STE WILLIAMS

Earn money for your exploits, this time on mobile pwns, sorry, phones

Imagine that you have a jailbreak for iOS 7 up your sleeve.

All you have to do is wait a while, until iOS 7 ships, and announce your jailbreak then.

You’ll soon be enjoying the adulation of the whole jailbreaking scene, a writeup on Naked Security, and the prospect of a job/lawsuit (or both!) with/against Apple.

Or you could try for $50,000 from HP instead.

That’s just part of the prize money that’s up for grabs at the second Pwn2Own competition of the year, Mobile Pwn2Own, announced last week by HP’s Zero Day Initiative.

We covered what you might call the regular-sized Pwn2Own earlier this year, from the announcement of its $500,000 in prize money to the day by day results.

The outcome was a series of victories for the hackers, with HP ultimately paying out $480,000.

(The official rules limited the payout for a particular target to the first to pwn it, but HP ended up agreeing to pay all four of the entrants who “popped” Java, at $20k, ahem, a pop.)

The mobile competition

The Mobile Pwn2Own won’t be pitting vendor against vendor, so it isn’t a question of Android versus Windows Phone, or Safari versus Chrome, or Blackberry versus Nokia, aka Microsoft.

Instead, the prize money is divided up by attack vector, based on how you break in:

Via physical proximity (prize: $50k)

You can use a wireless or a wired attack, using one (or, presumably, more) of Bluetooth, Wi-Fi, USB or NFC.

A successful attack “must require little or no user interaction,” so a dialog such as the one iOS 7 will soon be popping up to inhibit rogue USB connections would be a satisfactory mitigation.

Earlier in the year, of course, researchers showed at BlackHat how a booby-trapped iPhone charger could silently hijack your USB connection given the absence of such a pop-up warning.

Mobile web browser (prize: $40k)

Some user interaction will no doubt be allowed here – someone has to decide to browse somewhere to get started, after all – but you won’t be allowed to assume the user will agree to or click on anything else.

There is no requirement in the rules for persistence, where the exploit remains active after the browser exits.

In any attack category, all you need to do is one of the following: exfiltrate (i.e. steal and send to the outside world) information you aren’t supposed to get; silently make a long distance phone call; or eavesdrop on a conversation.

→ The rules don’t say if “eavesdropping on a conversation” applies to cellular calls only, or even only to voice. If you are planning on eavesdropping to win a prize, you probably want to check in advance whether logging an instant messaging chat would count, or whether HP wants to see you listening in to phone calls made over the cellular voice network.

Mobile Application/Operating System (prize: $40k)

Since each device will be in its default setup and configuration, with all available patches applied, you won’t be able to rely on third party apps that might or might not have been installed by the user, no matter how prevalent they might be.

Messaging Services (prize: $70k)

You can attack by means of any of these: Short Message Service (SMS), Multimedia Messaging Service (MMS), or Commercial Mobile Alert System (CMAS).

The rules don’t say, but with “limited user interaction” permitted, it’s probably reasonable to assume that an attack can rely on users actually reading a booby-trapped message, but not on them following any instructions given in it.

Baseband (prize: $100k)

Loosely put, the baseband is the part of a device that makes it a phone, or at least capable of connecting to a cellular network, so this vector of attack doesn’t apply to Wi-Fi only devices.

The value of this prize presumably reflects the comparative difficulty of coming up with a method to break in via the mobile network itself, rather than via USB cable or over the internet.

Choose your weapon

Once you’ve picked your attack vector, you can choose to mount the attack using any one of an eclectic list of devices:

  • Nokia Lumia 1020 running Windows Phone
  • Microsoft Surface RT running Windows RT
  • Samsung Galaxy S4 running Android
  • Apple iPhone 5 running iOS
  • Apple iPad Mini running iOS
  • Google Nexus 4 running Android
  • Google Nexus 7 running Android
  • Google Nexus 10 running Android
  • BlackBerry Z10 running BlackBerry 10

Entrants in each category go in to bat in randomly chosen order, designate the device on which they wish to mount their attack, and then have 30 minutes to pwn the chosen device via their chosen method.

The first to succeed in each category wins that category’s prize – and since there are five categories but nine devices, at least four devices will remain unowned.

What we may never know, if there’s a device (or an operating system) that no-one chooses for any attack, is whether it was avoided due to a lack of interest, or due to its recognised strength.

