October 31, 2011
"In this paper, they provide a security analysis pertaining to the control interfaces of a large Public Cloud (Amazon) and a widely used Private Cloud software (Eucalyptus). Their research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques. Similarly, the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks, and had nearly no protection against XSS."
Read more from [marcoramilli]
Labels: cloud security, signature wrapping attacks, XSS
"... “These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” one Obama administration official told the NYT."
Read more:
theregister
" ... "I'm amazed I still can't do public key-encrypted email with people in the local community," Berners-Lee said at an RSA Conference press event on Thursday. "The things that public key cryptography promised us are not actually there in practice." ..."
Read more:
zdnet
Labels: PGP, public key encryption
"A weakness in XML Encryption can be exploited to decrypt sensitive information, researchers say."
Read more:
computerworld
Labels: XML Encryption
October 22, 2011
"A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec."
Read more:
wired
Labels: stuxnet
October 15, 2011
"Two years ago, Finisterre, founder of security testing company Digital Munition, found himself swapping emails with a staffer at Idaho National Laboratory's Control Systems Security Program, a project funded by the U.S. Department of Homeland Security that is the first line of defense against a cyberattack on the nation's critical infrastructure."
Read more:
computerworld
"The rating system was put together by Microsoft in conjunction with security researchers and groups such as the Anti-Phishing Working Group (APWG), Identity Theft Council and Online Trust Alliance. Computerworld's Gregg Keizer notes, "Microsoft is a premium member of APWG and on the steering committee of Online Trust Alliance.""
Read more:
computerworld
"The SSL certificate authorities like Comodo that have had their security undermined by hackers shouldn't be trusted, and in fact, the way the entire SSL certificate industry of today works can and should be replaced with something better, says Moxie Marlinspike, a security expert who's come up with a plan he says will do that."
Read more:
computerworld
Labels: SSL certificate
"A company called CSIdentity is hoping to outsmart hackers in their own territory with its artificial intelligence software that poses as a hacker – or “chatbot.” When a hacker attempts to offload stolen data like credit card numbers, e-mail logins or social security numbers, he’ll often offer dozens for free to prove they’re real. When he gives this information to the robot informant, the informant notifies CSIdentity.
The company then sells the data to banks, cybersecurity companies and anyone else with a stake in quickly discovering which businesses, accounts and/or credit cards have been compromised."
Read more:
dice
"Much as firewalls and IDS/IPS solutions have become critical — and expected — pieces of an enterprise's security infrastructure, attention must now turn to DNS resolvers as an essential strategic security asset. Secure DNS resolvers function as a firewall for DNS, adding a vital layer of defense to combat the deluge of advanced persistent threats (APT) and other malware that circumvent traditional perimeter defenses."
Read more:
securityweek
Labels: advanced persistent threats
"You are the weakest security link but you can be fixed. The fix is simple to say out loud but not so simple to do."
Read more:
zdnet
"The infected computers were part of the ground control system that supports RPA operations. The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident."
Read more:
theregister
Labels: key-logging virus
"A government surveillance software scandal that erupted in Germany this weekend has spread beyond that nation's borders, raising questions about how far government officials around the globe might go to monitor citizens through spyware."
Read more:
msnbc
Labels: backdoor, spyware
October 12, 2011
"Computers controlling the US Air Force's killer Predator and Reaper drones have been infected by a key-logging virus, according to a mole who spoke to Wired. And the malware is not going away despite serious efforts to nuke it.
...
Sky News also highlighted the risk of introducing malicious electronics or software into military hardware if chips are brought in from foreign sources."
Read more:
theregister
Labels: key-logging virus
"The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.
The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls."
Read more:
f-secure
Labels: backdoor
October 06, 2011
"Websites that accidentally distribute rogue code could find it harder to undo the damage if attackers exploit widespread browser support for HTML5 local storage and an increasing tendency for heavy users of Web apps never to close their browser."
Read more:
computerworld
Labels: XSS
"The Kerckhoffs' Principle holds that withholding information on how a system works is no security defence. A second accepted principle is that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one overlooked flaw to be successful, the so-called fortification principle.
However a new research paper from Prof Dusko Pavlovic of Royal Holloway, University of London, applies game theory to the conflict between hackers and security defenders in suggesting system security can be improved by making it difficult for attackers to figure out how their mark works. For example, adding a layer of obfuscation to a software application can make it harder to reverse engineer."
Read more:
theregister
Labels: security by obscurity
October 05, 2011
"During the past five years, the number of reported events has grown from 5,503 in 2006 to 41,776 in 2010.
The main reason agency computers are vulnerable to contamination is departments have failed to implement security controls, according to the audit."
Read more:
nextgov
"The chairman of the House Intelligence Committee on Tuesday accused China of waging an unprecedented campaign of cyber espionage aimed at stealing some of the most important U.S. industrial secrets.
Rep. Mike Rogers, R-Mich., said Chinese efforts to pilfer the United States’ technological know-how via the Internet have reached an “intolerable level,” and called on the U.S. and its allies to pressure Beijing to stop."
Read more:
washingtonpost
Labels: cyber espionage
"Globally, security is improving in the payment industry, according to data released this week by The Nilson Report, a California trade publication. For every $100 worth of credit and debit card transactions last year, 4.46 cents were lost to fraud worldwide in 2010, down from 4.71 cents in 2009."
Read more:
reuters
Labels: card fraud
"'They can tell one story to the search engine, give a second set of content to a legitimate, routine visitor to the site so it looks kosher, and give someone who comes as a result of doing a search different content,' he said.
While the website looks fine to those who arrive directly, users who click through to the site via a search engine are redirected to an entirely different website that might either scam them or expose their computer to a virus."
Read more:
brisbanetimes
Labels: search engine poison
October 03, 2011
At IDF 2011, Cryptography Research, a semiconductor security R&D division at Rambus, demonstrated how side-channel analysis can be used to interpret power traces on mobile devices and recover secret keys. Josh Jaffe at CR also discusses potential countermeasures.
Source:
engineeringtv
Labels: side-channel attack