Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


+ - Turns out nobody's sure what should count as a Cyber Incident->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure (, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported. (

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however.

His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion ( duly note the role that the software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event.

Weiss says he has found many other, similar omissions that continue even today. One obstacle to properly identifying such incidents is that the popular understanding of a cyberincident borrows too much from the information technology industry, which focuses on malicious actors and software based threats operating in traditional IT environments. “In the IT world, ‘cyber’ is equated with malicious attacks,” Weiss said. “You’re worried about a data breach and stolen data, or denial of service attacks.”

Weiss argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. “San Bruno wasn’t malicious, but it easily could have been,” Weiss notes. “It’s a nonmalicious event that killed 8 people and destroyed a neighborhood.”"

Link to Original Source

+ - DHS: Advanced Threats behind most Industrial Control System Hacks Last Ye ->

Submitted by chicksdaddy
chicksdaddy (814965) writes "A new report from the Department of Homeland Security ( reveals that, of 245 reported incidents of cyber attacks on critical infrastructure in 2014, more than half were attributed to sophisticated “APT” type actors.

The revelation comes from DHS’s Industrial Control System Cyber Emergency Response Team (ICS-CERT), which reported on incident response and vulnerability coordination in 2014. ( Among the 245 incidents reported were malware infections on “air-gapped control system networks,” strategic compromises of so-called “watering hole” web sites and the use of previously unknown or “zero day” vulnerabilities in industrial control system software. DHS found 55% involved APT or sophisticated actors. Hactivists, malicious insiders and cyber criminals were behind other incidents. In many other cases, asset owners were unable to determine who or what was attacking them, the report said.

The report from ICS-CERT gives the best picture available of the scope of cyber attacks on critical infrastructure. Firms in the energy sector reported the biggest share of cyber attacks: 79, or 32% of the incident reports. The “critical manufacturing” sector reported the next highest number of incidents: 65, or 27% of the total recorded by ICS-CERT."

Link to Original Source

+ - Stolen Data is a Perishable Commodity->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Ben Franklin famously observed that “guests, like fish, begin to smell after three days.” Hospitality, Franklin realized, was a perishable commodity.

According to a post on Digital Guardian's blog, it may turn out that the same is true of stolen data. The post picks up on new research on cyber criminal networks from The University of Massachusetts (, which finds that “time” is the key element in understanding the behavior of cyber criminals operating within larger cyber criminal marketplaces. Stolen data's “sell by” date actually has a big impact on cybercriminal activity and how such networks operate.

The research is presented in a new paper: “A Multiproduct Network Economic Model of Cybercrime in Financial Services.” ( by Professor Anna Nagurney of the Isenberg School of Management at the University of Massachusetts, Amherst. Nagurney models cybercriminal networks by looking at the interplay between three factors: the supply price, the transaction cost, and demand price functions. Nagurney’s model is novel because it figures in the “average time associated with illicit product delivery at the demand markets” and the tendency of demand price to go down over time.

Of course, the notion that the value of goods decreases over time isn’t unusual. Every butcher or grocer contends with that reality daily. But Nagourney may be the first to attempt to model how the value of stolen data decreases with its “freshness” – the proximity to the theft event.

Her research puts weight behind the oft-stated (but not studied) notion that cyber criminals aren’t shadowy super villains, but rational, economic agents. They make decisions about which targets to pursue by calculating the difference between the demand price that products (such as credit and debit cards) fetch and the associated costs of stealing and transacting them.

The goal is to identify ways to make it harder to attack financial organizations, thus raising the cost of obtaining the data – or ‘increasing transaction costs’ to use the language of economics. Her model allows researchers to show, graphically, how increasing or decreasing demand for stolen goods will affect the functioning of the criminal enterprise, overall."

Link to Original Source

+ - Survey: Trust in Public Key Encryption Nearing Breaking Point->

Submitted by itwbennett
itwbennett (1594911) writes "A Ponemon survey of more than 2,000 IT professionals in the U.S., U.K. Germany, France and Australia finds increased reliance on and fading faith in Public Key encryption — a dangerous combination. Data collected in the survey found that the number of keys and certificates deployed within organizations has grown by 34% to almost 24,000 per enterprise. At the same time, 54% percent of organizations surveyed acknowledged that they did not know where all their keys and certificates are located, the report said."
Link to Original Source

+ - Anthem Blocking Federal Auditor from Doing Vulnerability Scans->

Submitted by chicksdaddy
chicksdaddy (814965) writes "File this one under "suspicious behavior." Anthem Inc., the Indiana-based health insurer has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients.

According to this article (, Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do.

This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time ( warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including Wellpoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform."