Pwn2Own, like many security tests, is good at telling you if a product has a security weakness, but doesn’t say much about each product’s strengths.

Oh, by the way, to enter, you need to be registered as a delegate at PacSec 2013 Conference in Tokyo, Japan, which takes place from 11-13 November 2013.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ybiSa5yLDGg/

London Underground cleaners to refuse fingerprint clock-on

Free ESG report : Seamless data management with Avere FXT

Cleaners working on the London Underground will resort to industrial action this week in protest against the introduction of a controversial biometric clocking-in system.

Starting at just after midnight on Thursday morning, “up to 300 cleaners” will join in the action by refusing to scan their fingerprints every time they clock on for work, said the union. Their decision will set the workers on a collision course with ISS, the Danish firm which employs them.


According to the RMT union, 98 per cent of the 103 staffers who responded to the ballot voted in favour of the plans, which stopped short of calling for a full-on strike.

Bob Crow, RMT general secretary, said: “Our tube cleaning members have been urged to stand firm and follow the call by the union to take industrial action short of a strike by refusing to use any biometric/fingerprint technology to book on for duty. We believe this technology infringes on staff civil liberties and the overwhelming vote in favour of action shows our members’ strength of feeling on this issue.

“Strong union organisation in the workplace is the key to preventing this unacceptable method of booking on and RMT will continue to build our ‘Thumbs Down to Fingerprinting’ campaign.”

The union is vague on exactly why biometric fingerprinting is a bad idea. When The Register contacted the RMT, a spokesperson told us staff felt “brutalised” by the system, which made them feel like “slabs of meat”.

The union said it represented between 200 and 300 cleaners, and said that ISS had “bulldozed” the biometric system into use, against the wishes of its staff.

RMT also suggested the fingerprint-based sign-in system infringed the cleaners’ “dignity”. The previous clocking-on method involved an automated phone line and a sheet of paper.

El Reg also contacted ISS but they have not yet responded.

The job of cleaning the Tube is regarded as one of the worst and most poorly paid in the capital. In 2010, London Underground cleaners were guaranteed receipt of the London Living Wage, which is currently £8.55 an hour. The union describes the cleaners’ work contracts as “insecure”.

Before the word “fluffer” was co-opted by the pornographic film industry, it was the name given to hordes of poorly paid, often female workers tasked with cleaning human hair, caked grease, black brake dust and other filth from inside tube tunnels.

Fluffers still work the tracks late at night, when the trains have finished running, although their job has been made easier with the introduction of specialised tunnel-cleaning trains, akin to a series of vacuum cleaners mounted on a tube carriage. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/16/tube_workers_to_launch_protest_against_biometric_clockin_system/

Want to sit in Picard’s chair while spying on THE WORLD? We can make it so – ex-NSA man


National Security Agency director Keith Alexander apparently sold the concept of surveillance to members of Congress using an operations centre styled on the bridge of the starship Enterprise from much-loved sci-fi series Star Trek.

According to “a former administration official” who spoke to Foreign Policy magazine, General Alexander set up the centre in Fort Belvoir, Virginia, at the time he was running the Army’s Intelligence and Security Command. The official told FP that the set had been put together professionally by a Hollywood set designer to resemble the bridge of the USS Enterprise, complete with a massive projection screen on the forward wall, computer stations and doors that slide open and closed while making a “whoosh” sound – just like the doors in the TV series.


The facility was known as the Information Dominance Center, he told the magazine.

Politicians and other VIPs apparently got to sit in the captain’s chair at the centre of the room while Alexander demonstrated big data analytics tools on the big screen. “Everybody wanted to sit in the chair at least once to pretend he was Jean-Luc Picard,” a retired officer in charge of VIP visits explained to US news outlet PBS.

The PBS story was based on the FP feature (sign-in required) outlining Alexander’s rise to the top of the NSA, including how he got his hands on the raw caches of data collected by the spy agency.

The Guardian adds that the website of DBI Architects features purported photographs of the actual Star Trek bridge-like briefing room commissioned by Gen “Collect it All” Alexander.

The original file with the pictures is here (PDF) but was inaccessible at the time of writing due to the volume of requests – presumably from overexcited Trekkies as well as senior NSA staffers keen to try out their best Patrick Stewart impressions. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/16/alexander_star_trek_bridge/

Do you trust your waiter? Hacked bank-card reader TEXTS your info to crims


Video: A Russian-speaking man casually shows on camera how he can download a punter’s bank-card details and PIN from a hacked card reader.

