[ISN] InfoSec News Mailing List
http://www.infosecnews.org/mailman/listinfo/isn

InfoSecNews

------------------------------------------------------------------------

BlackBerry has spyware risk too, researcher says
http://www.infosecnews.org/pipermail/isn/2010-February/018747.html
http://news.cnet.com/8301-27080_3-10448545-245.html

By Elinor Mills
InSecurity Complex
CNET News
February 7, 2010

We've heard a lot about security issues with the iPhone, but the BlackBerry isn't immune to threats from malicious apps.

Tyler Shields, a senior researcher at the Veracode Research Lab, has written a piece of spyware that allowed me to shoot an SMS command to his phone and have his contact list forwarded to my e-mail address in a demonstration. With another short text command, I was able to get his BlackBerry to e-mail me any SMS messages he sends.

And if I had wanted--and he had allowed me--I could have seen a log of all his calls, monitored his inbound text messages, tracked his location in real-time based on the GPS (Global Positioning System) in his device and turned his microphone on to listen to conversations in the room and record them.

"It's trivial to write this type of code using the mobile provider's own API [application programming interface] they provide to any developer," Shields said in an interview in advance of his talk on the spyware scheduled for the ShmooCon security show on Sunday.

[...]

------------------------------------------------------------------------

IDF considers using BlackBerry
http://www.infosecnews.org/pipermail/isn/2010-February/018746.html
http://www.jpost.com/Israel/Article.aspx?id=167988

By Yaakov Katz
The Jerusalem Post
07/02/2010

When Barack Obama was elected president of the United States, he was told he could no longer use his personal BlackBerry to receive e-mails, as it is not secure.

[...]

------------------------------------------------------------------------

Why CSOs Should Care About ShmooCon
http://www.infosecnews.org/pipermail/isn/2010-February/018745.html
http://www.csoonline.com/article/533363/Why_CSOs_Should_Care_About_ShmooCon_

By Bill Brenner
Senior Editor
CSO
February 07, 2010

WASHINGTON, D.C. -- Many CSOs view ShmooCon as an event of small importance. You don't see the suits and ties that are on display at RSA.

[...]

------------------------------------------------------------------------

Biggest hacker training site shut down
http://www.infosecnews.org/pipermail/isn/2010-February/018744.html
http://www.chinadaily.com.cn/china/2010-02/08/content_9440667.htm

By Wu Yiyao
China Daily
2010-02-08

What is believed to be the country's biggest hacker training site has been shut down by police in Central China's Hubei province.

Three people were also arrested, local media reported yesterday.

[...]

------------------------------------------------------------------------

CSIIRW Sixth Cyber Security and Information Intelligence Research Workshop
http://www.infosecnews.org/pipermail/isn/2010-February/018743.html

Forwarded from: Frederick Sheldon <sheldonft (at) ornl.gov>

CALL FOR ABSTRACTS*

CSIIRW-10
http://www.csiir.ornl.gov/csiirw

April 21-23, 2010

Sixth Cyber Security and Information Intelligence Research Workshop
Oak Ridge National Laboratory
CSIIRW-09 Proceedings

*My apology for multiple postings;

[...]

------------------------------------------------------------------------

GAO Report: NASA Still Facing Weaknesses In IT Security
http://www.infosecnews.org/pipermail/isn/2010-February/018742.html
http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=222700163

By Tim Wilson
DarkReading
Feb 05, 2010

NASA made history earlier this week by releasing up-close pictures of Pluto. Here on Earth, however, it's the space agency's IT systems and

[...]

------------------------------------------------------------------------

Secunia Weekly Summary - Issue: 2010-05
http://www.infosecnews.org/pipermail/isn/2010-February/018741.html

========================================================================

The Secunia Weekly Advisory Summary
2010-01-28 - 2010-02-04

This week: 60 advisories

[...]

