More News
This section is for more news for you.
Security Basics
This list is for the new security administrator.
A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
-
RE: VPN Service
-
Posted by David Gillett on Feb 03
Traditionally, VPNs have been a service that corporate/institutional IT
departments have implemented to allow their users to access internal
resources remotely and securely. This doesn't appear to be what you have in
mind.
Only within the last 3-6 months, I've started getting spammed (NOT a
recommendation!) by mysterious third parties offering VPN services "to the
Internet", apparently as a way to secretly violate local...
-
Re: VPN Service
-
Posted by Jeffrey Walton on Feb 03
Scratch the UK too. The long arm of the US reached in to the UK also.
"VPN provider helped track down alleged LulzSec member",
http://seclists.org/fulldisclosure/2011/Sep/286.
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits...
-
Re: VPN Service
-
Posted by xgermx on Feb 03
Sounds like WiTopia might be a good fit for you.
https://www.witopia.net/
-
Re: VPN Service
-
Posted by Pierre Jaury on Feb 03
Additionally to my previous reaction: using Tor is almost no better than
using VPN. At least it does not create artificial central communication
points, yet it does not actually help with anonymity or obfuscation: you
are not anonymous or safe using the remote application unless this
application includes such features.
The only actual interesting Tor use case remains hidden services imho.
-
Re: VPN Service
-
Posted by Nicolas Bazire on Feb 03
Before looking at the price, the encryption level and the available
bandwidth, you should really investigate the privacy policy of the
provider. More importantly, you should check the country in which the
company is registered and the laws regarding privacy in that country.
For instance, forget about any VPN provider operating in America.
Thanks to the Patriot Act, law enforcement agencies can basically get
any information from any company...
-
Re: VPN Service
-
Posted by Pierre Jaury on Feb 03
Hello,
Basically, VPNs are not meant to act as encrypting gateways, but to
securely and transparently connect remote sites. Using them for Internet
anonymity is a common terrible mistake:
- first, anonymity has nothing to do with networking, you are trying
this the wrong way: anonymity and obfuscated communications is a matter
of application, then use the right applications (first SSL, https, etc,
then have a look at PGP and so before you spend...
-
Re: VPN Service
-
Posted by Glenn English on Feb 03
Please excuse my possible ignorance, but I don't understand why you need a 'provider' for a VPN. I use OpenVPN on
Linux, and I think it can be installed on other platforms as well. It's free. And if you're using Cisco or Juniper
routers/firewalls, they will create an IPsec VPN. That's also free, once you pay for the box. The ones around here
will, anyway...
-
Re: VPN Service
-
Posted by Kalka, Jean F DOD CIV (US) on Feb 03
Agree on strong vpn. And it works well overseas
Sent from US Delegation BlackBerry device
----- Original Message -----
From: Voulnet [mailto:voulnet () gmail com]
Sent: Friday, February 03, 2012 06:30 PM
To: haZard0us <hazard0us.pt () gmail com>
Cc: security-basics () securityfocus com <security-basics () securityfocus com>
Subject: Re: VPN Service
StrongVPN is one good choice. You can get an OpenVPN bundle which
helps against VPN...
-
Re: VPN Service
-
Posted by John Hebert on Feb 03
A VPN provider can secure your connection to them. However, the traffic between the VPN provider and the destination
server is still as secure/insecure as before.
-
Re: VPN Service
-
Posted by Jeffrey Walton on Feb 03
Does it have to be a VPN (IPSec or L2TP)? VPN providers have shown a
penchant for selling out their customers to law enforcement and other
authorities despite their claims.
TOR is a good alternative, but does not operate as low in the stack.
TOR offers confidentiality and does a better job at anonymity.
Additionally, the EFF's Https Everywhere will help you with HTTP
(https://www.eff.org/https-everywhere).
Jeff...
Information Security
Carries news items (generally from mainstream sources) that relate to security.