Link to Original Source

+ - NIST: Crystal Pattern Matching Recovers Obliterated Serial Numbers from Metal->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Criminals beware: researchers at the National Institute of Standards and Technology (NIST) have figured out how to recover serial numbers obliterated from metal surfaces such as firearms and automobiles — a common problem in forensic examinations.

Law enforcement agencies use serial numbers to track ownership of firearms and build criminal cases. But serial numbers can be removed by scratching, grinding or other methods. Analysts typically try to restore the numbers with acid or electrolytic etching or polishing, because deformed areas behave differently from undamaged material. But these methods don’t always work.

According to this report ( NIST researchers used a technique called electron backscatter diffraction (EBSD) to read, in the crystal structure pattern, imprints on steel that had been removed by polishing.

In EBSD, a scanning electron microscope scans a beam of electrons over the surface of a crystalline material such as a metal. The electrons strike atoms in the target and bounce back. Because the atoms are arranged in a regular pattern, the scattered electrons interact and form patterns that reveal the crystal’s structure on a scale down to tens of nanometers. The more perfect the crystal structure, the stronger and clearer the pattern. Software can then calculate the pattern quality to reveal crystal damage; areas with more damage produce lower quality patterns.

In the NIST experiments, described in Forensic Science International,* researchers hammered the letter “X” into a polished stainless steel plate. The letter stamps were as deep as 140 micrometers, meeting federal regulations for firearm serial numbers. The researchers then polished the metal again to remove all visible traces of the letters, and collected the EBSD diffraction patterns and pattern quality data and analyzed them for evidence of the imprints."

Link to Original Source

+ - Federal Court: Theft of Medical Records Not An 'Imminent Danger' To Victim->

Submitted by chicksdaddy
chicksdaddy (814965) writes "A federal court in Texas ruled last week that a massive data breach at a hospital in that state didn’t put patients at imminent risk of identity theft, even when presented with evidence that suggested stolen patient information was being used in attempted fraud and identity theft schemes.

According to this post over at Digital Guardian's blog ( Beverly Peters was one more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013. Peters alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being “misused by unauthorized and unknown third parties.” Specifically: Peters reported that, subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her account — posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.

As a result, Peters argued that she faced an “imminent injury” due to “increased risk” of future identity theft and fraud because of the breach at St. Joseph, and wished to sue the hospital for violations of the Fair Credit Reporting Act (FCRA).

But the court found otherwise, ruling that Peters lacked standing to bring the case in federal court under Article III of the Constitution. That was because she hadn’t been able to prove any direct damages from the attempted identity theft that occurred in the past (Discover reversed the fraudulent charge), while the threat she faced in the future was not “imminent.”

As this article notes (, the ruling turns on a high profile case involving government surveillance and the now-infamous FISA courts dating back to the Carter administration: Clapper v. Amnesty International USA. ( In that case, the U.S. Supreme Court ruled against the human rights group and a collection of lawyers and reporters in a challenge to part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. The High Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not “certainly impending.”

In his 15 page ruling (, U.S. District Judge Kenneth Hoyt said the same logic applied to Peters’ suit as well. “Under Clapper, Peters must at least plausibly establish a “certainly impending” or “substantial” risk that she will be victimized,” Hoyt wrote. “The allegation that risk has been increased does not transform that assertion into a cognizable injury.”"

Link to Original Source

+ - After White House Cyber Summit a Consensus - on Pessimism->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Even with a high-profile summit in the heart of Silicon Valley, partisan gridlock back in Washington D.C. will make progress on cyber security impossible, the Security Ledger reports.

Last week's “Whitehouse Summit on Cybersecurity and Consumer Protection” ( ) made much of the need for better cooperation between the government and private sector, especially in sharing information about cyber attacks and threats. Speaking at the event, President Obama issued an Executive Order ( instructing the Secretary of Homeland Security (Secretary) to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs)” that would facilitate such sharing.

But critics note that the President’s reliance on an Executive Order was just one sign of the trouble ahead – with a familiar culprit: gridlock. “I know people on both sides – Republicans and Democrats, people on the Hill and the Whitehouse who deal with these policy matters,” said John Dickson, a Principal at Denim Group. “I’ll tell you one thing, they are not talking to each other at all.”

The result is efforts on cyber security that are more symbol than action: calls for information sharing without the legal changes to enable it. “Obviously, the lynch pin for information sharing is getting some comfort for commercial entities about liability and how that is defined,” Dickson said. “And that simply was not addressed."

Not that Republicans are doing any better: with control of both the House and Senate, the GOP hasn't made any effort to put forward comprehensive reforms, despite bi-partisan support and good prospects for passage and a Presidential signature. Neither side, it seems, wants the other to "win," Dickson observed."

