Submission + - Google Launches Game to Teach XSS Bug Hunting Skills (securityweek.com)

wiredmikey writes: Google has launched a new game to teach Web application developers how to spot cross-site scripting (XSS) bugs in their code. This game consists of several levels resembling real-world applications which are vulnerable to XSS. The XSS Game, which requires a modern web browser with JavaScript and cookies enabled, is mainly addressed to Web application developers who don’t specialize in security. However, Google believes that while security experts might find the first levels easy, they could also learn a few things.

Cross-site scripting (XSS), which can be either persistent or reflected, and cross-site request forgery (CSRF), where attackers use an authenticated session on one Website to perform unauthorized actions on another site, are both especially dangerous.

The XSS Game is not the first security game from Google. Back in 2010, the company released Gruyere, a small web application designed to teach developers how to identify XSS, CSRF, information disclosure, denial-of-service (DoS), and remote code execution vulnerabilities, and how to protect a website against these types of attacks.

Submission + - Iranian Hackers Targeted US Officials via Social Media (securityweek.com)

wiredmikey writes: Iranian threat actors, using more than a dozen fake personas on popular social networking sites, have been running a wide-spanning cyber espionage operation since 2011, according to a new report. The recently uncovered activity, which iSIGHT Partners calls NEWSCASTER, was a “brazen, complex multi-year cyber-espionage that used a low-tech approach to avoid traditional security defenses–exploiting social media and people who are often the ‘weakest link’ in the security chain.”

Using the fake personas, including at least two (falsified) legitimate identities from leading news organizations, and young, attractive women, the attackers were supported by a fictitious news organization and were successful in connecting or victimizing over 2,000 individuals.

Working undetected since 2011, the group's targets included senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, and defense contractors in the U.S. and Israel. “Largely this campaign was about credential harvesting and recon,” Stephen Ward of iSIGHT Partners told SecurityWeek.

The report from iSIGHT Partners, which has not been publicly released, comes roughly two weeks after a report from FireEye, which suggested that Iranian attackers’ methodologies have “grown more consistent with other advanced persistent threat (APT) actors in and around Iran" following cyber attacks against Iran in the late 2000s.

Submission + - LulzSec Hacker-FBI Informant Sabu Walks Free (securityweek.com)

wiredmikey writes: Hector Xavier Monsegur, better known by his hacker handle "Sabu", who directed hundreds of cyber attacks on corporations and foreign governments before turning FBI informant, walked free Tuesday after being handed a symbolic seven-month sentence.

The original charges could have landed him in prison for decades but the government asked for him to be exempt from even a mandatory minimum sentence given his "extraordinary cooperation."

Before walking out of the US federal court a free man, he told the judge that he would not see him back. "I came a long way I assure you... I am not the same person I was," he said.

In August 2011, Monsegur pleaded guilty to nine counts related to computer hacking, one count of aggravated identity theft, one count of conspiracy to commit bank fraud, and one count related to payment card fraud. He was supposed to be sentenced in August 2012, but the decision has been postponed seven times because of his ongoing collaboration with the government. In addition to helping investigators track down members of the LulzSec hacker group, Monsegur helped law enforcement in preventing cyberattacks. According to FBI estimates, Monsegur helped the agency disrupt or prevent at least 300 separate cyber attacks.

Submission + - Iran Court Summons Mark Zuckerberg (securityweek.com)

wiredmikey writes: An Iranian judge has summoned Facebook founder and CEO Mark Zuckerberg to answer allegations that his company's apps have breached people's privacy, it was reported Tuesday. The court in Fars province ordered that Zuckerberg address unspecified "violation of privacy" claims made by Iranians over the reach of Facebook-owned apps, ISNA news agency reported.

"Based on the judge's verdict, the Zionist manager of Facebook... should report to the prosecutor's office to defend himself and make compensation for damages," Rouhollah Momen-Nasab, a senior Iranian Internet security official, told ISNA.

Access to social networks, including Twitter and Facebook, is routinely blocked by Iranian authorities, as are other websites considered un-Islamic or detrimental to the regime.

Submission + - Silent Circle Raises $30 Million, Moves HQ to Switzerland (securityweek.com)

wiredmikey writes: Silent Circle, a startup providing private encrypted communications solutions, announced on Wednesday that it has raised $30 million in funding and that it was moving its global headquarters from the Caribbean island of Nevis to Switzerland.

According to the company, it will use the new injection of cash to accelerate its growth and momentum in the secure communications market and to meet the “overwhelming demand” for Blackphone – its fully encrypted smartphone designed to thwart snooping governments and other attackers.

"The move to Switzerland is extremely important for us as a company serving a global customer base. Switzerland's strong privacy laws, legendary neutrality, and economic business advantages will allow us the ability to scale to Silent Circle's rapid adoption by businesses, governments and individual pro-sumers around the world," said Vic Hyder, Silent Circle Chief of Revenue.

Last year, Silent Circle shut down its encrypted email service to avoid becoming a target after the US government subpoenaed the records of Lavabit.

Silent Circle was co-founded by former Navy SEAL sniper Mike Janke and PGP creator Phil Zimmermann, and has created a platform for encrypted text, mobile phone, video teleconferencing and file transfer services through a secure, proprietary network and set of applications.