In a video demonstrating a tampered sales terminal, a card is swiped through the handheld device and a PIN entered – just as any customer would in a restaurant or shop. Later, after a series of key-presses, the data is transferred to a laptop via a serial cable.

Account numbers and other sensitive information appear on the computer screen, ready to be exploited. And the data can be texted to a phone, if a SIM card is fitted to the handheld.

We’re told the footage, apparently shown on an underworld bazaar, is used to flog the compromised but otherwise working kit for $3,000 apiece – or a mere $2,000 if you’re willing to share 20 per cent of the ill-gotten gains with the sellers under a form of hire-purchase agreement.

Crucially, the gang selling this device offers a money-laundering service to drain victims’ bank accounts for newbie fraudsters: a network of corrupt merchants are given the harvested card data and extract the money typically by buying fake goods and then cashing out refunds. The loot eventually works its way back to the owner of the hacked card reader.

A copy of the web video was passed to The Reg, and is embedded below. We have rotated part of the footage so it’s easier to read the on-screen text.

Electronic security consultancy Group-IB said the modified Verifone VX670 point-of-sale terminal, shown above, retains in memory data hoovered from tracks 1 and 2 of the magnetic stripe on the back of swiped bank cards, as well as the PIN entered on the keypad – enough information for fraudsters to exploit.

The setup suggests the sellers are based in Russia. In the video, a credit card from Sberbank, the country’s largest bank and the third largest in Europe, is used to demonstrate the hacked terminal’s capabilities.

If a SIM card for a GSM mobile phone network is fitted to the doctored device, the information can be sent by SMS rather than transferred over a serial cable, explained Andrey Komarov, head of international projects at Group-IB.

He told us crooks tampering with point-of-sale (POS) terminals and selling them isn’t new – but the bundling of money-stealing support services, allowing fraud to be carried out more easily, is a new development in the digital underground.

“We have detected a new group that sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own ‘grey’ merchants: it seems they buy fake stuff, and then cash-out money,” Komarov said.

“It takes less than three hours. According to our information, this kind of service is really new, and it is also being used by different cyber-criminals against the Russian bank Sberbank.”

Komarov told El Reg that the emergence of hacked card readers is due to banks improving their security against criminals’ card-skimming hardware hidden in cash machines and similar scams. Planting data-swiping malware in POS handhelds out in the field is possible, but it is fairly tricky to find vulnerable terminals and infiltrate them reliably without being caught.

It’s a touch easier to buy a tampered device and get it installed in a shop or restaurant with the help of staff or bosses on the take. This creates a huge potential market for fraudsters, according to Komarov.

Scam warnings

Banking giant Visa has issued several alerts about this kind of fraud along with occasional warnings about device vulnerabilities – such as this warning from 2009 [PDF]. And social-engineering tricks [PDF] in which fraudsters pose as Visa employees carrying out adjustments to terminals – while actually compromising them – have been going on for years.

One alert [PDF] from Visa, dating from 2010, explains how thieves worked in the past and the steps merchants can take to defend against the fraud: anti-tampering advice from this year can be found here [PDF], an extract of which is below:

Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.

The impact of this type of crime can be significant to all key parties involved in card acceptance. An attack can not only undermine the integrity of the payment system, but diminish consumer trust in a merchant’s business. In response to this emerging threat, acquirers, merchants and their processors need to proactively secure their POS terminals and make them less vulnerable to tampering.

A more recent advisory on combating this type of fraud, issued earlier this year by Visa, can be found here [PDF].

Avivah Litan, a Gartner Research vice-president and an expert in banking security and related topics, said that tampering with card readers has been going on for years. She agreed with Group-IB’s observation that since banks are investing more in securing cashpoints, penetrating point-of-sale terminals can be an easier way to make money for criminals.

“The bad guys will go after anything they can, but it can be easier to find dishonest merchants to cooperate in running tampered terminals [to harvest bank details] than going after ATMs,” Litan told El Reg, adding that this kind of fraud was rife in South America, particularly in countries such as Brazil.

But Group-IB’s Komarov believes the Russian-speaking fraudsters behind the black-market sale of hacked sales terminals are targeting the international market as well as crims in the motherland. “The example they showed for Sberbank was just because they also use it against Russian-speaking countries, as they have Russian-speaking roots,” he explained.