Link to Original Source

+ - Privacy: The 21st Century's Newest Luxury Item->

Submitted by chicksdaddy
chicksdaddy (814965) writes "There is a report today on the 21st century's newest luxury item: online privacy.

The Christian Science Monitor writes about the growing market for premium privacy protection tools available to tech-savvy consumers with the desire for online anonymity- and the means to pay for it. (

The piece profiles new tools from companies like Abine ( that deliver everything from self-destructing e-mail messages to the 21st century’s equivalent of Kleenex: one-off “throwaway” online identities to keep advertisers, merchants and government snoops at bay.

Privacy experts, however, doubt that the new tools will tip the scales of online privacy in favor of consumers and away from governments and advertisers. "Consumers really don’t have a fighting chance,” says Andrea Matwyshyn of Princeton University. “Technology moves entirely too fast." She and others see the need for both bigger fixes and the level of Internet infrastructure and law. "As a consumer protection matter, there needs to be a floor,” she said. "Just as there are laws protecting renters from substandard housing, or car buyers from 'lemons,' there need to be regulations that create a buffer between consumers and companies.""

Link to Original Source

+ - Tech Industry in Search of Leadership At WhiteHouse Cyber Summit->

Submitted by chicksdaddy
chicksdaddy (814965) writes "President Obama travels to Stanford University on Friday to join Apple CEO Tim Cook in talking about the need for more private-public sector cooperation to fight cyber crime. But technology industry executives attending the White House Summit on Cybersecurity and Consumer Protection ( complain that a major obstacle to cooperation is a lack of legislative action that clarify the rules of the road for private firms when it comes to sharing information about customers with the government and each other.

The controversy over government surveillance has put the ball in the government's court, said Michael Brown, RSAs Global Public Sector Vice President. "They need to articulate what amount of access to private information is “appropriate and legal” for law enforcement and the government. “They really need to articulate a rationale for that,” Brown said. “It’s not just about ‘when, where, and how.’ They also need to clearly articulate ‘why’ – for example: this is a matter of public safety and this is the only way we can get this information.”

Also on the to-do list say executives: a re-writing of the 80s era Computer Fraud and Abuse Act ( and a federal data breach notification law that creates a consistent, national standard.( Currently, 48 states have passed such laws, creating a compliance mess for private firms that discover they have leaked customer data."

Link to Original Source

+ - DHS is Struggling to Fulfill its Cyber Mission->

Submitted by chicksdaddy
chicksdaddy (814965) writes "It's always interesting to listen to what politicians say on their way out of office — after the pressure to get re-elected and say "on message" has been lifted. Eisenhower's historic farewell address in 1961 warned Americans about the influence of the Military-Industrial Complex. ( Twenty years later, Jimmy Carter warned of the distorting influence of "single-issue groups and special interest organizations" on the political process. (
And, this week, outgoing Sen. Tom Coburn (R-OK) used his final days in office to issue a blistering report on the Department of Homeland Security. Coburn argued that DHS was failing on each of its five, critical missions, among them: cyber security. (

The report, “A Review of the Department of Homeland Security’s Missions and Performance,” ( was released on Saturday. In it, the outgoing Senator said that DHS’s strategy and programs “are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”

Despite spending $700 million annually on a range of cybersecurity programs, Coburn said it is hard to know whether the Department’s efforts to assist the private sector in identifying, mitigating or remediating cyber incidents provide “significant value” or are worth the expense. DHS programs are still heavily weighted towards software vulnerability mitigation, Coburn says, an activity that “will not protect the nation from the most sophisticated attacks and cybersecurity threats.”"

Link to Original Source

+ - Investigation IDs Crew of 6 Behind Hack of Sony, Including Former Employee->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Alternative theories of who is responsible for the hack of Sony Pictures Entertainment have come fast and furious ( recent weeks- especially since the FBI pointed a finger at the government of North Korea last week. ( But Norse Security is taking the debate up a notch: saying that they have conclusive evidence pointing to group of disgruntled former employees as the source of the attack and data theft.

The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals — in the U.S., Canada, Singapore and Thailand — that it believes carried out the attack, including at least one 10 year employee of SPE who worked in a technical capacity before being laid off in May.(

Rather than starting from the premise that the Sony hack was a state sponsored attack, Norse researchers worked their investigation like any other criminal matter: starting by looking for individuals with the "means and motive" to do the attack. HR files leaked in the hack provided the motive part: a massive restructuring in Spring, 2014, in which many longtime SPE employees were laid off.

