wiredmikey writes "The overall IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $77,642.
Meanwhile, a study released Wednesday by the Urban Institute found that pimps can bring in tens of thousands a week. According to the report, pimps took home anywhere from $5,000 to $33,000 a week, but detailed hefty expenses like hotel rooms, advertisement, clothing, housing, and food for their "girls." They typically ran relatively small operations of two to 36 people and sometimes employed drivers, bodyguards, and even nannies, according to the report."
wiredmikey writes "Microsoft launched a new web site dedicated to sharing the untold story behind its Security Development Lifecycle (SDL). The Security Development Lifecycle, a process for writing more secure software, is now mandatory within Microsoft, and was the work of early security teams and the impact of Bill Gates’ Trustworthy Computing (TwC) memo in 2002.
The dedicated site, hosted at SDLstory.com, provides never-before-seen video footage and photos from many of the SDL’s key players, and uncovers a collection of little-known anecdotes. For example, Microsoft said that in the early 2000s, the company had to bus engineers to the customer support call center to keep up with high call volumes coming in as a result of security incidents. Microsoft also said that in early February 2002 the entire Windows division shut down development and diverted all developers to focus on security."
wiredmikey writes "Boeing is launching "Boeing Black phone", a self-destructing Android-based smartphone that the company says has no serviceable parts, and any attempted servicing or replacing of parts would destroy the product. "Any attempt to break open the casing of the device would trigger functions that would delete the data and software contained within the device and make the device inoperable," the company explained.
Boeing's website says its device was developed because there was nothing on the market to meet the needs of the US defense and security communities. "Despite the continuous innovation in commercial mobile technology, current devices are not designed from inception with the security and flexibility needed to match their evolving mission and enterprise environment," the website says.
The device should not be confused with the new encrypted Blackphone, developed by the US secure communications firm Silent Circle with Spanish manufacturer Geeksphone."
wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the popular mobile OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a “privileged network position could capture or modify data in sessions protected by SSL/TLS.”
"While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attacks," VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible."
wiredmikey writes "Kickstarter, a web site that serves as a funding platform for creative projects, said on Saturday that malicious hackers gained unauthorized access to its systems and accessed user data.
Yancey Strickler, Kickstarter’s CEO, said the company was notified by law enforcement on Wednesday night that hackers gained unauthorized access to some of its customers' data. According to Strickler, customer information accessed by the attacker(s) included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Strickler said that no credit card data was accessed by the attackers, and that so far only two Kickstarter user accounts have seen evidence of unauthorized activity."
wiredmikey writes "Apple has published a new secure coding guide designed to help developers of Mac OS and iOS applications build more secure programs by design. “Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you should be familiar with the information in this document,” Apple advised in the 123-page guide.
According to a study released in Aug. 2013, just 43 percent of respondents said their organizations have a defined software development process in place. Of these, only 69 percent adhere to the defined process, while 21 percent said their organization doesn't. Ten percent were unsure.
“Security is not something that can be added to software as an afterthought; just as a shed made out of cardboard cannot be made secure by adding a padlock to the door, an insecure tool or application may require extensive redesign to secure it,” Apple said in the guide. The Secure Coding Guide from Apple is available in HTML format or as a PDF file."
wiredmikey writes "Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website. According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.
Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash. According to a recently-released report from CrowdStrike, Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra. “A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye said."
wiredmikey writes "The FBI has placed malware on its shopping list, and is turning to third parties to help the agency build a massive library of malicious software. According to a 'Request for a Quote' posted on the Federal Business Opportunities website, the FBI is looking for price quotes for malware for the Investigative Analysis Unit of the agency's Operational Technology Division (OTD). The unit's mission is to "Provide technical analysis of digital methods, software and data, and provide technical support to FBI investigations and intelligence operations that involve computers, networks and malicious software," according to the document.
The FBI did not say precisely how the malware will be used, but the document calls the collection of malware from law enforcement and research sources "critical to the success of the IAU's mission to obtain global awareness of malware threat.""
wiredmikey writes "The Syrian Electronic Army claimed that it took control over the domain Facebook.com, Wednesday evening, likely through hacking into the domain administrator account at the social network's Domain Registrar. In a Tweet Wednesday evening, the hackers wished Facebook founder Mark Zuckerberg a happy birthday, along with an extra note: "Happy Birthday Mark! Facebook.com owned by #SEA," the Tweet read.
A check of the domain WHOIS showed that details of the three domain contacts were modified to be "email@example.com", though the domain name servers were not modified. Around 7:00PM ET, the registrant contact details were restored to "firstname.lastname@example.org", indicating that MarkMonitor and Facebook were able to react quickly before any damage was done. The hackers said that in response to being hacked, MarkMonitor took down the domain management portal, and also posted a screenshot."
wiredmikey writes "Adobe on Tuesday released an out-of-band security update to address a critical security vulnerability in Adobe Flash Player that could allow an attacker to remotely take control of an affected system.