Submission + - Sony to Make Movie of Edward Snowden Story (securityweek.com)

wiredmikey writes: Sony Pictures Entertainment has acquired the rights to the new book by journalist Glenn Greenwald about fugitive US intelligence leaker Edward Snowden, the studio said Wednesday. James Bond franchise producers Michael Wilson and Barbara Broccoli will make the movie version of "No Place to Hide," described as "a political film that will resonate with today's moviegoers."

The book, subtitled "Edward Snowden, the NSA and the US Surveillance State," was just recently published in Britain by Hamish Hamilton and in the United States by Metropolitan Books.

Submission + - Estonia Urged to Drop Internet Voting Over Security Fears (securityweek.com)

wiredmikey writes: A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks, noting that the system's operational security is lax, transparency measures are insufficient and the software design is vulnerable to cyber attacks.

"Estonia's Internet voting system blindly trusts the election servers and the voters' computers," said US computer scientist J. Alex Halderman, a co-author of the report released Tuesday. "Either of these would be an attractive target for state-level attackers, such as Russia."

Dubbed E-stonia, the ex-Soviet Baltic nation of just 1.3 million people has made a name for itself as a trailblazer in technology, notably pioneering e-voting in 2005 and playing host to NATO's cyber defense center.

Submission + - Cost of Data Breaches Rises Globally (securityweek.com)

wiredmikey writes: Protecting data isn't cheap, but neither is dealing with a data breach. According to the Ponemon Institute's ninth annual global study on data breach costs, the average total price tag of a breach increased 15 percent to $3.5 million. The research, which focused on 314 companies across 10 countries, found that the cost incurred for each lost or stolen record containing sensitive and confidential information stood at $145, nine percent more than the cost noted in the previous report.

The U.S. and Germany paid the most for breaches caused by malicious or criminal attacks, with a price tag of $246 and $215 per compromised record, respectively. The cost per record for that kind of breach was lowest in India, where it averaged $60 per record.

Submission + - Europe's Cybersecurity Policy Under Attack (securityweek.com)

wiredmikey writes: As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond.

Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments.

Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are."

Submission + - Nasty IE Zero-Day Used in Attacks Against US Firms (securityweek.com)

wiredmikey writes: Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. Microsoft also issued a security advisory on Saturday.

Submission + - Tech Giants Launch 'Core Infrastructure Initiative' to Fund Open Source Projects (securityweek.com)

wiredmikey writes: Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow.

The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site.

Submission + - Verizon Publishes Vastly Expanded Data Breach Investigations Report (securityweek.com)

wiredmikey writes: Verizon has published the latest version of its highly respected and always anticipated Verizon Data Breach Investigations Report. Point-of-sale (PoS) attacks are declining, while Web application attacks and cyber-espionage are increasing, according to the 2014 Verizon Data Breach Investigations Report (DBIR).

The highlight of this year's report, however, is not the data breach numbers, but the industry-by-industry analysis of various threat types. In previous years, the highly regarded report from Verizon focused on actual data breaches investigated by either Verizon's security team or by one of its global partners. This year, the team decided to expand the report definition to include security incidents that didn't result in breaches in order to "gain a better understanding of the cybersecurity landscape," Marc Spitler, a senior risk analyst with Verizon's RISK team, told SecurityWeek.

"This evolution of the DBIR reflects the experience of many security practitioners and executives who know that an incident needn’t result in data exfiltration for it to have a significant impact on the targeted business," the report said.

Verizon RISK team researchers found that 92 percent of security incidents from the past 10 years could be categorized in one of nine "threat patterns," or attack types. The full report is available online in PDF format.

Submission + - Heartbleed Exploited to Bypass Two-factor Authentication, Hijack User Sessions (securityweek.com)

wiredmikey writes: Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.

Submission + - Russian Officials Dump iPads for Samsung Tablets Over Spy Fears (securityweek.com)

wiredmikey writes: Russian government officials have swapped their iPads for Samsung tablets to ensure tighter security, the telecoms minister told news agencies on Wednesday. Journalists spotted that ministers at a cabinet meeting were no longer using Apple tablets, and minister Nikolai Nikiforov confirmed the changeover "took place not so long ago." He said the ministers' new Samsungs were "specially protected devices that can be used to work with confidential information." This isn't the first time Russian powers have had concerns over mobile. In August 2012, Russia unveiled a prototype tablet with its own "almost Android" mobile OS that has the remarkably familiar feel of an Android but with bolstered encryption. In an even more paranoid move, this past July a Russian state service in charge of safeguarding Kremlin communications was looking to purchase an array of old-fashioned typewriters to prevent leaks from computer hardware.

Submission + - Full Disclosure List Reborn Under New Operator (securityweek.com)

wiredmikey writes: Less than a week after announcing that it would suspend service indefinitely due to a conflict with an unnamed security researcher and ongoing legal threats, the Full Disclosure mailing list is coming back.

Gordon Lyon (aka Fyodor), who operates several Internet security resources and other mailing lists, has created a replacement list with the blessing of John Cartwright, one of the creators of Full Disclosure, which served as a forum for the discussion of vulnerabilities, exploitation techniques and other security topics.

Because the list is getting a fresh start and no previous subscriber information appears to be headed to Lyon, interested users will have to subscribe manually, which can be done here.

"Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete," Lyon said. "I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future."