We passed on Group-IB’s research to Verifone at the start of this month, along with a request for comment on what could be done to frustrate the trade of tampered card readers through underground markets and similar scams. We have yet to hear back from the device manufacturer. We’ll update this story if we hear more. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/16/tampered_pos_market_surfaces/

Ten Things To Consider When Developing An Enterprise BYOD Security Policy

[The following is excerpted from “Ten Things to Consider When Developing BYOD Policy,” a new report posted this week on Dark Reading’s Mobile Security Tech Center.]

BYOD, or bring-your-own-device, is a trend that is not going away. In InformationWeek’s 2013 State of Mobile Security report, based on a survey of 424 business technology professionals, 68% of respondents said their mobility policy allows employees to use personal mobile devices for work, with 20% saying they are developing such a policy.

In fact, BYOD can hardly be called a trend anymore: The model is here to stay in the enterprise, and it’s expanding to include all manner of employee-owned technology (including bring your own apps, bring your own private clouds and bring your own WLANs). Organizations, therefore, must do more than just bless the concept; they must proactively set out guidelines that tell users what they can and cannot do, and that describe the role IT will and will not play in the management, support and security of employee-owned devices.

“In today’s always-connected society, organizations can no longer let mobile device adoption in the workplace simply run its course,” says Steve Durbin, global VP of the nonprofit Information Security Forum.

“By putting the right usage policies in place, businesses can benefit from the returns that mobile devices can bring to the workplace while limiting exposure to potential security risks,” Durbin says. “If executed poorly, a personal device strategy in the workplace could face unintentional leaks due to a loss of boundaries between work and personal data and more business information being held in an unprotected manner on consumer devices.”

One of the biggest challenges with BYOD is the ambiguity that often surrounds the concept, especially when it comes to security. For example, when the employee owns the device, who owns the data on the device when it’s being used to access corporate networks and data? To what extent can IT dictate the level of security an employee-owned device must have?

These are just a few of the questions organizations are dealing with, which is all the more reason for companies to develop a firm policy, says Forrester analyst Christian Kane, whose research is focused on desktop and mobile strategies, including BYOD.

“The biggest reason [to develop BYOD policy] is that there is so much gray area in this topic,” says Kane. “Many companies have built their mobile strategies around the fact that they owned the devices and could dictate what happens on them. So a big part of having a BYOD policy in place really has to do with things that are ambiguous: What can I do and what can’t I do? What’s the right kind of usage, and how does the company feel about that?”

Research from the SANS Institute indicates a bit of a Catch-22 when it comes to BYOD policy: The complexities of BYOD increase the need for policy, but BYOD complexity makes it challenging to develop policy.

“With such complex issues to address, it’s no wonder that 50% of survey respondents either don’t have policies to support BYOD devices or they depend on the user to comply with corporate policy for securing these personally owned devices,” the March 2012 SANS report “SANS Mobility/BYOD Security Survey” states. “Only 41% feel strongly that they have policies to support BYOD, of which 17% are standalone policies and 24% are integrated as an aspect to their overall security policies.”

To find out more about what enterprises are doing to facilitate BYOD — and for the full list of 10 points to consider when writing your own policy — download the free report.


Article source: http://www.darkreading.com/management/ten-things-to-consider-when-developing-a/240161317

How To Cushion The Impact Of A Data Breach


For five years now, a Ponemon Institute annual report has tried to put a number on the cost of data breaches. It creates benchmarks for direct costs such as regulatory fines and the cost of notifying customers, alongside estimates of indirect costs such as customer churn and lost business. In 2013, Ponemon pegged the cost of a data breach at $136 per lost record on average across the globe. Ponemon estimated the cost in the U.S. at $188 per record, and $277 per record when the breach came at the hands of malicious and criminal attacks such as outside hacking or insider theft.

Benchmarks have their role, but everyone knows that some types of breaches are far more expensive to companies, such as those that expose intellectual property (IP) such as secret recipes or technological specifications, or that reveal acquisition information prior to a big deal. Manufacturing supply chains could be tampered with in sabotage attempts. Or customer records could be stolen, sometimes from a third-party contractor rather than the organization entrusted with the information.

