
Information Assurance


Cyber insurance market to hit US$10 billion by 2020. Posted on 03 August 2015. Continued and sustained cyberattacks are having a ruinous effect on enterprises and driving up the cost of incident response. With over 900 million reported records exposed in 2014, more companies are seriously starting to consider transferring risk to insurance providers. Despite growing awareness of breach exposure and of risk-management strategies, however, less than 20% of large enterprises avail themselves of cyber insurance. For small- and medium-sized enterprises the percentage is even lower, at less than 6%, according to ABI Research. The largest barrier to growth is a lack of actuarial data about cyberattacks, but this is quickly changing as the attacks continue. Currently, insurers find it difficult to assign a proper value to data or systems, or to determine appropriate policies, since they are unable to scope an organization's cyber risk environment.

ABI Research forecasts the market to hit US$10 billion by 2020.

SANS Institute | Newsletters - NewsBites. SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible. Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #58, July 28, 2015: Fiat Chrysler Recall; US Power Grid Vulnerable; Pakistan Bans Blackberry Enterprise Server; Stagefright Vulnerabilities Affect Nearly All Android Devices; Malware Could Breach Air-Gap; NSA to Lose Access to Section 215 Data; Three Sentenced in DNS Changer Case; NIST Draft Guidance on Mobile Devices for Healthcare Organizations; HORNET Onion Router Network Faster Than Tor; Belgian Government Phishing Test Not Thought Through. Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr.

Amazon proposes a slice of the sky for commercial drones.

Nokia Technologies plans to return to the consumer market, focusing on virtual reality rather than the cell phones that made it famous. The Finnish company -- what was left of the former cell phone giant after Microsoft bought its handset division last year -- on Tuesday night unveiled Ozo, a next-generation camera for capturing 360-degree video and audio. Unveiled at an entertainment industry event in Los Angeles, the orb-shaped camera is designed for professional content creators rather than consumers. "Ozo aims to advance the next wave of innovation in VR by putting powerful tools in the hands of professionals who will create amazing experiences for people around the world," Ramzi Haidamus, president of Nokia Technologies, said in a statement. "We expect that virtual reality experiences will soon radically enhance the way people communicate and connect to stories, entertainment, world events and each other."


The Age of Mercenary Employees. When my grandfather entered the workplace, he started working at a soft-drink company. This was right after WWII. Eventually the company got bought out and became Safeway. He retired from Safeway. Effectively one company for an entire career. We don't live in those days any more. I don't think I know any peers who have spent an entire career at one place. Not knowing which way it's going to happen means that employees need to take some specific precautions.
1) Keep your skills current.
2) Understand how you provide value.
3) Keep an open mind.

This leads me to the idea of the mercenary employee. A mercenary employee is a person who works on their own terms to meet their own goals. Normally, the mercenary wants a liquid transaction. The breakdown of the ancient (i.e., my grandfather's day) work contract has led to the rise of the mercenary employee. In this kind of world, the employee who is counting on the employer to keep them as long as they want to be kept can be caught up short.

Commix - Command injection and exploitation tool : netsec.

'GSMem' malware designed to infiltrate air-gapped computers, steal data. July 27, 2015. Israeli researchers detailed a new attack that can steal data from air-gapped computers, which are often seen as a reliably safe.

Newly designed malware could, if properly replicated, allow an attacker to pick up the data of air-gapped computers, which are typically thought of as relatively secure. GSMem, as the researchers call it, exploits electromagnetic radiation (EMR) emissions and forces a computer's memory bus to function similarly to an antenna in order to wirelessly transmit data to a phone over cellular frequencies. The Israeli researchers will open their paper, “GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies”, to the public once they present it at the USENIX Security Symposium in August. The malware runs in conjunction with a mobile rootkit embedded in the baseband firmware of a cell phone. It can be installed through social engineering, physical access or a malicious app.

Stagefright Android Bug: 'Heartbleed for Mobile' But Harder To Patch. Critical vulnerability in Android's multimedia playback engine is easy to exploit, requires no user interaction, and affects 95 percent of Android devices.

Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's Stagefright multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will prove harder than Heartbleed to fully fix. The vulnerability was discovered by Joshua J. The worst of the exploits requires no user interaction: the maliciously crafted media file could be delivered via an MMS message, and the user wouldn't even need to open it.

