
Added Security for Twitter Users to Come Soon!

Two-Factor Authentication

From spam to ham, Twitter deals with a lot of security issues on a daily basis. What about viruses and malware? Surely, yes. But, more importantly: account security. What do Twitter users need? Security assurance!

Twitter is therefore developing and perfecting a two-factor authentication method that asks not only for a password but also for a second, different credential, so that Twitter can be sure of who is accessing your account.

Given the recent wave of hijacked Twitter accounts, it is best to have this in place before it happens to more high-profile organizations. Recent victims include the accounts of the Associated Press, CBS 60 Minutes, and the BBC.

Expect a shift toward two-factor authentication across all high-profile websites. Apparently, it is the go-to emergency security solution.


Free Software Pioneer Richard Stallman calls Ubuntu ‘Spyware’

Richard Stallman, the pioneer of free software, has asked a South American free software association not to promote Ubuntu at any of its events, on the grounds that it “spies on its users” by collecting desktop search activity and handing it over to Amazon.

Canonical, the developer of Ubuntu, a Linux-based operating system, released version 12.10 with this desktop search feature last October. Users can opt out of it; Canonical claims that the feature collects only anonymous user data, which is shared with third parties.

Calling Ubuntu spyware seems like ridiculous banter on Stallman’s part. It may not be spyware, but it is no surprise that any software collects data. Wouldn’t you be shocked to find out that a piece of software didn’t collect data?

There has been a lot of heated criticism of this desktop search; however, Stallman’s request was declined. The FLISOL event organizer stated that users should have freedom of choice, and as we know, limited freedom of choice is bad when it comes to software.

Whether or not Stallman wants Ubuntu promoted is irrelevant to the fact that Ubuntu is one of the fastest-growing Linux distributions.

Google disallowing Ad-Blockers in Play store

Google Play has operated in an odd fashion: it mostly approves apps correctly, with a few slipping by, but it has also approved ad-blocking apps. Most of these apps operate either within a browser (like the Firefox add-on AdBlock Plus) or on a rooted device (where they can disable ads device-wide).

Google now says no more: many users report on social networks that ad blockers are being removed from Google Play, most often with the stated reason “Violation of section 4.4 of the Developer Distribution Agreement.”

Google is reportedly also blocking updates to currently installed versions, which means that even if you have an ad blocker on your device, it will eventually stop working, if it hasn’t already.

Pwn2Own (2013) Contest a Blast – FULL Results

The 2013 CanSecWest conference once again hosted the Pwn2Own contest, an elite (1337) competition for hackers. The concept remains simple and always will: if you pwn a fully patched browser running on a fully patched laptop, you get to keep the laptop.

However, additional rules applied this year. Winning required successfully demonstrating the exploit and providing the sponsor (HP) with the fully functioning exploit and all details of the vulnerability used in the attack; if several vulnerabilities were involved, a separate report was needed for each.

The work could not be sold to anyone else, and the proof of concept would belong to HP once purchased. Basically, HP buys the winning exploits for its own use. The prize money was as follows:

  • Google Chrome on Windows 7 = $100,000
  • IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000
  • Mozilla Firefox on Windows 7 = $60,000
  • Apple Safari on Mac OS X Mountain Lion = $65,000
  • Adobe Reader XI and Flash Player = $70,000
  • Oracle Java = $20,000

It was assuredly a blast at the competition, no doubt about it.

DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!

(Where’s Safari, right? It survived!)

The idea behind each attack is that merely browsing to an untrusted website lets the attacker inject and run arbitrary code outside of the browser’s confines.

Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”

In addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day: once each by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led the pack by successfully exploiting IE10 and Firefox as well.

The only other exploit was by Nils & Jon, who together successfully exploited Chrome.

The day after the first day of Pwn2Own, Mozilla and Google patched the vulnerabilities that had been exploited. Amazingly fast: Firefox moved to version 19.0.2 (which you should have received automatically), and Chrome moved to version 25.0.1364.160 (patching 10 vulnerabilities in total).