Factors such as lost IP don’t make it into many breach cost estimates because the impact is so hard to measure, and because breaches are often outside regulatory scrutiny and therefore aren’t publicly reported. But by understanding hidden or underreported costs, and threats specific to their industries, companies can better plan breach response and recovery, set budgets that fit the risks and reduce the cost of future problems.

The Hidden Impact Of Breaches

IT must contend with its costs of forensics and interruptions that go along with piecing together what was stolen and how. But “hands down, the biggest cost is loss of productivity,” says Vinnie Liu, managing partner for security consulting firm Bishop Fox, “not just with the IT team but all the people who are affected by the systems impacted, especially critical systems. It has a domino effect, and it is a huge multiplier effect that happens after a breach.”

And as Ponemon and others calculate, there are substantial known costs of notifying affected customers and business partners, paying for credit monitoring and identity restoration for victims, and staffing call centers for added customer service calls that all play into the total cost of a breach.

Then there are potential costs for regulatory investigations, litigation, the loss of goodwill and the loss of customers, all of which contribute to the squishy “brand damage” that is impractical to truly measure.

The most commonly neglected cost involves the phenomenon of “organizational thrash,” contends Peter Tran, senior director of the Advanced Cyber Defense practice at RSA, the security division of EMC. This is the fatigue factor that hits IT and sometimes other departments after slogging through crisis mode for months after a breach discovery, examining log data, ferreting out the adversary, changing infrastructure, and working with lawyers and communications specialists. Security becomes less effective because IT teams are “burned out, and they’re actually less on the ball than before,” Tran says.

It’s not just the loss of IP such as technical specs that can cost a company dearly. A company is put at a disadvantage if it loses data on how much it is willing to bid on a contract, where it plans to set up new operations or which overseas businesses it plans to negotiate deals with.

Companies also frequently pull back on innovative projects following a breach, particularly in the tech sector, as they try to identify what IP is lost, and how it was taken, before investing more into that work. Putting hard costs on that lost innovation is hard, Tran says, because it’s so intertwined with economic and market factors.

Take Early Action

The damage from security breaches tends to increase the longer an attack goes undetected. If the goal is to steal customer data or intellectual property, most breaches start small with a malware foothold on some endpoint, established through a phishing attack or Web-based attack. With a beachhead established, the attacker looks to escalate privileges on the machine, move sideways onto other machines and implant multiple back doors on all the systems the attack touches to maintain persistence. “More importantly, the longer it takes, the more likely an attacker is to find and exfiltrate the organization’s ‘secret sauce’,” says James Phillippe, leader of threat and vulnerability services for the U.S. at Ernst & Young.

Many compromises today are measured in months, not minutes. The 2013 Verizon RISK Team “Data Breach Investigations Report” found that 66% of breaches in 2012 remained undiscovered for months or more, up from 41% in 2010. And approximately 70% of those breaches were discovered by third parties such as business partners or police, not by the affected organization.

One of the biggest inhibitors to speedy breach detection and response is the lack of visibility and analysis of network traffic, which would allow organizations to connect the dots between seemingly isolated attack symptoms and see them as indicators of a compromised system.

“Many organizations are content to play whack-a-mole when it comes to incident response,” Phillippe says. “They clean malware off the host and quickly return it to service. This perceived response only treats the symptom of the issue, the malware.”

There are three keys to quickly discovering and responding to breaches, says Phillippe. First, companies need solid asset management to recognize all of the devices on the network and establish baseline behavior, which improves their chances of quickly detecting anomalies.

Second, a well-tuned security information and event management (SIEM) system is the “heart of a security operations center” and is the engine connecting the dots that show that those anomalies amount to an attack.

Third, threat intelligence services give companies the context to recognize potential attackers. These services offer industry-wide data about attack patterns and trends occurring at other companies so companies can look out for certain indicators of compromise.

chart: reputation takes a hit

chart: breaches don't come cheap

Article source: http://www.darkreading.com/management/how-to-cushion-the-impact-of-a-data-brea/240161188

For Security Pros, Maintaining Credibility Means Walking A Fine Line

In the old fable, the Boy Who Cried Wolf was capricious and stupid. He cried “wolf” the first two times because he wanted to see who would come. The third time, when the wolf actually appeared, he cried out and no one came. He became wolf chow.

But what if the Boy Who Cried Wolf had actually seen a wolf the first two times? Would help still have come the third time? What would have happened, in that wolf-infested forest, if he had cried five, six, seven times?

This is a question that IT security professionals face every day. And there isn’t always a clear answer.

