affected computer.
Given the success of the malware it would appear that Apple followers are a soft touch. The malware plague was caused by enough of them downloading the bogus software and not being aware that there was something wrong.
For years security experts have been worried that the lack of security on Apple machines would eventually result in hackers trying to turn it over. While Windows 7 has had years of security proofing, under stress, Apple has not focused on this problem and its much needed onboard security scanner only finds one bit of malware.


San Diego College of California is Offering Degree On Information Systems Security Emphasis


The world today is experiencing a growing reliance upon technology, which presents challenges such as the necessity of protecting vital information systems and the sensitive information they hold. The need for competent, qualified computer science professionals who have a strong foundation in programming and networking, but also bring expertise in the field of information systems security, is growing. In response to this rising need, California College San Diego now offers a Bachelor of Science in Computer Science with Information Systems Security Emphasis.
The program includes courses such as networking concepts, networking communication, programming fundamentals, electronic communication management, and web design to develop students’ programming and networking skills. Students are also given instruction on the concepts of cryptography, computer law, computer forensics, ethical hacking, threats, defense mechanisms, and IT security management, so that they can learn how to identify threats that compromise IT systems and take preventive actions against said threats. Another facet of this degree is its emphasis on helping students succeed professionally in any industry—the curriculum also includes courses such as economics, interpersonal communication, U.S. history, entrepreneurship, motivation psychology, and professional development.
The duration of the degree is 36 months, but it can be completed in as few as 30 months on California College San Diego’s FastFlex schedule. Upon graduation, students should be qualified for employment in the entry-level to mid-level positions of project manager, network administrator, systems analyst, web developer, computer programmer, or software engineer. Graduates may also be eligible for posts within law enforcement, intelligence agencies, banks, software development companies, and more, as computer security specialists, information security systems analysts, malware and spyware programmers, and digital forensics experts. Admission criteria to the program include a high school diploma or an equivalent GED® credential.
For more information on California College San Diego's Computer Science Degree Program with Information Systems Security Emphasis you may visit http://www.cc-sd.edu/

-News Source (PR Online Media & San Diego)


Sony: Credit data at risk in PlayStation hacking Network shut down; info on 77 million users said compromised halted


Sony Corp. said Tuesday that the credit card data of PlayStation users around the world may have been stolen in a hack that forced it to shut down its PlayStation Network for the past week, disconnecting 77 million user accounts.
Some players brushed off the breach as a common hazard of operating in a connected world, and Sony said some services would be restored in a week. But industry experts said the scale of the breach was staggering and could cost the company billions of dollars.
"Simply put, one of the worst breaches we've seen in several years," said Josh Shaul, chief technology officer for Application Security Inc., a New York-based company that is one of the country's largest database security software makers.
Sony said it has no direct evidence credit card information was taken, but said, "we cannot rule out the possibility."
It said the intrusion was "malicious" and the company had hired an outside security firm to investigate. It has taken steps to rebuild its system to provide greater protection for personal information and warned users to contact credit agencies and set up fraud alerts.
"Our teams are working around the clock on this, and services will be restored as soon as possible," it said in a blog post Tuesday.
The company shut down the network last Wednesday after it said account information, including names, birth dates, e-mail addresses and log-in information was compromised for certain players in the days prior.
Sony says people in 59 nations use the PlayStation network. Of the 77 million user accounts, about 36 million are in the U.S. and elsewhere in the Americas, 32 million in Europe and 9 million in Asia, mostly in Japan.
Purchase history and credit card billing address information may also have been stolen, but the intruder did not obtain the three-digit security code on the back of cards, Sony said. Spokesman Satoshi Fukuoka said the company has not received any reports yet of credit card fraud or abuse resulting from the breach.
Shaul said that not having direct proof of credit card information theft should not instill a sense of security, and could mean Sony just didn't know what files were touched.
"They indicated that they're worried about it, which is probably a very strong indication that everything was stolen," he said.
If the intruder successfully stole credit card data, the heist would rank among the biggest known thefts of financial data.
Recent major hacks included some 130 million card numbers stolen from payment processor Heartland Payment Systems. As many as 100 million accounts were lifted in a break-in at TJX Cos., the chain that owns discount retailers T.J. Maxx and Marshalls, and some 4.2 million card numbers were stolen from East Coast grocery chain Hannaford Bros. Those attacks allegedly involved a single person: Albert Gonzalez, a Miami hacker who was sentenced last year to 20 years in prison for the attacks.
The Ponemon Institute, a data-security research firm, estimated that the cost of a data breach involving a malicious or criminal act averaged $318 per compromised record in 2010, up 48 percent from the year earlier.
That could pin the potential cost of the PlayStation breach at more than $24 billion.
Alan Paller, director of research for the SANS Institute, a security training organization, said that even if credit numbers weren't stolen, knowing someone's name, e-mail address and which games he or she likes can lead to expertly crafted scam e-mails. Knowing billing histories can be even more harmful, since they can identify big spenders.
