Browse Articles By Period: 2013 RSS

CompTIA Security+ 301 versus CompTIA Security+ 401

Sun, 29 Dec 2013 17:35:00 +0000

CompTIA Security+ 301 (SY0-301) versus CompTIA Security+ 401 (SY0-401) The new CompTIA Security+ exam (SY0-401) Will be released soon. Do not panic, you have plenty of time before it will be released, it is scheduled to be released in the Spring of 2014. The current version (SY0-301) of the exam will not disappear overnight. It will be available for 6 months after the new version will be released. . The new version is more an update than a complete rewrite. There has been some new content added by overall I would say that only about 20% of new material was added to the whole package. The first change you will notice is the percentage of coverage of each of the domains with in the new exam. Very little changes were done, three of the domains were reduced by one percent and one was increased by 2% and another one increased by one percent. Access Control and Identity Management was increased by 2%, and Cryptography was increased by 1%. See table below: DOMAIN NAME PERCENTAGE OLD PERCENTAGE 1.0 Network Security 20% 21%2.0 Compliance and Operational Security 18% 18%3.0 Threats and Vulnerabilities 20% 21%4.0 Application, Data, and Host Security 15% 16%5.0 Access Control and Identity Management 15% 13%6.0 Cryptography 12% 11% TOTAL: 100% TOTAL: 100% Throughout the new CBK we can see the usage of terms that are more accurate and also the usage of action terms as well. You will see that many of the objectives will st... Read more

The Holistic CISSP Overview and Preparation Tutorial

Tue, 24 Dec 2013 16:25:00 +0000

Updated on: 3/12/2014 The presentation was just updated with more details about the Drag and Drop and the Scenario based questions introduced within the exam as of January 2014. You can access our presentation at the following link:http://cccure.training//tutorials/CISSP/intro/presentation.html The link above will pick the best version to use on your device or you could ask for a specific format below: THE NEW HTML 5 VERSION This version will work for both the PC and the MAC devices using a recent browser.http://cccure.training/tutorials/CISSP/intro/presentation_html5.html FLASH http://cccure.training/tutorials/CISSP/intro/presentation.html FOR MAC USERS USING AN IPAD SEE THE THE LINK BELOW: http://cccure.training/tutorials/CISSP/intro/ioslaunch.html TECHNICAL REQUIREMENTS: Viewing Content Content Format Flash Flash Player 10 or later, and one of the following browsers: Windows: Internet Explorer 6 and later, Firefox 1.x and later, Safari 3 and later, Google Chrome, Opera 9.5 and later Mac: Safari 3 and later, Firefox 1.x and later, Google Chrome Linux: Firefox 1.x and later HTML5 Google Chrome 29 or later on Windows or Mac Safari 6.0.5 or later on Mac Mobile Safari in Apple iOS 6.0 or later on iPad Apple iOS Articulate Mobile Player v 2.12 or later in Apple iOS 6.0 or later on iPad ... Read more

Acoustic Attack: Simply Listen up to crack RSA keys

Fri, 20 Dec 2013 13:53:00 +0000

Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations. In a preliminary presentation (Eurocrypt’04 rump session), we have shown that diﬀerent RSA keys induce diﬀerent sound patterns, but it was not clear how to extract individual key bits. The main problem was that the acoustic side channel has a very low bandwidth (under 20kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers. In this paper (attached below) we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables. Cryptanalytic side-channel attacks target implementations of cryptographic algorithms which, whileperhaps secure at the mathematical level, inadvertently leak secret information through indirect channels: variations in power consumption, electromagnetic emanations, timing variations, contention for CPU resources such as caches, and so forth (see [And0... Read more