For security pros, fear is often an ally. The fear of a new threat is what gets end users to pay attention. It’s what pushes your project up the priority list, gains you time on your boss’ calendar, and gets you extra budget. Fear of breaches often is why security tasks get done.

But for most security pros, fear is also a well that shouldn’t be visited too often. Just like the Boy Who Cried Wolf, a security professional’s livelihood rests on his/her credibility. Throw out too many warnings, and your bosses may eventually turn a deaf ear to them. Fail to provide enough warnings about a serious threat, and your organization may not have the tools and processes to stop it.

A security warning is only as good as the credibility of the professional who delivers it.

These days, it’s difficult not to raise the alarm frequently. Nearly every day, a major vulnerability is exposed, a new exploit found, a new anomaly spotted in the logs. These threats are not capricious or made up — they are real wolves. They threaten your systems and your data. Fail to report them — fail to get the help you need — and you are wolf chow. Ring the bells too often — lose the trust of your top management — and you are wolf chow.

In today’s special Dark Reading digital supplement on data breaches, we look at the full impact of a data breach – not just the cost of finding a breach and fixing it, but the cost of service interruption to customers, to employees, and to the business itself. Depending on your business, a security breach might be a small blip in your operations — or it can affect your entire business for years.

Maybe this sort of “impact assessment” is what the Boy Who Cried Wolf needed. Is just one sheep in danger? Or is it the whole herd? Is it 50 starving wolves, or just one fat wolf looking for a snack? The right reports might have built his credibility over time, so that when he cried wolf, the organization might have been prepared with the right response.

It isn’t wrong to cry wolf when there is one. But when you’re surrounded by wolves every day, you need to provide some perspective on your warnings. By measuring the risk and potential impact, as described in today’s digital issue, you can build your credibility. And that credibility, in turn, might decrease your likelihood of becoming wolf chow — one way or the other.

Article source: http://www.darkreading.com/management/for-security-pros-maintaining-credibilit/240161320

Utimaco Launches New High-End HSM Series: CryptoServer CSe

AACHEN, Germany, September 16, 2013 /PRNewswire/ —

The German manufacturer of Hardware Security Modules (HSMs) launches its new product series SafeGuard CryptoServer CSe. The CSe-Series follows from the extremely successful high-end CS-Series, offering twice the performance and maximum security while keeping total cost of ownership to a minimum.

Utimaco introduces the latest generation of its FIPS 140-2 security module certified to Level 4. The new CSe-Series performs high-speed elliptic curve calculations of up to 1,500 operations per second, to name just one key function. This means it offers the fastest software implementation speed in the HSM market. “We always have an eye on the total cost of ownership for our customers. This enables us to provide this new Series at the same cost as the previous model, and even lower operational costs. Sustainability is extremely important to us,” explains Matthias Pankert, Vice President HSM. With the CSe-Series, cryptographic performance has been doubled while maintaining low energy consumption. In regards to individual cryptographic operations, effective energy consumption is even reduced by 30%, which is interesting from both a financial and an ecological point of view.

Like its predecessor, the CSe-Series is one of just a few HSMs in the market that meets the requirements for FIPS 140-2 Level 4 certification for physical security. This means, in addition to traditional sectors, it is particularly suitable for highly sensitive applications within growth sectors such as Smart Metering, eID or eHealth.

In terms of technology, the CSe-Series features a PCI Express bus for faster communication, a new processor, two USB ports, and a storage capacity that is two to eight times higher, all this in addition to the improved software implementation speed. Like all Utimaco HSMs, the CSe-Series is available either as a 19-inch network appliance or as a plug-in card.

“We continued with our philosophy this time around, too, and kept the investment security for our customers in mind during the development of the CSe-Series,” explains Dieter Bong, Product Manager CryptoServer. “Thanks to our architecture’s downward compatibility, firmware applications can continue to run with the CSe-Series, and it is even possible to run the CS- and CSe-Series in parallel.”

The tamper technology, too, is at the same high security level, along with the materials used and the build. Certification for FIPS 140-2 Levels 3 and 4, as well as for the German Banking Industry Committee (Deutsche Kreditwirtschaft), is currently being processed and is expected to be granted at the beginning of next year.