------------------------------------------------------------------------

Fugitive VoIP hacker admits 10 million minute spree
http://www.infosecnews.org/pipermail/isn/2010-February/018740.html
http://www.theregister.co.uk/2010/02/03/voip_hacker_guilty/

By Dan Goodin in San Francisco
The Register
3rd February 2010

A Miami hacker has admitted he pocketed more than $1m by selling millions of minutes of voice over IP calls and surreptitiously routing

[...]

------------------------------------------------------------------------

Military Intelligence: IDF is prepared for Cyberwarfare
http://www.infosecnews.org/pipermail/isn/2010-February/018739.html
http://dover.idf.il/IDF/English/News/today/10/02/0304.htm

By Arnon Ben-Dror
Israel Defense Forces
03 February 2010

In a paper published by the head of the Military Intelligence Directorate, Major General Amos Yadlin, in the Intelligence Research

[...]

------------------------------------------------------------------------

Report Details Hacks Targeting Google, Others
http://www.infosecnews.org/pipermail/isn/2010-February/018738.html
http://www.wired.com/threatlevel/2010/02/apt-hacks/

By Kim Zetter
Threat Level
Wired.com
February 3, 2010

Until now we've only known that the attackers got in through a vulnerability in Internet Explorer and that they obtained intellectual property and access to the Gmail accounts of two human rights activists whose work revolves around China. We also know a few details about how the hackers siphoned the stolen data, which went to IP addresses in Taiwan. About 34 mostly undisclosed companies were breached.

Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack.

What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines.

"The scope of this is much larger than anybody has ever conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now."

Mandiant released the report last week at a closed-door cybercrime conference, sponsored by the U.S. Defense Department, in an effort to make companies aware of the threat.

[...]

------------------------------------------------------------------------

Black Hat: Microsoft Enhances SDL Offerings
http://www.infosecnews.org/pipermail/isn/2010-February/018737.html
http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=222601024

By Thomas Claburn
InformationWeek
February 3, 2010

At the Black Hat security conference in Washington, D.C., on Tuesday, Microsoft introduced new software, a new membership program, and

[...]

------------------------------------------------------------------------

Hackers Try to Steal $150,000 from United Way
http://www.infosecnews.org/pipermail/isn/2010-February/018736.html
http://www.krebsonsecurity.com/2010/02/hackers-try-to-steal-150000-from-united-way/

By Brian Krebs
Krebs on Security
February 3rd, 2010

Hackers broke into computer systems at a Massachusetts chapter of the United Way last month and attempted to make off with more than $150,000

[...]

------------------------------------------------------------------------

Phishing Scam Cripples European Emissions Trading
http://www.infosecnews.org/pipermail/isn/2010-February/018735.html
http://www.spiegel.de/international/europe/0,1518,675725,00.html

Spiegel Online
02/03/2010

Sneaky cyber-thieves have made millions by fraudulently obtaining European greenhouse gas emissions allowances and reselling them. The scam has hampered trading of the credits, which are seen as an important tool in curbing climate change, in several European countries.

Most Internet users are familiar with the e-mail scam known in the jargon as "phishing." A plausible-looking e-mail arrives in your in-box, supposedly from your bank or a Web site like Ebay, informing you that your account has been "compromised" and that you urgently need to log in to the company's Web site to rectify matters. The catch is that the Web site the e-mail directs you to is a spoof created by the hackers, meaning that anyone who falls for the trick is unwittingly handing over their all-important user names and passwords to the criminals.

Savvy e-mail users know to delete such e-mails straight away. But canny thieves have now used the technique to make money in a very 21st century fashion -- by fraudulently gaining access to companies' greenhouse gas emissions allowances and selling them on.

According to a report in the Wednesday edition of the Financial Times Deutschland, hackers sent e-mails last Thursday to several companies in Europe, Japan and New Zealand which appeared to originate from the Potsdam-based German Emissions Trading Authority (DEHSt), part of the EU's Emission Trading System (EU ETS). Ironically, the e-mail said that the recipient needed to re-register on the agency's Web site to counter the threat of hacker attacks.

