Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC Information Security News



Popular News

10 hours ago Google patches 29 vulnerabilities in latest Chrome release

ZDNet
Cross-origin bypass flaws alongside disabling Flash-based ads dominate this round of updates.

10 hours ago Seagate Patches Vulnerabilities in Wireless Hard Drives

SecurityWeek

Seagate has released firmware updates to address several vulnerabilities affecting the company's wireless storage devices.

4 hours ago BIND Updates Patch Two Critical Vulnerabilities

SecurityWeek

The Internet Systems Consortium (ISC) announced on Wednesday the availability of BIND 9.10.2-P4 and BIND 9.9.7-P3. The latest versions of the popular DNS software patch a couple of critical denial-of-service (DoS) vulnerabilities.

4 hours ago How A 1200-Year-Old Hacking Technique Can Already Crack Tomorrow's Encrypted Vaults

Forbes
In the ninth century, 'The Philosopher of the Arabs' Al-Kindi came up with what was believed to be the first crypto cracking technique ever documented. It still works today on systems assumed to be a holy grail of security, according to a Microsoft researcher.

Top News

1 day ago Why Excel often still wins as the King of reporting tools

IT Toolbox Blogs
Working with data sets for analysis is not necessarily an easy task. Part of the challenge is knowing where to go for the data and the second aspect is having a perfect or clear idea of what it is that you hope to gain from analyzing your data.

7 hours ago IoT baby monitors STILL revealing live streams of sleeping kids

The Register
The hacker that rocks the cradle

Internet-connected baby monitors are riddled with security flaws that could broadcast live footage of your sleeping children to the world and his dog, according to new research.

5 hours ago "The Declining Half-Life of Secrets"

Schneier blog

Several times I've mentioned Peter Swire's concept of "the declining half-life of secrets." He's finally written it up:

The nature of secrets is changing. Secrets that would once have survived the 25 or 50 year test of time are more and more prone to leaks. The declining half-life of secrets has implications for the intelligence community and other secretive agencies, as they must now wrestle with new challenges posed by the transformative power of information technology innovation as well as the changing methods and targets of intelligence collection.

17 hours ago The creator of PGP doesn't use PGP, spurring discussion

SC Magazine
The creator of PGP, Phil Zimmerman, said he doesn't use PGP because it isn't compatible with his MacBook, and the security community began talking about what this means for broader encryption efforts.

6 hours ago Sony Agrees Cyber-Attack Lawsuit Settlement

InfoRiskToday
Studio Reaches Deal with Former Employees Over "The Interview" Breach

Sony Pictures Entertainment has reached a tentative deal to settle a class-action lawsuit filed against it, stemming from its 2014 data breach, which resulted in the leak of personal information for up to 50,000 employees.

3 hours ago "Breaking CSRF: Spring Security and Thymeleaf"

Appsec Streetfighter Blog
As someone who spends half of their year teaching web application security, I tend to give a lot of presentations that include live demonstrations, mitigation techniques, and exploits. When preparing for a quality assurance presentation earlier this year, I decided to show the group a demonstration of Cross-Site Request Forgery (CSRF) and how to fix the vulnerability.

A CSRF Refresher

If you're not familiar with Cross-Site Request Forgery (CSRF), check out the article Steve Kosten wrote earlier this year about the attack, how it works, and how to defend your applications using synchronization tokens: https://software-security.sans.org/blog/2015/01/23/demystifying-cross-site-request-forgery

The Demo

My favorite way to demonstrate the power of CSRF is by exploiting a vulnerable change ...

3 hours ago Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions

ArsTechnica
Concerns about violating international arms treaty behind pull-out.

2 hours ago Nexus 5 2015: Major leak reveals pricing, confirms release date

Yahoo Security
2015's Nexus 5 is the phone Android diehards have been looking forward to the most and a new leak confirms that the new device won't burn a hole through their wallets. One of Android Authority's sources has confirmed that Google plans to unveil the new Nexus, which will be "probably" called the Nexus 5X, on September 29th. Even better, the source says the new device will be priced starting at $400, which means it will be quite affordable for a flagship device. Google will start selling both the Nexus 5X and the new Huawei-made Nexus phablet on the Google Play Store on the same day as their announcement as well, Android Authority says. The

1 day ago Sun Tzu-as-a-Service: How to protect the hybrid cloud

TechRepublic
The hybrid cloud brings unique security challenges to the enterprise. Ancient military strategist Sun Tzu has wisdom that can help businesses learn how to protect themselves.

1 day ago 'Gone Girl' Suspect Confesses to Reporter - As FBI Listens In

WIRED

A word of advice to jail inmates who give press interviews: "Off the record" doesn't mean squat to the FBI agents listening in.


1 day ago Secretary of Defense Says US Could Fall Behind Adversaries in Cybersecurity (August 27, 2015)

SANS Newsbites

In the wake of revelations that attackers believed to be working on behalf of Russia or China infiltrated a server used by the Pentagon's Joint Chiefs, US military leaders expressed concern that the country could "fall behind" its adversaries in the cybersecurity arena...

Latest News

6 hours ago Malvertising attack menaces Match.com users with tainted love

The Register
Infected ads threaten lonely hearts' romantic pursuits

Security researchers have uncovered a malvertising attack run over ad networks and aimed at users of dating site Match.com.

7 hours ago HMRC breaches job applicants' privacy in mass email spaff

The Register
Want to know if your nemesis is applying for the same job? You're in luck

HMRC is spewing job applicants' email addresses to potential rivals in mass circular responses it has blamed on "a technical glitch".

