Do you remember the “Pass The Bomb” game? All kids played this game at least once. The principle is simple and funny. There is bomb which is programmed to explode after a random time. Players must pass the bomb from hand to hand and say a new word which must contain letters from a chosen card. The player who has the bomb when it explodes loses. [Note to the NSA: The term "bomb" refers to a game - I'm not a terrorist!]

Today, I had the feeling to see a new kind of “Pass The Bomb” game at acme.org [The names have been changed to protect the innocents]. A mail reporting a security issue arrived in a generic mailbox (something like abuse) with a Cc: to a physical non-tech person. I’m pretty sure that the mail was too technical to be handled by the abuse team. The non-tech person read the message and forwarded it to a first person with more focus on security. Then the mail was forwarded to another person in the team where resides the security issue. Then this person forwarded the message to someone else in the same department. At all steps, the list of Cc: increased. Then, no news… I hope that the bomb did not explode in the mean time!

This story is a good example of a “Pass The Bomb” game in information security. Email is not a proper way to handle such issues. I don’t say that the communication channel is bad (depending on the type of incident) but all communications and actions should be logged into a stronger system (like a ticketing system, a Wiki, a notepad, …) with proper follow-up. Most people have a “FF” reflex (“Forward and Forget“, not “Follow Friday” for the Twitter addicts). I don’t blame them, that’s the human behavior. They have their regular business to be done. But, some people in the chain maybe already started their summer break. What if the mail was forwarded to an out-of-business contact? At the moment, I’m pretty sure that nobody took the lead on this security incident… Tip: have a proper incident handling procedure in place.

Winning project looked at protection for e-payment and e-identity data(author unknown)

Litigation between the two companies will be dismissed(author unknown)

Login Protect allows instant activation of two-factor authentication on any Web page or application area(author unknown)

I'm now on the board of directors of the EFF.

schneier

Previous trading symbol was "COIND"(author unknown)

The short answer is 'Yes'. The long answer is the rest of this post. So. Many. Presentations.

You probably want to go get your reading glasses. Or black-market cyber eyes. Eye strain is a real possibility, and we care about your optic health.

Remember – take care of your eyes and they'll take care of you.

DragonLady: An Investigation of SMS Fraud Operations in Russia
Ryan W. Smith

The Government and UFOs: A Historical Analysis
Richard Thieme

Analyzing and Counter-Attacking Attacker Implanted Devices Case Study:Pwn Plug
Wesley McGrew

Business logic flaws in mobile operators services
Bogdan Alecu

A Password is Not Enough: Why Disk Encryption Is Broken And How We Might Fix It
Daniel Selifonov

PowerPwning: Post-Exploiting By Overpowering PowerShell
Joe Bialek

Doing Bad Things to 'Good' Security Appliances
Phorkus and Evilrob

Collaborative Penetration Testing with Lair
Tom Steele and Dan Kottman

Android WebLogin: Google's Skeleton Key
Craig Young

BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware
Josh "m0nk" Thomas

Hardware Hacking with Microcontrollers: A Panel Discussion
Joe Grand, RenderMan, FirmWarez, LosT and Mark 'Smitty' Smith

This Presentation Will Self-destruct in 45 Minutes: A Forensic Deep Dive into Self-destructing Message Apps
Drea London and Kyle O'Meara

10000 Yen into the Sea
Flipper

Fear the Evil FOCA: IPv6 Attacks in Internet Connections
Chema Alonso

Let's Screw with nmap
Gregory Pickett

Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions
Andy Davis

The Bluetooth Device Database
Ryan Holeman

C.R.E.A.M. Cache Rules Evidently Ambiguous, Misunderstood
Jacob Thompson

Suicide Risk Assessment and Intervention Tactics
Amber Baldet

Conducting Massive Attacks with Open Source Distributed Computing
Alejandro Caceres

Resting on Your Laurels Will Get You Pwned: Effectively Code Reviewing REST Applications to Avoid Getting Powned
Abraham Kang and Dinis Cruz

Fast Forensics Using Simple Statistics and Cool Tools
John Ortiz

Forensic Fails - Shift + Delete Won't Help You Here
Eric Robi and Michael Perklin

EDS: Exploitation Detection System
Amr Thabet

HiveMind: Distributed File Storage Using JavaScript Botnets
Sean Malone

OTP, It won't save you from free rides!
bughardy and Eagle1753

Utilizing Popular Websites for Malicious Purposes Using RDI
Daniel Chechik and Anat (Fox) Davidi

gitDigger: Creating Useful Wordlists From Public GitHub Repositories
Jaime Filson (WiK) and Rob Fuller (Mubix)

Evolving Exploits Through Genetic Algorithms
soen

Proliferation
Ambassador Joseph DeTrani

The Growing Irrelevance of US Government Cybersecurity Intelligence Information
Mark Weatherford

Meet the VCs
Ping Li, Matt Ocko, Phil Paul, Eileen Burbridge

From Nukes to Cyber - Alternative Approaches for Proactive Defense and Mission Assurance
Lt Gen Robert Elder, USAF (Retired

An Open Letter - The White Hat's Dilemma: Professional Ethics
Alex Stamos

The Policy Wonk Lounge
Sameer Bhalotra, Robert Brese, Lt. Gen. Robert Elder, Bruce McConnell, Mark Weatherford

(author unknown)

07/01/2013 - IBM is seeking qualified Java professionals in the following cities: Baton Rouge, LA Charlotte, NC Dallas, TX Lanham, MD Lansing, MI Mechanicsburg,...(author unknown)

Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA's data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures.