FREE Ebook from IS&BCA

Fri, 20 Dec 2013 13:20:00 +0000

THIS BOOK IS AVAILABLE IN ENGLISH AND SPANISH Dear Clement, Just wanted to remind you about my free book 9 Steps to Cybersecurity, available to you completely free of charge. Click here to download it today. This completely free eBook was specifically designed to take decision makers through all the key aspects of cybersecurity. You will learn how to plan cybersecurity implementation, as expert author Dejan Kosutic's book carefully details your most critical steps. Why 9 Steps to Cybersecurity is an Essential Read: Learn how to use risk management to make your cybersecurity a profitable investment Did you know that cybersecurity can give your company an invaluable marketing edge? Learn how to comply with various information security laws and regulations, including U.S. Executive Order Improving Critical Infrastructure Cybersecurity Discover the invaluable tips for persuading upper management to act immediately Uncover the key elements of the CIA triad (Confidentiality, Integrity and Availability) and why it is vital to your company Learn everything you need to know in order to develop a cybersecurity plan and monitor the implementation by setting measurable targets The time to understand and enhance your cybersecurity is now. With 9 Steps to Cybersecurity, you will have an easy to understand guide to answer all of your questions. This book will surprise many managers by exposing an array of popular beliefs about cybersecurity which are, in fact, dangerous and potentially costly myths. CEOs, CFOs, Chief Information Security Officers and other managers will find this detailed and informative examination of the current state of cybersecurity to be a must read book. Thinking about cybersecurity once it is too late is never the right path. Download your free copy of 9 Steps to Cybersecurity today. Click here to download this free eBook. THIS BOOK IS AVAILABLE IN ENGLISH AND SPANISH... Read more

Target Credit Card Compromise - 40 Millions cards exposed

Thu, 19 Dec 2013 13:08:00 +0000

As seen on 6abc.com: MINNEAPOLIS - December 19, 2013 (WPVI) -- Target confirms that about 40 million credit and debit card accounts may have been affected by a data security breach. The chain said Thursday that the accounts may have been impacted between Nov. 27 and Dec. 15. The Minneapolis company said it immediately told authorities and financial institutions once it became aware of the breach and that it is teaming with a third-party forensics firm to investigate the matter. Target Corp. said that customers who made purchases at its U.S. stores during the impacted period and suspect unauthorized activity should call them at 866-852-8680. The company issued a statement early Thursday. "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, chairman, president and chief executive officer, Target. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice." Target has 1,797 U.S. stores and 124 in Canada. Target is just the latest retailer to be hit with a data breach problem. TJX Cos., which runs stores such as T.J. Maxx and Marshall's, had a breach that began in July 2005 that exposed at least 45.7 million credit and debit cards to possible fraud. The breach wasn't detected until December 2006. In June 2009 TJX agreed to pay $9.75 million in a settlement with multiple states related to the massive data theft but stressed at the time that it firmly believed it did not violate any consumer protection or data security laws. See all the details at: http://abclocal.go.com/wpvi/story?section=news/national_world&id=9365536 FOLLOW UP TO THE STORY ON CSO ONLINE: http://www.csoonline.com/article/744905/inside-knowledge-likely-in-target-breach-experts-say By Antone Gonsalves csoonline.com December 19, 2013 The Target security breach that left millio... Read more

Sophos Security Threat Report 2014

Wed, 18 Dec 2013 19:50:00 +0000

Refecting on the security and threat landscape of 2013, one trend that stands out is the growing ability of malware authors to camoufage their attacks. Widespread dissemination of advanced botnet and exploit kit source code allows more malware authors to create innovative and diverse new attacks. Cybercriminals have started to leverage online marketing as a way to promote and sell their services on the black market. In 2012, the Blackhole exploit kit broke new ground. But in 2013, Blackhole was replaced by several new exploit kits that grew out of it, borrowing some of its code. The resulting botnets are responsible for a sharp increase in ransomware attacks, with Cryptolocker being the prime malice. Modern malware is all about stealth. Advanced persistent threats (APTs), one of the most vicious examples of a stealth threat, precisely target individuals, businesses, governments and their data. APTs are a sophisticated weapon to carry out targeted missions in cyber space. Data leaks—including espionage and exposure of corporate data—was a primary theme this past year APT attacks in 2013 were well-planned and well-funded; carried out by highly-motivated, technologically advanced, and skilled adversaries. Even after successfully accomplishing the mission, the APT continues to live on to gather additional information. Defending against the stealthy and persistent nature of APTs is a complex undertaking, and requires a coordinated approach on the systems as well as the network level. Security is no longer a “nice to have,” but a must-have. Businesses and governments rightfully concerned about privacy and protecting sensitive data now have to be more aware of troublesome security issues that could be found in critical infrastructure systems. Click HERE to read the full report on the Sophos website. ... Read more

Window of exposure… a real problem for SCADA systems?