7 minutes ago Indiana State Police cite agricultural terrorism to deny stingray data request

SC Magazine
Indiana State Police cited a state law defining agricultural terrorism to deny a request for information about cellular surveillance equipment.

10 minutes ago 5 Ways ERP Can Reduce Errors in Your Small Business

IT Toolbox Blogs

For many small business owners, enterprise resource planning (ERP) looks more like catch-as-catch-can. Plotting out your resources and processes seems too time-consuming and expensive. But for businesses that rely on very task-specific processes, such as production lines, shipping and receiving, ERP can be a godsend. Here are five ways ERP software can significantly reduce errors,

10 minutes ago The Benefits of the Cloud in Unified Communications

IT Toolbox Blogs

By merging various forms of communication into a seamless whole, unified communications (UC) improves collaboration by making communication even easier. Your organization can use a single software package that

10 minutes ago How to Improve the Data Quality of CRM Records

IT Toolbox Blogs

Your customer relationship management (CRM) software holds substantial amounts of data collected from various sources, but is it really as trusted as you hope? Michele Goetz of Forrester says, "Seems that the expectations that CRM systems could provide a single trusted view of the customer was starting to hit a reality check." Too many companies are simply collecting as much data

11 minutes ago U.S. sanctions against Chinese firms could be next week: FT

Yahoo Security

The FT cited three U.S. officials as saying the sanctions probably would come next week in advance of Chinese President Xi Jinping's visit later in the month. Suspicions that Chinese hackers were behind a series of data breaches in the United States have been an irritant in relations between the United States and China. The United States is also considering sanctions against Russian individuals and companies for cyber attacks, U.S. officials have told Reuters.

37 minutes ago ReverbNation notifies users of breach, recommends changing passwords

SC Magazine
ReverbNation is notifying users of a breach that occurred in 2014, and is asking them to change their passwords.

37 minutes ago Carbanak banking malware returns with new variant

SC Magazine
The Carbanak malware and Advanced Persistent Threat (APT) campaign, which facilitated the heist of $1 billion from banks around the world earlier this year, is back with its first new variant.

41 minutes ago U.S. sanctions against Chinese companies could come next week: Financial Times

Yahoo Security

(Reuters) - The United States is preparing to sanction Chinese companies connected to the cyber theft of U.S. intellectual property as early as next week, the Financial Times reported on Thursday.

1 hour ago New Version of Carbanak Malware Spotted in Attacks

SecurityWeek

A new version of the notorious Carbanak Trojan, also known as Anunak, has been spotted in the wild by researchers at Denmark-based CSIS Security Group.

1 hour ago Tripwire Unveils Asset Discovery Appliances

SecurityWeek

Security solutions provider Tripwire on Wednesday announced the availability of Tripwire Asset Discovery Appliances, a high-performance device and application discovery solution designed to be easy-to-deploy on all types of networks.

1 hour ago Samsung, others seek piece of nascent smartwatch market

Yahoo Security

Samsung and other tech companies showcased new computerized wristwatches this week - all aimed at challenging Apple, a relative newcomer to selling smartwatches. Apple Watch was the leading smartwatch ...

1 hour ago Uber 'shared trip' data leaked into Google search results

ZDNet
More than three dozen Uber trips were cached by the search engine. These "shared trip" pages often include exact address data, such as a home or work address.

2 hours ago How Hackers Are Bypassing Intrusion Detection

InfoRiskToday
More hackers are exploiting remote-access and network vulnerabilities, rather than installing malware to invade networks and exfiltrate data, says Dell SecureWorks' researcher Phil Burdette. That's why conventional breach-detection tools aren't catching the intrusions.

3 hours ago Ashley Madison hack miscreants may have earned $6,400 from leak

The Register
Blackmail campaign unmasked through Bitcoin blockchain

Some blackmail attempts against victims of the ongoing Ashley Madison saga resulted in several - albeit modest - pay outs, according to new research.

3 hours ago After Hacks, ONC Emphasizing ID and Access Management

InfoRiskToday
In the wake of hacker attacks, which have left healthcare providers uncertain about what security steps to take, the Office of the National Coordinator for Health IT is working to help organizations sort out role-based identity and access management issues, says ONC's privacy officer, Lucia Savage.

3 hours ago Netflix Releases XSS Flaw Discovery Framework

SecurityWeek

Netflix this week released an in-house developed tool for discovering cross-site scripting (XSS) vulnerabilities in applications and for scanning secondary software programs for potential XSS flaws.

3 hours ago Many new top-level domains have become Internet's "bad neighborhoods"

ArsTechnica
Review of Web traffic inspection reveals the TLDs with the "shadiest" websites.

4 hours ago How Microsoft's data case could unravel the US tech industry

ZDNet
The case, if lost, could see a mass exodus of international customers from the US cloud.

5 hours ago FDA Official: More Medical Device Vulnerability Discoveries Are Likely

InfoRiskToday
FDA official Suzanne Schwartz, M.D., expects more medical device security vulnerabilities to come to light in the year ahead. The FDA soon will issue new guidance addressing the cybersecurity of medical devices already in use.

6 hours ago Latest security flaw to destroy all business? 'Sanity check' your cybercrime statistics

ZDNet
The difficulty telling fact from fiction in cybercrime news has been getting worse over the past few years. For decision makers, this means a "sanity check" on reported stats should be in your everyday toolkit.