“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a blog post on Thursday.

Microsoft has decided to wait until next week’s Patch Tuesday updates to push out the fix for the IE10 vulnerability.

DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!

The last day of Pwn2Own 2013 went out with a BANG!

Flash Player was exploited by VUPEN Security (any surprise?). Adobe Reader was PWNED by George Hotz. Java was exploited once again, this time by Ben Murphy, whose entry was presented by proxy.

Who were the overall prize winners?

  • James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
  • VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
  • Nils & Jon for Google Chrome – $100,000
  • George Hotz for Adobe Reader – $70,000

Of course, George Hotz is best known for jailbreaking the iPhone and the PlayStation 3. He is still in the middle of a lawsuit with Sony over the PS3 jailbreak.

It’s amazing to see Java PWNED 4 times in just two days, but is it any surprise, given the number of vulnerabilities Oracle has had to deal with in Java?

Now in its eighth year, the Pwn2Own contest paid out $480,000, a record. Amazing!

Got any thoughts on this? Post a comment below! 🙂

RSA Conference Details Unfold in this Super Writeup!

The RSA Conference is a yearly security conference where a wide range of internet security topics are discussed. This year’s discussions are quite intense and cover many of the latest problems.

  1. Security training matters for everyone. Teaching people about the seriousness of threats is highly important: not just the basics, like what an IP address, a firewall, or antivirus software is, but, more than that, trends in computer security, social engineering, and so on. With more and more people using tablets, smartphones, and the like, there is a big need for understanding cybersecurity. (Secure Connexion has its own school venture, SecuSchool, hosted on a sister website.)
  2. Cybersecurity on Planet Earth is in big trouble! Experts state that the internet was designed and built without security in mind. Password theft, attacks on businesses, fraud, phishing, and so on now make internet security far more important. The problem is that attackers are also getting organized in their criminal activity, so there is a need for counterintelligence methods.
  3. “Too big to be good” is how most security companies are being described. By the time new businesses start fighting new cyberthreats, criminals already have new plans under way.
  4. Petabytes of free personal data are out there in social media and analytics. Scams, fraud, and phishing campaigns can be built from the information freely available online.
  5. Mobile malware is on the rise. Reportedly about 30% of malware submissions (not necessarily new samples) come from mobile platforms.
  6. Cyberespionage is on the rise, big time! Governments are spying on each other, gathering information, stealing secrets, and preparing cyberattacks.
  7. There are a lot of good security startups making steady advances toward the future of cybersecurity. We’re just one of them.

Today, as RSA continues, keynote speeches will be given by Vint Cerf of Google, Philippe Courtot of Qualys with special guest John Pescatore of the SANS Institute, Christopher Young of Cisco, Mike Fey of McAfee, and Jimmy Wales of Wikipedia.

Last year’s conference highlights were as follows:

  • Application, cloud, data, and mobile security
  • Cryptography
  • Hacking and other threats
  • Governance & laws
  • Risk & compliance
  • Professional development
  • Strategy & architecture
  • Technology infrastructure

We will most likely have more details about RSA 2013 in the coming days. The conference runs from February 25 to March 1 in San Francisco.

Cybersecurity Order Signed by President Obama – Now What?

An Executive Order on cybersecurity, covering the sharing of threat information between companies, has been studied for months and talked about for years. With high-level attacks targeting critical infrastructure, information sharing between companies is a pressing issue, and President Barack Obama agrees that it should take effect.

One core problem with information sharing is that data on new threats and cybercrime attacks needs to be shared as soon as it is discovered, not in the middle of an attack. Usually, companies do pass some information along to other companies, but treat it as low priority, so the company on the receiving end gets it too late to do anything about it.

As we reported back in late December, 46 House Republicans signed a letter (PDF) urging President Barack Obama not to issue the executive order on cybersecurity. The letter, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalise (Louisiana), aimed to reduce government involvement in cyberwar, in the hope of not stirring up hackers and other pests.