Wed, 18 Dec 2013 14:41:00 +0000

NOTE FROM CLEMENT:This paper talks about the EU problems but the same problems exists on SCADA systems worldwide. See a description of the paper from the ENISA website: In the last decade SCADA technology has passed through a transformation, from isolated and proprietary systems into open architectures and standard technologies that are highly interconnected with other corporate networks and the Internet. A consequence of this transformation is the increased vulnerability to outside attacks. One way to enhance the security of SCADA is through the application of patches. Ideally an organization would deploy patches as soon as they come available, however this is often not possible because of the complexity of the process in which SCADA systems are incorporated and because the systems often need to be operable at any given moment. Furthermore patches need to be tested thoroughly before they can be applied to production environment, which can take days or even weeks, during which a system is vulnerable. Alternative controls should be used during the WINDOW OF EXPOSURE for preventing a vulnerability to be exploited. For instance, when a webserver vulnerability has been discovered the organization could, if possible, block unwanted traffic to the webserver or disable the webserver all together. Publication date: Dec 06, 2013 Authors: Adrian Pauna, ENISA Konstantinos Moulinos, ENISA Contributors: Hans Pille (DNV KEMA) Theo Borst (DNV KEMA) Benessa Defend (ENCS) Klaus Kursawe (ENCS) Rob van Bekkum (ENCS) Victor van der Stoep (ENCS) Sebastian Ranft (Siemens) Click HERE to visit the source website at ENISA... Read more

Business Continuity Approach for SMEs

Wed, 18 Dec 2013 14:21:00 +0000

Research concludes that SME leadership needs to engage, understand and implement formal business continuity processes, including technical and organizational measures. This deliverable has been developed outside the ENISA work program to satisfy the need of SMEs for a simplified approach. It provides a basis for planning to ensure an organization’s long-term survivability following a disruptive event caused by certain natural or man-made threats. Through the presented approach, SMEs will be able to define the appropriate activities towards the successful development, establishment and maintenance of a business continuity management framework within their business environment. The outcome will be a self-developed Business Continuity Plan (BCP) that could be used to ensure the continuity of SMEs core business functions. It should be noted that confidentiality and integrity security requirements are not in focus as the latter should be covered under a Risk Management / Risk Assessment process. This deliverable presents the approach, contains self assessment guidelines and an example. A completed Business Continuity Plan (BCP) is part of the given example. The deliverable consists of a main report with various annexes and an example Business Continuity Plan. Deliverables: Full report ENISA Business Continuity for SMEs Assessment Templates Example BCP Template Example Asset Identification Cards ... Read more

ENISA 2013 Threat Landscape

Wed, 18 Dec 2013 14:16:00 +0000

ENISA releases the 2013's ENISA Threat Landscape (ETL 2013). The ENISA Threat Landscape is a collection of top cyber-threats that have been assessed in the reporting period, ie. end 2012-end 2013. In addition to an overview of current cyber-threats, the ENISA Threat Landscape delivers predictions for threat trends regarding emerging technology areas. The objective of this work is to provide stakeholders with information about developments in the cyber-threat landscape and to identify threat trends for the near future, ie in the coming year. For the prediction of trends, important areas of IT innovation and development were taken as a basis. The assessed top threats from 2013 are mapped to these areas and thus an emerging threat landscape is created. ETL 2013 is based on a comprehensive information collection of publicly available open source material. Reports of various kinds (i.e. content, context, level of detail, subject areas, etc.) are collected over the entire reporting period. These reports are parsed to identify relevant content, such as threats, threat agents and trends. The collected information is collated and consolidated. In 2013, a large number of such reports have been collected (over 250). They span the period beginning end 2012 up to the publication date of this report, ca. end of November 2013. Reports appearing after this period will be considered in the next year’s ETL, to be delivered around the same period in 2014. The work on the ENISA Threat Landscape has been performed as part of the ENISA Work Programme 2013 under the Work Stream “Evolving risk environment & opportunities”. The complete report can be found here. ... Read more

The National Vulnerability Database (NVD)