Discover all the technical details surrounding the new CryptoServer Series and its functions at http://hsm.utimaco.com/cse-series

About Utimaco

Utimaco Safeware AG has been a global leading provider of data encryption and the related cryptography for 25 years. The Hardware Security Modules (HSM) division provides a comprehensive product portfolio for security requirements in industrial applications, including the only freely programmable HSM technology.

Utimaco HSM develops and produces its CryptoServer product lines exclusively in its German headquarters. Utimaco HSM operates globally through its own sales and service network in Germany and North America and through its international partner network.

Article source: http://www.darkreading.com/authentication/utimaco-launches-new-high-end-hsm-series/240161345

(ISC)2 Foundation Announces 2013 Information Security Scholarship Recipients

London, U.K., September 16, 2013 — The (ISC)2 (“ISC-squared”) Foundation, a charitable trust that aims to empower students, teachers and the general public to secure their online life with cyber security education and awareness programmes, today announced the recipients of its 2013 information security scholarships. The (ISC)2 Foundation Scholarship Programme aims to fill society’s need for trained cyber security professionals by building the workforce of the future through meaningful scholarships. This programme opens doors for current and aspiring information security professionals, with scholarships for women, undergraduate, graduate and post-graduate students and certification exam vouchers for qualifying faculty to ensure a sufficient supply of qualified instructors at the university level. Recipients were selected by the (ISC)2 Scholarship Review Committee, which consists of representatives from the (ISC)2 Board of Directors, academia, and the (ISC)2 membership.

“On behalf of the (ISC)2 Foundation, I’d like to congratulate this year’s scholarship recipients for their outstanding applications and a commitment to joining the cyber security workforce,” said Julie Peeler, director for the (ISC)2 Foundation. “The goal of the scholarship programme is to help aspiring and practicing professionals achieve their educational goals and put them on a solid track to join the cyber security workforce. We’re thrilled that the programme has assisted so many deserving students across the globe that are truly passionate about a career in information security.”

The following scholarship recipients will be recognised at the 2013 (ISC)2 Security Congress taking place later this month:

Women’s Scholarship:

  • Catherine Deleare, USA
  • Pratibha Anjali Dohare, Bhopal, India
  • Veelasha Moonsamy, Australia

Graduate Research Project(s):

  • Mohannad Alhanahnah, UK
  • Innocent Barigye, Uganda
  • Pei-Yu Chen, Taiwan
  • Scott Ruoti, USA
  • Mahdi Zamani, USA

Undergraduate Scholarship:

  • Mary Brewer, USA
  • William Choi, USA
  • Bruce Clair, USA
  • Christopher Goes, USA
  • Raymond Hernandez, USA
  • Patrick Katamba, UK
  • Micah Lippold, USA
  • Scott Lohin, USA
  • Kyle Murbach, USA

Faculty Certification Exam Vouchers:

  • Tahir Abbas, Pakistan
  • Raymond Albert, USA
  • Feroze Ashraff, New Zealand
  • John Daniels, USA
  • Tom Imboden, USA
  • Supakorn Kungpisdan, Thailand
  • Vijaya Raju Mullagiri, Albania

Findings from (ISC)2’s 2013 Global Information Security Workforce Study validate the acute need to develop the information security workforce, with data indicating that the major shortage of skilled cyber security professionals is negatively impacting organisations and their customers, leading to more frequent and costly data breaches. The scholarship programme aims to combat these realities by providing scholarships to help individuals break into the field of cyber security, ultimately protecting organisations against these cyber threats with a more skilled and qualified workforce.

“I am extremely happy to learn that once again, I am the recipient of the 2013 (ISC)2 Foundation Undergraduate Scholarship,” said two-time recipient Patrick Katamba. “With this continued financial support, I am able to concentrate on what is important: becoming a highly qualified information security professional. (ISC)2’s financial generosity has allowed me to achieve this goal and also continue to strive for excellence in my university studies.”

“I am currently a graduate student of Information Technology Security at Carnegie Mellon University,” said Women’s Scholarship recipient Pratibha Anjali Dohare. “In the future, I am determined to pursue a PhD in Information and Cyber Security. Through my education in this field, I aspire to make the Internet safer against cyber-attacks and internal and external security threats.”

“Being chosen as a recipient for the (ISC)2 Undergraduate Scholarship has been an unforgettable experience,” commented Kyle Murbach. “It has served as a tremendous confidence booster in terms of my academics, knowing that (ISC)2 views me as a fantastic candidate to continue gaining knowledge and starting a career in the field of information security.”