"This is Heartbleed for mobile -- a remotely exploitable vulnerability that affects millions of Android-based phones and tablets," says Chris Wysopal, CTO and CISO of Veracode. Wysopal says attackers will be creating and distributing exploits soon.

SANS NewsBites, Volume XVII - Issue #57, July 24, 2015. July 21, 2015, is likely to be remembered as the first day of the "era of cyber liability." The Era Of Cyber Liability: Appeals Court Overturns Neiman Marcus Dismissal; US Legislators Want to Increase DHS's Cyber Authority; FBI Probes 'Hundreds' of China Spy Cases.

Mobile penetration testing on Android using Drozer : netsec. Foreign hackers briefly commandeer German missile systems. Kali Linux 2 Release Date Set: August 11th : netsec.

Underwriters Laboratories To Launch Cyber Security Certification Program. Meanwhile, UL is also in discussion with the White House on its plans to foster standards for Internet of Things security.

It appears the White House's vision of an Underwriters Laboratories-type certification for Internet of Things products could become a reality: a UL official says the organization is involved with the US government's initiative to promote such security certification standards. "We are involved with those initiatives," says Maarten Bron, director of innovations at UL, of the White House's interest in coming up with a UL-type program for increasingly Internet-connected consumer devices. "What the White House is trying to achieve is to foster collaboration between private and government sectors to come up with these standards … Plans are still in the making from the White House" side, he says, so he can't share any additional details at this time.

UL, meanwhile, also is putting the final touches on a test and certification program of its own for IoT products, Bron says.

Media Streaming Company Plex Hacked, Blackmailed. The creators of Plex, the popular suite of software and services used for organizing and streaming digital media, are advising customers to change their passwords after a hacker breached at least one of the company’s servers. In a security notice sent out to affected customers, Plex says the compromised server hosts its forums and blog. The attacker gained access to IP addresses, email addresses, hashed and salted passwords, and private messages. Credit card and other payment data is not stored on the company’s servers.

Elan Feingold, chief technical officer and co-founder of Plex, noted on Reddit that since the company uses single sign-on (SSO) technology, the attacker can use the forum passwords to log in to Plex.tv accounts as well, assuming he/she can crack the hashes. So far Plex has only confirmed that the server hosting the forum has been compromised, but the investigation is ongoing. The Plex forum has been shut down while the incident is being investigated.

MasterCard to trial using selfies as authentication. MasterCard users may soon be able to pay for online purchases with their face or finger, with the payments giant to begin experimenting with facial-scan technology as well as fingerprint identification in an attempt to eliminate digital fraud.

According to a report by CNNMoney, MasterCard will launch a pilot program with 500 participants over the next few months to develop the infrastructure to approve purchases without the need to enter a password. MasterCard currently employs a SecureCode service that requires customers to enter a password upon checkout in an effort to protect against unauthorised credit card use when shopping online. While biometric recognition technology is the next step in convenience, it still requires an authentication procedure.

According to the report, authorisation will be done via one of two methods. "The new generation, which is into selfies ... I think they'll find it cool."

Malware on Tactical Assault Gear website targets customer information. June 29, 2015. North Carolina-based LC Industries, Inc., which operates the Tactical Assault Gear website, is notifying thousands of customers that malware discovered on the website was being used to gain access to personal information.
How many victims? 3,754.
What type of personal information? Names, email addresses, website account usernames, passwords, credit card numbers, security codes, and expiration dates.
What happened? What was the response? Details: The malware was discovered on or about June 2. LC Industries has reason to believe that there have been attempts to misuse the compromised information of certain customers.
Quote: “We have discovered that there was an intrusion into our servers that run the website that may have compromised personal information about you,” a notification letter said.

ClamXav: Transition to Commercial Product : netsec.

Find Your Passion. Nothing sucks worse than giving a presentation that you're not passionate about.

It sucks for you, the presenter. But it sucks even more for your entire audience, who has to sit there and listen to you drone on about... whatever. One of the things that makes great speakers great is that they can communicate a deep sense of passion about their topics. As audience members, we walk away inspired, motivated, changed. Ok. But that doesn't give you a hall pass on passion. Let's just say you have to give a presentation in a week. Some people are natural emotional broadcasters. But there is another way. If you can feel passion, as a listener I think I can pick that up in you. If you are an introvert, and this is a very internal, personal thing for you, it never hurts to open up the shutters a bit and let the rest of us see a little more than you might normally (this will be work for you, make no mistake - but it will be worth it).