Wed, 18 Dec 2013 13:44:00 +0000

The NVD is a product of the NIST Information Technology Laboratory’s (ITL) Computer Security Division (CSD) and is sponsored by the Department of Homeland Security's (DHS) U.S. Computer Emergency Readiness Team (US-CERT) to provide timely vulnerability management information. The NVD provides a searchable interface and data feeds to help inform the public about the nature and severity of the hundreds of new vulnerabilities and variants discovered every month. IT administrators can use the NVD to prioritize the vulnerabilities to address in order to protect important systems. The NVD data feed information is used by both public and private sector consumers. For example, US-CERT’s weekly bulletins are generated directly from the NVD data feeds; Payment Card Industry Security Standards Council Data Security Standards (PCI SSC DSS) compliant systems must remediate vulnerabilities above a particular threshold; and some vulnerability management product vendors use NVD information as a starting reference source for their scanners and feeds. You can search through the CVE and CCE Vulnerability Database at the following URL: http://web.nvd.nist.gov/view/vuln/search As of the publication of this article (Wed Dec 18 08:39:38 EST 2013) the NVD DB contains: CVE Vulnerabilities: 59549Checklists: 227US-CERT Alerts: 248US-CERT Vuln Notes: 2785OVAL Queries: 10286CPE Names: 82315... Read more

Cyber Security one of the top six priority for the Department of Justice

Wed, 18 Dec 2013 13:31:00 +0000

This year’s list identifies six challenges that we believe represent the most pressing concerns for the Department. They are: 1. Addressing the Growing Crisis in the Federal Prison System; 2. Safeguarding National Security Consistent with Civil Rights and Liberties; 3. Protecting Taxpayer Funds from Mismanagement and Misuse; 4. Enhancing Cybersecurity; 5. Ensuring Effective and Efficient Law Enforcement; and 6. Restoring Confidence in the Integrity, Fairness, and Accountability of the Department. While we do not prioritize the challenges we identify in our annual top management challenges report, we believe that one of the challenges highlighted this year, which we also identified in last year’s report, represents an increasingly critical threat to the Department’s ability to fulfill its mission. That challenge is Addressing the Growing Crisis in the Federal Prison System. See details at: http://www.justice.gov/oig/challenges/2013.htm See extract below: Enhancing Cybersecurity The United States continues to face serious, rapidly evolving national security threat posed by cyber attacks and cyber espionage against its computer systems and infrastructure. The Director of National Intelligence’s March 2013 Worldwide Threat Assessment of the U.S. Intelligence Community emphasized this threat and noted that digital technologies evolve faster than our ability to understand the security implications and mitigate potential risks. Moreover, the increased pace of attacks is staggering: a recent report by the GAO found that the number of cybersecurity incidents federal agencies reported as having placed sensitive information at risk increased 782 percent from 2006 to 2012, averaging more than 130 incidents per day during FY 2012. These cyber attacks are in addition to the threat posed by more traditional unauthorized disclosures by government employees and contractors, disclosures that are significantly aided by the electronic storage and transmission o... Read more

The UK National Cyber Security Strategy and Forward Plans

Mon, 16 Dec 2013 11:59:00 +0000

Two years have passed since the first UK National Cyber Security Strategy was published and much has been done by the UK Government towards delivering the four Strategy objectives for the "fifth domain" of warfare:- making the UK one of the most secure places in the world to do business in cyberspace;- making the UK more resilient to cyber attack and better able to protect our interests in cyberspace;- helping shape an open, vibrant and stable cyberspace that supports open societies; and- building the UK´s cyber security knowledge, skills and capability.Nevertheless improving the UK´s cyber security is and will remain a top priority for the UK Government, and the 2013 Spending Review directed a further £210 million to the UK National Cyber Security Programme in 2015-16, on top of the £650 million set aside over the previous four years.This document gives an outline of the UK cyber security forward plans, which will focus on the core goals of:- further deepening the UK national sovereign capability to detect and defeat high-end threats;- ensuring law enforcement has the skills and capabilities needed to tackle cyber crime and maintain the confidence needed to do business on the Internet;- ensuring critical UK systems and networks are robust and resilient;- improving cyber awareness and risk management amongst UK business; - ensuring members of the public know what they can do to protect themselves, and are demanding good cyber security in the products and services they consume;- bolstering cyber security research and education, so have the skilled people and know-how needed to keep pace with this fast-moving issue into the medium-term; and- working with international partners to bear down on havens for cybercrime and build capacity, and to help shape international dialogue to promote an open, secure and vibrant cyberspace.You can read this document here:https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/265386/The_National_Cyber_Security_Strate... Read more

