Tuesday 24 November 2009

Hancock Fabrics Linked to Fraud in 3 States

By Linda McGlasson
Managing Editor
Bank Info Security
November 23, 2009

Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.

In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves. In one case, a Napa resident reported $840 in cash withdrawals. The Hancock Fabrics store on Imola Avenue in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. McGovern says the store had recently replaced its point-of-sale machines.

At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts, according to Wood and Portage county law enforcement, which also ties the thefts to machines in Hancock Fabrics stores.

And in Missouri, at least 10 customers at Hancock Fabrics in the St. Louis area reported their debit card numbers and PIN numbers stolen during the week of November 9.

NIST Drafts Cybersecurity Guidance

By J. Nicholas Hoover
InformationWeek
November 23, 2009

Draft guidance from the National Institute of Standards and Technology, issued last week, pushes government agencies to adopt a comprehensive, continuous approach to cybersecurity, tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits.

The guidance, encapsulated in a draft revision to NIST Special Publication 800-37, will likely be finalized early next year. While federal agencies aren't required to follow all of its recommendations, NIST is officially charged with creating standards for compliance with the Federal Information Systems Management Act (FISMA), which sets cybersecurity requirements in government, so this guidance should at the very least be influential.

As official statistics show attacks on the federal government continuing to rise, the Government Accountability Office and agency inspectors general have repeatedly found the federal government or particular agencies falling short of the spirit of FISMA, if not its letter. Meanwhile, critics have repeatedly found fault with either FISMA or its implementation in practice, saying that it doesn't do enough to ensure that government agencies remain consistently vigilant about cybersecurity.

The new document puts more onus on applying risk management throughout the lifecycle of IT systems. "This is part of a larger strategy to try to do more on the front end of security as opposed to just on the back end," says NIST's Ron Ross, who is in charge of FISMA guidance at the agency. "We don't think of security as a separate undertaking, but as a consideration we make in our normal lifecycle processes."

[...]

Symantec Japan website bamboozled by hacker

By John Leyden
The Register
23rd November 2009

A Symantec-run website was vulnerable to Blind SQL Injection problems that reportedly expose a wealth of potentially sensitive information.

Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to steal a glimpse at the database behind Symantec's Japanese website. A peek at the Symantec store revealed by the hack appears to show clear-text passwords associated with customer records. Product keys held on a Symantec server in Japan were also exposed by the hack.

Unu has previously exposed similar problems involving the websites of the UK's parliament and Kaspersky, among many others. The grey-hat hacker has published screenshots to back up his latest claims which, if verified, run deeper than shortcomings on the websites of Kaspersky, F-secure and other security firms previously reported by Unu.

Symantec said it was investigating the reported breach, which Unu claims gave him full disk and database access. The security giant said the vulnerability only affected a website used by consumer customers in the Far East. Symantec admitted there was a problem without commenting on how serious the snafu might be, pending the result of an investigation. The offending site - pcd.symantec.com - has been taken offline pending the addition of extra security defences.

[...]

Inside the Ring - Chinese, Russian cyberwarfare

By Bill Gertz
INSIDE THE RING
November 19, 2009

[...]

Chinese, Russian cyberwarfare

The Pentagon's National Defense University recently published a groundbreaking book that is one of the few U.S. government documents to highlight the cyberwarfare capabilities of both China and Russia.

The book "Cyberpower and National Security" contains a chapter on the issue revealing that China's computer attack capabilities have become "more visible and troubling" in recent years. "China has launched an unknown number of cyber reconnaissance and offensive events with unknown intent against a variety of countries," the chapter said.

Among the most important attacks were the 2005 cyber espionage attacks against Pentagon computer networks that federal investigators code-named Titan Rain. Another Chinese-origin attack involved computer operations against the U.S. Naval War College in 2006 that shut down systems.

According to the chapter, China's military strategists regard cyberwarfare as an important element of "pre-emptive" warfare capabilities.

Chinese military analysts Peng Guangqian and Yao Youzhi are quoted as saying China plans to use several types of pre-emptive attacks in a future conflict, including "striking the enemy's information center of gravity and weakening combat efficiency of his information systems and cyberized weapons" with the goal of weakening information superiority and reducing combat efficiency.

[...]

Microsoft warns of IE exploit code in the wild

By Elinor Mills
InSecurity Complex
CNet News
November 23, 2009

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code that allegedly can be used to take control of computers, if they visit a Web site hosting the code, was posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

[...]

Friday 20 November 2009

Palin Calls E-Mail Hack 'Most Disruptive' Campaign Event

By Kim Zetter
Threat Level
Wired.com
November 18, 2009

Never mind the disastrous interview with Katie Couric or the blank stares in response to Charlie Gibson's question about the Bush Doctrine. Former vice presidential candidate Sarah Palin calls the hacking of her Yahoo e-mail account "the most disruptive and discouraging" incident in last year's presidential campaign.

Writing in her new book, Going Rogue: An American Life, Palin says the intrusion into her personal e-mail account in September 2008 "created paralysis" in her administration, because it cut off easy communication with her "Alaska staff." Presumably, this refers to her staff in the governor's office, which would seem to be an acknowledgment that the personal account was used to conduct critical state work, as alleged in an activist's lawsuit last year.

Threat Level broke the story in September 2008 that someone using the name "Rubico" had obtained access to Palin's Yahoo e-mail account and posted photos -- including two pictures of her children -- and five screen shots of e-mail messages on the whistleblower site WikiLeaks. Bloggers traced "Rubico" to a 20-year-old Tennessee college student named David Kernell, whose father is a Democratic state legislator. Kernell is now free on bail awaiting trial for the hack, scheduled for next year.

Palin writes in her book that she was sitting in a Michigan hotel room with her husband Todd when she learned about the intrusion on TV. Just then Steve Schmidt, John McCain's campaign manager, walked in to confirm what she'd just seen on the news.

FBI Suspects Terrorists Are Exploring Cyber Attacks

Forwarded from: Richard Forno

The second paragraph undermines the whole article, as such statements tend to do in all articles warning of cyber or terrorist attacks, just as any number of 'stories' citing some new DHS or FBI terror threat that suddenly hits the airwaves periodically during the year.

This entire article simply says -er, repeats- that "terrorists may consider cyber attacks." Yeah. We know that already, and have known about it for quite a while, too. Dare I raise the question "so what's new about that?"

The Hill hearings this week and the resulting stories about cyberwar and cybersecurity, and the advice contained in a recent GAO report about ideas to improve security are nothing more than the newest folks in DC pontificating publicly about the SAME stuff we've been hearing for 10, 15+ years. The only thing that's improved during this time is this town's ability to spin its wheels while doing nothing to address the problem it claims to worry so much about.

Le mal sigh. :(

Microsoft denies it built 'backdoor' in Windows 7, Hmmm

By Gregg Keizer
Computerworld
November 19, 2009

Microsoft today denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system.

"Microsoft has not and will not put 'backdoors' into Windows," a company spokeswoman said, reacting to a Computerworld story Wednesday.

On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 "to enhance Microsoft's operating system security guide."

Echoing earlier concerns, Marc Rotenberg, the executive director of the Electronics Privacy Information Center (EPIC), questioned the wisdom of letting the NSA participate in OS development. "The key problem is that NSA has a dual mission, COMPUSEC, computer security, now called cyber security, and SIGINT, signals intelligence, in other words surveillance," Rotenberg said in an e-mail.

Crypto pioneer and security chief exits Sun

By Gavin Clarke in San Francisco
The Register
19th November 2009

Crypto pioneer and Sun Microsystems' veteran chief security officer Whitfield Diffie has left the company, with database-giant Oracle's acquisition still in the air.

According to Technology Review, Diffie is slated to be a visiting professor at Royal Holloway, University of London, after 18 years at Sun, latterly in the high-profile security role as chief security officer.

It's unclear why Diffie left Sun and whether his exit was related to Oracle's pending takeover or recent layoffs. Oracle, as ever, declined to comment.

Diffie is famous for his ground-breaking invention of public key cryptography - PKI - in 1975. PKI today is taken for granted because it's used so widely to protect emails, documents, and commerce in every-day online communications and business.

It's worth remembering that it was Diffie who helped make this a reality. He sparred with spooks and US politicians, as the government attempted to limit who could use crypto in the interests of "national security."

Diffie joined Sun in 1991 and in 2002 was named chief security officer, with the mission of leading a global initiative to evangelize Sun's security offerings. He was also tasked with talking about major issues in relation to technology security.

[...]

Thursday 19 November 2009

In-Q-Tel Invests In Cybersecurity Company

By J. Nicholas Hoover
InformationWeek
November 18, 2009

The independent venture arm of the U.S. intelligence community, In-Q-Tel, has invested in cybersecurity company FireEye, the company announced Wednesday.

In-Q-Tel and FireEye didn't disclose terms of the agreement, or which intelligence agencies are particularly interested in the technology.
However, in a release, they said that the investment "will extend FireEye's cyber security product development and stealth malware technical capabilities to protect against cyber threats."

The intelligence community has a clear interest in cybersecurity investment. At a conference earlier this month, deputy secretary of defense William Lynn said that more than 100 foreign intelligence agencies are actively trying to hack into federal government systems. The NSA recently announced plans to build a $1.5 billion cybersecurity data center in Utah.

California-based FireEye sells an out-of-band security appliance that monitors all inbound network traffic, employing a blend of signatures and heuristics to analyze traffic for evidence of suspicious behavior. After identifying suspicious traffic, the appliance captures and replays the traffic on virtual machines running in the appliance, which imitate real PCs. If those PCs are compromised, FireEye alerts administrators. By routing the traffic to a virtual machine, FireEye claims it is able to mitigate false positives. The virtual machines are invisible to the customer's production network.

Penetration Testing Grows Up

By Kelly Jackson Higgins
DarkReading
Nov 18, 2009

Penetration testing, once considered a risky practice for the enterprise and even a tool for evil hacking purposes, is becoming more of an accepted mainstream process in the enterprise mainly due to compliance requirements and more automated, user-friendly tools -- and most recently, the imminent arrival of a commercial offering based on the popular open-source Metasploit tool.

Rapid7's purchase of the Metasploit Project last month and its hiring of the renowned creator of Metasploit, HD Moore, demonstrate just how far penetration testing has come over the past 18 months, security analysts say. While some organizations still confuse penetration testing with the more pervasive vulnerability scanning, which searches for and pinpoints specific vulnerabilities and weaknesses, penetration testing is finally about to enter a new phase of commercial deployment, experts say.

Penetration testing basically puts the tester in the shoes of a would-be attacker, using exploits and attack combinations against a network or application to find where the actual exploitable weaknesses lie.

"This is an exciting time because we're starting to see even the edgy [penetration testing providers] look to the enterprise as a viable market," says Nick Selby, managing director of Trident Risk Management, a Dallas-based security and consultancy firm. "The technology is more mature so that the more experienced and skilled penetration testers have better toolsets than ever ... and the less experienced ones can do more of the low-hanging fruit work."

Hackers descend upon defense website

People's Daily Online
November 19, 2009

Hackers are trying to penetrate the website of China's Ministry of National Defense and have made more than 2 million attacks on it within one month since the site's launch three months ago, People's Daily reported Wednesday.

The efforts are seen as a sign of the increasing vulnerability facing China's official websites.

"Since the first day the defense ministry website went online, it has suffered mass, uninterrupted hacker attacks," Ji Guilin, the editor in chief of the website, told the paper in an interview.

There were more than 2.3 million cyber attacks in the first month alone, especially in the first week, Ji said, though no damage was done to its operation due to intensified security measures and the back-up systems in place.

Ji did not pinpoint the exact origins of the attacks, but he said the hackers tried to infiltrate the website (www.mod.gov.cn) and cripple its operations.

The Chinese military, the world's largest with 2.3 million troops, has come under frequent accusations of hacking into the websites of foreign governments. The Chinese government has rejected any such involvement.

In an interview last month with the International Herald Leader, affiliated to the Xinhua News Agency, Ji said the national defense ministry website places particular stress on security, and various security measures were in place to choke hacker attacks.

"The website seems to be strong in its defense capabilities against hackers," Liu Yong, a senior editor of China Security Magazine, said.

The possible motives of hackers trying to break into the website were unclear, and the defense ministry declined to speculate.

Fang Binxing, president of Beijing University of Posts and Telecommunications and an expert on information security technologies, said some hackers are likely to launch attacks from outside China for provocation purposes.

"Many are jealous of China's growing prosperity and want to embarrass China by attacking some of its popular official websites," he said.

The ministry launched the bilingual website, in Chinese and English, on August 20 in a bid to better promote China's national defense and downplay the West's fears of China's military modernization drive, the defense ministry said.

The launch came just days after the Pentagon unveiled its new website, defense.gov.

China's defense website contains news releases, overviews of defense policies and profiles of leaders. It also features audio and video.

Ji said that the site's total number of page views in the first three months of trial operations reached 1.25 billion, with up to 40 percent of them coming from Beijing, Guangdong and Jiangsu.

Web users from the United States, Australia and Britain made up the most hits on the English version of the website, he said, while most overseas hits on the Chinese-language site come from the US, Australia, Singapore and Japan.

Traffic on the first day reached 70 million users and the next day it climbed to 130 million, he said.

"The website is sound in terms of structure, but it lacks in-depth and detailed content compared with many non-governmental online forums featuring military topics," Hou Lei, a 24-year-old military enthusiast in Beijing, said.

NSA helped with Windows 7 development, Who wants a Windows 7 Now???

By Gregg Keizer
Computerworld
November 18, 2009

The National Security Agency (NSA) worked with Microsoft on the development of Windows 7, an agency official acknowledged yesterday during testimony before Congress.

"Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector," Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security yesterday as part of a prepared statement.

"All this was done in coordination with the product release, not months or years later during the product lifecycle," Schaeffer added. "This will improve the adoption of security advice, as it can be implemented during installation and then later managed through the emerging SCAP standards."

Security Content Automation Protocol, or SCAP, is a set of standards for automating chores such as managing vulnerabilities and measuring security compliance. The National Institute of Standards and Technology (NIST) oversees the SCAP standards.

PS3s used to capture child pornographers

By Tom Magrino
GameSpot
Nov 17, 2009

The PlayStation 3 has been used for a variety of altruistic tasks following its launch in 2006. Perhaps the most high-profile of these ventures is the Folding@home project, which uses spare processing power from idling, networked PS3s to undertake the arduous task of simulating protein folding in order to study the causes of various diseases.

The latest effort to harness the PS3's processing power for good comes from the US Immigration and Customs Enforcement Cyber Crimes Center. As reported by Axcess News, the Cyber Crimes Center (C3) is using networked PS3s to capture sexual predators by cracking passwords on computers suspected of containing child pornography.

The report notes that while law enforcement agents can execute a warrant to secure the physical computers, the Fourth Amendment protects suspected predators from surrendering passwords and other encryption material. As such, the agency attempts to crack the passwords by using a program that tries all possible key combinations. The report notes that a six-digit password has nearly 282 trillion possible permutations, and the networked PS3 can attempt 4 million guesses per second.

The fight against kiddie porn has a new ally.

"Bad guys are encrypting their stuff now, so we need a methodology of hacking on that to try to break passwords," said C3 senior special agent Claude E. Davenport. "The PlayStation 3--its processing component--is perfect for large-scale library attacks."
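The article's numbers can be carried through to see what that guess rate actually buys. The block below is an added example, not code from the article or from ICE's Cyber Crimes Center; it takes "nearly 282 trillion" for a "six-digit" password to mean 256**6 (six arbitrary bytes, which is exactly 281,474,976,710,656) and uses the quoted 4 million guesses per second, then goes beyond the article by comparing other alphabet sizes and lengths, which I have chosen myself.

```python
"""Brute-force cost model for the figures quoted in the GameSpot article.

Added example, not from the original article or from ICE/C3. Assumptions:
the article's "282 trillion permutations for a six-digit password" is read
as 256**6 (six arbitrary bytes); the guess rate is the article's 4,000,000
per second; the comparison alphabets below are my own choices.
"""

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

ARTICLE_GUESSES_PER_SECOND = 4_000_000  # quoted in the article

# Assumed alphabet sizes for comparison (not from the article).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
    "any byte": 256,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates of exactly `length` symbols."""
    return alphabet_size ** length


def time_to_exhaust(space: int, guesses_per_second: float) -> tuple[float, float]:
    """(worst-case seconds, expected seconds) for a uniformly chosen key.

    Exhausting the space is the worst case; on average the key is found
    after half of the candidates have been tried.
    """
    worst = space / guesses_per_second
    return worst, worst / 2


def cracking_budget(alphabet_size: int, length: int,
                    guesses_per_second: float) -> dict:
    """Keyspace plus worst-case and expected search time in days and years."""
    space = keyspace(alphabet_size, length)
    worst, expected = time_to_exhaust(space, guesses_per_second)
    return {
        "keyspace": space,
        "worst_case_days": worst / SECONDS_PER_DAY,
        "worst_case_years": worst / SECONDS_PER_YEAR,
        "expected_years": expected / SECONDS_PER_YEAR,
    }


def article_figures() -> dict:
    """The article's own case: 256**6 candidates at 4,000,000 guesses/s."""
    return cracking_budget(256, 6, ARTICLE_GUESSES_PER_SECOND)


if __name__ == "__main__":
    a = article_figures()
    print(f"256^6 = {a['keyspace']:,} candidates -> "
          f"worst {a['worst_case_years']:.2f} y, expected {a['expected_years']:.2f} y")
    # How the same guess rate fares against other alphabets and lengths.
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12):
            b = cracking_budget(size, length, ARTICLE_GUESSES_PER_SECOND)
            print(f"{name:>16} x{length:2d}: {b['keyspace']:>26,}  "
                  f"worst {b['worst_case_years']:>14.3f} y")
```

Two observations fall out of the table: six full bytes already cost about 2.2 years at the quoted rate, while eight printable ASCII characters push the worst case past 50 years, so length and alphabet size dominate any fixed hardware budget.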

Monday 19 October 2009

Delay in extradition proceedings for Pentagon hacker Gary McKinnon

By Team Register
The Register
18th October 2009

The Home Office has agreed to a delay in extradition proceedings for Pentagon hacker Gary McKinnon while Home Secretary Alan Johnson and government lawyers reconsider evidence in the case.

Washington has been demanding McKinnon go on trial in the US for breaking into Pentagon computer systems back in 2002. He has never denied tapping into US military systems, saying he was looking for evidence of UFOs.

McKinnon, 42, was refused leave to appeal to the UK's newly minted supreme court earlier this month, with judges ruling his extradition was lawful and proportionate.

At that time he had 14 days to make any further representations to the European Court of Human Rights, though his options were extremely limited.

"Tuesday, October 20 2009, 11:00 a.m. EDT, Secretary Napolitano will deliver a live webcast address about the urgent need to counter the threat of cyber attacks, and the shared responsibility in staying safe online. Visit www.dhs.gov on Tuesday to watch this live address. Increasing the general public's awareness about computer and online risks is a critical part of Cybersecurity Awareness Month, recognized in October."

PayChoice Suffers Another Data Breach

By Brian Krebs
Security Fix
The Washington Post
October 15, 2009

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed onlineemployer.com -- the portal for PayChoice's online payroll service -- this time after some clients began noticing bogus employees being added to their payroll.

"After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday.

This week's attack appears to be the second stage of a sophisticated cyber assault launched last month against PayChoice customers. In that attack, hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The supposed plug-in offered in that e-mail was instead malicious software designed to steal the victim's user names and passwords.

[...]

Q&A: Defcon's Jeff Moss on cybersecurity, government's role

By Elinor Mills
InSecurity Complex
CNet News
October 16, 2009

As a hacker and organizer of Defcon, an event at which computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June.

But his background and lack of government experience bring a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.

With National Cyber Security Awareness Month under way, CNET News discussed with Moss his new role, his thoughts on the national ID card debate, and how the government wants to use social media sites for public emergency alerts. This edited interview is the first of two parts. Part two will run on Monday.


Q: So, how's it going on the Homeland Security Advisory Council?

Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.

[...]

38 Oracle security patches coming next week

By Robert McMillan
IDG News Service
October 16, 2009

After a record-setting week of Microsoft and Adobe security patches, Oracle is gearing up for a major update of its own next week.

Next Tuesday, the database vendor will release its quarterly Critical Patch Update, which "contains 38 security vulnerability fixes across hundreds of Oracle products," according to an advance notification posted to Oracle's Web site.

As usual, Oracle's most-patched product next week will be its flagship database, which will get 16 bug fixes. Six of these flaws may be exploitable over a network without any type of authentication, Oracle said.

Also in the mix are eight fixes for the company's E-Business Suite, three for Oracle Application Server and one for the Industry Applications Products Suite.

Patches are also planned for Oracle's BEA, PeopleSoft and JD Edwards software.

Sunday 18 October 2009

iRemove Tools Page

iRemove.nl Tools Page, updated daily, check back :)