There has never been a security breach like Sony.
Still no credible information. That means the press gets to speculate like mad.
Are we a nation of over-reacting, “ready, fire, aim,” “We don't need no stinking logic!” wimps? Judge for yourself.
(What would happen if this eventually got traced back to my Ethical Hacking class? After I flunked them for getting caught.)
US: Sony Cyberattack is ‘Serious’ National Security Matter
U.S. officials are treating a cyberattack on Sony Pictures as a "serious national security matter," with the National Security Council considering a proportionate response, the White House said Thursday.
…
The U.S. Department of Homeland Security says "there is no credible intelligence to indicate an active plot against movie theaters."
President Barack Obama also downplayed the threat, saying his "recommendation would be that people go to the movies."
…
The U.S. State Department has denied media reports it had given its backing to the film.
…
In an interview late Wednesday with ABC News, Obama called the cyberattack on Sony Pictures "very serious."
"We’re investigating it. We’re taking it seriously. We’ll be vigilant," Obama said. "If we see something that we think is serious and credible, we’ll alert the public. But, for now, my recommendation would be that people go to the movies."
(Related)
White House Doesn’t Rule Out Cybercounterattack in Sony Hack
…
Earnest said there have been a number of daily meetings at the White House about the hack, and that there are “a range of options that are under consideration right now” for a response. Earnest would not rule out a U.S. cybercounterattack on those behind the Sony hack, saying officials are mindful of the need for a “proportional response.”
…
“Administration officials were consulted about the film prior to its release at the request of the company that was producing the movie,” Earnest said, confirming that officials had screened the film.
(Related)
Hack attack spurs call for more NKorea sanctions
… Rep. Ed Royce, R-Calif., chairman of the House Foreign Affairs Committee, said he did not doubt North Korea was involved. He called for tougher U.S. sanctions to cut Pyongyang's access to hard currency, by excluding from the U.S. financial system banks in other countries that hold North Korean funds.
(Related)
On the other hand...
Think North Korea hacked Sony? Think about this
…
If the hack was all about stopping the release of "The Interview," why didn't that come up earlier? For the first couple of weeks, the messages that accompanied leaked data didn't mention the movie at all. It was more about Sony and its executives -- something underlined by the vindictiveness of the leaks.
…
The movie wasn't mentioned until a message on Dec. 8, and then it was in addition to previous demands made by the group.
…
The movie wasn't mentioned by name until Dec. 10, when the hackers also issued their threat to movie theaters.
(Related)
Evidence in Sony hack attack suggests possible involvement by Iran, China or Russia, intel source says
(Related)
Hackers May Have Planted Their 'Time Bomb' Inside Sony Months Ago
…
Trend Micro says that the particular type of software used to hack into Sony's network wasn't a specialist virus, instead it was widely available on the black market and was modified to specifically target Sony.
The hackers have probably been working inside Sony's systems for months, Bloomberg says.
…
Masayoshi Someya, a security "evangelist" at Trend Micro, claims that hackers took the computer virus and changed it to include account names, passwords and security software found within Sony's network. That would suggest that the hackers had detailed knowledge of Sony's corporate computer network.
…
Multiple messages have flashed up on Sony Pictures computers in recent weeks, meaning that employees are left using fax machines and handwritten notes to communicate because the hackers still have access to their computer system.
That's perhaps the scariest part, for Sony: As of a few days ago the hackers were still inside Sony's network, according to The New York Times.
A question for Computer Security managers everywhere...
Are you working for the next Sony Pictures? Here’s some things to check at work
Strange and pathetic too.
“this is not intended to be a list of the biggest breaches, and not all of them are supposed to be funny. Think of this as our curated list of the most interesting data security events of 2014 in the VCDB.”
Read their roundup here.
Tools & Techniques for my Ethical Hackers. Adding “portable Apps” is simple. Source code is available.
"USBdriveby" Emulates Mouse and Keyboard to Hijack Computers
Security researcher Samy Kamkar has taken a Teensy 3.1 USB-based microcontroller and fitted it with software that can emulate a mouse and a keyboard when connected to a computer. The gadget, dubbed USBdriveby, leverages the fact that many systems blindly trust USB devices connected to them.
Once it's plugged in to a machine, USBdriveby immediately starts performing mouse and keyboard actions, which allows it to carry out a wide range of tasks, such as opening a backdoor, disabling the firewall, and controlling traffic flow by changing DNS settings. After the device is disconnected, the attacker has full access to the targeted computer.
"When you normally plug in a mouse or keyboard into a machine, no authorization is required to begin using them," the researcher explained. "The devices can simply begin typing and clicking. We exploit this fact
…
These types of attacks are not new, and there is reason to believe that the NSA has already been using such devices in its operations.
Earlier this year, at the Black Hat security conference, researchers at Germany-based SRLabs demonstrated that a USB device's firmware can be reprogrammed for malicious purposes. They called the attack "BadUSB." The methods developed by SRLabs are more sophisticated than the ones used for USBdriveby, but the German researchers had not released the source code for their modified USB controller firmware.
In September, researchers Adam Caudill and Brandon Wilson released BadUSB source code after a presentation at the DerbyCon security conference. They argued that the code had to be made public so that people can learn how to protect themselves against such attacks.
Surveillance is becoming ubiquitous-er.
Top 5 Ways You Are Spied On Every Day And Don’t Know It
Many people are oblivious to the ways in which they are monitored nearly every day, in some aspect of their lives. It might be while conducting business at a store, getting money out of an ATM, or even just talking on their cellphone while walking down a city street.
I can't imagine why...
Andrej Sokolow reports:
…the steady spread of sensors means more data is being accumulated all the time. Everything from blood pressure, to the time of day one typically leaves one’s house to a person’s standard bedtime to how many times one rolls over in bed – it’s all potentially captured by this new, personal technology.
Some see the flood of information as a source of potential. Start-up Vivametrica plans to take anonymized data from fitness data and try to forecast cases of health problems like diabetes or heart disease.
Taking it even further, Sension – an app for Google Glass, the company’s networked spectacles – can track 76 points on the face of a person being viewed with the glasses and put together an analysis of the subject’s emotional well-being. The idea is that this could help workers in sales as they try to assess how customers feel. But how might the customers feel about such analysis?
Read more on Government Technology.
Not much new that I see...
President Obama on Thursday signed five cybersecurity bills into law, after an unexpected spate of legislative activity on the issue.
The five bills won’t satisfy the strongest backers of tough cyber protections, but they should help many government officials beef up their networks and were cheered by supporters when they rushed through Congress in the final days of its 2014 session.
…
The Cybersecurity Enhancement Act, for instance, allows the Commerce Department to write voluntary standards to protect critical infrastructure and tells the White House’s Office of Science and Technology Policy to develop a federal cyber research plan.
…
The National Cybersecurity Protection Act establishes in law the department’s national cybersecurity center, while the Federal Information Security Modernization Act updates 12-year-old federal information security laws.
The Cybersecurity Workforce Assessment Act directs the DHS to build out a new strategy to recruit and hang onto the best and brightest workers in the field, and the Border Patrol Agent Pay Reform Act allows the department to exempt some cyber staffers from normal government hiring rules.
…
GOP Rep.-elect Will Hurd (Texas), a former CIA officer, was picked Thursday to lead the new House Oversight subcommittee on Information Technology.