After researching the online footprint of a list of all the individuals who were fired and had the means to be able to access sensitive data on Sony's network, Norse said it identified a handful who expressed anger in social media posts following their firing. They included one former employee — a 10 year SPE veteran who he described as having a “very technical background.” Researchers from the company followed that individual online, noting participation in IRC (Internet Relay Chat) forums where they observed communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia.

According to Stammberger, the Norse investigation was eventually able to connect an individual directly involved in conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July, 2014.

While Stammberger admits that some clues in the investigation seemed to point to attackers in one of the Koreas, he says those paths all turned into dead ends, and that Norse investigators found no convincing evidence of North Korean involvement in the incident.

According to Stammberger, the company is briefing the FBI on its investigation on Monday. I'd love to be a fly on the wall in that room!"

Link to Original Source

+ - Vessel Identification and Tracking System Is Profoundly Insecure->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Researchers from the firm Trend Micro are warning that the Automated Identification System (or AIS) — a monitoring system that is used on over 400,000 ocean-going vessels — is profoundly insecure and vulnerable to both software and radio-based hacks, The Security Ledger reports. (

AIS is a global system for tracking the movement of vessels. It is intended to supplement marine radar and relies on ship, land and satellite-based systems to exchange data on ships’ position, course and speed and is used for everything from collision avoidance to security, ship-to-ship communications and weather forecasting.

AIS is required to be deployed on all passenger vessels and on international-voyaging ships with gross tonnage of 300 or more. However, researchers Marco Balduzzi and Kyle Wilhoit found that AIS is rife with exploitable software- and protocol vulnerabilities. Chief among them are flaws in the AIS protocol which was developed in a “hardware epoch” and lacks even basic security features such as authentication and message integrity checks. While hacks of radio-based systems like AIS would have been expensive and difficult to conduct 10 or 15 years ago, the advent of tools like Software Defined Radio make it possible to craft sophisticated attacks with just a small investment, the researchers discovered.

In their work, Balduzzi and Wilhoit – working with an independent security researcher – were able to use software-defined radio based attacks to trigger a range of phony messages, from false SOS and “man in the water” distress beacons to fake CPA (or Closest Point of Approach) alert and collision warnings on an AIS system set up in a lab environment. A copy of their ACSAC presentation slides can be found here:

The two have written about AIS vulnerabilities before, including susceptibility of AIS to man-in-the-middle attacks ( Their latest work expands the list of attacks and vulnerabilities found in AIS to include both software and RF-based hacks, SQL injection, buffer overflow and so on."

Link to Original Source

+ - Sony Attackers Took A Page From The Shamoon Playbook->

Submitted by chicksdaddy
chicksdaddy (814965) writes "The story about the disastrous hack of Sony is the gift that keeps on giving. There's been a wealth of revelations about Sony Pictures Entertainment's internal culture: its tendency to pay male executives more than their female counterparts (, tepid enthusiasm of employees about SPE's output ( and a kind of compulsive transparency within its IT operations ( There have also been revelations about the attacks themselves, including analysis that shows both that the malware used was tailored specifically to Sony's network ( and that the attackers apparently took a page from the 2012 attack on Saudi Aramco known as "Shamoon." Specifically: both the Sony malware and “Disstrack” (the malware used in the “Shamoon” attack on Saudi Aramco) relied on the same commercial tool to access and erase the hard drive, a program called RawDisk by the company Eldos, according to a source with knowledge of the attack, the Christian Science Monitor reported today."
Link to Original Source

+ - FBI Analysis of Wiper Malware Finds Korean Language Packs, Hard Coded Targets-> 1

Submitted by chicksdaddy
chicksdaddy (814965) writes "A copy of the FBI's recent five page FLASH alert reveals that the malware alleged to have wiped out systems at Sony Pictures Entertainment deployed a number of malicious modules, including a version of a commercial disk wiping tool on target systems. Samples of the malware obtained by the FBI were also found to contained configuration files created on systems configured with Korean language packs.

The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization. The malware analyzed by the FBI contained a hard coded list of IP addresses and computer host names.

Media reports have linked the malware to the destructive attack on Sony Pictures Entertainment, though the FBI FLASH alert does not name Sony or any other organization. A group calling itself #GOP – for Guardians of Peace – took responsibility for that attack last week.

Theories about the purpose of the attack on Sony abound. One of the more colorful explanations has the destructive cyber attack as retribution for The Interview, a new Sony film due out at Christmas starring Seth Rogen and James Franco. ( two play western journalists who score an interview with North Korean dictator Kim Jong Un, and are then instructed by the U.S. Central Intelligence Agency to assassinate him. The government of the Democratic Peoples Republic of Korea (DPRK) publicly criticized Sony for plans to release the film and lodged a complaint with the United Nations.("

Link to Original Source

Is your job running? You'd better go catch it!