Everyone has passion.

CIA-funded spy data safe Palantir doubles in value in 18 months. CIA-backed Big Data analytics outfit Palantir is about to embark on a fundraising round that will value the biz at $20bn (£13bn), according to reports. The funding comes off the back of bumper forward revenues this year, sources have told The Financial Times [paywall]. It means Palantir will become one of the most valuable private companies in Silicon Valley, the un-named blabber-mouths told the paper. Palantir is best known for running data centres for US intelligence and military services. However, its tech is also used for analysing large amounts of data from disparate sources, and it lists its main clients as government, financial institutions and pharma companies.

The technology is intended to be used for tasks including detecting insider trading, tracking people and identifying weaknesses in IT infrastructure. The company is partly backed by In-Q-Tel, the CIA's investment wing. The firm has obviously been doing well for some time, as it offers its interns over $7,000 a month. Detect/Block BeEF hooks in Chrome PoC and walk-through : netsec. First look at the Pwn Pad 3, the latest in mobile security mayhem. SCADA Systems Offered for Sale in the Underground Economy. NIST issues 'don't be stupid' security guidelines for contractors. Polish LOT aeroplanes grounded by computer hack. WikiLeaks says it's leaking over 500,000 Saudi documents.

We Don't Need No Stinkin' PSExec - TrustedSec : netsec. Black Hat Arsenal USA 2015 Speakers Lineup. Gcat - A stealthy Python based backdoor that uses Gmail as a C&C server : netsec. Union: Hackers have personnel data on every federal employee. Verizon release DBIR Attack Graph Analysis tool : netsec. Hacker Can Send Fatal Dose to Hospital Drug Pumps. Heartland Payment Systems Suffers Data Breach. A fundamental shift in security spending. North Korean hackers 'could kill', warns key defector. Feedback Friday: Industry Reactions to Wassenaar Arrangement. FUD Watch: The Marketing Of Security Vulnerabilities. Insurer tells hospitals: You let hackers in, we're not bailing you out. Stegosploit - Hacking with Pictures : netsec. Complex security solutions are exposing companies to risk.

Arms control treaty could land security researchers like me in jail. Study: Average cost of data breach is $6.5M. 1.1 Million Affected by CareFirst BlueCross BlueShield Breach. Researchers publish developer guidance for medical device security. Hacker leaks sensitive info of millions of Adult FriendFinder users. Why So Many Data Breach Lawsuits Fail. Cuba says in advanced talks with China's Huawei over telecoms. Security Product Liability Protections Emerge. 'Pixie Dust' attack cracks WPS in seconds : netsec. Rapid7 Picks Up NTObjectives. The one killer app that could make us all want a smartwatch. Payload Mask v1.0 – Payload Generator for Bypass WAF. Social Engineering Defenses: Reducing The Human Element. FireEye reports 1Q loss. Health insurer Anthem's profit beats as Medicaid enrollments rise. A Day in the Life of a Stolen Healthcare Record. Social Engineering: Attackers' Reliable Weapon.

OWASP ZAP v2.4.0 Released. US hospitals to treat medical device malware with AC power probes. What’s Your Security Maturity Level? Licence to chill: Ex-CIA spyboss Petraeus gets probation for leaking US secrets to his mistress. Defense Secretary Outlines New Cybersecurity Strategy. RSA 2015: It's end of days for email forgers claim DMARC champions. The Current State of Insecurity: Strategies for Inspecting SSL Traffic. Pillage the Village - The PowerShell version : netsec.

Don’t Be Fodder for China’s ‘Great Cannon’. Red team tradecraft for pen tests : netsec. TrueCrypt Not Plagued by Backdoors, Severe Design Flaws: Auditors. Check Point to acquire mobile security company Lacoon. Simple Phishing Toolkit (rebirth) : netsec. Auxilio to Acquire Redspin. 5 Breach Lawsuits Filed Against Premera. Reverse Shell Cheat Sheet : netsec. Former Tesla Intern Releases $60 Full Open Source Car Hacking Kit For The Masses.

Macro-based malware continues to gain traction.

Security Papers

Security Hardware. 2010 Incident Handling. Finally, A Decent Use Of Cloud Computing: Software Security | Bu. Automatic web encryption (almost) everywhere - The H Security: N.