Adobe said that the vulnerability (CVE-2014-0497), reported to Adobe by Alexander Polyakov and Anton Ivanov of Kaspersky Lab, has an exploit that exists in the wild. Interestingly, Kaspersky Lab said earlier this week that it has been investigating a sophisticated malware that leverages high-end exploits, and includes a bootkit and rootkit, and also has versions for Mac OS and Linux. Neither Adobe nor Kaspersky Lab disclosed if the vulnerability patched today by Adobe has any connection to the cyber-espionage operation that Kaspersky Lab is calling “one of the most advanced threats at the moment”.
“Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions,” the company said in a security advisory. If there is any connection between CVE-2014-0497 and the operation dubbed "The Mask" by Kaspersky Lab, it will not likely be disclosed until the company shares the details of its findings at the Kaspersky Security Analyst Summit next week."
wiredmikey writes "President Barack Obama has nominated a US Navy officer, Vice Admiral Michael Rogers, to take over as head of the embattled National Security Agency, the Pentagon said Thursday. Rogers, 53, would take the helm at a fraught moment for the spy agency, which is under unprecedented pressure after leaks from ex-intelligence contractor Edward Snowden revealed the extent of its electronic spying.
If confirmed by lawmakers, Rogers would also take over as head of the military's cyber warfare command. Rogers, who trained as an intelligence cryptologist, would succeed General Keith Alexander, who has served in the top job since 2005. He currently heads the US Fleet Cyber Command, overseeing the navy's cyber warfare specialists, and over a 30-year career has worked in cryptology and eavesdropping, or "signals intelligence."
His confirmation hearings in the Senate are likely to be dominated by the ongoing debate about the NSA's espionage, and whether its sifting through Internet traffic and phone records violates privacy rights and democratic values."
wiredmikey writes "Microsoft on Friday said that attackers breached the email accounts of a “select number” of employees, and obtained access to documents associated with law enforcement inquiries. According to the company, a number of Microsoft employees were targeted with attacks aiming to compromise both email and social media accounts.
“..We have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed,” said Adrienne Hall, General Manager at Microsoft's Trustworthy Computing Group. “It appears that documents associated with law enforcement inquiries were stolen,” Hall said.
Targeted attacks like this are not uncommon, especially for an organization like Microsoft. What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers—which may be the case if this was a “hacktivist” attack."
wiredmikey writes "High-end department store Neiman Marcus said on Thursday that between July 16 and October 30, 2013, hackers using sneaky point-of-sale malware were able to obtain details of roughly 1,100,000 customer payment cards.
So far, Visa, MasterCard and Discover told the retailer that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were used fraudulently. Based on the investigation so far, social security numbers and birth dates were not compromised, the company said. Fortunately, Neiman Marcus does not use PIN pads in its retail locations, so PINs are not at risk, unlike the recent data breach at Target where attackers obtained PIN data.
On Thursday afternoon, Reuters reported that the FBI had issued a warning to U.S. retailers, saying they should prepare for more cyber attacks after discovering about 20 cases over the past year that involved point of sale malware."
wiredmikey writes "Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report. CrowdStrike's Intelligence Team tracked more than 50 different threat actor groups believed to be behind the majority of sophisticated threats against enterprises in 2013. These groups operated out of China, Iran, India, North Korea, and Russia. In its Global Threat Report, CrowdStrike identified many of the tactics, techniques, and procedures used by these groups to craft and launch sophisticated attacks against major targets around the world. CrowdStrike outlined details of how these groups carried out their attacks and what tools were used in the report, released Wednesday.
Attackers are human, which means “they make mistakes, and they have habits,” said Adam Meyers, vice-president of Intelligence at CrowdStrike. Attack tools, no matter how sophisticated, have specific “marks” that can be used to track back to the humans who created them, he said. The marks can be something like password reuse, a certain string that appears frequently in code, or even the name of the registrar hosting the domain name. These marks cannot be obfuscated and CrowdStrike researchers rely on these clues to connect different attacks and campaigns to each other.
CrowdStrike believes organizations have an “adversary problem, not a malware problem,” Meyers said. The best way to understand the types of threats the organization is facing is to focus on the tactics and tools used by the adversaries instead of getting bogged down trying to detect and identify every type of malware the group may use."
wiredmikey writes "Figuring out where to store massive amounts of data collected by the NSA is a major challenge the US faces in curtailing its massive surveillance program, officials said Sunday.
The president directed CIA chief James Clapper and US Attorney General Eric Holder to give him proposals by the end of March on which entity ought to maintain the sensitive information. Major telecommunications firms have made clear, however, that they are reticent to keep the data.
Key US lawmakers, including Senate Intelligence Committee Chairwoman Dianne Feinstein, have expressed concerns that the information would not be readily available to the officials who need it if held by non-governmental entities. "The whole purpose of this program is to provide instantaneous information, to be able to disrupt any plot that may be taking place," she told NBC television's "Meet the Press" program.
Congressman Michael McCaul, who chairs the House Committee on Homeland Security, agreed that it was key to determine where to house the NSA "metadata." "I think metadata most significantly won't be dismantled, but put in the hands of an outside third party," he told ABC. "It can't be at Target or at any of these places that end up being hacked into," he said, referring to the recent data breach that exposed up to 110 million customers."