Friday, 4 December 2009

Engineers who hacked into L.A. traffic signal computer, jamming streets, sentenced

By Shelby Grad
Los Angeles Times
December 1, 2009

Two L.A. traffic engineers who pleaded guilty to hacking into the city's signal system and slowing traffic at key intersections as part of a labor protest have been sentenced to two years' probation.

Authorities said that Gabriel Murillo, 40, and Kartik Patel, 37, hacked into the system in 2006 despite the city's efforts to block access during a labor action.

Fearful that the strikers could wreak havoc, the city temporarily blocked all engineers from access to the computer that controls traffic signals.

But authorities said Patel and Murillo found a way in and picked their targets with care -- intersections they knew would cause significant backups because they were close to freeways and major destinations.

Crooks 'too lazy' for crypto

By Chris Williams
The Register
3rd December 2009

The widespread use of encryption by criminals - long feared by intelligence and law enforcement agencies - has yet to materialise, according to the man in charge of the country's largest digital forensics unit.

Mark Stokes, head of the Metropolitan Police's Digital and Electronic Forensic Services (DEFS), told The Register that "literally a handful" of the tens of thousands of devices it handles each year from across the whole of London involve encrypted data.

"We're still to this day not seeing widespread use of encryption," he said.

Despite the availability of scrambling products such as PGP, TrueCrypt and Microsoft's BitLocker, criminals are not making it difficult for forensic investigators to access their files.

"You'd think paedophiles would use it, but they don't. It's just human nature to think they'll never get caught," said Stokes, an electronics

Cisco, Juniper vulnerable to hacking

By Reuters
3 Dec 2009

The US government has identified flaws in equipment from four companies, including Cisco Systems, that hackers can exploit to break into corporate computer networks.

The Department of Homeland Security's US Computer Emergency Readiness Team, US-CERT, said on its Web site that the warning applies to certain networking products from Cisco, Juniper Networks, SonicWall and SafeNet.

The flaw applies to equipment with technology known as SSL VPN that companies use to set up secure communications systems for safely accessing internal computer systems over the Internet.

It affects VPN systems accessed directly through a Web browser, rather than through client software installed on a user's PC, which is the more widely used approach.

Hackers who exploit the vulnerability could gain broad access to corporate networks, then steal confidential data, install malicious software or turn PCs into spam servers.

A Call to Cyber Arms

By Maryann Lawlor
SIGNAL Scape
The official blog of
AFCEA International
and SIGNAL Magazine
12/02/09

Sherri Ramsay, director of the NSA's Central Security Service Threat Operations Center, opened AFCEA's SOLUTIONS Series today by admitting that the intersection of cyber, national and economic security has changed the way her organization interacts with industry. Citing statistics that cybercrime has cost individuals more than $2 billion, Ramsay called for shared network situational awareness across the U.S. government, industry and individuals. This holistic approach must include information about who owns, operates and defends the networks, she said.

"Cyberspace at the Cross Roads: The Intersection of Cyber, National and Economic Security," is the third in this year's SOLUTIONS series of forums and is taking place December 2-3 at the National Conference Center. The event features presentations by military and government leaders as well as three tracks of panel sessions that are designed to prompt discussions among attendees.

Despite the need for a holistic approach to cybersecurity, Ramsay acknowledged that determining how to do it poses many challenges. She related that while discussing cyber defense with her counterparts in New Zealand, she described the change in tactics as the difference between playing football and playing soccer. While the former involves offensive and defensive teams taking the field separately, the latter calls on offensive players to go on the defense as soon as possession of the ball changes sides. The New Zealanders agreed that a change has taken place but said that cyber defense today more resembles rugby.

Ramsay called on government, industry and individuals to be more proactive in their part of cybersecurity. To this end, the NSA now uses the term "Team Cyber" every day to describe how it is enacting cyber defenses. Members of the team include the government, industry and academia to such an extent that the NSA has actually brought antivirus vendors into the same room with government network defenders to observe networks under attack. The vendors were then given the information and signatures they would need to improve the next version of their products.

Cyber Warfare Command to Be Launched in January

By Jung Sung-ki
Staff Reporter
The Korea Times
12-01-2009

The Ministry of National Defense will launch a cyber warfare command next month, officials said Tuesday.

The command will conduct both defensive and offensive cyber operations under the direction of the defense minister, they said.

Previously, the ministry had been considering establishing a cyber command under the control of the Defense Security Command (DSC), whose mission is to defend military networks against computer attacks.

The command will be led by a major general and have 200 specialists, the officials said.

Earlier this year, the DSC said the country's military computer networks faced about 95,000 reported hacking attacks per day on average.

In July, the government and industrial computer networks suffered from massive distributed denial of service (DDoS) attacks for several days.

Some intelligence sources from South Korea and the United States blamed North Korea for the attacks, though no solid evidence has been found to support those claims.

North Korea is known to operate a cyber warfare unit that specializes in hacking into South Korean and U.S. military networks to extract classified information.

Metasploit Gets New Vulnerability Scanning Features

By Kelly Jackson Higgins
DarkReading
Dec 01, 2009

A new version of Metasploit released today includes integrated vulnerability scanning for the popular open source penetration testing tool.

Rapid7, which recently purchased Metasploit, today announced both the new version of Metasploit, 3.3.1, as well as a new free version of Rapid7's NeXpose vulnerability scanner. The NeXpose Community Edition is basically a slimmed-down version of the company's enterprise-class scanner that is limited in the number of IPs it can scan.

The free NeXpose version is integrated with Metasploit 3.3.1 with a plug-in to the Metasploit console. "This integration is the first to actually run the [vulnerability] scan and do the import of the data for you," says HD Moore, chief security officer for Rapid7 and creator of Metasploit. It lets the penetration tester run the scan, import the data, and automatically run exploits against the vulnerabilities, he says.

"This is the first step in the integration" of Metasploit and the NeXpose vulnerability scanning platform, Moore says. The tools work together from the Metasploit console with a command-line plug-in: the penetration tester loads Metasploit, connects to NeXpose, and runs the scan from there. The scan data is then brought in to Metasploit and cross-referenced with Metasploit's modules, which then are automatically launched to test out the vulnerabilities, he says. "The whole process is from the Metasploit console," he says.
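The scan-import-and-cross-reference step Moore describes above, reduced to its essentials as an added example. This is not Rapid7's plugin code: the XML below is a constructed, simplified stand-in for a scanner export (not NeXpose's real schema), and MODULE_INDEX is a hand-built stand-in for Metasploit's module reference database (the two module paths in it are real Metasploit modules, the table itself is illustrative). The script parses the findings, normalises CVE and bulletin references so they join reliably, matches them against modules, orders by severity and emits the msfconsole commands a tester would otherwise type by hand:

```python
import xml.etree.ElementTree as ET

# Constructed sample scan export. A simplified stand-in for a vulnerability
# scanner's XML report; NOT NeXpose's real export format.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<scan>
  <host address="192.0.2.10" os="Microsoft Windows 2000">
    <service port="445" name="cifs">
      <vulnerability id="windows-hotfix-ms08-067" severity="10">
        <reference source="CVE">cve-2008-4250</reference>
        <reference source="MS">MS08-067</reference>
      </vulnerability>
      <vulnerability id="windows-hotfix-ms06-040" severity="9">
        <reference source="CVE">CVE-2006-3439</reference>
      </vulnerability>
    </service>
  </host>
  <host address="192.0.2.11" os="Linux 2.6">
    <service port="22" name="ssh">
      <vulnerability id="ssh-weak-mac" severity="3">
        <reference source="CVE">CVE-2008-5161</reference>
      </vulnerability>
    </service>
  </host>
</scan>
"""

# Constructed module index: a tiny hand-built stand-in for Metasploit's
# module reference database. The module paths are real Metasploit modules.
MODULE_INDEX = {
    "exploit/windows/smb/ms08_067_netapi": {"CVE-2008-4250", "MS08-067"},
    "exploit/windows/smb/ms06_040_netapi": {"CVE-2006-3439", "MS06-040"},
}


def normalize_ref(source, text):
    """Canonicalise a reference so 'cve-2008-4250' and 'CVE-2008-4250' join."""
    text = text.strip().upper()
    if source.upper() == "CVE" and not text.startswith("CVE-"):
        text = "CVE-" + text
    return text


def parse_scan(xml_text):
    """Return findings as (host, port, vuln_id, severity, set_of_refs)."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.get("address")
        for svc in host.findall("service"):
            port = int(svc.get("port"))
            for vuln in svc.findall("vulnerability"):
                refs = {normalize_ref(r.get("source", ""), r.text or "")
                        for r in vuln.findall("reference")}
                findings.append((addr, port, vuln.get("id"),
                                 float(vuln.get("severity", "0")), refs))
    return findings


def cross_reference(findings, index=MODULE_INDEX):
    """Join findings to modules sharing a reference; highest severity first."""
    matches = []
    for addr, port, vid, sev, refs in findings:
        for module, mrefs in index.items():
            if refs & mrefs:
                matches.append({"host": addr, "port": port, "vuln": vid,
                                "severity": sev, "module": module})
    matches.sort(key=lambda m: (-m["severity"], m["host"], m["module"]))
    return matches


def runbook(matches):
    """Render the matches as msfconsole commands, one block per match."""
    lines = []
    for m in matches:
        lines.append(f"use {m['module']}")
        lines.append(f"set RHOST {m['host']}")
        lines.append(f"set RPORT {m['port']}")
        lines.append("run")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN_XML)
    hits = cross_reference(found)
    print(f"{len(found)} findings, {len(hits)} with a matching module")
    print(runbook(hits))
```

Findings with no matching module (the SSH one here) simply drop out of the runbook; in practice that remainder is the list a tester still has to work through manually, which is why the severity ordering matters before anything is launched automatically.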

Wanted: A Smokey Bear for cybersecurity

By Amber Corrin
FCW.com
Dec 02, 2009

Cybersecurity has become more than a homeland security issue; it has become a national lifestyle issue that hinges on raising education at the individual level, a panel of information security experts said today.

"If the U.S. is going to continue to be a center of innovation in the world, we need to up our game, and get on par with the science, engineering and technology schooling of China and India," according to Richard Schaffer, information assurance director at the National Security Agency.

"It's a U.S. problem; it's a challenge that, [if left] unmet, is going to put us in a dangerous situation in 10 or 20 years when we can't afford to be in second place. We never want to be in second place," Schaffer added.

Beyond formal education, U.S. cybersecurity strategy needs to develop a public awareness campaign that permeates the workplace, schools and homes -- much like the development of Smokey Bear in the 1970s to promote fire safety, panelists said.

"This [campaign] needs to include secretaries, administrators, front-line people who have no idea [about technology and cyberspace] - not just front line cyber operators," said Adam Meyers, an SRA International information assurance principal who currently works with the State Department.

The Fruit of the Poisoned Tree

By M. E. Kabay
Network World
12/02/2009

Should we hire criminal hackers as security experts? This is the second of a two-part attack on the idea from a 1995 debate in which I participated.

* * *

On a broader scale, consider the message you would be giving some thirteen year old proto-hacker. These kids, like most kids, are tremendously susceptible to peer pressure. They already find criminal hacking attractive because it's viewed as today's counter-culture -- something fairly harmless (compared with, say, dealing drugs) but exciting because it's illegal. Now imagine that the older creeps can announce that they've just been hired by The Man (i.e., authority figures) to work in counter-intelligence, snooping in foreign companies' files for money (you don't imagine they'd keep it quiet, do you?) -- Oh man -- not only is criminal hacking glittering with the allure of the forbidden now, but you can hope to earn money with it from the government!

The children and emotionally-arrested adolescents involved in criminal hacking already have a love/hate attitude towards The Man. Many of them claim that they'd like to work for security firms when (if) they grow up. This myth that criminal hacking is a reasonable basis for work in security would become even more pernicious if it were known that more hackers had in fact been solicited and used by government or corporate organizations. Using such people would reinforce the attractiveness of criminality.

Consider the outcry if the military in a democracy actively solicited murderers to be soldiers. The great challenge of military training is to temper savagery with honor; to provide a moral framework within which war is viewed as undesirable, killing as regrettable. A soldier who lies is a stain on his unit's honor. A soldier who steals is a wretch who deserves expulsion. And a soldier who breaks his word is a traitor to his country. And so how shall we deal with people whose entire way of life is to lie and to steal and to cheat?