-
HITBSecConf2012 - Amsterdam brings new hackathon, Capture The Flag and keynotes by Bruce Schneier and Andy Ellis
-
Posted by InfoSec News on Feb 03
http://conference.hitb.nl/hitbsecconf2012ams/
Amsterdam, The Netherlands, 1 February 2012 -- Hack In The Box Security
Conference is back again in Amsterdam this year for the European leg of
its annual circuit. From the 21st to the 25th of May, this deep
knowledge security conference will once again bring together a unique
mix of security professionals, independent researchers, government and
law enforcement officials and members of the...
-
Report: Data breaches from unencrypted devices up 525% in 2011
-
Posted by InfoSec News on Feb 03
http://www.fiercehealthit.com/story/report-data-breaches-unencrypted-devices-525-2011/2012-02-01
By Dan Bowman
FierceHealthIT
February 1, 2012
Healthcare organizations need to "serve as their own watchdog" to
increase security and decrease data breaches, a new report from IT
security audit firm Redspin concludes. The increase in "bring your own
device" policies at various hospitals, in addition to the continued...
-
Half of Fortune 500 firms infected with DNS Changer
-
Posted by InfoSec News on Feb 03
http://www.computerworld.com/s/article/9223941/Half_of_Fortune_500_firms_infected_with_DNS_Changer
By Gregg Keizer
Computerworld
February 2, 2012
Half of all Fortune 500 companies and major U.S. government agencies own
computers infected with the "DNS Changer" malware that redirects users
to fake websites and puts organizations at risk of information theft, a
security company said today.
DNS Changer, which at its peak was...
-
Secunia Weekly Summary - Issue: 2012-05
-
Posted by InfoSec News on Feb 03
The Secunia Weekly Advisory Summary
2012-01-26 - 2012-02-02
This week: 142 advisories
Table of Contents:
1. Word From Secunia...
-
VeriSign 2010 Hack: DNS Data Theft A Possibility
-
Posted by InfoSec News on Feb 03
http://www.informationweek.com/news/security/attacks/232600151
By Mathew J. Schwartz
InformationWeek
February 02, 2012
Several successful hacks of VeriSign's network, in 2010, might have
compromised critical information relating to the Internet's domain name
system (DNS).
According to information released by VeriSign in October 2011, "we have
investigated and do not believe these attacks breached the servers that
support our...
-
Teen finds bugs in Google, Facebook, Apple, Microsoft code
-
Posted by InfoSec News on Feb 03
http://news.cnet.com/8301-27080_3-57369971-245/teen-finds-bugs-in-google-facebook-apple-microsoft-code/
By Elinor Mills
InSecurity Complex
CNet News
February 2, 2012
When he's not at school, 15-year-old Cim Stordal spends his time playing
the Team Fortress video game, shooting his Airsoft pellet gun, and
working in a fish shop in Bergen, Norway. But his real passion is
finding bugs in software used by millions of people on the Internet....
-
Oscars vote vulnerable to cyber attack under new online system, experts warn
-
Posted by InfoSec News on Feb 03
http://www.guardian.co.uk/film/2012/feb/02/oscars-vulnerable-cyber-attack-experts-warn
By Andrew Gumbel
guardian.co.uk
2 February 2012
Computer security experts have warned that the 2013 Oscars ballot may be
vulnerable to a variety of cyber attacks that could falsify the outcome
but remain undetected, if the Academy of Motion Picture Arts and
Sciences follows through on its decision to switch to internet voting
for its members.
The Academy...
-
Espionage gang made illegal recordings of staff at TUBITAK
-
Posted by InfoSec News on Feb 01
http://www.todayszaman.com/news-270207-espionage-gang-made-illegal-recordings-of-staff-at-tubitak.html
TODAY'S ZAMAN
1 February 2012
An espionage gang that used blackmail to extort intelligence on Turkey's
security projects installed secret cameras all over a facility of the
Scientific and Technological Research Council of Turkey (TÜBİTAK) and
illegally videotaped most of the agency's employees for blackmail
purposes.
An...
-
FBI Targets "Hoarder" In Top-Secret Thefts
-
Posted by InfoSec News on Feb 01
http://www.thesmokinggun.com/documents/stolen-top-secret-documents-346219
The Smoking Gun
February 1, 2012
FEBRUARY 1 -- A U.S. government employee with a top-secret security
clearance is the subject of an FBI investigation into his unauthorized
removal of classified material from the Virginia offices of an
intelligence agency, The Smoking Gun has learned.
