NEWS: HEADLINES
Two Apple security sessions axed
Two Apple-related security sessions have been canceled at this
week's Black Hat conference due to confidentiality and marketing
issues, according to a Washington Post article. The first talk, in
which Charles Edge was to discuss FileVault and its flawed
encryption scheme, was axed after he signed an agreement with the
Cupertino company to keep quiet. It seems to be strictly a case of
not biting the hand that feeds you: Edge says Apple is his largest
client. You can't blame him for pulling out, but as the Post article
points out, the cancellation will probably just further pique the
interest of the hacker community, so the issue is likely to be
discovered and outed regardless of any agreement. The second
session, which Computerworld has more information on, was to be
given by an Apple engineering team, but was canceled after the
company's marketing department got wind of what the team was about
to do: "Marketing got wind of it, and nobody at Apple is ever
allowed to speak publicly about anything without marketing
approval."
Black Hat Puts Spotlight on Security Research
The Black Hat conference will bring with it a crowd of IT security
pros ready to hear about the latest research into malware, rootkits
and hacker tricks. Attendees will hear about attacks on Cisco
routers and from researchers from such vendors as Hewlett-Packard.
IT security pros, analysts and researchers are coming together for
the meeting of the minds that is Black Hat 2008. The popular
security conference officially kicked off Aug. 2 in Las Vegas with a
series of training sessions that wrap up Aug. 5. However, the real
buzz for many attendees will be the technical briefings Aug. 6-7 at
Caesars Palace.
ICANN Plans for Disaster
VeriSign and the other companies that operate the top-level domains
on the Internet are critical infrastructure, or at least some of
them are. What if one of them were to fail somehow? That is the
question ICANN is asking with its proposed gTLD Registry Failover
Plan. eWeek's Larry Seltzer explains what ICANN plans to do in case
a registry fails.
DOJ, Secret Service Move Against International Hacker, ID Theft Ring
The U.S. Attorney and Secret Service claim an international crime
syndicate was behind the theft of more than 40 million credit and
debit card numbers from TJX Companies, BJ's Wholesale Club,
OfficeMax, Boston Market, Barnes & Noble, Sports Authority,
Forever 21 and DSW. The Department of Justice and Secret Service
allege that the hackers used wardriving to find and break into the
retailers' wireless networks and sniffer programs to capture card
numbers and customer data as they crossed those networks. In what is
believed to be the largest hacking and identity theft case ever
prosecuted, the Department of Justice said Aug. 5 it has indicted 11
people for the theft and sale of more than 40 million credit and
debit card numbers. Let's not forget that this deals with a
hacker, not an international terrorist.
U.S. Government Won't Cede Control Over DNS Root Zone
In a letter to ICANN Board Chairman Peter Dengate Thrush, Meredith
A. Baker, the acting assistant secretary for communications and
information in the Commerce Department's National Telecommunications
and Information Administration, has declared that the U.S.
government has no plans to yield the control it now has over changes
to the Internet's DNS root zone file. ICANN manages the DNS root
zone, but does so under the terms of an agreement with the NTIA;
the distribution of changes in the zone file to the root servers
around the world is performed by VeriSign. The authority of the
Internet Corporation for Assigned Names and Numbers to administer
various aspects of the Internet Domain Name System derives from
agreements with the Commerce Department. The current agreement for
that authority, the Joint Project Agreement, is set to expire in
September 2009, and ICANN has been gearing up for what comes next
with preparations for taking more complete control. The Baker letter
pulls the rug out from under some of those plans. What a
ridiculous thought: The US rules the Internet and the World. Must
have been conceived by Gore. But wait... wasn't he from the other
party?
Newly found hybrid attack embeds Java applet in GIF file
Researchers at NGSSoftware have developed a hybrid attack capable of
hiding itself within an image file and intend to present details on
the exploit at the Black Hat security conference next week. New and
esoteric attacks are part and parcel of what Black Hat is about, but
this particular vector could target web sites with a particularly
vulnerable population: MySpace and Facebook. Social networking web
sites tend to attract younger users, and while this particular
attack can be used in a variety of ways, embedding the hook in
profile photos that are then seeded and targeted at the teen crowd
could be a very effective tactic.
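The article does not say how the hybrid is put together. The example below, added here and not NGSSoftware's code or anything from the original page, assumes the mechanism that makes such a file possible: a GIF decoder reads from the front of the file and stops at the GIF trailer, while a ZIP/JAR reader locates the archive from the end of the file, so a GIF with a JAR appended is valid as both. It builds a constructed hybrid (a 43-byte 1x1 GIF plus a throwaway JAR whose class payload is placeholder bytes, not bytecode) and shows the structural check an upload handler can run: walk the GIF to its trailer and refuse anything that carries trailing data or that a ZIP reader would also accept.

```python
"""Added example: detect an image that also parses as a ZIP/JAR archive.
Constructed sample data; not code from the original page or NGSSoftware."""
import io
import zipfile

# Constructed sample: a 43-byte 1x1 transparent GIF89a and nothing else.
MINIMAL_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a" signature
    "01000100" "80" "0000"    # logical screen 1x1, 2-entry global colour table
    "000000ffffff"            # the two colour table entries
    "21f90401000000" "00"     # graphic control extension + block terminator
    "2c000000000100010000"    # image descriptor 1x1, no local colour table
    "02" "024401" "00"        # LZW min code size, one data sub-block, terminator
    "3b"                      # GIF trailer: a decoder stops here
)


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the
    0x3B trailer, i.e. where a well-formed GIF file should end."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    packed = data[pos + 4]                    # screen descriptor: w(2) h(2) packed bg aspect
    pos += 7
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 0x07))

    def skip_subblocks(p: int) -> int:        # length-prefixed blocks until a 0 byte
        while True:
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                     # trailer
            return pos
        if block == 0x21:                     # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 1)
        elif block == 0x2C:                   # image descriptor: 9 bytes, optional LCT,
            packed = data[pos + 8]            # LZW min code size, then sub-blocks
            pos += 9
            if packed & 0x80:
                pos += 3 * (2 << (packed & 0x07))
            pos = skip_subblocks(pos + 1)
        else:
            raise ValueError("unexpected GIF block 0x%02x at %d" % (block, pos - 1))
    raise ValueError("GIF trailer missing")


def build_jar(class_name: str, payload: bytes) -> bytes:
    """Constructed JAR: a manifest plus one member; payload is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        z.writestr(class_name + ".class", payload)
    return buf.getvalue()


def build_hybrid(gif: bytes, jar: bytes) -> bytes:
    """Image first (decoders stop at the trailer), archive last (ZIP readers
    find the end-of-central-directory record by scanning from the end)."""
    return gif + jar


def inspect_image(data: bytes) -> dict:
    """Structural check for an upload handler: parse the GIF to its trailer,
    then ask whether a ZIP reader would accept the same bytes."""
    end = gif_end_offset(data)
    members = None
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = z.namelist()
    return {
        "gif_end": end,
        "trailing_bytes": len(data) - end,
        "archive_members": members,
        "looks_like_jar": members is not None and "META-INF/MANIFEST.MF" in members,
        "suspicious": len(data) > end or members is not None,
    }


if __name__ == "__main__":
    hybrid = build_hybrid(MINIMAL_GIF, build_jar("Evil", b"placeholder-not-bytecode"))
    print("clean :", inspect_image(MINIMAL_GIF))
    print("hybrid:", inspect_image(hybrid))
```

The trailing-data check is the cheap first line of defence; the robust fix for a site that hosts user images is to decode and re-encode every upload server-side, which discards anything after the image data, and to serve user content from an origin that cannot be used as a codebase for the site's own pages.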
Brazilian hackers stalk Twitter
Social websites like Facebook and MySpace have attracted a great
deal of attention as targets of opportunity for phishing scams, but
they are scarcely the only two social networking sites. New
information suggests that hackers have tuned in to the newfound
popularity of microblogging, and are at the very least evaluating
Twitter as a potential target. In a blog post at Kaspersky Labs'
Viruslist, Dmitry Bestuzhev describes the attack and how it
functions. The Twitter profile itself was created specifically for
the attack; its profile information is posted in Portuguese. There
is nothing on the page but a link to a video promising hot girl
action; actually clicking the link redirects the browser and
instructs the user to download a new version of Adobe Flash that is
supposedly required to watch the "film."
ARS TECHNICA
Hap-snap
McAfee snaps up Reconnex to add deeper data loss
prevention capabilities. The move, which follows several
acquisitions in the DLP space by Symantec, EMC and others in 2007,
is part of a broader data protection strategy for McAfee.
China listens in on 'foreign devils'
It's almost 8.8.2008! And China is listening. And blocking, by the
way. Smart phones, BlackBerrys and laptop computers will offer up
sensitive personal and business information to officials who monitor
China's state-controlled telecommunications carriers. China's Public
Security Bureau is working overtime. China's security policies
clashed with Olympic norms on Thursday, when IOC officials said they
were embarrassed by last-minute disclosures by the Chinese
government that media covering the August 8-24 Olympics would not
have unfettered access to the Internet. On Tuesday, U.S. Sen. Sam
Brownback, a Kansas Republican, said China had installed
Internet-spying equipment in all the major hotel chains serving the
Olympics. Citing hotel documents he received, Brownback said
journalists, athletes' families and others attending the Olympics
next month "will be subjected to invasive intelligence-gathering" by
China's Public Security Bureau.
U.S. Agents Can Seize Laptops (and listen in on domestic devils as well)
Notebooks and other devices can be seized without reason and held
indefinitely.
U.S. federal agents have been given new powers to seize travelers'
laptops and other electronic devices at the border and hold them for
unspecified periods, the Washington Post reported on Friday. Under
recently disclosed Department of Homeland Security policies, such
seizures may be carried out without suspicion of wrongdoing, the
newspaper said, quoting policies issued on July 16 by two DHS
agencies. Agents are empowered to share the contents of seized
computers with other agencies and private entities for data
decryption and other reasons, the newspaper said. DHS officials said
the policies applied to anyone entering the country, including U.S.
citizens, and were needed to prevent terrorism. The measures have
long been in place but were only disclosed in July, under pressure
from civil liberties and business travel groups acting on reports
that increasing numbers of international travelers had had their
laptops, cellphones and other digital devices removed and examined.
The policies cover hard drives, flash drives, cell phones, iPods,
pagers, beepers, and video and audio tapes -- as well as books,
pamphlets and other written materials, the report said. The policies
require federal agents to take measures to protect business
information and attorney-client privileged material. They stipulate
that any copies of the data must be destroyed when a review is
completed and no probable cause exists to keep the information.
OSS voices must be heard in national security debate
At the OSCON open-source software convention last week, the
Foresight Institute's Christine Peterson—the individual
credited with conceiving the term "open source"—urged technology
enthusiasts to help redefine the way that society responds to
security threats. The stakes are high, she claims, and the cost of
failing to act could be enormous. She began her presentation
by discussing the multitude of serious problems that have emerged
from the adoption of electronic voting machines in the United
States. Although electronic voting was originally devised to
simplify elections and increase the accuracy of ballot tabulation,
the voting machines in use today are disastrously unreliable and
insecure. The hardware failures and demonstrable susceptibility to
tampering exhibited by these devices is undermining the transparency
and credibility of American democracy.
Resistance, however, is not enough. In order to overcome such
challenges, technology enthusiasts must find better ways to address
the underlying problems that seemingly necessitate the faulty
solutions. According to Peterson, the area where there is the
greatest need for action is in national security. The federal
government's controversial use of secret surveillance raises serious
questions and poses a very real threat to privacy. She believes that
the government has adopted this risky top-down approach to security
because it lacks the tools it needs to address the problem in a more
responsible way.
Instead of using secret spying, "we need to track the problem, not
the people." The best way to combat the problem is to redefine the
solution space. The answer is to drive innovation and deliver new
technologies that can guarantee both privacy and security. Tools
must be built that can detect security threats while also imposing
verifiable limitations on government intrusion. In order to prevent
abuse, these tools must be utterly transparent and perpetually
subjected to the highest level of public scrutiny. Her mantra is "no
secret software for public sensing data."
The people who will build such tools, she insists, need to have a
deep understanding of security, privacy, functionality, and freedom.
She is completely convinced that the open-source software community
has the values and expertise needed to lead the way.