Thursday 30 April 2015

Grooveshark


from Hacker Samurai http://ift.tt/1KyvBia
via IFTTT

Congress’s Orwellian spying “reforms”: Why the government wants to outsource its surveillance to...


from Hacker Samurai http://ift.tt/1EH4GjE
via IFTTT

Hackers putting drivers at risk while behind the wheel | hacker samurai


from Hacker Samurai http://ift.tt/1IsToRD
via IFTTT

Hackers putting drivers at risk while behind the wheel

Those who have cars built in the last decade might not actually be in the driver’s seat.

Hackers have figured out how to take over and it is a frightening proposition.

Cyber researchers from Kaprica Security showed the Eyewitness News I-Team how vulnerable cars are to hackers.

By just touching a few buttons on a laptop, hackers are able to disable the brakes in a vehicle.

They can even remotely honk the horn without being inside of the vehicle, and control the speed of the windshield wipers.

Drivers could lose all control.

“As we add more gizmos and electronics and ways that our cars interact with us our phones and the internet, we open up more ways for attackers to break into those cars,” said Hudson Thrift, chief operating officer of Kaprica Security.

Doug Britton, of Kaprica Security, said highways haven’t yet been jammed full of cars that may have been shut down by attackers.

But, in the future, Quinnipiac University Professor Brian Kelly said he thinks in the next five years the cases of hacking will grow.

“You’re starting with researchers and hobbyist now. And as that research becomes more widely available, you know the bad guys will start to pick up on that,” Kelly said.

The hackers can get into the car’s computer systems using the vehicle’s Bluetooth or wireless hotspots that come factory-installed.

“You take all of the systems in your car, they’re all being run by an operating system. And as long as that hacker has control of that operating system, they can manipulate those features,” Kelly said.

This is something that makes drivers, such as Annie Dillon of Wethersfield, nervous.

“It’s hard to believe, it’s pretty scary,” Dillon said.

Beyond the Bluetooth and Wi-Fi systems, the federal government has expressed concerns over the tracking systems that some cars have, that transmit information about the vehicle’s driving history from the car to the automaker, wirelessly.

“Some cars are sending signals. Some cars are receiving signals. But anytime a car is sending or receiving those signals, its opens up opportunities for attackers to get in,” Thrift said.

U.S. Senator Richard Blumenthal and other lawmakers are pushing the National Highway Transportation Safety Administration to develop federal guidelines to protect against a potential hack, to make sure that any data transmissions are secure.

The Eyewitness News I-Team looked into what could be done in the meantime for drivers to protect themselves.

“Right now there isn’t anything a lay person can do but if we all start talking to our sales people and asking them how I can prevent my car from being compromised, what kinds of features are in my car, then manufacturers will understand the importance of this,” Thrift said.

General Motors, which became the first automaker to put Wi-Fi hotspots in some of its 2015 vehicles, said in a statement that it is “taking a layered approach to in-vehicle cyber security and are designing many vehicle systems so that they can be updated with enhanced security measures as potential threats evolve.”

Ford said in a statement that it invests in security solutions and it is “not aware of any instance in which a Ford vehicle was infiltrated or compromised in the field through a remote hack.”
Read more: http://ift.tt/1GJOe1A

Hackers in China tired of getting no love, try to rebrand | hacker samurai


from Hacker Samurai http://ift.tt/1zuYzyB
via IFTTT

Hackers in China tired of getting no love, try to rebrand

A website hacked by Chinese hackers. (File photo/CFP)

Despite increasing recognition within the industry, Chinese hackers have been unable to shake their bad reputation, according to Beijing’s Economic Observer.

Chinese online security firm Qihoo 360 is a major employer of white-hat hackers, whose job is to detect weaknesses in software and computer systems.

One of the hacker teams employed by Qihoo 360 is led by a person identified only as “MJ0011”, who has won the world’s largest computing contest, Pwn2Own.

Another hacker working at Qihoo 360, known as “Ir0nSmith,” appeared on an annual Consumer Day TV show on March 15 and showed how hackers can use public Wi-Fi to acquire the personal data of people linked to a wireless connection.

Although hackers working for big companies are now paid well, things were quite different before 2010, the newspaper said.

According to Wang Qi, who worked for Microsoft and now heads cyber security team Keen Team, hackers in China did not have an easy time finding a job.

The newspaper said people working in cyber security were paid less than the average salary in the technology sector before 2010, and American firm McAfee took advantage by hiring hackers from China.

Poor job prospects and pay also drove hackers into illegal activities, creating software and viruses for fraud schemes and criminal endeavors. Though an average hacker can now make millions of yuan a month, the profession as a whole remains burdened by a negative image, Wang said.

Qihoo 360, internet firm Tencent and e-commerce giant Alibaba have competed for cyber security professionals and driven up their wages since 2010, and the leak of confidential documents by Edward Snowden further boosted demand for hackers and hacker pay.

Another reason for the negative image of hackers in China is the lack of courses on computer hacking at Chinese universities.

Efforts made by prominent hackers in China to reverse their unsavory reputation, such as appearing at computer hacking contests, have begun to change the tide, the newspaper said.

“The apparent change began the year before last, when people in the hacking world turned their focus to technology. They stopped talking about how much money they were making but who cracked Tesla first. At least the business is seeing a positive direction,” Wang said.

Source: http://ift.tt/1GJIwfX

Colleges in a cyber war with hackers; open networks vulnerable to attacks | hacker samurai


from Hacker Samurai http://ift.tt/1bGVO21
via IFTTT

Colleges in a cyber war with hackers; open networks vulnerable to attacks

The cyberattack that crippled Rutgers University for the past three days was part of a string of attacks that attempt to exploit weaknesses that are unique to the way colleges operate.

The attack, which was the third at Rutgers since November, came as institutions of higher education try to make it as easy to use a computer at school as at home, allowing students to do everything from downloading a song to accessing information from around the globe, all while keeping vast computer networks operating.

“It’s not to say we don’t also protect,” said Neal Sturm, chief information officer at Fairleigh Dickinson University, which also was hit by a cyberattack last month. “But a university has students and has faculty, and it becomes much more challenging for universities to completely lock the door from a security perspective because universities are supposed to be open by their very nature.”

In the attempt to infiltrate colleges and universities, cyber criminals are using smarter, more sophisticated methods than ever. They set out to steal financial information, make a splash or a statement or carry out a vendetta against a school. School employees update programs and block suspicious users daily while they plead with staff and students not to open those links that pretend to be from a bank or a friend.

At Rutgers this week, Internet service was crippled just nine days before finals were to begin. Students couldn’t finish papers, take online classes or register for courses. The university has made no public statements on the attack except to tell students two to three times a day that they were working on the problem.

Outside Internet traffic bombarded the university, overwhelming its network and making it difficult for legitimate users to get online or access pages on the Web. To carry out the “denial of service” attack, a cyber criminal builds up a “botnet,” or an army of computers that they infiltrate and set up to do repetitive tasks, like flood a school’s server with requests.

Botnets are built when computer users click links sent by spam email that cause spyware and viruses to be installed on their computers.

It has gotten easier and cheaper to launch a denial of service attack, and infected computers can be rented for that purpose, experts say. It’s hard to prevent them and even large companies, like Sony and Microsoft, have been victims.
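The paragraphs above describe a denial-of-service flood in lay terms. The following Python is an added example, not code from the article or from Rutgers: it shows the kind of check a campus security team can run over ordinary web-server access logs to spot a single source hammering a server, which is the first signal of the flood described. The log lines, the addresses (RFC 5737 documentation ranges) and the 20-requests-per-minute threshold are all constructed assumptions for the demonstration.

```python
"""Request-flood detection over web-server access logs.

Added example, not code from the article or from Rutgers. The log lines,
addresses and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_seconds=60, max_requests=20):
    """Return {source_ip: peak_count} for every source that sent more than
    max_requests inside any window_seconds-long sliding window.

    Lines are processed in the order given; each source's timestamps are
    tracked separately, so interleaving between sources does not matter.
    Malformed lines are skipped instead of aborting the run."""
    recent = defaultdict(deque)  # source_ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire hits older than the window
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _log_line(ip, ts, request, status=200, size=512):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size}'


def sample_log():
    """Constructed sample: one source sends 50 requests in 25 s, two
    ordinary clients send three each, plus one unparsable line."""
    base = datetime.strptime("30/Apr/2015:10:00:00 +0000", TS_FMT)
    lines = [_log_line("203.0.113.7", base + timedelta(seconds=i * 0.5), "GET /login HTTP/1.1")
             for i in range(50)]
    for i in range(3):
        lines.append(_log_line("198.51.100.2", base + timedelta(seconds=15 * i), "GET /index.html HTTP/1.1"))
        lines.append(_log_line("192.0.2.9", base + timedelta(seconds=15 * i), "GET /courses HTTP/1.1"))
    lines.append("this line is not in log format and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(sample_log()).items():
        print(f"flood suspected from {ip}: {peak} requests within 60 s")
```

A per-source count is enough to catch a single noisy client; a rented botnet spreads the same load over many addresses, so in practice the same sliding-window logic is also applied to the total request rate and to rates per URL, and the threshold is tuned against a baseline of normal traffic rather than fixed at 20.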

No comment from FBI

A spokeswoman for the FBI, which is investigating, declined to comment.

The attacks are intended to make a statement or make demands like ransom and not to steal data, although they can be used as a diversionary tactic.

In a spate of attacks last year at schools, including Indiana University and the University of Maryland, student and staff data were exposed. The hackers gained access to the names, addresses and Social Security numbers of thousands of current and former students.

The FBI has also warned that foreign interests are trying to steal research from universities for political and economic gain.

Even when personal data aren’t stolen, there are financial costs and damage to a school’s reputation. It costs thousands of dollars to remove a computer infection because the technology staff has to reinstall programs at every workstation, said Peter Streips, president of the Network Security Group, a business that consults with colleges in the Northeast on security matters.

Certainly, Rutgers’ reputation has taken a hit, with its problems being aired in the media as high school seniors are deciding which colleges to attend.

Students have vented in hundreds of online comments. They complained that they couldn’t get their work done and that they needed to use their own phones at their own expense for Internet service. A few said on Twitter that they felt like switching schools.

Crime rings and hackers are going after universities because they view them as easy targets, security experts say. Colleges and universities want to promote learning and want students living on campus to feel like they’re home. At the same time, they store a wealth of information, like credit card and Social Security numbers and faculty research papers.

“All those file-sharing applications — while it’s nice to be able to share information, this is basically a back door for hackers to be able to access other people’s computers remotely,” Streips said.

Meanwhile, thousands of students and faculty are using the networks on their own laptops and tablets and are linking up with organizations across the globe — giving hackers and criminals plenty of ways to break in. More than 30 percent of cyberattackers infiltrate networks through a computer that belongs to a student or employee, Streips said.

“The uneducated user is just as risky as the person in China trying to track your network,” he said.

And the threats are constant and ever-changing with new methods of attack being devised every day, college security professionals say.

“We’re growing in our abilities to monitor and prevent and mitigate it, but it’s going to be a never-ending challenge,” said Candace Fleming, vice president of information technology at Montclair State University.

Schools also are often limited by how much they are willing to spend, especially compared with the private sector, said Kim Milford, executive director of the Research and Education Networking Information Sharing and Analysis Center. So they often use free, open-source programs to improve security and share information.

Two-thirds of the higher education institutions surveyed last year by the SANS Institute, which specializes in cyber security, said they needed more staff while 43 percent said they couldn’t compete for highly skilled workers against higher-paying organizations and businesses.

New protections

Universities are taking steps to improve security. They are adding new password protections and hiding personal information in code. They are keeping sensitive information, like financial records, on networks separate from the ones used by students. They run programs all day long to check for suspicious online traffic and to make sure computer controls are working.

Many universities, including Fairleigh Dickinson and Montclair State, also have created response teams that can be activated in case of a breach.

Rutgers, meanwhile, put an advertisement in the student newspaper that appeared online this week urging students not to share their passwords. “Don’t be the weakest link to security,” the ad said.

But more can and should be done, experts say.

In the SANS Institute survey, only about half the respondents reported that they encrypt sensitive information that can identify students and faculty members, like Social Security numbers and credit card information. And just 57 percent said they classify and create special guidelines for sensitive data.

In response to the growing threat, schools have to revise their plans constantly and be prepared for a crisis, Streips said.

“It’s not if it happens, it’s when,” he said.

Source: http://ift.tt/1zu4IeD

Hackers take over Casey Co. company’s Facebook page | hacker samurai


from Hacker Samurai http://ift.tt/1PaTLQH
via IFTTT

Hackers take over Casey Co. company’s Facebook page

LEXINGTON, Ky. (WKYT) - They’ve worked hard to reach more customers through Facebook, but for a Casey County company, one wrong click has turned into a nightmare.

After Tarter Farm and Ranch Equipment fell victim to a phishing scam, a hacker took over the company’s Facebook page and began posting racy material.

“When people go to Facebook and look us up, they’re going to see that horrible, horrible posting,” said Ann Tarter, the company’s vice president.

Tarter said it started with a simple Facebook message that claimed to point out a copyright violation in one of the company’s posts.

“It looked to be a notification from Facebook, it looked very legitimate,” Tarter said. “When [the employee] clicked on it, he filled in his credentials.”

But the message wasn’t from Facebook, and whoever got the company’s login information soon shut out everyone else who had access to the page.

Now the page’s 126,000 fans see links and photos that are decidedly not safe for work, and certainly not family-friendly.

“It’s 180 degrees diametrically opposed to the lifestyle that we live, we promote and we sell,” Tarter said.

According to the Better Business Bureau, so-called “phishing” scams like this are all too common, and businesses especially need to watch out for them.

“Facebook also says they will never ask you for a password, login information in an email like that,” said Heather Clary, with the BBB of Central and Eastern Kentucky. “That would have been the warning sign here. Someone probably thought that they were doing the right thing, and it ended up going completely wrong.”

Because the hacker stripped the page’s administrators of their access, the company can’t delete the posts.

Tarter said the company’s attorney has reached out to Facebook about the hacking. So far, however, the company hasn’t gotten much response and is having trouble getting the situation fixed, Tarter said.

As the company works to take back control of their page and stop the hacker’s high jinks, Tarter says they want others to watch out.

“If you’re unsure, just back away, don’t click on anything,” she said. “And if you want to see Tarter products, go to TarterUSA.com, don’t go to our Facebook, just give us a few weeks.”

Source: http://ift.tt/1QMugsu

Can Wired Cities Outsmart Hackers? | hacker samurai


from Hacker Samurai http://ift.tt/1FAuvTc
via IFTTT

Can Wired Cities Outsmart Hackers?

A monster storm is on a collision course with New York City and an evacuation is under way. The streets are clogged, and then it happens. Every traffic light turns red. Within minutes, the world’s largest polished diamond, the Cullinan I, on loan to the Metropolitan Museum of Art from the collection of the British Crown Jewels, is whisked away by helicopter.

While this may sound like the elevator pitch for an action film, the possibility of such a scenario is more fact than fiction these days.

Cesar Cerrudo is the chief technology officer at IOActive Labs, a global security firm that assesses hardware, software and wetware (that is, the human factor) for enterprises and municipalities. A year ago, Cerrudo made waves when he demonstrated how 200,000 traffic sensors located in major cities around the United States—including New York, Seattle, Washington, and San Francisco—as well as in the UK, France and Australia, could be disabled or reprogrammed because the Sensys Networks sensor system that regulated them was not secure. According to ThreatPost, these sensors “accepted software modifications without double-checking the code’s integrity.” Translation: there was a vulnerability that made it possible for hackers to reprogram traffic lights and snarl traffic.

A widely reported discovery, first discussed last year at a black hat hacker convention in Amsterdam, highlighted a more alarming scenario than the attack of the zombie traffic lights. Researchers Javier Vazquez Vidal and Alberto Garcia Illera found that it was possible, through a simple reverse engineering approach to smart meters, for a hacker to order a citywide blackout.

The vast array of attacks made possible by the introduction of smart systems are many. With every innovation, a city’s attackable surface grows. The boon of smart systems brings with it the need for responsibility. It is critical for municipalities to ensure that these systems are secure. Unfortunately, there are signs out there of a responsibility gap.

According to the New York Times, Cerrudo successfully hacked the same traffic sensors that made news last year, this time in San Francisco, despite reports that the vulnerabilities had been addressed after the initial flurry of coverage when he revealed the problem a year ago. It bears saying the obvious here: Cerrudo’s findings are alarming. With the information of how to hack the Sensys sensors out there, was San Francisco’s security protocol nothing more than dumb luck? How could it be that the same issue was imperiling the safety of San Franciscans?

The integration of smart technology into municipalities is a new thing. The same Times article notes that the market for smart city technology is expected to reach $1 trillion by 2020. As with all new technology, compromises are not only possible, but perhaps even likely, in the beginning. The problem here is that we’re talking about large, populous cities. As they become ever more wired, they become more vulnerable.

The issue is not dissimilar from the one facing private sector leaders. Organizations must constantly defend against a barrage of advanced and persistent attacks from an ever-growing phalanx of highly sophisticated hackers. Some of them work alone. Still others are organized into squadrons recruited or sponsored by foreign powers—as we have seen with the North Korean attack on Sony Pictures and the mega-breach of Anthem suspected to be at the hand of Chinese hackers—for a variety of purposes, none of them good.

The vulnerabilities are numerous, ranging from the power grid to the water supply to the ability to transport food and other necessities to where they are needed. As Cerrudo told the Times, “The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger.”

The solution, however, may not be out of reach. As with the geometric expansion of the Internet of Things market, there is a simple problem here: lack of familiarity at the user level—where human error is always a factor—with proper security protocols. Those protocols are no secret: encryption, long and strong password protection, and multi-factor authentication for users with security clearance.

While the above-noted protocols are not a panacea for the problems that face our incipiently smart cities, they will go a long way towards addressing security hazards and pitfalls.

Cerrudo has also advocated the creation of computer emergency response teams “to address security incidents, coordinate responses and share threat information with other cities.” While CERTs are crucial, the creation of a chief information security officer role in municipal government to quarterback security initiatives and direct defense in a coordinated way may be even more crucial to the problem-sets that arise from our new smart cities. In the pioneering days of the smart city, there are steps that municipalities can take to keep their cities running like clockwork.

Source: http://ift.tt/1IqhiNF

After the SendGrid Hack, Beware of Phishing Scams | hacker samurai


from Hacker Samurai http://ift.tt/1EvwBBM
via IFTTT

After the SendGrid Hack, Beware of Phishing Scams

Email has become a critical tool for transactions — from the sending of Uber receipts to delivery of hotel coupons. Naturally, companies that send mission-critical consumer emails often turn to third-party firms like SendGrid to manage the delivery of millions of messages. Of course, as third parties that maintain trusted relationships with both consumers and corporations, such email providers are an obvious target for hackers. Imagine the damage a criminal could do if he could believably pose as a giant tech firm and send out emails to all of its consumers: such emails could ask millions of users to reset their passwords, for example, or update their credit card information, or even send bitcoins.

Such attacks are now under way. SendGrid, which has 180,000 customers and sends emails for giants like Uber and Spotify, said this week that a hacker who broke into company systems earlier this month did more damage than initially believed.

On April 9, the firm confirmed to The New York Times that a Bitcoin-related client account had been compromised and used to send phishing emails to its customers. But on Monday, SendGrid said additional investigation revealed that one of its own employees’ accounts had been compromised and used to access several SendGrid systems in February and March.

“These systems contained usernames, email addresses, and . . . passwords for SendGrid customer and employee accounts,” the firm said on its blog. “In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information.”

SendGrid says it has not found evidence that customer lists were stolen, but it “cannot rule out the possibility.”

The firm is urging its clients to change passwords and enable two-factor authentication.

It takes only a little creativity to imagine all the damage a hacker who managed to steal customer email lists and credentials could do, and a harrowing account posted by cloud provider Chunkhost.com on its website offers a cautionary tale. Co-owner Nate Daiger wrote last year that a hacker talked SendGrid into changing its point of contact email from support@chunkhost.com to support@chunkhost.info, then used that change to retrieve a password reset email on two bitcoin-using clients. Fortunately, both clients used two-factor authentication, Daiger wrote.

“Our customers’ accounts were protected and the attackers were stymied. But it was really close,” he wrote.
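The Chunkhost account shows where the control belongs: a change to an account’s point-of-contact address must not be accepted on a support request alone. The following Python is an added example, not SendGrid’s or Chunkhost’s code. It models the policy that story implies: the change must be confirmed with a token mailed to the current address (never the requested one), must pass the account’s second factor when one is enrolled, and a move to a different domain (chunkhost.com to chunkhost.info) is held for review instead of being applied. Mail delivery is a callback, the second factor is HOTP (RFC 4226), and the class and function names are assumptions for the demonstration.

```python
"""Guarding changes to an account's point-of-contact (recovery) e-mail.

Added example, not SendGrid's or Chunkhost's code; names are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code; stands in for the account's second factor."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Account:
    contact: str
    totp_secret: Optional[bytes] = None   # None means no second factor enrolled
    otp_counter: int = 0
    pending: dict = field(default_factory=dict)


class ContactChangePolicy:
    def __init__(self, send_mail):
        self.send_mail = send_mail  # send_mail(to_address, token): delivery hook

    def request(self, acct: Account, new_addr: str) -> bool:
        """Start a change; returns True when the new address is on another domain."""
        token = secrets.token_urlsafe(16)
        acct.pending = {
            "new": new_addr,
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "cross_domain": domain_of(new_addr) != domain_of(acct.contact),
        }
        self.send_mail(acct.contact, token)  # confirmation goes to the OLD address
        return acct.pending["cross_domain"]

    def _second_factor_ok(self, acct: Account, otp: Optional[str]) -> bool:
        if acct.totp_secret is None:
            return True
        expected = hotp(acct.totp_secret, acct.otp_counter)
        if otp is not None and hmac.compare_digest(otp, expected):
            acct.otp_counter += 1  # a code is single-use
            return True
        return False

    def confirm(self, acct: Account, token: str, otp: Optional[str] = None) -> str:
        p = acct.pending
        if not p:
            return "no-request"
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), p["token_hash"]):
            return "bad-token"
        if not self._second_factor_ok(acct, otp):
            return "2fa-required"
        if p["cross_domain"]:
            return "held-for-review"  # a person checks moves to another domain
        acct.contact = p["new"]
        acct.pending = {}
        return "applied"


def run_scenario():
    """Replays the Chunkhost case against the policy and returns each decision."""
    outbox = []
    policy = ContactChangePolicy(lambda to, tok: outbox.append((to, tok)))
    acct = Account(contact="support@chunkhost.com", totp_secret=b"12345678901234567890")
    results = [("cross_domain_flagged", policy.request(acct, "support@chunkhost.info"))]
    to, token = outbox[-1]
    results.append(("token_sent_to", to))
    results.append(policy.confirm(acct, "guessed-token", hotp(acct.totp_secret, 0)))
    results.append(policy.confirm(acct, token))                # right token, no code
    results.append(policy.confirm(acct, token, hotp(acct.totp_secret, 0)))
    results.append(("contact_after_attack", acct.contact))
    policy.request(acct, "ops@chunkhost.com")                   # legitimate same-domain move
    _, token = outbox[-1]
    results.append(policy.confirm(acct, token, hotp(acct.totp_secret, 1)))
    results.append(("contact_after_legit_change", acct.contact))
    return results


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

The point of sending the token to the existing address is that an attacker who only controls the requested address, as in the Chunkhost case, never sees it; the second factor covers the case where the old mailbox itself has been compromised.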

Corporate clients who use third-party email services should be on notice: hackers are actively targeting such accounts. Meanwhile, here’s an important notice to consumers: you can’t believe everything you read, even an email that appears to come from a company you trust. Hackers can send out very believable-looking phishing emails with requests for password changes or payment information. You should always be skeptical of such emails, but now you have new reasons to be. When feasible, avoid clicking on links in emails and instead visit websites directly by typing the site address into your web browser’s address bar.
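The advice here and in the Tarter Farm story earlier on this page (a company will never ask for your password by email; links may not lead where the sender claims) can be turned into checks a mail filter or help desk runs over a suspicious message. The following Python is an added example, not code from the article, Facebook, SendGrid or the BBB. It parses a raw RFC 822 message and scores four indicators: a brand named in the sender or subject that does not match the real sender domain, link hosts outside the sender’s domain, requests for credentials or payment details, and pressure language. The brand table, phrase lists and both sample messages are constructed assumptions for the demonstration.

```python
"""Phishing indicators for an inbound plain-text message.

Added example, not code from the article or the companies named in it.
The brand table, phrase lists and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed table of brands and the domains they legitimately send from.
BRAND_DOMAINS = {
    "facebook": ("facebook.com", "facebookmail.com"),
    "sendgrid": ("sendgrid.com",),
    "uber": ("uber.com",),
}
CREDENTIAL_PHRASES = ("password", "login information", "verify your account", "credit card")
PRESSURE_PHRASES = ("within 24 hours", "immediately", "will be disabled", "copyright violation")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess(raw: str) -> dict:
    """Return {'score': n, 'reasons': [...], 'verdict': 'ok' | 'suspicious'}."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower()
    reasons = []

    # 1. Brand claimed in the display name or subject, but sent from elsewhere
    for brand, domains in BRAND_DOMAINS.items():
        if brand in f"{display_name} {subject}".lower() and not any(_same_org(sender_domain, d) for d in domains):
            reasons.append(f"claims to be {brand} but sent from {sender_domain or 'unknown'}")
            break

    # 2. Links pointing at hosts unrelated to the sender's domain
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    foreign = sorted(h for h in hosts if h and not _same_org(h, sender_domain))
    if foreign:
        reasons.append("links to " + ", ".join(foreign))

    # 3. Asks for credentials or payment details
    hit = next((p for p in CREDENTIAL_PHRASES if p in text), None)
    if hit:
        reasons.append(f"asks for '{hit}'")

    # 4. Pressure to act now
    hit = next((p for p in PRESSURE_PHRASES if p in text), None)
    if hit:
        reasons.append(f"pressure language: '{hit}'")

    score = len(reasons)
    return {"score": score, "reasons": reasons, "verdict": "suspicious" if score >= 2 else "ok"}


# Constructed samples: a copyright-notice lure like the one in the Tarter story, and a benign notice.
PHISH = """From: "Facebook Copyright Team" <notice@fb-page-review.example>
To: social@example-farm.test
Subject: Copyright violation on your page

Content on your page violates copyright and will be removed within 24 hours.
Confirm ownership here: http://secure-page-appeals.example/verify
You will need to enter your login information.
"""

BENIGN = """From: "Campus IT" <helpdesk@university.example>
To: students@university.example
Subject: Planned network maintenance Saturday

Wireless service will be offline from 02:00 to 04:00 on Saturday.
Details: https://it.university.example/maintenance
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, assess(raw))
```

The phrase lists are deliberately short; in a real filter they are one signal among several (SPF/DKIM results, sender reputation, link reputation), and the reasons list is what a help desk shows the user so the "never type your password into a link from an email" rule is learned, not just enforced.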

If you have given up sensitive information to a phisher, it’s important to take steps to control the damage. If it’s an account number, report your account info as stolen so the bank or card issuer can close the account, or take similar steps to stop or undo any instances of fraud. Keep a close eye on your account statements, and check your credit reports and credit scores for signs that someone has opened an account in your name, or is using an existing one. You can get your credit reports for free every year from AnnualCreditReport.com, and you can get your credit scores for free from several sources, including Credit.com.

Source: http://ift.tt/1AkFsSG

Nuclear missiles should be taken off high alert to prevent hackers from causing nuclear war, general says

  • Taking US and Russian missiles off high alert could keep a possible cyberattack from starting nuclear war, Gen. James Cartwright says
  • The retired general said in an interview that ‘de-alerting’ nuclear arsenals could foil hackers by reducing the chance of firing a weapon in response to a false warning of attack
  • Essentially adding a longer fuse can be done without eroding the weapons’ deterrent value, he said
  • The Obama administration has considered and rejected the idea before of taking nuclear missiles off high alert
  • Cartwright said cyberthreats to the systems that command and control U.S. nuclear weapons demand greater attention
  • Defense officials have been tight-lipped about countering these types of cyber threats

Taking U.S. and Russian missiles off high alert could keep a possible cyberattack from starting a nuclear war, a former commander of U.S. nuclear forces says, but neither country appears willing to increase the lead-time to prepare the weapons for launch.

Retired Gen. James Cartwright said in an interview that ‘de-alerting’ nuclear arsenals could foil hackers by reducing the chance of firing a weapon in response to a false warning of attack.

Essentially adding a longer fuse can be done without eroding the weapons’ deterrent value, said Cartwright, who headed Strategic Command from 2004 to 2007 and was vice chairman of the Joint Chiefs of Staff before retiring in 2011.

The Obama administration has considered and rejected the idea before of taking nuclear missiles off high alert. There appears to be little near-term chance that Moscow would agree to pursue this or any other kind of nuclear arms control measure, given the deteriorating U.S.-Russian relations after Russia’s intervention in eastern Ukraine.

The U.S. and Russia also are at odds over a U.S. accusation that Moscow is violating a treaty banning medium-range nuclear missiles.

Robert Scher, the Pentagon’s top nuclear policy official, told Congress this month that ‘it did not make any great sense to de-alert forces’ because the administration believes the missiles ‘needed to be ready and effective and able to prosecute the mission at any point in time.’

An example of the high alert level of U.S. nuclear weapons is the land-based nuclear force. These are the 450 Minuteman 3 missiles that are kept ready, 24/7, to launch from underground silos within minutes after receiving a presidential order.

A study led by Cartwright proposes to adjust the missile command and control system so that it would take 24 hours to 72 hours to get the missiles ready for launch.

Opinions: Robert Scher, the Pentagon’s top nuclear policy official (left), told Congress this month that ‘it did not make any great sense to de-alert forces.’ Lisbeth Gronlund, co-Director of the Union of Concerned Scientists’ global security program (right), said Wednesday her group, which favors abolishing nuclear weapons, endorses de-alerting

Cartwright said cyberthreats to the systems that command and control U.S. nuclear weapons demand greater attention. While the main worry once was a hacker acting alone, today it is a hostile nation-state, he said, that poses more of a threat even as the Pentagon has improved its cyberdefenses.

‘The sophistication of the cyberthreat has increased exponentially’ over the past decade, he said Tuesday. ‘It is reasonable to believe that that threat has extended itself’ into nuclear command and control systems. ‘Have they been penetrated? I don’t know. Is it reasonable technically to assume they could be? Yes.’

Cyberthreats are numerous and not fully understood, officials say.

Could a hacker spoof early warning networks into reporting attack indications that lead to overreactions by national leaders? Could they breach firewalls to transmit unauthorized launch orders to crews in nuclear missile launch control centers?

A mockup of a Minuteman 3 missile is seen here.

Defense officials are tight-lipped about countering this type of cyber threat.

Last week the No. 2 official at the National Nuclear Security Administration, Madelyn Creedon, was asked at a Senate hearing about progress against this threat to nuclear command and control. She said the government is ‘doing better,’ but she declined to publicly discuss details.

Two years ago the Pentagon’s Defense Science Board, an advisory group, reported that ‘most of the systems’ in the U.S. nuclear arsenal had not been fully assessed to understand possible weak spots in the event of an all-out cyberattack.

Cartwright is the lead author of a report published Wednesday by the Global Zero Commission, an international group co-founded by a former Air Force nuclear missile launch control officer, Bruce Blair, now a research scholar at Princeton. The report calls for a phased approach to taking U.S. and Russian missiles off high alert, with 20 percent of them off launch-ready alert within one year and 100 percent within 10 years, under a legal or political agreement.

The report argues that lowering the alert levels should be preceded by both Russia and the U.S. eliminating a strategy known as a ‘launch on warning’ – being prepared to launch nuclear missiles rapidly after early warning satellites and ground radar detect incoming warheads. It says this presents an unacceptable level of nuclear risk, and argues that vulnerability to cyberattack against the warning systems or the missile control systems is ‘a new wild card in the deck.’

‘At the brink of conflict, nuclear command and warning networks around the world may be besieged by electronic intruders whose onslaught degrades the coherence and rationality of nuclear decision-making,’ the report says.

Lisbeth Gronlund, co-director of the Union of Concerned Scientists’ global security program, said Wednesday her group, which favors abolishing nuclear weapons, endorses de-alerting.

‘Keeping missiles on hair-trigger alert makes them more vulnerable to an unauthorized launch, including one resulting from a cyberattack,’ Gronlund said.

Read more: http://ift.tt/1EG0L6J
from hacker samurai http://ift.tt/1JUQhQB
via IFTTT

Nuclear missiles should be taken off high alert to prevent hackers from starting causing nuclear...


from Hacker Samurai http://ift.tt/1JUQhQB
via IFTTT

O’Leary’s charm offensive fails to impress Chinese hackers | hacker samurai


from Hacker Samurai http://ift.tt/1QOZfEl
via IFTTT

O’Leary’s charm offensive fails to impress Chinese hackers

Michael O’Leary has failed to convince some people in the world of Ryanair’s niceness

RYANAIR chairman Michael O’Leary’s charm offensive designed to win over customers hasn’t seemed to reach China. The no frills airline boss, who recently spoke out about the need to improve customer service to prevent “unnecessarily pissing people off,” confirmed yesterday that hackers stole almost £3.25m from its accounts, using an electronic transfer via a Chinese bank.

A spokesman for the company said that Ryanair investigated a fraudulent electronic transfer via a Chinese bank last week.

“The airline expects these funds to be repaid shortly, and has taken steps to ensure that this type of transfer cannot recur”.

Having been fined £500,000 for operating premium rate customer service phone numbers earlier this year, it seems O’Leary might regret saying that, “the war is won, we are the greatest” and accept the karmic low budget ethos: you get what you pay for.

■ Celebs from the world of sport, music and TV hit the usually hectic BTIG trading floor this week to raise money for the 13th annual BTIG Commissions for Charity Day. The VIP fundraisers who rubbed shoulders with City traders included former England cricket captain Mike Gatting, broadcaster Charlie Webster, Made in Chelsea’s Jamie Laing and Simon Cowell’s ex-squeeze and high priestess of 80s pop, Sinitta. The popular charity trading event has raised more than £19m for global children’s charities since 2003. Among the good causes chosen as recipients for the fundraiser are the children’s charities Make Some Noise and Rays of Sunshine. All donations were generated from commissions that BTIG employees gave up in the UK and US.

■ Sorry Joe, it seems you’ve been upstaged by Capco consultant Andy Greenleaf in the quest to find The Capitalist’s fastest City Marathon runner.

Our City All-Stars results board stands at:

1. 02:21:41 – Andy Greenleaf, senior consultant, Capco
2. 02:22:12 – Jason Cherriman, development consultant, Raymond James
3. 02:24:10 – Jonathan Poole, middle office, Commerzbank
4. 02:33:13 – Fintan Parkinson, assistant manager, HSBC
5. 02:33:27 – Joe Clark, financial engineer, Rabobank

Kudos goes to our fastest City gal, Thomson Reuters’ Emma Curzon, who also smashed Carney’s time with 03:04:56. Time for a well earned rest, folks.

Source: http://ift.tt/1QOZhfp



from hacker samurai http://ift.tt/1QOZfEl
via IFTTT

Major Flaw Could Let Remote Hackers into SOHO Routers | hacker samurai


from Hacker Samurai http://ift.tt/1GIVpXO
via IFTTT

Major Flaw Could Let Remote Hackers into SOHO Routers

Major security issues in small office and home routers have again been highlighted after TippingPoint’s Zero Day Initiative (ZDI) publicly disclosed a new vulnerability which could allow attackers to remotely execute malicious code on devices.

The remote code execution bug, CVE-2014-8361, affects the RealTek SDK, which means routers from D-Link and Trendnet for sure, but probably many others too.

The ZDI advisory had the following:

“The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.”

HP-owned TippingPoint – which was told of the bug by researcher Ricky ‘HeadlessZeke’ Lawshae – decided to go public with the flaw after months of inaction by RealTek, despite telling the vendor about the vulnerability way back in August last year.

ZDI said in its advisory that the only effective mitigation strategy would be to “restrict interaction with the service to trusted machines.”

“Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it,” it added. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

The disclosure is the latest in a string of similar incidents involving SOHO routers.

Most recently, D-Link was forced to push out firmware updates to some of its models to address remote code injection, DNS hijacking and other flaws.

Rapid7 security engineering manager Tod Beardsley argued that patch management of home routers is “usually non-existent”: vulnerabilities mostly cause no noticeable difference in performance, and because the ecosystem is fragmented, no single company takes responsibility for patching.

“There are some open source projects, such as OpenWRT and AdvancedTomato which offer much more frequent updates to the firmware that drives several versions of common, off-the-shelf router/modem hardware, but the onus is on the user to ensure that these are up to date,” he added.

“So, there are alternatives to the stock firmware offered by D-Link, Linksys, Buffalo, and other vendors, but there is definitely a maintenance cost associated with them, not the least of which is warranty violation.”

Source: http://ift.tt/1P9vF8Y



from hacker samurai http://ift.tt/1GIVpXO
via IFTTT

Valve introduces Game Bans on Steam; allows developers to report hackers and cheaters | hacker...


from Hacker Samurai http://ift.tt/1OIBHCt
via IFTTT

Valve introduces Game Bans on Steam; allows developers to report hackers and cheaters

Nobody likes a cheat, and Valve are no different. This week, they’ve widened their ability to ban nefarious individuals by allowing game developers to report any suspicious activity straight to Valve. Gamers that are found guilty can find themselves with a Game Ban for the specific games they cheat in, even ones that aren’t enforced with Valve’s own VAC and Overwatch anti-cheat system.

The main advantage Game Bans provide is being able to take action on games that use their own anti-cheat system, other than Valve’s own. “Playing games should be fun.” Valve correctly stated. “In order to ensure the best possible online multiplayer experience, Valve allows developers to implement their own systems that detect and permanently ban any disruptive players, such as those using cheats.”

But with great power comes great responsibility. “Game developers inform Valve when a disruptive player has been detected in their game, and Valve applies the game ban to the account.” continued Valve. “The game developer is solely responsible for the decision to apply a game ban. Valve only enforces the game ban as instructed by the game developer.”

Valve have lately sparked a lot of heated debate with the swift introduction and then retraction of paid mods on Steam.

Source: http://ift.tt/1bXrilk



from hacker samurai http://ift.tt/1OIBHCt
via IFTTT

Wednesday 29 April 2015

Russia Wages All-Out Cyberwar Against Ukraine | hacker samurai


from Hacker Samurai http://ift.tt/1KuHxS0
via IFTTT

Russia Wages All-Out Cyberwar Against Ukraine

Russian hackers see themselves as part of the battlefield rather than intelligence gathering

Russia has hacked the White House, gained access to President Barack Obama’s emails, and even infiltrated the Pentagon’s network. So it’s little surprise that Moscow has been waging an all-out cyberwar against Ukrainian law enforcement agencies and the military. According to a new report from security firm Lookingglass, the Russian gang of hackers is extracting classified documents that can help them (and probably Moscow-backed separatists) in on-the-ground combat.

Russian hackers are using ‘lure documents’

Lookingglass CEO Chris Coleman told NPR that the attacks were persistent, but not sophisticated. The Arlington, Virginia-based cyber security firm said that it tracked malware that was in emails. Russian hackers are getting the Ukrainian military, local police, counterintelligence, and border patrol to open these malicious emails that look legit.

They use “lure documents” to entice the recipient to open the email. Lookingglass lead researcher Jason Lewis cited an MS-Word file dated January 15, 2015. The file had “not for distribution” written on it in Ukrainian. It gives an overview of the situation on the Ukraine-Russia border. Lewis says hackers stole the document from Ukraine’s State Border Guard Service, inserted the malware, and sent it to another Ukrainian security agency.

Russia started collecting combat intel in April 2014

There would be at least one person who considers it legit and opens the email. Even military officers are human, says Lewis, who has previously worked at the National Security Agency. The malware then infects the computer, allowing hackers to extract all the information. Lookingglass said hackers started collecting combat intel in April 2014, when the acting Ukrainian President launched a military operation against pro-Russia separatists.

It was just one example of Russian cyberattacks on Kiev. In September 2014 when Ukraine declared that Russian spy agency KGB was behind the attacks, hackers tweaked their malicious software. Lookingglass also found that the cyberattacks stopped for a brief period when Ukraine and Russia negotiated a ceasefire last June. It indicates that hackers see themselves as part of the battlefield rather than intelligence gathering, which goes on even during a ceasefire.

Lookingglass said neither Russia nor Ukraine was its client. It couldn’t investigate whether Ukraine was also hacking Russia.

Source: http://ift.tt/1ECW9Os



from hacker samurai http://ift.tt/1KuHxS0
via IFTTT

Double trouble for cyber hackers as IBM takes security analytics to the cloud | hacker samurai


from Hacker Samurai http://ift.tt/1zqfMJy
via IFTTT

Double trouble for cyber hackers as IBM takes security analytics to the cloud

“Organisations are facing a security data tsunami that can overwhelm even the most sophisticated enterprise’s security program.”

IBM is bringing its Security Intelligence technology, IBM QRadar, to the cloud, giving companies the ability to better prioritise real threats and free up critical resources to fight cyberattacks.

The new services are available to clients through a cloud-based Software as a Service (SaaS) model, with optional IBM Security Managed Services to provide deeper expertise and flexibility for security professionals.

According to the 2014 IBM Cyber Index, organisations globally deal with an average of 91 million potential security events every year, creating vast volumes of data that need to be stored and analysed.

Cloud-based threat monitoring and analytics provides the simplicity of a hosted deployment, combined with advanced analytics capabilities and the proven expertise from a security services provider needed to monitor today’s hybrid IT environments.

The first of the two new cloud-based services is IBM Security Intelligence on Cloud, designed to help organisations determine if security-related events are simple anomalies or potential threats.

Built as a cloud service using IBM QRadar, enterprises can quickly correlate security event data with threat information from over 500 supported data sources for devices, systems, and applications.

This is complemented by more than 1500 pre-defined reports for use cases such as compliance, vulnerability management and security incident response.

“Organisations are facing a security data tsunami that can overwhelm even the most sophisticated enterprise’s security program,” says Jason Corbin, Vice President, Product Management and Strategy, IBM Security.

“Security leaders are telling us they want increased visibility through the cloud and control throughout their hybrid IT environments.

“The option of doing predictive analytics via the cloud gives security teams the flexibility to bring in skills, innovation and information on demand across all of their security environments.”

The second cloud service is the Intelligent Log Management on Cloud, designed to simplify security and compliance data collection and reporting needs.

Powered by IBM QRadar technology, Intelligent Log Management uses analytics and a hosted, multi-tenant technology to better deliver compliance with powerful real-time correlation and anomaly detection capabilities.

Through support for more than 400 platforms, security managers can also capture logs from nearly any device in their security operation.

Corbin says these new offerings are backed and delivered through IBM’s next-generation platform of managed security services, handling over 15 billion security events per day for over 4,000 clients around the world.

Source: http://ift.tt/1DCjN8L



from hacker samurai http://ift.tt/1zqfMJy
via IFTTT

Credit card numbers stolen from Ardsley DeCicco’s | hacker samurai


from Hacker Samurai http://ift.tt/1EDASnZ
via IFTTT

Credit card numbers stolen from Ardsley DeCicco’s

Hackers stole customers’ credit card numbers from the DeCicco’s supermarket in Ardsley.

The cyber-attack is believed to have occurred around April 17 because two customers contacted the store about suspicious activity on their cards, said Danielle Thomas, DeCicco’s legal clerk. After the customers’ calls, staff in the store reported that they too had suspicious charges on their cards.

“There was a glitch in the credit card processing software that allowed hackers to access the information while it was on the way to the processor,” Thomas said on Tuesday. “The hacker was able to get the numbers on the front of the card, but not the pin numbers or expiration dates.”

The store doesn’t know how many shoppers were affected by the glitch, which has since been located and fixed. The store also added more security with advanced encryption.

The store is working with police and attempting to contact all customers affected by the hack.

“We’re just fortunate that a lot of our customers understand and we’re sorry for any inconvenience,” said Thomas.

Source: http://ift.tt/1DCbuts



from hacker samurai http://ift.tt/1EDASnZ
via IFTTT

Are Consumers Suffering from ‘Data-Hack Fatigue’? | hacker samurai


from Hacker Samurai http://ift.tt/1EDwRzW
via IFTTT

(ISC)² Americas ISLA Winner - Shawn Marck

One Stop for all things Hackers http://ift.tt/1FuqIFT
from Hacker Samurai http://ift.tt/1GG2JDq
via IFTTT

Are Consumers Suffering from ‘Data-Hack Fatigue’?

(TNS) — Chances are, you’ve heard something about the cyberattack on Premera Blue Cross in the six weeks since the company announced its massive security breach. Maybe you even received a letter saying your personal information had been compromised. But how worried should you be, exactly?

Premera’s breach, in which hackers stole personal financial and medical data for about 11 million people — 6 million of them in Washington alone — was just the latest brazen attack on health system data.

In January this year, Anthem BlueCross BlueShield disclosed a breach that affected an estimated 80 million people, including patient data stretching back to 2004. Last year, Community Health Systems, the parent company of Yakima Regional Medical and Cardiac Center, was breached via the “Heartbleed” bug, an Internet vulnerability that allowed hackers to gain information on 4.5 million patients nationwide. Premera’s breach actually occurred in May 2014; the company learned of it Jan. 29 but didn’t make a public announcement until mid-March.

All those breaches came after attacks on retailers like Target and Home Depot, where credit card information for tens of millions of customers was stolen.

Now, consumers might be at risk of data-hack fatigue, tempted to tune out the deluge of bad news as simply one more cost of living in digital world. But consumer advocates and health industry insiders say people need to keep paying attention — if not to prevent fraud, then at least to catch it as soon as possible.

At a recent health information management convention, one of the main seminars was “It’s Not a Matter of ‘If’; It’s a Matter of ‘When,’” said Jeff Yamada, chief information officer and vice president at Yakima Valley Memorial Hospital.

“(Hackers) are getting so sophisticated in some of the tools that they’re using, it’s hard to stay one step ahead of the threats,” Yamada said last week in an interview.

“Some of the information they’ll gather, they’ll also gather from kids, so down the line they have that information to be used at any time,” he said.

Premera, like Anthem before it, is offering two years of free credit monitoring for anyone who was affected by the breach. The company spent most of April sending out letters to affected customers, outlining options for assistance.

Some consumers are scoffing at the idea of two years of credit monitoring when their personal information is potentially vulnerable to theft and fraud for years to come.

Premera spokeswoman Melanie Coon wrote in an email that the company is encouraging affected customers to carefully review any “explanation of benefits” statements upon receipt, to look for any claims for services they never received, and to contact Premera directly.

Also, she said, “Affected individuals need to know that Premera will not email members or make unsolicited phone calls to members about this attack,” so if someone calls randomly or emails asking for personal information, don’t go along with it.

“Although the investigation has not determined that any such data was removed from our systems and we have no evidence to date that such data has been used inappropriately, we urge affected individuals to sign up for the credit monitoring and identity theft protection products,” Coon wrote.

Recognizing that identity theft may happen “months and even years after a data breach,” she said, Premera is providing members with ExtendCARE, which offers fraud resolution support and covers identity theft issues after their membership has expired.

On the health care side, where detailed patient information is collected, Yamada says health care organizations nationwide are constantly evolving in how they identify and protect against potential threats.

At Memorial, he said, every year the hospital brings in an outside team to do a full security assessment. After a week of close monitoring, the group hands over a long report detailing every vulnerability in the system, and hospital directors prioritize which issues they need to fix first.

“There’s constantly threats that kind of hit our front door — industrywide, that happens every day,” Yamada said.

Protecting against those threats takes a significant investment in staff and infrastructure, he said.

“From an IT perspective, yeah, we do spend a lot of dollars. And every year that seems to grow,” he said. But, of course, they can’t afford not to do so: “One breach will basically pay for itself,” he said.

“My take … I say, if a robber wants to break into your house, they’ll find a way to break in; you’ve just got to make it as hard as possible,” Yamada said. “That’s what we try to do. Do we have 100 percent of everything shored down? Probably not, but we make progress in what we’re doing.”

In the wake of Premera’s cyberattack, Washington Insurance Commissioner Mike Kreidler is leading a multistate investigation into the company’s cybersecurity system and process of customer notification. Several class-action lawsuits have also been filed against the company.

For Premera’s part, Coon said, both the FBI and security consultant Mandiant warned that going public with the breach could prompt more malicious activity from the hackers, so the company worked to finish its investigation and shore up its IT security before making the announcement March 17.

Source: http://ift.tt/1P7d3GI



from hacker samurai http://ift.tt/1EDwRzW
via IFTTT

Hackers Accessed Presidential Emails | hacker samurai


from Hacker Samurai http://ift.tt/1GFScIz
via IFTTT

Hackers Accessed Presidential Emails

According to new reports, some of President Obama’s email was obtained by hackers in last year’s breach of the White House’s computer system.

Citing senior American officials briefed on the investigation, the New York Times reported that the breach of the White House was “far more intrusive and worrisome than has been publicly acknowledged.” According to these officials, the hackers accessed the email archives of government officials who work in the White House and correspond with the President. The hackers are not believed to have accessed any highly classified information or breached the services connected to President Obama’s personal BlackBerry, which he or an aide carries at all times. The officials did not reveal how many emails were obtained or their contents, though they admitted the unclassified system can contain highly sensitive information such as schedules, email exchanges with ambassadors and diplomats, and debates about policy and legislation.

“This has been one of the most sophisticated actors we’ve seen,” said one of the officials briefed on the investigation. In 2008, Chinese hackers were said to have breached the Obama and McCain campaigns and the White House is bombarded with cyberattacks daily, though few breach the security. Last year’s hackers are believed to be linked to the Russian government, though this has yet to be officially confirmed at this time. “It’s the Russian angle to this that’s particularly worrisome,” said another official in a statement to the Times. The White House, National Security Council, and F.B.I. have declined to comment on the investigation.

Source: http://ift.tt/1GFN0qP



from hacker samurai http://ift.tt/1GFScIz
via IFTTT

Hackers Can Take Over That Robot Performing Your Surgery | hacker samurai


from Hacker Samurai http://ift.tt/1InHdFM
via IFTTT

Hackers Can Take Over That Robot Performing Your Surgery

SAN FRANCISCO (CBS SF) — A team of researchers successfully hacked a robot designed to carry out surgical procedures, prompting fears the devices could be taken over by hackers with malicious intent.

The researchers from the University of Washington were studying the pros and cons of robots used for surgery.

The surgeries are carried out remotely, offering patients in areas with poor medical access a chance at care they couldn’t otherwise receive. The devices are controlled by surgeons using standard web access, leaving them open to hackers, ComputerWorld reported.

The researchers used a two-armed Raven II telesurgery robot, and set out to hijack the robot during an operation in which the robot was supposed to move rubber blocks.

They hacked the robot using three different attacks, finally allowing them to completely take over its actions. Another attack allowed them to cause the robot to freeze during the operation.

“We are able to easily stop the robot from ever being properly reset, thus effectively making a surgical procedure impossible,” the researchers wrote.

The researchers concluded that encrypting the data could fix the vulnerability.

Source: http://ift.tt/1FvEk4F



from hacker samurai http://ift.tt/1InHdFM
via IFTTT

Focus On ‘Inside’ Threats Herds Business To CyberArk

CyberArk battles hackers from within. The Israel-based network security company helps customers in 65 countries protect privileged accounts that serve as gateways to sensitive and valuable information inside their computer networks.

Attackers who infiltrate perimeter cyberdefenses can go for months without being detected, CyberArk (NASDAQ:CYBR) CEO and co-founder Udi Mokady told IBD. Once inside, they search for a corporation’s privileged or administrative accounts, gain access to networks and databases and steal information or wreak havoc.

Mokady pointed to the “totality” of the high-profile, malicious cyberattack on Sony Pictures Entertainment in November as an example.

What Sony Pictures Endured

Hackers stole and erased sensitive documents and left computer systems unusable. Sony Pictures Entertainment had to “shut down its entire network,” Sony (NYSE:SNE) said in a January SEC filing that requested a delay in submitting its quarterly report due to the attack.

Sony’s filing noted that “most of SPE’s financial and accounting applications and many other critical information technology applications” would not be functional until early February.

Thousands of the studio’s employees were left without email and other critical functions. Movies, Social Security numbers and other documents were leaked.

“Hackers are no longer just out to steal information, but to get embedded in the network, IT system and applications to completely disrupt a company’s ability to do business,” Mokady said. “Privileged accounts are exploited in almost every targeted attack, and this is the primary reason why attacks are so damaging and so hard to stop.”

Providing a “digital vault” for companies’ privileged accounts and sensitive information is a key layer of protection that Mokady and co-founder Alon Cohen saw a need for back when they started CyberArk in 1999.

Today, the company has roughly 1,800 clients that include 40 of the Fortune 100 companies, 17 of the top 20 global banks and 18% of the Global 2000 companies.

Big Companies Are Customers

That list is likely to keep growing, several analysts say, as enterprises look for rapid detection-and-response solutions to cyberattacks.

“Enterprises have come to the realization that preventing every breach is impossible,” JMP Securities analyst Erik Suppiger said in an April 22 research report, while attending the RSA Conference on cybersecurity, one of the industry’s top annual events, held April 20-24 this year in San Francisco.

“Our checks indicate privileged account management, in particular, which is a form of internal security, is evolving into a key spending priority, and we believe CyberArk is garnering a disproportionate share of that market,” Suppiger said. “The rise in company databases being hacked has caused security managers to invest a larger portion of their budgets in detection solutions, which CyberArk specializes in.”

Read More At Investor’s Business Daily: http://ift.tt/1QK8mpR



from hacker samurai http://ift.tt/1GwmQBu
via IFTTT

Focus On ‘Inside’ Threats Herds Business To CyberArk | hacker samurai


from Hacker Samurai http://ift.tt/1GwmQBu
via IFTTT

Budget Increase: Check — Now how do you build out an effective security program and team? |...


from Hacker Samurai http://ift.tt/1QJWR1B
via IFTTT

Rise of the Rest – Spring 2015 Edition: Pitch Competition Participants Revealed! | hacker samurai


from Hacker Samurai http://ift.tt/1QJWR1v
via IFTTT

Study predicts global infosec workforce shortage of 1.5M by 2020 | hacker samurai


from Hacker Samurai http://ift.tt/1Gwe4mV
via IFTTT

Show time: 8 finalists to compete for $100,000 from Steve Case | hacker samurai


from Hacker Samurai http://ift.tt/1QJWQe4
via IFTTT

Tesla to Be Offered Up to Hackers—Report | hacker samurai


from Hacker Samurai http://ift.tt/1HRgeld
via IFTTT

Budget Increase: Check — Now how do you build out an effective security program and team?

By HP Security Strategist Stan Wisseman

The constant stream of security incidents has convinced your executive leadership and Board to take action – they’ve asked you to build out an information security program and provided the funding to do so. Where to start? It’s possible to spend a lot of money on information security enhancements that are ineffective against today’s threats. What are the most important cyber-related risks to address? How can the information security program support the mission of the organization? How can the program get properly resourced?

Baselining against a Framework

A good place to start is by leveraging a cyber-security control framework. Use of a framework isn’t a silver bullet, but it gives you a vetted reference model of best practices to work with. There are several frameworks to consider, including: ISO/IEC 27001:2013, NIST Cyber Security Framework (CSF), and the SANS Critical Security Controls for Effective Cyber Defense. I’ve used ISO 27001/2 as a framework with some success. The difficulty with all ISO standards, in my opinion, is that the revision cycles are long and the standards may not adapt quick enough to the evolving threat landscape. Also, ISO standards can be bloated with excessive wording, long lists, and unnecessary prescriptive text. SANS helpfully prioritizes their list of 20 critical controls to help you focus on what they view as the most effective measures. Some prefer the SANS top 20 due to its practical nature. The NIST CSF leverages existing cybersecurity best practices (ISO 27001, COBIT, ISA 99, etc.) and is divided into five “core functions” with sub-categories. Chart

The CSF was built with the flexibility to add new categories and subcategories as new requirements arise. You can also use more function-specific frameworks like Cigital’s Build Security In Maturity Model (BSIMM) for software security, or HP’s Security Operations Maturity Model (SOMM) for security operations.

Whichever framework(s) you select, it’s a good practice to assess your organization’s current security posture against the framework to establish a baseline capability and identify functional gaps. Don’t get discouraged by the results! We are all on a journey to enhance the maturity of our security control environments. As reflected in a recent post by Brian Krebs, understanding where your organization is on the maturity scale is a valuable reference as you develop your program roadmap. You will want to focus on the most impactful enhancements to mitigate gaps and enhance program maturity. As was shown in HP’s 2015 Cyber Risk Report, these could be a combination of dealing with the basics (e.g., secure platform configurations) as well as more advanced capabilities (e.g., user behavioral analytics). I recommend development of a multi-year roadmap that aligns with overall organization goals and manages InfoSec risks within the risk appetite of the organization. Now you’ve got to resource the plan.

Developing a Cybersecurity Workforce

Resourcing, however, is the next challenge – developing a workforce with the abilities to execute the roadmap. It’s difficult to find individuals with a balance of technical skills and the soft skills necessary to constructively engage with business partners. I recommend a competency-based talent approach rather than one based solely on experience or certifications (the NICCS National Cybersecurity Workforce Framework is a useful reference). You also need to be open-minded when recruiting, given that the demand for cybersecurity-skilled professionals has outstripped supply in the US, with an estimated 209K jobs going unfilled. You may need to develop from within through professional development programs, or consider outsourcing some functions.

Once you’ve captured your workforce requirements, you can determine which roles are better filled by employees and which can be provided by external parties. In certain cases, outsourcing cyber security functions provides benefits that include lower costs, additional expertise, operational efficiencies and a lower burden on management. For small to medium businesses, outsourcing makes it possible to have many of the same capabilities as larger organizations, but at a lower cost than building the capability in house.

It is critical that you have a flexible and well-rounded team, whether they are in-sourced, outsourced, or a hybrid. A great analogy is NASA’s Mission Control Center (MCC). The MCC has an integrated team of flight controllers certified in particular disciplines such as electrical power, thermal control, trajectory, payload, or medical. All of them have a general understanding of the mission parameters, but each team member has unique knowledge. If a mission incident does occur, they can combine their collective wisdom to develop a comprehensive and effective plan (think of the MCC of Apollo 13).

Likewise, you need a battle-hardened team composed of SMEs in various domains (e.g., software security, network defense, cyber operations, digital forensics), each well versed in their respective domain. Most importantly, you need to see how the whole program hangs together in order to create a “mission plan” as well as a team that responds effectively when there is a newly discovered vulnerability, breach or attack.

Learn more about HP Enterprise Security.

View the original content and more from this author here: http://ift.tt/1bb9fXp



from hacker samurai http://ift.tt/1QJWR1B
via IFTTT

Rise of the Rest – Spring 2015 Edition: Pitch Competition Participants Revealed!

By Revolution Team

In just one week, we’ll kick off the third installment of the Rise of the Rest Tour, which will traverse the Southern U.S. from May 4th-8th. Hot off the presses, we’re excited to briefly introduce the 40 startups who will line up to pitch Steve Case for a chance to win a $100,000 investment. Which promising young startup will rise to the top in Richmond, Raleigh-Durham, Charleston, Atlanta, and New Orleans? Follow our live Road Trip Journal on riseofrest.tumblr.com to find out.

We’re excited to once again be joined by Google for Entrepreneurs and UP Global as presenting partners for the tour, with support from both new and previous tour partners including Salesforce for Startups, Engine, Tech Cocktail, Startup Grind, Village Capital, and Seed Here Studio.

This promises to be one of the liveliest Rise of the Rest tours thus far – we’ll be joined by public and private sector luminaries like Governors Nikki Haley and Pat McCrory, Senators Mark Warner and Tim Kaine, Sallie Krawcheck, Walter Isaacson, and jazz legend Irvin Mayfield. And in addition to the startup crawls, fireside chats and pitch competitions that are the hallmark of every Rise of the Rest stop, on this swing we will tour the Atlanta Belt Line to discuss redevelopment, hold the first ever pitch competition aboard a Navy ship (the USS Yorktown in Charleston), a live pitch fest on a Mardi Gras style float as it travels through the streets of New Orleans with music playing and beers served (for those over 21), a first pitch at a Durham Bulls game, and a gathering of college students in Research Triangle – to name a few.

Our tour through the Southern U.S. will put new miles on the Rise of the Rest bus, which has already traveled more than 2,000 miles to nine U.S. cities: Detroit, Pittsburgh, Cincinnati, Nashville, Madison, Minneapolis, Des Moines, Kansas City, and St. Louis. We’ve met incredible startups and visionary leaders in each of these startup ecosystems who understand the important role that all sectors – public and private – play in helping the entrepreneurial economy thrive. And Steve has personally invested $1 million in great startups along the way.

So, without further ado, we’re excited to share the list of companies who will have the opportunity to join our growing Rise of the Rest portfolio, along with the names of some of the all-star judges who will join us.

MAY 4TH: RICHMOND, VIRGINIA

  • Guest judges include: Steve Case (Revolution); Aneesh Chopra (Hunch Analytics, former Chief Technology Officer of the United States); Ting Xu (Evergreen Enterprises); Aaron Montgomery (Carlotz); Tige Savage (Revolution Ventures); and Eric Edwards (Kaleo).
  • Pitching companies:
    Rockin’ Baby – premium baby carriers and clothing brand
    Marilyn & Michelle – products to help comfort women with breast issues
    Painless 1099 – smart banking platform to help freelance workers save for and file taxes
    Nutriati – plant-based ingredient nutrition company
    WealthForge – solution to make private placement transactions more efficient
    Luminary – multichannel CRM platform
    Hourwise – on-demand back office support for trades-people
    Vibeats – mobile web platform for dining reservations

MAY 5TH: RALEIGH-DURHAM, NORTH CAROLINA

  • Guest judges include: Steve Case (Revolution); Frank Stasio (NPR correspondent); J.D. Harrison (The Washington Post); Talib Graves-Manns; and Sarah Yarborough (Raleigh Denim).
  • Pitching companies:
    Tom and Jennys – cavity-preventing, sugar-free candy
    Personalized Learning Games – social and emotional learning platform for K-8 students
    ELXR Health – platform for behavioral patient consent and data exchange
    Archive Social – social media archiving, monitoring, and analytics for legal compliance
    Stealz – social media engagement tool that turns customers into brand ambassadors.
    Reveal Mobile – mobile audience platform that improves mobile ad targeting
    Antenna – platform to react to any content or product on the internet
    RocketBolt – platform for intelligent lead tracking throughout a customer’s experience

MAY 6TH: CHARLESTON, SOUTH CAROLINA

  • Guest judges include: Steve Case (Revolution); Eric Bowman (Sparc); Sallie Krawcheck (Elevate Network); Bobby Ocampo (Revolution Ventures); Herbert Drayton III (Vertical Holdings); and Bobby Hitt (South Carolina Secretary of Commerce).
  • Pitching companies:
    Dynepic – creating a playground for smart toys
    Good Done Great – revolutionizing the way corporations and people give back
    Eatabit – API that prints electronic food orders inside restaurants
    Bidr – platform to help fundraisers increase performance
    Charleston Gourmet Burger – unique, all natural gourmet burger seasonings
    OpenAngler – platform to find and book fishing charters
    Bublish – cloud-based tools, metrics and resources for authorpreneurs
    Echovate – replicating top performers through data-science machine learning

MAY 7TH: ATLANTA, GEORGIA

  • Guest judges include: Steve Case (Revolution); Tom Foster (Inc. Magazine); Bridgette Beam (Google); David Cummings (Pardot and Atlanta Tech Village); Paul Judge (Pindrop Security and Monsieur); and David Hall (Revolution Ventures).
  • Pitching companies:
    Partpic – visual search technology for replacement parts
    Groundfloor – lending club for real estate
    Cooleaf – employee engagement software for top workplaces
    LocalRoots – mobile marketplace for local farms to sell direct to consumers
    eCredable – leverages alternative credit to connect “no credit” consumers to creditors
    Zyrobotics – provides personalized technology that makes the world accessible to everyone
    Reveal Estate – Turbo Tax-like platform that empowers home buyers and saves them money
    The Village Microfund – helps develop the economic landscape of low-income communities in the US.

MAY 8TH: NEW ORLEANS, LOUISIANA

  • Guest judges include: Steve Case (Revolution); Jean Case (The Case Foundation); Irvin Mayfield (American jazz trumpeter and bandleader); and Zach Strief (New Orleans Saints).
  • Pitching companies:
    GoToInterview – on-demand video interviewing platform for high-turn industries
    PlantBid – business-to-business marketplace for the professional horticulture products industry
    WhereY’Art – marketplace and social network connecting artists and buyers
    Servato – industrial internet of things solution provider
    Get Healthy – software and services powering the direct primary care revolution
    Million Dollar Scholar – transforming how schools and parents prepare students to pay for college
    Welcome to College – helps colleges optimize the college visit and enroll optimal fit students
    Community Health TV – multicultural, multi-platform health media company

The tour is part of a national effort to shine a spotlight on one of the most important trends shaping the U.S. economy moving forward: a confluence of factors ranging from technological innovation to public policy reforms that are making it easier for high-growth startups to launch and create jobs in cities and towns nationwide, not just in Silicon Valley. Learn more about the previous winners from the tours HERE

For a full schedule and to RSVP to public events on the Spring 2015 tour, visit RiseoftheRest.com, and follow us on Twitter @RiseOfRest and Instagram.

View the original content and more from this author here: http://ift.tt/1zdsNWH



from hacker samurai http://ift.tt/1QJWR1v
via IFTTT

Study predicts global infosec workforce shortage of 1.5M by 2020

By George Jackson

In April, ISC(2) released their annual report on the global information security workforce. It predicts a perfect storm in cybersecurity — an escalating number of concerns coupled with a huge workforce shortfall.

Dan Waddell, ISC(2)’s director of government affairs for the National Capital Region, discussed trends in cyber with Government Matters from the RSA Conference in San Francisco.


View the original content and more from this author here: http://ift.tt/1zdsQSm



from hacker samurai http://ift.tt/1Gwe4mV
via IFTTT

Show time: 8 finalists to compete for $100,000 from Steve Case

By RICK SMITH, WRAL TechWire Editor

Steve Case’s “Rise of the Rest” tour is coming to the Triangle on May 5, and eight startups will be making pitches directly to the AOL founder. One of the eight will land $100,000 in financing.

Case starts his day with breakfast at the Governor’s Mansion. Then it’s on to the Triangle startup show.

This just in: Raleigh-based Groundfloor will be pitching Case in Atlanta.

Case has already invested in Triangle startups Mati Energy, Automated Insights and Windsor Circle.

Here are the finalists in the Raleigh-Durham Pitch Competition:

• Tom and Jennys – cavity-preventing, sugar-free candy
• Personalized Learning Games – social and emotional learning platform for K-8 students
• ELXR Health – platform for behavioral patient consent and data exchange
• Archive Social – social media archiving, monitoring, and analytics for legal compliance
• Stealz – social media engagement tool that turns customers into brand ambassadors.
• Reveal Mobile – mobile audience platform that improves mobile ad targeting
• Antenna – platform to react to any content or product on the internet
• RocketBolt – platform for intelligent lead tracking throughout a customer’s experience

The full schedule

Case will have a full day in the Triangle, starting with breakfast at the Governor’s Mansion with Gov. Pat McCrory.

Here’s the calendar with times and places:

8:30 AM – 9:00 AM:

Press availability, Governor’s Mansion, 200 N. Blount Street

9:00 AM – 10:30 AM:

Startup Crawl: American Underground (AU) @ Raleigh (213 Fayetteville Street, Raleigh, NC) and HQ Raleigh (310 S Harrington St, Raleigh, NC)

11:30 AM – 12:15 PM:

Rise of the Rest discussion with Steve Case and college students at Frontier, 800 Park Offices Drive, Durham, NC

12:30 PM – 1:00 PM:

Startup Crawl (continued): American Underground @ Main (201 W Main St, Durham, NC)

1:00 PM – 1:30 PM:

Lunch with companies that Steve Case previously invested in (Mati Energy, Windsor Circle, Automated Insights), American Underground @ Main (201 W Main St, Durham, NC)

2:00 PM – 3:00 PM:

Fireside Chat with Steve Case (Revolution), moderated by Frank Gruber, Tech Cocktail, Carolina Theatre, 309 W Morgan St, Durham, NC

3:00 PM – 5:00 PM:

Rise of the Rest Pitch Competition, Carolina Theatre, 309 W Morgan St, Durham

Judges: Steve Case (Revolution), Frank Stasio (NPR correspondent), Sarah Yarborough (Raleigh Denim), with more to be announced

5:00 PM – 7:00 PM:

Startup Celebration and Happy Hour to award $100,000 to pitch competition winner, American Underground, 201 W. Main Street, Durham, NC

7:00 PM:

Steve Case throws first pitch at Durham Bulls game

View the original content and more from this author here http://ift.tt/1zdsR8F



from hacker samurai http://ift.tt/1QJWQe4
via IFTTT

Tesla to Be Offered Up to Hackers—Report

Tesla, Elon Musk’s high-end, Mission Impossible-ready electric vehicle, is reportedly opening the car door, as it were, to probing by hackers.

At Defcon in Las Vegas in August, attendees will be able to mount attacks on any part of the Tesla Model S vehicle they would like to try to compromise. And given its eminently connected status, there’s a lot of ground to cover. Sources in the company told Forbes that the event is part of an effort to identify bugs as well as to surface cyber-talent that the company may want to put in the driver’s seat.

Officially, such a hackathon is not gearing up. “We do plan to have a presence at the conference (and Model S will be on display) as part of our recruiting efforts,” a spokesperson told the magazine. “Members of Tesla’s security look forward to attending to talk about the security of our cars and the work the team does.”

But unofficially, unnamed sources in the firm’s security operations confirmed the hacking plans.

Connected car security is increasingly in the spotlight, with proto-hacks demonstrating everything from radio takeovers to navigation system hijacking. To address this growing but still little-understood area of cybersecurity, a volunteer association known as “I Am the Cavalry” launched last fall, and Sen. Ed Markey (D-Mass.) has put out a disturbing report on the state of cybersecurity for automobiles.

And Tesla on offer or no, white hats Chris Valasek and Charlie Miller are planning to show off a remote exploit for the Controller Area Network (CAN) of an automobile, according to the conference program.

“Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best,” the blurb said. “The ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle.

“Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.”

Source: http://ift.tt/1HX48st



from hacker samurai http://ift.tt/1HRgeld
via IFTTT

Hackers deface Indonesian websites in support of Mary Jane Veloso | hacker samurai


from Hacker Samurai http://ift.tt/1FxIgC7
via IFTTT


Hackers deface Indonesian websites in support of Mary Jane Veloso

A hacker group allegedly composed of Filipinos defaced several Indonesian websites on Tuesday as it protested the planned execution of Mary Jane Veloso.

However, the Filipina convicted of drug trafficking narrowly escaped execution when the Indonesian government led by President Joko Widodo granted her an 11th-hour reprieve early Wednesday morning.

Blood Security International released a list of the defaced websites.


In their message posted on the hacked websites, the group demanded the release of Veloso.

“I ask for your clemency and for the release of my fellow Filipino, Mary Jane Veloso. All she wanted was to find a job in your country to support her family. She didn’t want what happened. Her children need her. She was just used to carry the drugs into your territory,” the group said.

The hackers also slammed the concept of the death penalty, saying that it is “nothing short of barbaric.”

“The death penalty is nothing short of barbaric. Most criminals could better pay for their crimes by giving back good for the rest of their lives. Those who are unable to should suffer the punishment of incarceration,” the group said.

They said that judges who impose the death penalty are “murderers.”

Upon learning that a reprieve had been granted to Veloso, Blood Sec International said that they would cease their “cyber war” with Indonesia.

“No more cyberwar. How about let’s play Dota 2 5v5 PH-Indo? Just for fun,” the group posted on their Facebook page.

They also hacked several Chinese websites on Tuesday in protest of that country’s aggressive actions in the West Philippine Sea.

Veloso, a 30-year-old mother of two, was convicted of drug trafficking after she was caught with 2.6 kilograms of heroin in her bag when she arrived at Yogyakarta Airport in 2010.

She was set to be executed on Wednesday along with eight other drug convicts. However, when Maria Kristina Sergio, the alleged recruiter of Veloso, turned herself in to the police on Tuesday morning, President Benigno Aquino III asked the Widodo government to spare the Filipina because her testimony is needed in court. IDL

Source: http://ift.tt/1bDsklH



from hacker samurai http://ift.tt/1FxIgC7
via IFTTT

Smart Woman: How To Stop Baby Monitor Hackers | hacker samurai


from Hacker Samurai http://ift.tt/1HQZomt
via IFTTT


Smart Woman: How To Stop Baby Monitor Hackers

Tuesday 28 April 2015

Whistleblowers vs. ‘Fear-Mongering’ « Antiwar.com Blog


from Hacker Samurai http://ift.tt/1JP5lzg
via IFTTT


6 Ways to Protect U.S. Grid from Cyber Attacks - Deloitte CIO - WSJ


from Hacker Samurai http://ift.tt/1DSzitv
via IFTTT


From the Editors: Where’s the incentive to defeat hackers?

After reporting out this month’s feature on software security, it strikes us that there appear to be parallels between companies selling security solutions and those selling pharmaceuticals.

Those who take to conspiracy theories have argued for years that the pharmaceutical companies have no incentive to eliminate, say, cancer, because they would lose the massive profits generated by the drugs they’ve created that prolong life. Actually curing the disease would dry up their revenue streams, and we know investors would not take kindly to that.

So it seems with software security. As Gartner analyst Joseph Feiman pointed out for our article, identity and access management is 45 years old and network protection (firewalls) is 30 years old, and yet together they don’t succeed in stopping unwanted intrusions into applications and their back ends. But the vendors keep selling—nay, pushing—them because there’s nothing better right now.

The vendors, Feiman told editor-in-chief David Rubinstein, “keep adding new features, tweaking here and there, saying, well, now it will do much better, now it will do much better. And because we don’t know anything else, we’ll do it.”

And apparently it doesn’t get better. Ask Sony. Ask the United States government. Ask any of the victims of the Heartbleed hack, or those who’ve fallen prey to hackers exploiting other vulnerabilities.

John Steven, CTO at testing and security company Cigital, said there’s a bit of a “moral hazard” in the security space. He noted there are libraries such as Mustache and Caja and even AngularJS that are freely available to companies to use, yet, he said, “The reason you’re not hearing about them is that if you run a testing firm, there’s not a lot of incentive for you to explain that there’s a freely available open-source package that works for PHP, Java, .NET, JavaScript, Python—all the things you use—that just makes this class of things we’re really good at finding go away.”

Yet security leaks do cause real pain, and organizations are at their wit’s end to get the upper hand.

One way is to look at the Building Security In Maturity Model, designed to measure your software initiatives against those of others. It’s not prescriptive, but it does reveal what organizations are doing to close holes in their software.

Tooling needs to catch up to the problem as well, and developers need to be better trained to work alongside security practitioners to ensure the code they write is secure as they go along, and not looked at only after it’s completed. Also, certificates are still effective. Use them, along with SSL and encryption.

We will never defeat hackers. As noted in our article, the good guys have to get it right all the time to avoid being hacked. The bad guys only have to find one hole. The advantage is theirs.

Read more: http://ift.tt/1IksEmf



from hacker samurai http://ift.tt/1AcA1Fo
via IFTTT

From the Editors: Where’s the incentive to defeat hackers? | hacker samurai


from Hacker Samurai http://ift.tt/1AcA1Fo
via IFTTT


Attention hackers: This federal agency will pay $1,000 and zero bragging rights | hacker samurai


from Hacker Samurai http://ift.tt/1bb1ReM
via IFTTT


Attention hackers: This federal agency will pay $1,000 and zero bragging rights

This attractive offer just in from the General Services Administration.

The agency is seeking the nation’s “best and brightest” techies to essentially volunteer to solve any number of government IT shortcomings, not least of which is its lack of transparency, under the guise of a fun competition!

The “Hack-a-thon” day-long challenge on May 8 invites private citizens to develop new (“innovative!”) solutions using GSA data that can then be replicated across the federal government.

And if your idea wins? You’ll get a hearty thank you and at most $1,000 — and then will hand over all rights to your idea to the government.

The winners grant “GSA a perpetual, non-exclusive, royalty-free license to use any and all intellectual property to the winning entry for any governmental purpose …,” according to the rules of the game. Oh, and you also assume all liability if anything goes terribly wrong (“death, bodily injury, property damage …”) and waive any claims against the federal government (for “injury, death, damage, or loss of property, revenue, or profits …”).

But at least you get bragging rights that the government is using your idea to make its data better?

Actually … participants cannot promote the GSA’s use of their work, so as to not imply that the GSA is endorsing their services.

Source: http://ift.tt/1Ikko5z



from hacker samurai http://ift.tt/1bb1ReM
via IFTTT

Hackers used a surprisingly simple method to access Tesla’s website and Twitter account | hacker...


from Hacker Samurai http://ift.tt/1HURavn
via IFTTT


Hackers used a surprisingly simple method to access Tesla’s website and Twitter account

In general, hacking is a precise and honed skill that requires a deep understanding of computer networks and code. But sometimes literally zero code is required, and hackers can use only a computer, a phone, and their own relentlessness to get the job done — and the recent Tesla hack is a great example of this.

Last weekend both the website and Twitter accounts for Tesla Motors were hijacked by a group of hackers. Its homepage displayed poorly Photoshopped images along with a message that the company had been hacked by an online group called “Autismsquad.” Another hacker coalition named “RIPPRGANG” took responsibility for its Twitter takeover, however, so it’s still unclear whether the two groups are different or affiliated with each other.

Either way, how these rogue groups of online rabble-rousers gained access to Tesla accounts was surprisingly simple. Even more frightening, it could be performed by almost anyone.

SecurityWeek, which spoke with a Tesla spokesperson, explained that the two accounts were hijacked via a simple tactic dubbed “social engineering.” It went something like this:

  • A hacker called AT&T customer support and posed as an employee of Tesla. This person then demanded all phone calls to the company be forwarded to a new fake phone number.
  • Next, this malicious hacker got in touch with Tesla’s domain registrar Network Solutions. Since all the phone calls were being forwarded to the hacker, this person was able to easily add a new email address to Tesla’s domain administrator account.
  • With this new email on the account, the hacker then reset passwords for the website and wreaked hours of havoc.

The Tesla spokesperson emphasised to SecurityWeek that no data was breached. “Our corporate network, cars and customer database remained secure throughout the incident,” Tesla said.

One day following the hack, both Tesla’s website and Twitter account are back to normal, but it’s a good lesson that sometimes seemingly sophisticated hacks are carried out using the simplest of techniques.

Source: http://ift.tt/1AcaT1B



from hacker samurai http://ift.tt/1HURavn
via IFTTT