Social Engineering - Men will be Men

Mon, 16 Dec 2013 11:54:00 +0000

Original article: http://www.dailytelegraph.com.au/news/g20-delegates-duped-by-nude-pictures-of-carla-bruni-allowing-hackers-to-access-their-computers/story-fni0cx4q-1226781859847 NUDE pictures of former French first lady Carla Bruni were used to break in to the computer systems of dozens of diplomats, it emerged today. The shocking security breach was first discovered at the G20 summit in Paris in February 2011 and may be ongoing. "To see naked pictures of Carla Bruni click here" said a message sent to those attending, who included finance ministers and central bank representatives. Ms Bruni, a former supermodel who became President Nicolas Sarkozy's third wife in 2008, was well known for taking her clothes off in her early career. This prompted many to open an attachment which turned out to be a 'Trojan Horse' with an embedded virus, although all recipients could see were the X-rated photographs. Once accessed, it infected the computers of senior officials as well as forwarding the offensive email on to others. "Almost everybody who received the email took the bait," said a government source in Paris, saying that this included representatives from the Czech Republic, Portugal, Bulgaria, Hungary and Latvia. Mr Sarkozy was first embarrassed by nude pictures of Ms Bruni surfacing shortly after their marriage, while they were staying with the Queen at Windsor Castle during a state visit to Britain. Ms Bruni, who still uses her maiden name in her career as a pop singer, later changed her image from a Paris sex kitten into a demure politician's wife. The so-called phishing attacks are thought to have originated in China and were aimed at extracting information. The attacks are still being investigated, and nobody is yet sure what information was extracted. America is thought to have been the main target of the scam. The cyber attack on the Paris G20 summit took place before the 6th G20 summit in Cannes, in the south of France, which involved heads of gove... Read more

you Sh0t the Sheriff information security conference Brazil

Mon, 16 Dec 2013 11:44:00 +0000

Forwarded from: Luiz Eduardo Sao Paulo, Brazil April 14th, 2014 Call for Papers Opens: December 13th, 2013 Call for Papers Close: February 1st, 2014 http://www.ysts.org @ystscon INTRODUCTION After 7 very successful editions here we are again, off to the 8th edition of the you Sh0t the Sheriff information security conference and we are sending this out so you send us the coolest stuff you've been working on. The conference will happening on April, 14th, 2014 in a secret location within the city of Sao Paulo, Brazil. This is your chance to speak about the latest research you have been working on to the most influential crowd in the Brazilian Information Security realm. ABOUT THE CONFERENCE you Sh0t the Sheriff is a very unique, one-day, event dedicated to bringing cutting edge talks to the top-notch professionals of the Braziliian Information Security Community. The conference’s main goal is to bring the attendees to the current state of the information security world by bringing the most relevant topics from different Infosec segments of the market and providing an environment ideal for networking and sharing ideas. YSTS is a an exclusive, mostly invite-only security con. Getting a talk accepted, will, not only get you to the event, but after you successfully present your talk, you will receive a challenge-coin that guarantees your entry to YSTS for as long as the conference exists. Due to the great success of the previous years' editions, yes, we're keeping the same format: * YSTS 8 will be held at an almost secret location only announced to whom it may concern a couple of weeks before the con * the venue will be, most likely, a very cool club or a bar (seriously, look at the pictures) * appropriate environment to network with great security folks from Brazil and abroad * since it’s a 1 day con with tons of talks and activities, we fill everyone with coffee, food and booze CONFERENCE FORMAT Anything Inform... Read more

800,000 in danger of ID theft after laptop theft

Mon, 16 Dec 2013 11:28:00 +0000

As seen on 6abc.com: NEWARK, N.J. - December 12, 2013 (WPVI) -- More than a half million Horizon Blue Cross Blue Shield members are in danger of identity theft after two laptops were stolen from the company's office in Newark, New Jersey. The laptops were stolen during the first weekend of November. They contained information about members including their name, address, date of birth and in some instances their social security number. Horizon Blue Cross Blue Shield of New Jersey Director of Public Affairs Tom Rubino says, "After discovering the theft, we acted quickly to engage law enforcement and notify and protect all members who may have been affected ... Nothing leads us to believe that the computers were stolen for the information they contained or that any member information has been used inappropriately." The company says approximately 839,711 members are being notified. Members whose Social Security numbers may be affected will be offered free credit monitoring and identity theft protection. For more information, please visit: www.horizonblue.com See original article at: http://abclocal.go.com/wpvi/story?section=news/local&id=9357997