Tag Archives: cybersecurity

Frustrated bug hunters to expose a flaw a day for a month

Filed under Software, exploit

A Russian security firm has pledged to release details of a previously undisclosed flaw in an enterprise application every day for the remainder of January.

Intevydis intends to publish advisories on zero-day vulnerabilities in products such as Zeus Web Server, MySQL, Lotus Domino, Informix and Novell eDirectory between 11 January and 1 February, security blogger Brian Krebs reports.

As an opener, Intevydis published a crash bug in Sun Directory Server 7.0, along with exploit code. The final line-up of zero-days is still being finalised, but the MySQL buffer overflows and the IBM DB2 root vulnerability on the provisional menu sound much tastier than Intevydis’s somewhat bland opener. Advisories are due to be published on the Intevydis blog.

Intevydis said it launched its campaign after becoming more and more disillusioned with foot-dragging by vendors when confronted with security flaws in their products. “After working with the vendors long enough, we’ve come to the conclusion that, to put it simply, it is a waste of time,” Evgeny Legerov, a founder of Intevydis, told Krebs. “Now, we do not contact vendors and do not support the so-called ‘responsible disclosure’ policy.”

Only one software vendor, Zeus, reportedly worked with Intevydis in developing a patch to be released at the same time as an upcoming advisory from the Russian security firm. Intevydis’s stance is likely to reignite the long-running debate about the responsible disclosure of security vulnerabilities.

Full article at: The Register

Industry Group Plans Cyber Attack Simulation

Filed under Security

A financial services industry group is planning to simulate a series of cyber attacks to test how well banks, payment processors and retailers deal with online threats.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), a group formed in response to a 1998 Presidential security directive, on Tuesday invited financial institutions, retailers, card processors, and businesses of all sizes to participate in its Cyber Attack against Payment Processes (CAPP) Exercise.

“FS-ISAC in conjunction with a variety of industry partners is testing their members’ emergency response, notification, and communication procedures in response to a number of different types of cyber attacks against payment processes,” the group’s Web site says. “The three-day exercise will simulate a different attack scenario each day. Detailed result collection is kept confidential.”

The CAPP event is scheduled for February 9 through 11, 2010. Participants will be expected to activate their incident response procedures in accordance with the scenario presented and to complete an anonymous survey to evaluate their organization’s response.

“When cyber security threats occur, swift and well-planned reactions can mean the difference between business continuity and business catastrophe,” said Bill Nelson, FS-ISAC’s president and CEO in a statement. “This is especially true with cyber attacks against payment processes. FS-ISAC is eager to provide payment systems participants with this unique opportunity to test their readiness to respond to major cyber attack incidents.”

Such incidents have been growing more frequent.

The Internet Crime Complaint Center (IC3) said in November that the FBI had seen a significant increase in online banking fraud.

On Tuesday, in its 2009 Annual Malware Report, Panda Labs said that it had seen 25 million new malware variants created during the year, about two-thirds more than the 15 million variants the company had recorded over the rest of its 20-year history.

Most of the new malware samples detected by the company (66%) were online banking trojans.

Source: DarkReading

Cybersecurity expert: Job guaranteed

Filed under Security

Computer security used to be regarded as a boring and less important field of computer science, but with the proliferation of computer threats (from malware to active attacks) it has become one whose experts are in great demand and has gained quite an aura of “coolness”.

At the moment, there is a serious lack of cybersecurity experts in the U.S., so if your knowledge is up to speed, you are practically guaranteed a job.

Case in point: of the eight students from California State Polytechnic University, Pomona, that beat five other university teams in a challenge that had them defending a business computer network from cyber threats, six seniors got job offers from Boeing.

According to the New York Times, the demand for experts is great, but luckily schools and universities have noticed and have rushed to open programs: N.Y.U. Polytechnic, Carnegie Mellon, Purdue and George Mason are just some of the universities offering a master’s degree in cybersecurity. Georgia Tech is planning to start an online degree in information security later this year.

Businesses and the military are counting on the new generations being so familiar with what the online world has to offer that they will be drawn to the challenge of solving security problems and, therefore, to a career in cybersecurity. Another attraction is the pay: Professor Nasir Memon of N.Y.U. Poly says that starting pay for someone with a master’s degree in the field ranges from $60,000 to $80,000.

Source: Help Net Security

As attacks increase, U.S. struggles to recruit computer security experts

Filed under Security

The federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policymakers, at a time when network attacks are rising in frequency and sophistication.

Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality, industry officials said.

The crunch hits as the Pentagon is attempting to staff a new Cyber Command to fuse offensive and defensive computer-security missions and the Department of Homeland Security plans to expand its own “cyber” force by up to 1,000 people in the next three years. Even President Obama struggled to fill one critical position: Seven months after Obama pledged to name a national cyber-adviser, the White House announced Tuesday that Howard Schmidt, a former Bush administration official and Microsoft chief security officer, will lead the nation’s efforts to better protect its critical computer networks.

The lack of trained defenders for these networks is leading to serious gaps in protection and significant losses of intelligence, national security experts said. The Government Accountability Office told a Senate panel in November that the number of scans, probes and attacks reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team has more than tripled, from 5,500 in 2006 to 16,840 in 2008.

Full Article: The Washington Post

Howard Schmidt set to be confirmed as Obama’s White House cybersecurity coordinator

Filed under News

Various media reports have claimed that Howard Schmidt, president of the Information Security Forum (ISF), is to be named as President Obama’s cybersecurity coordinator today.

The Guardian claimed that he will be given responsibility for overseeing the online defences provided by the Pentagon and intelligence agencies, while the Washington Post claimed that Schmidt was chosen after a long process in which dozens of people were sounded out but many declined the post, largely out of concern that the job conferred much responsibility with little true authority.

His appointment has also been unofficially confirmed by Reuters and the Associated Press, with the latter claiming that Obama will make the announcement today, according to a senior White House official, who spoke on condition of anonymity because the decision had not been made public yet.

The New York Times said that Schmidt will report to the National Security Council – not both to the council and to the National Economic Council, as previously planned. The official said that Schmidt will ‘have regular access to the President’.

The official also said that Obama was personally involved in the selection process and chose Schmidt because of his unique background and skills.

Source: SC Magazine UK

Microsoft CAT.NET v1.1.1.9 – Binary Code Analysis Tool .NET

Filed under Software

CAT.NET is a binary code analysis tool that identifies common variants of the vulnerabilities behind prevalent attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies.

This includes indirect data flows such as property assignments and instance tainting operations. The engine reads the target assembly and all reference assemblies used by the application, module by module, and then analyzes every method contained in each. It finally displays the issues it finds in a list from which you can jump directly to the places in your application’s source code where those issues were found.

The following rules are supported by this version of the tool:

* Cross Site Scripting

* SQL Injection

* Process Command Injection

* File Canonicalization

* Exception Information

* LDAP Injection

* XPATH Injection

* Redirection to User Controlled Site
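The data-flow tracing described above can be illustrated with a small taint analyzer. The following is an added example, not CAT.NET’s own code: it runs over Python source with the standard-library ast module instead of over .NET assemblies, and the source, sanitizer and sink names (request.args.get, html.escape, quote_sql_literal, cursor.execute, response.write, redirect, subprocess.run) and the sample handler are assumptions constructed for the demo. Each variable carries the set of rule classes it could still violate; a sanitizer removes exactly one class, and a call to a sink is reported when the taint reaching its arguments still contains that sink’s class.

```python
import ast

# Assumed names for the demo: stand-ins for the Request/Response/SqlCommand
# members a .NET analyzer like CAT.NET models. Sink -> rule it enforces.
SINKS = {
    "cursor.execute": "SQL Injection",
    "response.write": "Cross Site Scripting",
    "redirect": "Redirection to User Controlled Site",
    "subprocess.run": "Process Command Injection",
}
SOURCES = {"request.args.get", "request.form.get", "request.cookies.get"}
# Sanitizer -> the single rule class it neutralizes (escaping HTML does not
# make a value safe to splice into SQL, and vice versa).
SANITIZERS = {"html.escape": "Cross Site Scripting",
              "quote_sql_literal": "SQL Injection"}
ALL_RULES = frozenset(SINKS.values())


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive, intra-procedural taint propagation over one module."""

    def __init__(self):
        self.tainted = {}    # variable name -> rule classes it could still violate
        self.findings = []   # (line, rule, sink)

    def taint_of(self, node):
        """Rule classes that data flowing out of this expression could violate."""
        if isinstance(node, ast.Name):
            return set(self.tainted.get(node.id, ()))
        if isinstance(node, ast.Constant):
            return set()
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:
                return set(ALL_RULES)                 # raw input may reach any sink
            taint = set().union(*(self.taint_of(a) for a in node.args))
            if name in SANITIZERS:
                return taint - {SANITIZERS[name]}     # sanitizer clears one class only
            if isinstance(node.func, ast.Attribute):  # e.g. tainted.format(...)
                taint |= self.taint_of(node.func.value)
            return taint
        if isinstance(node, ast.JoinedStr):           # f-strings
            children = [v.value for v in node.values if isinstance(v, ast.FormattedValue)]
        else:                                         # BinOp, Subscript, Tuple, ...
            children = [c for c in ast.iter_child_nodes(node) if isinstance(c, ast.expr)]
        return set().union(*(self.taint_of(c) for c in children))

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        rule = SINKS.get(sink)
        if rule and any(rule in self.taint_of(a) for a in node.args):
            self.findings.append((node.lineno, rule, sink))
        self.generic_visit(node)

    def visit_Assign(self, node):
        self.generic_visit(node)                      # report sinks inside the RHS first
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):          # propagate taint through assignment
                if taint:
                    self.tainted[target.id] = taint
                else:
                    self.tainted.pop(target.id, None)


def analyze(source):
    """Return [(line, rule, sink)] for every tainted flow into a known sink."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed handler to scan (not real application code); lines 4, 7 and 8
# are the genuine flaws, lines 5 and 6 are sanitized correctly.
SAMPLE = """\
def handler(request, cursor, response):
    user = request.args.get("user")
    page = request.args.get("next")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cursor.execute("SELECT * FROM users WHERE name = " + quote_sql_literal(user))
    response.write("<b>" + html.escape(user) + "</b>")
    response.write(f"Hello {user}")
    redirect(page)
"""

if __name__ == "__main__":
    for line, rule, sink in analyze(SAMPLE):
        print(f"line {line}: {rule} via {sink}")
```

The analyzer is intra-procedural and ignores control flow (a value tainted on any path stays tainted), which is the over-approximation such tools generally make; CAT.NET additionally follows data across method and assembly boundaries, which this sketch does not. Note that line 6 is not reported even though the input reaches a sink: the HTML escape clears only the XSS class, so the same value spliced into SQL on line 4 still trips the SQL Injection rule.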

System Requirements

Supported operating systems: Windows XP, Windows Vista

Software: .NET Framework 2.0; Visual Studio 2005 or 2008

Download: CATNETx32.msi

32 Million RockYou accounts compromised

Filed under Hacks

It’s no secret that most people use the same password over and over again for most of the services they sign up for. While it’s obviously convenient, this becomes a major problem if one of those services is compromised. And that looks to be the case with RockYou, the social network app maker.

Over the weekend, the security firm Imperva warned RockYou that its site had a serious SQL injection flaw. Such a flaw could give attackers access to the service’s entire list of user names and passwords in the database. Imperva said that RockYou apparently fixed the flaw after being notified, but not before at least one hacker gained access to what they claim is all 32 million accounts, 32,603,388 to be exact. The best part? The database stored passwords in unprotected plain text, alongside email addresses. Wow.
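To make the exposure concrete, the following is an added example (not code from RockYou, Imperva or TechCrunch) built on Python’s sqlite3 module with a constructed three-user table. It contrasts a lookup that splices the user name into the SQL text with a parameterized one, and shows that the same injection payload dumps every row from the first and nothing from the second; it also shows why hashed storage (PBKDF2-HMAC-SHA256 with a per-user salt) limits what such a dump is worth.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the demo; not real RockYou accounts.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "letmein")]

# A typical injection payload: closes the string literal, then appends an
# always-true condition so the WHERE clause matches every row.
PAYLOAD = "nobody' OR '1'='1"

PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing 'pbkdf2_sha256$iterations$salt$digest' string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(store_plaintext):
    """In-memory users table, stored either as plain text (as RockYou did) or hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    for username, password in SAMPLE_USERS:
        stored = password if store_plaintext else hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, stored))
    return conn


def find_user_vulnerable(conn, username):
    """Splices user input into the SQL text: the injectable pattern."""
    query = "SELECT username, password FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    query = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    plain = build_db(store_plaintext=True)
    print("vulnerable + plaintext:", find_user_vulnerable(plain, PAYLOAD))  # every row, readable
    print("parameterized:", find_user_safe(plain, PAYLOAD))                 # []
    hashed = build_db(store_plaintext=False)
    print("vulnerable + hashed:", find_user_vulnerable(hashed, PAYLOAD))    # every row, hashes only
```

With the vulnerable lookup the payload rewrites the WHERE clause to `username = 'nobody' OR '1'='1'`, which is exactly how an attacker walks away with the whole table; the parameterized version returns nothing because the payload is compared literally as a user name. Hashing does not stop the dump, but it turns 32 million ready-to-use credentials into 32 million salted hashes that have to be cracked one at a time, and parameterization is what prevents the dump in the first place.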

The hacker has posted a sample of what they found. They have blanked out the passwords for now, but warn, “Don’t lie to your customers, or i will publish everything.”

Source: Tech Crunch

Hackers Take Aim At COFEE With DECAF

Filed under Software

A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

“DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications,” the hackers say on their Website. “Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

“DECAF is highly configurable, giving the user complete control to on-the-fly scenarios,” the Website continues. “In a moment’s notice, almost every piece of hardware can be disabled, and predefined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE’s presence by sending the application into a ‘Spill the cofee’ type mode. Simulation gives the user an opportunity to test his or her configuration before going live.”

The two hackers plan to enhance DECAF over time, the Website says. “Future versions will have text message and email triggers, so in case the computer needs to enter into lockdown mode, the user can do it remotely,” the site says. “It will also have notification services where in the case of an emergency, someone can be notified. DECAF’s next release is going to be available in a more lightweight version and/or a Windows service.”

Source: DarkReading

Symantec CEO: We don’t employ hackers

Filed under Security

Ethical hacking has a definite role to play in keeping businesses secure, according to Symantec CEO Enrique Salem, but the company will not hire known hackers to carry out the service.

Responding to Computerworld questions at a media conference in Sydney, Salem said the issue of hackers playing both ethical ‘white hat’ roles as well as criminal ‘black hat’ roles to become effectively ‘grey hats’ was an issue in the security industry.

“You always worry about [grey hats]. Symantec has a standing policy that we don’t hire anyone to be a part of our company who has done any kind of known hacking,” he said. “We will not employ hackers.”

Despite the policy of not employing active hackers, the company still has strong internal resources to keep up with new threats developed by black hats, Salem said.

Source: Computerworld

Badvertising: Stop the 5 Biggest Threats to Online Privacy

Filed under Privacy

Beginning next week, the FTC will hold a series of public roundtables covering the growing number of challenges to consumer privacy on the Internet. Dubbed “Exploring Privacy,” the daylong discussions will focus on “the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses.” Hold that yawn. Behavioral tracking and ad targeting have everything to do with the pesky “Warning!” pop-up blinking behind your browser window right now. The one that could shatter your online privacy.

Read the full article at Fast Company