[...]

------------------------------------------------------------------------

PACAF stands up Information Protection Directorate
http://www.infosecnews.org/pipermail/isn/2010-February/018734.html
http://www.pacaf.af.mil/news/story.asp?id=123188985

Pacific Air Forces Public Affairs
2/3/2010

JOINT BASE PEARL HARBOR HICKAM, Hawaii -- As the cyberspace battlefield broadens, Pacific Air Forces leadership created the Directorate of Information Protection to effectively protect information across the enterprise.

The structure is mirrored at each wing across the area of responsibility.

The organization's goal is to provide an enterprise-wide approach to prevent compromises, loss, unauthorized access, disclosure, destruction, distortion or non-accessibility of information over the life cycle of information, and to ensure commanders have effective processes and the right people in place to provide a focused, seamless, functional and supportive environment for protecting information at all levels to conduct effective air, space and cyberspace operations.

Information protection refers to the collective policies, processes and use of risk management and mitigation actions instituted to prevent the compromise, loss or unauthorized access of information over its life cycle, regardless of physical form or characteristics.

Information protection encompasses multiple disciplines and programs, such as Information Security, Personnel Security, Industrial Security, Physical Security, Security Education Training, Classification/Declassification Management, Original Classification Authority training, Operations Security, Communications Security, Sensitive Compartmented Information, Special Programs, Technical Communication, Foreign Disclosure, Public Release, and Restricted Data. These processes are executed through collaboratively established Security Advisor Groups at each installation.

"We want to change the culture of our personnel and make information protection methodologies routine and transparent to our business processes to correctly protect vital information on behalf of our warfighter," said Johnny Bland, PACAF/IP director. "Our goal is not only to protect sensitive information, controlled unclassified information and classified information, but to ensure every PACAF personnel understand the importance of protecting information. Information protection affects every PACAF active-duty member, Reservist, Guardsman, civil servant and contract employee, regardless of rank or position. We all have information protection responsibilities."

Senior leaders all agree that when information protection staffs are fully mature, they will serve as a single entity to develop and execute policies and procedures to safeguard all levels and types of information using an enterprise-wide approach.

For more information, call DSN 449-2801/2802/2804.

------------------------------------------------------------------------

ITL BULLETIN FOR JANUARY 2010
http://www.infosecnews.org/pipermail/isn/2010-February/018733.html

Forwarded from: Lennon, Elizabeth B. <elizabeth.lennon (at) nist.gov>

ITL BULLETIN FOR JANUARY 2010

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory

[...]

------------------------------------------------------------------------

Swiss Banks Achilles Heel Is Workers Selling Data
http://www.infosecnews.org/pipermail/isn/2010-February/018732.html
http://www.bloomberg.com/apps/news?pid=20601109&sid=akmcfUr7TqHs&pos=11

By Warren Giles
Bloomberg.com
Feb. 2, 2010

(Bloomberg) -- Swiss banks are discovering that the biggest threat to client privacy is their own workers.

German Chancellor Angela Merkel said yesterday her government may buy

[...]

------------------------------------------------------------------------

Researchers Uncover Security Vulnerabilities in Femtocell Technology
http://www.infosecnews.org/pipermail/isn/2010-February/018731.html
http://www.eweek.com/c/a/Security/Researchers-Uncover-Security-Vulnerabilities-in-Femtocell-Technology-760682/

By Brian Prince
eWEEK.com
2010-02-01

Two Trustwave security consultants report they have uncovered hardware and software vulnerabilities in femtocell devices that can be used to

[...]

------------------------------------------------------------------------

Oracle Hacker Gets The Last Word
http://www.infosecnews.org/pipermail/isn/2010-February/018730.html
http://www.forbes.com/2010/02/02/hacker-litchfield-ellison-technology-security-oracle.html

By Andy Greenberg
Forbes.com
02.02.10

ARLINGTON, Va. -- In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was "unbreakable."

[...]

