Friday, February 28, 2014

For programming enthusiasts - New programming language - Wolfram Language



This is from the chief designer of the Mathematica software application


The link has a short DEMO

http://blog.wolfram.com/2014/02/24/starting-to-demo-the-wolfram-language/

A mobile app designed for RSA conference 2014 attendees has half a dozen security issues.



The RSA Conference 2014 application downloads a SQLite DB [database] file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application -- including their name, surname, title, employer, and nationality. 

The link below has more details:

http://www.cio.com/article/748962/RSA_Conference_Mobile_App_has_Vulnerabilities_Researchers_Say

Hey, what's that burning smell? It's nothing, just a cyberattack setting my computer on fire.



A cyberattack demonstration "frying the machine" was done by targeting the machine's APC embedded controller through a fake firmware update devised by CrowdStrike that spiked the CPU and turned off the fans.


The point, said Alperovitch, is that this is a type of cyberattack that enterprises really can expect to see happen in the future, an attack that is not recoverable in terms of data or the machine itself.

The link below has more details:

http://www.cio.com/article/748849/RSA_Security_Attack_Demo_Deep_Fries_Apple_Mac_Components

It is not a bomb - The phone just self-destructed.



For now it is intended for government agencies. 

I have already found another use for this technology.
(Mobile) phone companies could use the same tech to self-destruct a phone at the end of the contract period. Hey, they could also ensure (software bug) that the phone would still self-destruct even after the contract has been renewed, so that the customer would be forced to pay extra bucks for a new phone.

The link below has more details:

http://www.informationweek.com/government/mobile-and-wireless/boeing-unveils-self-destructing-smartphone-/d/d-id/1114049

Spooks-as-a-service - offering access to cyber intelligence and incident response to customers who lack it.



I guess we should work on an alternate plan just in case this turns out to be "SUCKS-as-a-service".

I am also waiting for CEO-as-a-service, CFO-as-a-service and Senior-Management-as-a-service options.


The link below has more details:

http://www.itworld.com/security/407067/stealthy-attacks-multiply-and-victims-turn-spooks-service

Yahoo webcam users, in case you need a copy of your video or pics, please contact Britain's surveillance agency GCHQ. They have a copy.



Britain's surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing.


  • 1.8m users targeted by UK agency in six-month period alone
  • Optic Nerve program collected Yahoo webcam images in bulk
  • Yahoo: 'A whole new level of violation of our users' privacy'
  • Material included large quantity of sexually explicit images


The link below has more details:

http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo

Android is almost impenetrable to Malware

This is according to Google's Android Security chief Adrian Ludwig.

Again, no surprises, since this is coming from Google.

Based on the data from tracking over one and a half billion app installs, Google obtained convincing evidence that the rate of "potentially harmful apps" installed is stable at about 1,200 per million app installs, or about 0.12%. The classification "potentially harmful apps" includes both malware and false positive detections of malware.


The link below has more details:

http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/

Thursday, February 27, 2014

Finally FBI is trying to do something about the Malware - Proposes "interactive malware-analysis system"



FBI director Comey says it would be derived from something the FBI already uses called the "Binary Analysis Characterization and Storage System." This is an internal malware-analysis tool used by the FBI in its own cybercrime investigations. Comey said the new system for interaction with the public would be called "Malware Investigator."

The link below has more details:

http://www.cio.com/article/748899/FBI_Expects_to_Roll_Out_Malware_Analysis_System_to_Help_Businesses_Identify_Attacks

iOS SSL flaw - Bruce's view



Three characteristics of a good backdoor: 

  1. Low chance of discovery
  2. High deniability if discovered
  3. Minimal conspiracy to implement


Guess what?
This flaw seems to fit all of them.

The link below has more details:

https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html

Malware Analysis Tools.




For those who like to learn or perform research in areas related to malware:
a few useful tools are explained in the linked article.





Check the following link:

http://journeyintoir.blogspot.ae/2014/02/linkz-4-mostly-malware-related-tools.html

Someone forgot to test the password function properly for Amazon

So, take as many guesses as you like.

If users enter their password incorrectly 10 times on the Amazon.com website, the company requires them to solve the squiggle of characters known as a CAPTCHA.

But Amazon.com did not show a CAPTCHA on its mobile applications for the iOS and Android platforms, allowing unlimited guesses, according to FireEye researchers Min Zheng, Tao Wei and Hui Xue.


The link below has more details:

http://www.pcworld.com/article/2102640/amazoncom-security-slip-allowed-unlimited-password-guesses.html
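
The gap described above is a throttle enforced on one channel (the website) but not another (the mobile apps). The following is an added example, not code from the article, FireEye or Amazon: the failed-attempt counter lives with the account rather than with the client, so every channel hits the same CAPTCHA requirement. The thresholds, the 15-minute window and the channel names are assumptions.

```python
# Added example, not the article's or Amazon's code: one failed-login counter
# per account, shared by every client channel (web, iOS app, Android app), so
# the CAPTCHA step cannot be avoided by switching to a channel that forgot to
# enforce it. Thresholds, window and channel names are assumptions.
import time
from collections import defaultdict

CAPTCHA_AFTER = 10        # failures before a CAPTCHA is required (the article's web-site figure)
LOCK_AFTER = 30           # failures before the account is temporarily locked (assumed)
WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted (assumed)


class LoginThrottle:
    """Per-account failure tracking that does not care which channel the attempt came from."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, handy for tests
        self._failures = defaultdict(list)    # account -> timestamps of recent failures
        self._channels = defaultdict(set)     # account -> channels that produced failures

    def _recent_failures(self, account):
        cutoff = self._now() - WINDOW_SECONDS
        kept = [t for t in self._failures[account] if t >= cutoff]
        self._failures[account] = kept
        return len(kept)

    def requirement(self, account):
        """What the next attempt on this account must satisfy: 'none', 'captcha' or 'locked'."""
        n = self._recent_failures(account)
        if n >= LOCK_AFTER:
            return "locked"
        if n >= CAPTCHA_AFTER:
            return "captcha"
        return "none"

    def attempt(self, account, password_ok, channel, captcha_ok=False):
        """Process one login attempt. Returns (allowed, reason).
        The password is only evaluated once the throttle requirement is met, so
        guesses cannot keep being evaluated from an unthrottled channel."""
        req = self.requirement(account)
        if req == "locked":
            return False, "locked"
        if req == "captcha" and not captcha_ok:
            return False, "captcha_required"
        if password_ok:
            self._failures[account].clear()
            return True, "ok"
        self._failures[account].append(self._now())
        self._channels[account].add(channel)
        return False, "bad_password"

    def channels_seen(self, account):
        """Channels that contributed failures; useful in the alert when the pattern looks like guessing."""
        return sorted(self._channels[account])


def count_evaluated_guesses(throttle, account, attempts, channel):
    """Constructed scenario helper: send `attempts` wrong passwords from one
    channel and return how many of them the server actually evaluated."""
    evaluated = 0
    for _ in range(attempts):
        _, reason = throttle.attempt(account, password_ok=False, channel=channel)
        if reason == "bad_password":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    t = LoginThrottle()
    print(count_evaluated_guesses(t, "alice", 25, "android"))   # 10: the rest hit the CAPTCHA wall
    print(count_evaluated_guesses(t, "alice", 5, "web"))        # 0: switching channels does not help
    print(t.requirement("alice"), t.channels_seen("alice"))
```

The design point is where the state lives: a counter kept in the web tier (or in a CAPTCHA widget) protects only the web tier, while a counter keyed on the account and consulted by the authentication service protects every API that fronts it.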

Google, Microsoft agree: Cloud is now safe enough to use

Why not, after all these companies stand to benefit from cloud adoption.

(I like Schneier's view)

Schneier said that the way to make the cloud more secure depends entirely on the ability of companies to build strong bonds of trust.

"Fundamentally, 'cloud' means to me your data on somebody else's hard drive. Do I trust that other legal entity with my data on their hard drive?"


"It's not an all-or-nothing strategy," Feigenbaum said. He described three kinds of data that most companies produce: public data, sensitive data, and top secret data. The first two, he said, are acceptable for the cloud.
(I don't know if I would agree with the "SENSITIVE" part)

The link below has more details:

http://news.cnet.com/8301-1009_3-57619615-83/google-microsoft-agree-cloud-is-now-safe-enough-to-use

Wednesday, February 26, 2014

WATCHOUT - IE 9 and 10 Users - If you haven't applied the temporary fix, do it now.



Security researchers from Symantec said Tuesday in a blog post. "We've observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) -- the zero-day attacks are expanding to attack average Internet users as well."

"If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks," the Symantec researchers said.

The link below has more details:

http://www.csoonline.com/article/748788/ie-zero-day-exploit-being-used-in-widespread-attacks

360 million account credentials found in the wild



A cybersecurity company said Tuesday it has obtained a list of 360 million account credentials for Web services, likely collected through multiple data breaches.

One batch of 105 million details, discovered about 10 days ago by the company, included email addresses and corresponding passwords, but it isn't clear what Web services the credentials

My Thoughts:
We not only lose our credentials; the hackers also get to know how we go about creating passwords (e.g. P@55w0rd would disclose that I am replacing letters with similar-looking characters).


The link below has more details:

http://www.computerworld.com/s/article/9246604/360_million_account_credentials_found_in_the_wild_says_security_firm

IRS Exposing Social Security Numbers Online - Is it their fault ? (Yes/No).




Identity Finder uncovered an estimated 630,000 Social Security numbers exposed online in form 990 tax returns.

The most affected group were tax preparers, many of whom used their personal SSN rather than their PTIN (preparer tax identification number). However, directors, trustees, employees, donors, and scholarship recipients were all impacted as well.

The sensitive data on the publicly available tax returns is not limited to Social Security numbers, either. Some of the tax returns analyzed by Identity Finder included scholarship recipient names, complete addresses, and detailed transaction information.

Here is the catch:
There is no requirement within a form 990 for a Social Security number to be provided in the first place, and the IRS document is clearly labelled "Open to Public Inspection" as a warning that the information will be available to the general public.

The link below has more details:

http://www.cio.com/article/748760/IRS_Exposing_Social_Security_Numbers_Online

Intrusion Deception - Sounds like a nice catchy sales buzz word(s).



Traditional security solutions seek to detect Malware at the point of initial infection, which is largely ineffective for detecting zero-day attacks

Argon Secure is designed to address the current gap in security solutions by identifying advanced Malware both at, and after, the point of initial infection when it attempts to propagate, find valuable data and exfiltrate that data from the network.

The solution will include more than 50 deception techniques embedded in the network infrastructure to force malware to expose itself even after entering a network. For example, malware once installed will start scanning the internal network in search of files that look useful. This action provides an opportunity to detect an attacker in the enterprise by creating a fake network process that emulates network share drives so when malware touches the files, Argon Secure can instantly identify them and push fake files.

The link below has more details:

http://www.theipsguy.com/juniper-networks-adds-intrusion-deception-firewall-protect-enterprises-advanced-malware
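
The "push fake files" idea above only pays off if you can later prove that a file seen leaving the network was one of your decoys, and which machine it was planted on. The following is an added example, not code from Juniper or the Argon Secure product: each decoy carries a token tagged with an HMAC, so a token found in a proxy log can be verified and traced back to a specific decoy and host, while a guessed or altered token is ignored. The secret, decoy ids, host names and log lines are all constructed.

```python
# Added example, not Juniper's or Argon Secure's code: decoy ("honey")
# documents whose contents carry an HMAC-tagged token. When the token later
# shows up somewhere it should not (an outbound proxy log, a paste site), the
# tag proves it came from a real decoy and names the decoy and the host it
# was planted on. Secret, host names and log lines are constructed.
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # assumption: held only by the monitoring side, never on the decoy host

# Token layout: HT-<decoy id>-<host>-<16 hex chars of HMAC-SHA256>; ids and hosts contain no '-'.
TOKEN_RE = re.compile(r"HT-([A-Za-z0-9_]+)-([A-Za-z0-9_.]+)-([0-9a-f]{16})\b")


def _tag(decoy_id, host):
    msg = f"{decoy_id}|{host}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def make_token(decoy_id, host):
    """Build the token planted in one decoy file on one host."""
    return f"HT-{decoy_id}-{host}-{_tag(decoy_id, host)}"


def render_decoy(decoy_id, host):
    """Text of a decoy that looks like something worth stealing (a credentials note)."""
    return ("# finance share credentials - internal use only\n"
            f"api_key = {make_token(decoy_id, host)}\n")


def verify_token(token):
    """Return {'decoy', 'host'} for a genuine token, None for a malformed or forged one."""
    m = TOKEN_RE.fullmatch(token)
    if not m:
        return None
    decoy_id, host, tag = m.groups()
    if not hmac.compare_digest(tag, _tag(decoy_id, host)):
        return None
    return {"decoy": decoy_id, "host": host}


def scan_log(lines):
    """Raise one alert per genuine token found in the given log lines.
    Malware that copied a decoy and sent it out reveals both what it took and where it ran."""
    alerts = []
    for line in lines:
        for m in TOKEN_RE.finditer(line):
            info = verify_token(m.group(0))
            if info is not None:
                alerts.append({**info, "line": line})
    return alerts


# Constructed proxy log: one genuine token, one forged (last hex digit altered), one benign line.
_GENUINE = make_token("finance01", "ws042")
_FORGED = _GENUINE[:-1] + ("0" if _GENUINE[-1] != "0" else "1")
SAMPLE_PROXY_LOG = [
    f"10.1.2.3 POST http://203.0.113.7/up body=api_key%3D{_GENUINE}",
    f"10.1.2.3 POST http://203.0.113.7/up body=api_key%3D{_FORGED}",
    "10.1.2.9 GET http://intranet.example/home",
]

if __name__ == "__main__":
    print(render_decoy("finance01", "ws042"))
    for alert in scan_log(SAMPLE_PROXY_LOG):
        print("ALERT decoy", alert["decoy"], "read on", alert["host"], "->", alert["line"])
```

Keeping the verification secret off the decoy hosts is what makes the alert trustworthy: an intruder who reads the decoy gets a token but cannot mint tokens for other hosts, so an alert never points at the wrong machine.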

Free Security Training Courses - From SAFECode



New courses available for immediate viewing include:

  1. Product Penetration Testing 101: This course provides a foundation for security penetration testing of products. It reviews the important penetration testing concepts and shares insight into common elements of an attacker's mindset.
  2. Cross Site Scripting (XSS) 101: This course provides viewers with a basic understanding of the core concepts behind XSS. It will help viewers recognize where in a web application they may expect to find XSS and provide guidance on preventing and remediating XSS.
  3. Secure Java Programming 101: This course provides a basic introduction to secure coding in Java. Viewers will be introduced to the most frequent attacks and pitfalls that a Java programmer may encounter, along with techniques to avoid them. It is designed to be a starting point for those new to Java security.


The link below has more details:

http://www.darkreading.com/management/safecode-releases-free-online-software-s/240166324

IBM used to be a hardware & software company. Looks like they are going to be a software, cloud and services company in future (mainframe being an exception).



Revenue from IBM's systems and technology business, which sells mainframes, servers, and other hardware, fell 26 percent to $4.3 billion in the fourth quarter, while cloud-related revenue rose 69 percent to $4.4 billion.

The software business as a whole is the company's second-largest income source, raking in $25.9 billion last year, more than a quarter of IBM's total revenue.


The link below has more details:

http://www.infoworld.com/d/the-industry-standard/ibm-says-bye-bye-hardware-and-hello-the-cloud-237043

Don't leave your (so called) smartphone at home, you might not be able to use your credit card



Just kidding. This would (potentially) apply only when the phone and the card are used in two different countries.

The link below has more details:

Google Glasshole Incident


"OMG so you'll never believe this but...I got verbally and physically asaulted[sic] and robbed last night in the city, had things thrown at me because of some wanker Google Glass haters, then some *bleeeeeeeeeep* tore them off my face and ran out with them then and when I ran out after him his *bleeeeeeep* friends stole my purse, cellphone walet[sic] and everything,"

Google is trying to train Glassers on best practices when it comes to public use of the device. Last week, the company released a dos and don'ts guide for Glass use. Some of the guidelines include asking for permission to use the device in public, don't expect to wear Glass and be ignored, and don't be "creepy or rude (aka, a 'Glasshole')."


The link below has more details:

http://news.cnet.com/8301-1023_3-57619527-93/google-glass-blamed-for-melee-in-sf-bar

Tuesday, February 25, 2014

Check Point's new concept - "Software-Defined Protection"


To integrate valuable threat information provided by other vendors through a set of APIs

According to Gabi Reish, vice president of product development at Check Point, it envisions three main security layers for security enforcement, control and management. The goal is for Check Point to introduce a new type of management console by midyear that would integrate threat information from multiple sources for the purpose of applying preventive measures both through Check Point products, such as its firewalls, and participating vendors supporting the architecture.


The link below has more details:

http://www.cio.com/article/748762/Check_Point_Unveils_Security_Architecture_for_Threat_Intelligence_Sharing

Interesting Read - Securosis Paper on the future of Security


(According to the Paper) Six Trends Changing the Face of Security: 


  1. Hypersegregation
  2. Operationalization of Security
  3. Incident Response
  4. Software Defined Security
  5. Active Defense
  6. Closing the Action Loop





You can download the PDF for both the executive overview and the full paper from the link in the article.


The link below has more details:

https://securosis.com/blog/new-paper-the-future-of-security-the-trends-and-technologies-transforming-s

WATCHOUT - Win32/Spy.Zbot.AAU trojan in fake e-ticket from British Airways



If you have received an unexpected email, claiming to come from British Airways, about an upcoming flight that you haven’t booked – please be on your guard.


Online criminals are attempting to infect innocent users’ computers with a variant of the malicious Win32/Spy.Zbot.AAU trojan, by disguising their attack as an e-ticket from the airline


The link below has more details:

http://www.welivesecurity.com/2014/02/25/british-airways-e-ticket-malware-attack-launched-via-email

Results from Tufin survey of 169 security professionals




  • 90% felt that organizations rely too heavily on network security products and tools at the expense of good network architecture and design.
  • The biggest barrier to effective network security: 40% say complexity; 25% say collaboration; 20% say constant changes.
  • 89% of the respondents reported that between 20-60% of security policy changes in their organization need to be corrected after the fact.

"It is clear that virtualization and the cloud deliver great benefits but also introduce greater complexity and unforeseen risks that must be addressed," said Kitov.



The link below has more details:

http://www.darkreading.com/management/tufin-survey-reveals-91-of-security-mana/240166291

Bromium Researcher's statement on Microsoft EMET - "By 100 percent bypass, we mean all the protections of EMET were enabled, and we bypassed them,"




The research isn't just purely theoretical, said Kashyap, adding that the techniques the company discovered to bypass EMET can in fact be turned into a weapon by an attacker. Kashyap noted that in Bromium's research paper, a use-after-free vulnerability in Microsoft's Internet Explorer (IE) Web browser that has already been patched is leveraged to bypass all EMET protections.




The link below has more details:

http://www.eweek.com/security/microsofts-emet-security-technology-isnt-impenetrable-bromium.html

Monday, February 24, 2014

From Tripwire - A free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks.



If you are an SMB, this might be good for you.


The link below has all details:
http://www.tripwire.com/state-of-security/top-security-stories/securescan-free-cloud-based-vulnerability-management-service/

This one frustrates me - Medical equipment runs Windows XP ChkDsk - Really????


XP has served long, and Microsoft announced its support withdrawal a long time back.
So I don't understand why important institutions like hospitals and clinics are still using XP.



The link below has all details:
http://grahamcluley.com/2014/02/pregnant-wifes-medical-equipment-windows-xp-chkdsk/

Six targeted attacks and lessons that could be learnt from them.


APT war story No. 2 is kind of funny and reiterates the fact that "Targeted attacks" are not really "APTs".

The more advanced APTs these days build their own search engines, sometimes with their own APIs or borrowing the APIs of other well-known search engines, to search for specific data.

The link below has all details:
http://www.csoonline.com/article/748680/6-lessons-learned-about-the-scariest-security-threats

Interested in Free tools for Windows?


In case you are not aware of them or would like to get your hands on a few of these.

The link below has more details:
http://www.networkworld.com/news/2014/022414-free-tools-windows-server-278899.html?source=nww_rss

Another case of "Malvertisement"

The drive-by-download attack was distributed via adverts shown on the YouTube website, and used an exploit kit to infect Windows PCs with a version of the Caphaw banking Trojan.

Bromium worked with the Google security team over the weekend to resolve the issue on YouTube.

However, it’s quite possible that some users have still had their computers infected by the malware attack, and could be having their banking credentials stolen as a result.

More details are in the link below:
http://labs.bromium.com/2014/02/21/the-wild-wild-web-youtube-ads-serving-malware/

Exxon CEO - Is he a hypocrite?


A key and critical function of Mr. Tillerson's day job is to do all he can to protect and nurture the process of hydraulic fracturing, aka 'fracking', so that his company can continue to rake in billions via the production and sale of natural gas.

(So far so good I thought then, the following lines totally confused me)

Tillerson—ExxonMobil CEO and proud proponent of fracking as a key to both America’s and his company’s great energy future—has joined a lawsuit seeking to shut down a fracking project near Mr. and Mrs. Tillerson’s Texas ranch.


http://www.forbes.com/sites/rickungar/2014/02/22/exxon-ceo-profits-huge-as-americas-largest-natural-gas-producer-but-frack-it-in-his-own-backyard-and-he-sues/

WIG - Another webapp information Gatherer



OS identification is done by using the value of the ‘server’ and ‘X-Powered-By’ in the response header.

The version detection is based on md5 checksums of static files, regex and string matching. OS detection is based on headers and packages listed in the 'server' header.

http://www.darknet.org.uk/2014/02/wig-webapp-information-gatherer-identify-cms/
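
The flip side of the fingerprinting described above is checking what your own servers give away. The following is an added example, not WIG's code: it parses a raw HTTP response, picks out the headers that such tools key on ('Server', 'X-Powered-By' and a few similar ones) and reports whether they disclose a version number or merely a technology. The two sample responses, including their dates, are constructed.

```python
# Added example, not WIG's code: audit your own server's HTTP response headers
# for the technology and version disclosure that fingerprinting tools key on
# ("Server", "X-Powered-By" and similar). The sample responses are constructed.
import re

DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")   # a dotted version such as 2.4.7 or 5.5.9


def parse_raw_headers(raw):
    """Turn a raw response (status line followed by header lines) into a dict
    of header name -> value; the first blank line ends the header block."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers):
    """Return (header, value, finding) triples. 'version_disclosed' is the
    worse case, since a release number maps straight onto published
    advisories; 'technology_disclosed' still tells a scanner what stack it is looking at."""
    findings = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSING_HEADERS or not value:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version_disclosed"))
        else:
            findings.append((name, value, "technology_disclosed"))
    return findings


# Constructed samples: a default LAMP-style response and a hardened one
# (e.g. ServerTokens Prod in Apache, expose_php=Off in PHP, or headers stripped at the proxy).
LEAKY_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 28 Feb 2014 10:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4
Content-Type: text/html; charset=UTF-8

<html><body>hello</body></html>"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 28 Feb 2014 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8

<html><body>hello</body></html>"""

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_raw_headers(raw)))
```

Headers are only one of the three signals the tool uses; the static-file checksums it also relies on are not hidden by header changes, so stripping versions from headers reduces, rather than removes, what a scanner can learn.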

Here is another way to make a few bucks - Sell Hospital data

A report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums.

http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html

Now it is beginning to scare me - South Korea to develop Stuxnet-like cyberweapons

This is not my statement, this is a BBC Headline

The South Korean military will carry out missions using the software, the defense ministry said.

One computer security expert said that using cyber weapons could be "very dangerous".

The defense ministry reported its plan to the government on 19 February, the Yonhap news agency reported.


http://www.bbc.co.uk/news/technology-26287527#story_continues_2

H1 visa fraud: I thought this used to happen 20 years back, but it seems it still continues


At the time, according to the report, the vast majority of fraudulent applications came from the southern city of Hyderabad

Officials uncovered a scheme where Hyderabadis were claiming to work for made-up companies in Pune so the Mumbai consulate would be less suspicious about their applications. “The Hyderabadis claimed that they had opened shell companies in Bangalore because ‘everyone knows Hyderabad has fraud and Bangalore is reputable,’” according to the internal communiqué.

http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/140121/india-H1B-fraud-con-artist

Cryptography Breakthrough Could Make Software Unhackable - Really?

Anyone with some basic software knowledge will know this is not true; however, "obfuscation" can make it harder to hack.

The article does have good information related to this idea (if you can ignore the screaming and misleading headline)

http://www.wired.com/wiredscience/2014/02/cryptography-breakthrough/

Sunday, February 23, 2014

Neiman Marcus CC # theft - 60,000 Alerts ignored.



Here is a reason/excuse from the company spokeswoman - "These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day."

A company that receives 60,000x100 alerts a day has a problem defining what an ALERT is, or the spokeswoman does not know what an ALERT means or why it is generated in the first place.

http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data

Smartphone for $25?

Mozilla and China-based chip maker Spreadtrum Sunday unveiled a chipset designed for $25 smartphones running the open source Firefox operating system.

http://www.computerworld.com/s/article/9246519/Mozilla_shows_25_Firefox_OS_based_smartphone_running_Spreadtrum_chips

Wearable Tech - Recall

Wearable Tech - Some are all excited about using them.

It is also time for us to get used to the word "RECALL"

http://www.cio.com/article/748608/Fitbit_is_Recalling_its_Force_Activity_Tracking_Wristbands_After_Verifying_Skin_Rash_Issues

Maybe it is time for EC-Council web administrators to attend a security course

EC-Council run several courses and certifications related to security. Looks like their web team has been skipping these courses.

http://www.securityorb.com/2014/02/ec-council-website-hacked-swondens-passport-site/

Shoes - That could guide you to your destination (or at least they make you believe so)

Besides its use for navigation, Lechal can also be utilized as a fitness tracking system, as it's able to count steps, track calories burned, and create interactive workouts. It'll also buzz your shoes to let you know you've left your phone behind, or if you're traveling and are near points of interest – in the latter situation, you'd proceed to check the app display to see what the point of interest is.


http://www.gizmag.com/lechal-haptic-feedback-navigation-shoes/30939/

Saturday, February 22, 2014

Poorly managed SSH keys pose serious risks for most companies - Why is this a surprise?



Three in four have no processes for managing keys that provide access to critical servers.

In the Ponemon survey, about 74% of the respondents said they allow administrators to independently control and manage SSH keys. As a result, enterprise security teams often have very little visibility into the scale of the problem and even less information about how to manage it.

http://www.computerworld.com/s/article/9246512/Poorly_managed_SSH_keys_pose_serious_risks_for_most_companies?source=rss_news_analysis
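
The first step out of the situation the survey describes is simply knowing which keys exist on a server and what they can do. The following is an added example, not code from the article or the Ponemon survey: it parses an OpenSSH authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key, and flags entries that have no identifying comment, no `from=`/`command=` restriction, a weak key type, or a fingerprint that appears more than once. The sample file is constructed and its key blobs are random text, not real keys.

```python
# Added example, not the article's or the survey's code: inventory the entries
# of an OpenSSH authorized_keys file so a security team can see which keys
# exist, who they belong to and which lack restrictions. The sample file is
# constructed; its key blobs are placeholder bytes, not real keys.
import base64
import hashlib
import re

# Locate "<keytype> <base64 blob> [comment]"; anything before the key type is the options field.
# Limitation: a quoted option that itself contains "ssh-rsa " would confuse this simple parser.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    key_type, blob, comment = m.groups()
    return {
        "options": line[:m.start(1)].strip(),
        "type": key_type,
        "fingerprint": fingerprint(blob),
        "comment": (comment or "").strip(),
    }


def inventory(text):
    """Return one dict per key with a 'flags' list describing what a reviewer should look at."""
    entries, first_seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        flags = []
        if not entry["comment"]:
            flags.append("no_comment")            # nobody knows whose key this is
        if "from=" not in entry["options"] and "command=" not in entry["options"]:
            flags.append("unrestricted")          # usable from anywhere, for any command
        if entry["type"] == "ssh-dss":
            flags.append("weak_type")             # DSA keys are limited to 1024 bits in OpenSSH
        fp = entry["fingerprint"]
        if fp in first_seen:
            flags.append(f"duplicate_of_line_{first_seen[fp]}")
        else:
            first_seen[fp] = lineno
        entry.update(line=lineno, flags=flags)
        entries.append(entry)
    return entries


# Constructed sample file; the blobs are not real keys.
_BLOB_A = base64.b64encode(b"constructed blob A, not a real key").decode()
_BLOB_B = base64.b64encode(b"constructed blob B, not a real key").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {_BLOB_A} alice@laptop
from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-rsa {_BLOB_B} backup-job
ssh-dss {_BLOB_A}
"""

if __name__ == "__main__":
    for e in inventory(SAMPLE_AUTHORIZED_KEYS):
        print(e["line"], e["type"], e["fingerprint"], e["comment"] or "(no comment)", e["flags"])
```

Run across every server's authorized_keys files, the fingerprint column is what lets you join entries back to people and to the private keys that should exist; the duplicate flag shows the same key installed in more than one place, which is often how one leaked key turns into broad access.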

Friday, February 21, 2014

What could happen if you removed admin privileges in Windows from the account that you regularly use for your day-to-day work?

The article states that you can mitigate:

  • 96% of critical vulnerabilities affecting Windows operating systems;
  • 91% of critical vulnerabilities affecting Microsoft Office;
  • 100% of vulnerabilities in Internet Explorer.


http://www.darkreading.com/attacks-breaches/removing-admin-rights-mitigates-92-of-cr/240166264

AT&T Transparency Report - Not So Transparent

Snippets from the Article:

An accurate transparency report should include a line indicating that AT&T has turned over information on each and every one of its more than 80 million-plus customers. It doesn’t;

The end result, observes Kevin Bankston, the policy director of the New America Foundation’s Open Technology Institute, is that Obama’s so-called reform has spawned a misleading report that provides false comfort to AT&T customers — and all Americans.


http://www.wired.com/threatlevel/2014/02/ma-bell-non-transparency/

A solution that is trying to solve a non-existent problem

I don't live alone on an island and I have a lot of friends. I have never once heard of anyone that needed something like this.


http://www.thecarconnection.com/news/1090467_volvos-roam-delivery-service-puts-junk-in-your-trunk-while-youre-not-around

Spyware supposedly created exclusively for Governments

We know that there are organizations that survive on government contracts; how about one that sells spyware to governments (for now; maybe later to private enterprises)?

http://www.washingtonpost.com/business/technology/foreign-regimes-use-spyware-against-journalists-even-in-us/2014/02/12/9501a20e-9043-11e3-84e1-27626c5ef5fb_story.html