When the target was confronted last month by federal agents, he
described himself as...
-
BlackBerry OS Achieves Coveted Government Security Clearance
-
Posted by InfoSec News on Feb 01
http://www.pcworld.com/businesscenter/article/249140/blackberry_os_achieves_coveted_government_security_clearance.html
By Tony Bradley
PCWorld
Feb 1, 2012
Don’t nail the coffin shut on RIM just yet. Following a shakeup of
executive leadership, and the launch of BlackBerry Cloud Service and
Office 365 integration, RIM announced today that the BlackBerry 7 OS has
received FIPS 140-2 certification.
Both the BlackBerry 7 and BlackBerry 7.1...
Security Wire - Search Security News
Zero Day
This is the Security Digest of Kaspersky Lab.
Threat Post
Security News from Kaspersky Lab.
-
Privacy Fail: Is Uncle Sam Encouraging Bad Security?
-
CANCUN, MEXICO - A prominent privacy activist says that leading software vendors and the U.S. government are failing the public when it comes to Internet privacy, and that big changes are needed to protect consumers from criminals, advertisers and government spies.
-
State of SCADA Security 'Laughable', Researchers Say
-
CANCUN--For people who follow the developments in the security and research communities, it's easy to get discouraged by the current state of affairs, given the rash of serious hacks on certificate authorities, military networks and companies such as RSA and VeriSign. But, if you think things are bad there, you may not want to look at what's happening in the ICS and SCADA communities. It's getting ugly early.
-
Cyber Cops Wrestle With Legal Hurdles, Public Perception
-
CANCUN, MEXICO -- A panel of top law enforcement officers in charge of cyber criminal investigations reveals that the guys with the white hats face an uphill climb if they want to take down cyber criminal kingpins, with outdated laws and processes on the one hand, and an increasingly skeptical and privacy-conscious public on the other.
-
Google Begins Security Review Process for Android Apps
-
After a couple of years of seeing headlines announcing a steady stream of pieces of malware and trojaned apps appearing in the Android Market, Google finally has taken steps to find and remove malicious apps from the market automatically. The company has unveiled a service called Bouncer that scans apps and looks for known malware as well as potentially malicious behavior.
-
Infographic: How To Spot A Fake Facebook Friend Profile
-
A whopping 97 percent of fake Facebook profiles purport to be female, according to this infographic based on a new study, announced today, from security firm Barracuda Networks. In order to expand their networks and entice would-be victims, 58 percent of the phony profiles also claim to be bisexual and on average, have 726 friends while 68 percent claim to have attended college.
-
How to Win Friends and Steal Their Facebook Accounts
-
CANCUN--Facebook is a lot of things, and one of the things that it's become of late is a fertile green field for attackers and scammers of all stripes. The Koobface worm is perhaps the most famous threat to hit the network, but the more mundane ones, such as scammers generating fake profiles automatically to spread spam and malicious URLs are becoming more and more prevalent, researchers say.
-
Driving Up the Cost of Exploit Development Becomes a Key Defensive Strategy
-
CANCUN--The skill of attackers, combined with the difficulty and cost of finding and fixing vulnerabilities in software--especially after deployment--has reached the point that it's now more effective and efficient for vendors to concentrate on making life more difficult for those attackers looking to exploit bugs.
-
Apple Ships Huge Set of Patches for OS X
-
Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OSX Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute remote code on vulnerable machines.
-
Update: Verisign Admits To Security Breaches in 2010
-
Verisign, the Internet security company responsible for management of the .COM domain, told federal regulators that it was the victim of several successful attacks in 2010, but that those incidents were not reported to the company's management until September, 2011. The news was first reported by Reuters.
-
Market Fail: Regulations May Be Only Hope For Securing Critical Infrastructure
-
Threatpost's exclusive interview with Ralph Langner continues, as our conversation shifts from the legacy of the Stuxnet worm to larger issues facing the critical infrastructure sector including mounting attacks, tensions between vendors and security researchers over responsible disclosure, and what's needed to secure critical infrastructure and industrial control systems.