“The 2013 Undergraduate Scholarship award will allow me to finish my Information Systems Security degree sooner than expected, as I will be able to attend classes year-round with the extra funding,” commented Undergraduate Scholarship recipient Micah Lippold. “I am extremely excited to get into the workplace and help to defend the nation’s information systems.”

The (ISC)2 Foundation will begin accepting applications for the 2014 grants on January 2, 2014. Applications must be submitted by April 1, 2014. For additional information on the (ISC)2 Foundation Scholarship Programme, please visit https://www.isc2cares.org/Scholarships/


About The (ISC)2 Foundation

The (ISC)2 Foundation is a non-profit charitable trust that aims to empower students, teachers and the general public to secure their online life by supporting cyber security education and awareness in the community through its programs and the efforts of its members. Through the (ISC)2 Foundation, (ISC)2’s global membership of nearly 90,000 information and software security professionals seek to ensure that children everywhere have a positive, productive, and safe experience online, to spur the development of the next generation of cyber security professionals, and to illuminate major issues facing the industry now and in the future. For more information, please visit www.isc2cares.org.

About (ISC)2

(ISC)2 is the largest not-for-profit membership body of certified information and software security professionals worldwide, with nearly 90,000 members in more than 135 countries. Globally recognised as the Gold Standard, (ISC)2 issues the Certified Information Systems Security Professional (CISSP) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP), the Certified Cyber Forensics Professional (CCFP), Certified Authorisation Professional (CAP), and Systems Security Certified Practitioner (SSCP) credentials to qualifying candidates. (ISC)2’s certifications are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers education programmes and services based on its CBK, a compendium of information and software security topics. More information is available at www.isc2.org.

Article source: http://www.darkreading.com/isc2-foundation-announces-2013-informati/240161346

“Stop spy on us!” 14 NASA sites hacked

As of Friday afternoon, a notice on NASA’s kepler.arc.nasa.gov website was reading “Down for Maintenance: The requested webpage is down for maintenance. Please try again later.”

The site is only one of what appear to be 14 hacked subdomains, hosted in the heart of Silicon Valley, that were defaced on Tuesday and stayed offline for some time. Pastebin has listed the URLs here.

According to CWZ: Cybercrime Revealed, a hacker or hackers using the handle BMPoC posted a defacement page, along with a message, on all the hacked websites, linking the attack to possible US military intervention in Syria as well as to US spying on Brazil.

The message:

NASA HACKED! BY #BMPoC

We! Stop spy on us! The Brazilian population do not support your attitude! The Illuminati are now visibly acting!

Obama heartless! Inhumane! you have no family? the point in the entire global population is supporting you. NOBODY! We do not want war, we want peace!!! Do not attack the Syrians

The hacker is apparently the same one who took down four NASA domains in April 2013, according to Hack Read.

A NASA spokesman told FoxNews.com that the space agency’s IT staff are now investigating, but that nothing major had been compromised:

On Sept. 10, 2013, a Brazilian hacker group posted a political message on a number of NASA websites. … Within hours of the initial posting, information technology staff at the Ames Research Center discovered the message and immediately started an investigation, which is ongoing. At no point were any of the agency’s primary websites, missions or classified systems compromised.

The hacked sites housed information on the Kepler space telescope, planetary exploration, the moon and more, all run out of the organisation’s Ames Research Center.

Why take out political outrage on a science agency?

When Anonymous posted news of the April 2013 attack on its Facebook page, commenters suggested that the rationale for the attack might have been to highlight NASA’s spotty security.

In fact, NASA has not had a stellar (ahem) security history:

  • In March 2011, algorithms used to command and control the International Space Station were exposed.
  • In March 2012, it was the personally identifiable information (PII) of 2,300 employees and students.
  • In another incident, it was sensitive data on NASA’s Constellation and Orion programs.
  • In October 2012, it was PII on an unspecified, but large, number of NASA employees and contractors.

NASA might be picked on simply because it represents low-hanging fruit.

Spotty security doesn’t excuse criminal hacking, though. These aren’t acts of responsible disclosure, by any means.

Somebody ought to tell BMPoC that he/she/they are bullies kicking sand in the face of rocket scientists who have better things to do than mop up after an attack that’s spurred by a head-scratcher of a so-called rationale that’s unrelated to NASA’s mission.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M3MljqRDPaE/