The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis -- and possibly the USA Today story.

Frustratingly, this has not become a major news story. It isn't being widely reported in the media, and most people don't know about it. At this point, the only aspect of the Snowden story that is in the news is the personal story. The press seems to have had its fill of the far more important policy issues.

I don't know what there is that can be done about this, but it's how we all lose.

schneier

Shadowcrew.com was an illegal online marketplace that trafficked in at least 1.5 million stolen credit and bank card numbers(author unknown)

Resources

• SSL: Intercepted today, decrypted tomorrow – news.netcraft.com
  Millions of websites and billions of people rely on SSL to protect the transmission of sensitive information such as passwords, credit card details, and personal information with the expectation that encryption guarantees privacy.

Tools

• ResponseCoder – Manipulation of HTTP Response Headers – blog.cyberis.co.uk
  ResponseCoder is designed to allow you to easily manipulate HTTP response headers – specifically to identify weaknesses in perimeter filtering appliances such as web proxies and next generation firewalls.
• Penetration Testing for iPhone Applications Part 5 – resources.infosecinstitute.com
  In the first part of the article, we discussed traffic analysis for iPhone applications. The second, third and fourth parts of the article covered an in-depth analysis of insecure data storage locations on the iPhone. In this part, we will take a look at runtime analysis of iOS applications.
• Adding Vulnerability Scanning Capabilities to Nmap with NSE Vulscan 1.0 – toolswatch.org
  Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV version detection per service which is used to determine potential flaws according to the identified product.

Techniques

• Spidering WordPress.org for Security Fixes – infosec4breakfast.blogspot.se
  I first saw this concept in Australia at Ruxcon 2012, which basically comprised of looking at change logs and other available information online to derive vulnerabilities for earlier versions of web applications.
• Old Exploits Still Do the Trick – blog.spiderlabs.com
  We are all aware that patching is very important. Many websites, however, take the risk of not updating their software for various reasons: it requires manual modifications, adjustment of the current code to work with the changes, the layout gets broken… In other words- they are lazy.

Vendor/Software Patches

• HP Storage – lolware.net
  HP’s D2D product line, which has recently been rebranded “StoreOnce”, is effectively an expensive software platform.
• Auditing Security Checklist for AWS Now Available – blogs.aws.amazon.com
  Based on feedback from our customers, AWS has published an Auditing Security Checklist to help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards.

Solution includes up to 4 Gbps throughput and a range of content security and management options(author unknown)

Findings will help researchers distinguish between human players and automated “bots”(author unknown)

The NIST has published a voluntary framework to reduce cyber risk to critical infrastructure as a result of a directive inside the President's execute order for improving critical infrastructure cybersecurity. The core of this framework is composed of a function matrix and a framework implementation level matrix. The function matrix contains the five top-level cybersecurity functions, noreply@blogger.com (Seguridad de la Información)

Prepared by: The Open Empowerment Initiative (OEI) Cyberspace is fundamentally rewiring the ways groups, individuals and states engage with politics, economics, social action and governance across Latin America. With some 40% of the region's population now online, connectivity is expanding faster than in any other part of the world. Most of that expansion is happening amongst the young noreply@blogger.com (Seguridad de la Información)

El tráfico mundial en la nube se sextuplicará durante los próximos cinco años, con una tasa de crecimiento del 44% de 2011 a 2016. Esta explosión del tráfico en la nube plantea dudas sobre la capacidad de las empresas de gestionar la seguridad de la información. Cada vez resulta más difícil para las empresas ignorar la virtualización y la nube. La TI evoluciona hacia las nubes híbridas. noreply@blogger.com (Seguridad de la Información)

The NSA has published some new symmetric algorithms:

Abstract: In this paper we propose two families of block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. While many lightweight block ciphers exist, most were designed to perform well on a single platform and were not meant to provide high performance across a range of devices. The aim of SIMON and SPECK is to fill the need for secure, flexible, and analyzable lightweight block ciphers. Each offers excellent performance on hardware and software platforms, is flexible enough to admit a variety of implementations on a given platform, and is amenable to analysis using existing techniques. Both perform exceptionally well across the full spectrum of lightweight applications, but SIMON is tuned for optimal performance in hardware, and SPECK for optimal performance in software.

It's always fascinating to study NSA-designed ciphers. I was particularly interested in the algorithms' similarity to Threefish, and how they improved on what we did. I was most impressed with their key schedule. I am always impressed with how the NSA does key schedules. And I enjoyed the discussion of requirements. Missing, of course, is any cryptanalytic analysis.

I don't know anything about the context of this paper. Why was the work done, and why is it being made public? I'm curious.

schneier

Search queries involving Malaysian domain names were poisoned this morning, leading visitors to temporary sites with a message from what appears to be a hacker protesting against the treatment of Bangladeshi workers in the country.
 
Affected sites included Dell Malaysia (.com.my), all Microsoft sites on the .my suffix -- notably MSN Malaysia (.com.my), Skype Malaysia (.com.my) and Bing Malaysia (.com.my) -- as well as antivirus site Kaspersky (.com.my). Google Malaysia (.com.my), YouTube Malaysia (.com.my) and a few other .my domain sites.
 

Tags: SecurityMalaysial33tdawg

Guest Blog(author unknown)

A security update issued by Microsoft on Tuesday isn't playing nicely with other software, prompting Microsoft to pull it from its download center.

Dustin Childs, group manager of Microsoft Trustworthy Computing, revealed the problem in a blog post late yesterday:

Tags: MicrosoftSecurityl33tdawg