However, if companies don’t band together to defeat the cybersecurity problems spreading aggressively across the Internet, then every ordinary internet user ends up unwittingly sharing personal information and credit card data, which could rob money from the pockets of millions of people every day. With this Executive Order, at least companies can share information about cybersecurity threats, prevent people from being robbed, and clean up cases of data and identity theft.

As we reported late last month, critical infrastructure vulnerabilities are getting out of hand.

“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.

“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.

Pair this with the Department of Defense’s push for more cybersecurity workers, and the state of national security should improve along with cybersecurity.

According to Wired, the order, which runs eight pages (PDF), directs the Attorney General’s office, the office of Homeland Security Secretary Janet Napolitano, and the Director of National Intelligence to issue instructions to their agencies that would “ensure the timely production of unclassified reports of cyberthreats to the U.S. homeland that identify a specific targeted entity” to Congress, and also to develop a program for providing “classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure,” according to the document.

With the government looking to expand its handling of critical infrastructure vulnerabilities, from hiring more workers to expediting security clearances, the Order has this to say:

“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”

Some worry about this order and hope it is the right thing to do.

“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyberthreats,” Republican Representative Michael McCaul, of Texas, said in a statement.

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties,” ACLU legislative counsel Michelle Richardson said in a statement. “Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information.”

We’ll see how the internet security landscape develops as time goes on; this is just the beginning. To see this through, Congress will be keeping a close eye on the issue and may start adding other measures to support it.

All-Out Cyberwar is Going On in the Dark, Pentagon Increasing Cybersec Teams

Could there be a “cyber 9/11”? Could an all-out cyberwar be happening right now? There is a war going on, a cyber one at that, right here in the States. If you work for a defense contractor, a bank, a rail or air transportation provider (including RTAs and other digitally dependent transportation systems), a power company, a water or utility plant, and so on, you are in the direct line of fire of potential cyberwar problems.

A cyberwar has been brewing over the past year, and people usually picture it as governments going head to head (as in a conventional war). However, it is more a war waged against governments, corporations, and of course the entities named above.

From government-built threats like Stuxnet and Flame to cybercrime operations like Red October, Rustock, and even Virut/Waledac, the threat seems to be getting out of hand. Given the tactics these malware powerhouses use, our worry about a severe (life-threatening) attack should be a lot greater, mainly in the sense that the US should seriously prepare itself.

“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.

“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.

Martinez studies a range of issues, from US entities being targeted by fronts from China and Iran for intellectual property theft to other cybercrimes such as stealing identities or cash.

Take Stuxnet, for example: the US and Israel crafted it jointly to disrupt Iranian nuclear facilities. The problem is that doing so may have provoked an escalation of the cyberwar, giving Iran reason to develop something of its own and seek revenge. Iran then struck back with cyberattacks on US banks. Some also believe Iran was behind the Shamoon virus, which wiped 30K hard drives and took computers at Saudi Aramco offline for several weeks.

Defense firms in the US are hoping that some of the Fortune 500 cybersecurity companies have a good plan to defend the US against these opponents and counter them.

The Pentagon has responded to this cyberwar with a new plan to expand its cybersecurity teams. The Senate continues to push for legislation on sharing information about threats and cyberattacks, and as President Obama prepares to issue an executive order on cybersecurity, the Department of Defense is looking for a massive increase in the number of trained cybersecurity personnel to help defend the country’s public and even private networks.

The government has had trouble finding the right personnel in the past, since most are employed by agencies that don’t discuss operations publicly (due to the risk of information getting into the wrong hands). The Pentagon plans to raise the number of security professionals to 5,000 over the next few years (up from a little under 1,000). It hopes both military and civilian security personnel will join up, so that the diversity helps the US prepare for any issue.

Expect corporate, government, and private firms to take charge more firmly in this cyberwar!