------------------------------------------------------------------------

At Black Hat, a search for the best response to China
http://www.infosecnews.org/pipermail/isn/2010-February/018729.html
http://www.computerworld.com/s/article/9151018/At_Black_Hat_a_search_for_the_best_response_to_China_?taxonomyId=17

By Patrick Thibodeau
Computerworld
February 2, 2010

ARLINGTON, Va. -- Google's revelation last month that attacks out of China resulted in the theft of some of its data drew attention to the broader question at the Black Hat conference here over what can be done to the villains.

Cyberattacks give rise to anger and a very human desire to strike back, but pursuing attackers in ways that matter isn't accomplishing much. The number of people who are arrested and convicted for any of the phishing attacks, intrusions and thefts is tiny.

Several countries, Russia and China in particular, don't want to cooperate on cybersecurity enforcement, said Andrew Fried, a security researcher at the Internet Systems Consortium, a nonprofit group, and a former special agent at the U.S. Treasury Department. "The reality is they don't want to do squat to help anybody," he said, on a panel at the cybersecurity conference today.

After an attack, such as the China-Google incident, there's always interest in establishing "attribution" - identifying the source of the attack. But Jeff Moss, the founder of Black Hat and director of the conference, questioned whether too much emphasis is placed on that effort. Moss also serves on the Department of Homeland Security's security advisory council.

"We should be spending more energy on dealing with the containment of an attack, reducing the effects of an attack," Moss said. "I don't think we will ever be able to stop the attack."

[...]

------------------------------------------------------------------------

Accusations Fly Over Voice Encryption Hack
http://www.infosecnews.org/pipermail/isn/2010-February/018728.html
http://www.csoonline.com/article/528418/Accusations_Fly_Over_Voice_Encryption_Hack

By John E. Dunn
CSO Online
February 02, 2010

German encryption firm SecurStar has strenuously denied being behind an apparently independent test of voice encryption products that found many

[...]

------------------------------------------------------------------------

Hacking for Fun and Profit in China's Underworld
http://www.infosecnews.org/pipermail/isn/2010-February/018727.html
http://www.nytimes.com/2010/02/02/business/global/02hacker.html

By David Barboza
The New York Times
February 1, 2010

CHANGSHA, China -- With a few quick keystrokes, a computer hacker who goes by the code name Majia calls up a screen displaying his latest victims.

[...]

------------------------------------------------------------------------

Cyber threat growing at unprecedented rate, intell chief says
http://www.infosecnews.org/pipermail/isn/2010-February/018726.html
http://fcw.com/articles/2010/02/02/web--dni-cyber-threat-annual-assessment.aspx

By Ben Bain
FCW.com
Feb 02, 2010

Malicious cyber activity is growing at an unprecedented rate, severely threatening the nation's public and private information infrastructure,

[...]

------------------------------------------------------------------------

Homeland Security Plans Cybersecurity, Data Center Investments
http://www.infosecnews.org/pipermail/isn/2010-February/018725.html
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222600862

By Elizabeth Montalbano
InformationWeek
February 2, 2010

The Department of Homeland Security is looking to invest nearly $900 million in fiscal 2011 on technology projects that include bolstering

[...]

------------------------------------------------------------------------

Most consumers reuse banking passwords on other sites
http://www.infosecnews.org/pipermail/isn/2010-February/018724.html
http://www.theregister.co.uk/2010/02/02/e_banking_password_fail_survey/

By John Leyden
The Register
2nd February 2010

The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.

[...]

------------------------------------------------------------------------

THOTCON 0x1 - Chicago's Hacking Conference - Speakers/Talks/Tickets
http://www.infosecnews.org/pipermail/isn/2010-February/018723.html

Forwarded from: c7five <c7five (at) thotcon.org>

Hello InfoSec News subscribers and friends!

There is a new hacking conference going on in Chicago this year. It is called THOTCON. The name is taken from THree-One-Two + CON. This is a non-profit, non-commercial event.

[...]