2015-02-22

Google for VA, Security Scanning

Commendable move by Google: helping website owners find security flaws in their own websites.

Gemalto's SIM encryption keys hacked (?)

The Intercept claims that the NSA hacked and stole the encryption keys for all SIM cards manufactured by Gemalto.
The Dutch company supplies 2 billion SIM cards per year to a range of Tier 1 carriers, including Verizon Communications, Vodafone Group and China Mobile.
It is a known fact that the NSA likes to hold on to as many encryption keys as it can. However, this is just going too far.

2015-02-21

MITM on Lenovo Computers - Introducing Superfish

A tool deployed by default to help push 'relevant' advertisements has been found to be performing a MITM attack to capture HTTPS website data. The tool internally uses a password called 'komodia'.
[Sighh... why do security researchers give out the exploits on a silver platter?]

2015-02-17

Introducing Carbanak Group

The story:
Kaspersky researchers have discovered the theft of $1 billion from 30 banks over the past two years....
..... criminal activity did not end here. In other cases, the cyberattackers "penetrated right into the very heart of the accounting systems," Kaspersky says. The criminals were able to inflate account balances before fraudulently transferring the money.

NIST Releases Cybersecurity Framework

From NIST:
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

2015-02-14

What is a 'sophisticated attack?'

What is common to the majority of the big names getting hacked recently? They all claim they were victims of a "sophisticated attack".

Here is an article that breaks down this default PR statement.
The truth, however, is that these attacks seem sophisticated only when you compare them to the unsophisticated security programs that fail to defend against them.
It always sounds like an attempt to forgive the victim for having insufficient protection, detection and reaction capabilities in place, both technical and nontechnical.

Pwn2Own Contest 2015

HP TippingPoint's Pwn2Own is back in Mar-2015.
The prize pool for this year's edition is 28% smaller than the record $645,000 of 2014.
The 2015 edition of Pwn2Own will offer cash awards to researchers who demonstrate exploits of previously-unknown vulnerabilities in Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer 11 (IE11) or Apple's Safari browsers, or the Adobe Reader or Adobe Flash Player browser plug-ins.
Those targets are the same as the last two years, with the exception of Oracle's Java, which was dropped for 2015's contest.
Update 21-Mar-15: Final results
The final count for vulnerabilities exploited this year stands as follows: five flaws in the Windows OS, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader, and Flash Player, two in Apple Safari and one in Google Chrome.

2015-02-08

Anthem hacked: 80m records

Anthem, the 2nd largest health insurance company in the US, got hacked and lost personal and medical data of its clients. China is suspected here (as well?).