Premium

Premium Content

New Clues In Sony Hack Point To Insiders, Away from DPRK

A strong counter-narrative to the official account of the hacking of Sony Pictures Entertainment has emerged in recent days, with the visage of the petulant North Korean dictator, Kim Jong Un, replaced by another, more familiar face: former Sony Pictures employees angry over their firing during a recent reorganization at the company. Researchers from the security firm Norse allege that their investigation of the hack of Sony has uncovered evidence that leads, decisively, away from North Korea as the source of the attack. Instead, the company alleges that a group of six individuals is behind the hack, at least one a former Sony Pictures Entertainment employee who worked in a technical role and had extensive knowledge of the company’s network and operations. [Read Security Ledger coverage of the hack of Sony Pictures Entertainment.] If true, the allegations by Norse deal a serious blow to the government’s account of the incident, which placed the blame squarely on […]

Continue Reading
Dog being rewarded

Is Pavlovian Password Management The Answer?

Something hit me straight in the face that may be a method for inducing cognitive awareness to end users in regards to password management. Ironically this also has a side effect of scalability when managing password changes. It isn’t completely flushed out but I wouldn’t mind getting some opinions on this. I am thinking of prototyping this in a PAM module in my spare time. Here goes… For end users we have been trying to get users to understand the importance of constructing good passwords. We provide guidance on what a good password is (even though the guidance that I have seen is still usually unacceptable in most places when compared to NIST guidelines). We spend a lot of time telling the user to “do this because security experts advise it, or it’s part of our policy” but we don’t really provide an incentive or an understanding of why we tell them to do this. Well humans are programmable, and the best […]

Continue Reading

Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple

The attacks that compromised computer systems at Facebook, Twitter, Apple Corp. and Microsoft were part of a wide-ranging operation that relied on many “watering hole” web sites that attracted employees from prominent firms across the U.S., The Security Ledger has learned. The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Still other watering hole web sites used in the attack weren’t specific to mobile application developers – or even to software development. Still, they served almost identical attacks to employees of a wide range of target firms, across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation. More than a month after the attacks came to light, many details remain under tight wraps. Contacted by The Security […]

Continue Reading

Security Hole in Samsung Smart TVs Could Allow Remote Spying

The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners’ social media credentials and even to spy on those watching the TV using compatible video cameras and microphones. In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown (“zero day”) hole affects Samsung Smart TVs running the latest version of the company’s Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in a Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving remote attacker the ability to spy on those viewing […]

Continue Reading

Update: New 25 GPU Monster Devours Passwords In Seconds

Editor’s note: I’ve updated the article with some new (and in some cases) clarifying detail from Jeremi. I’ve left changes in where they were made. The biggest changes: 1) an updated link to slides 2) clarifying that VCL refers to Virtual OpenCL and 3)  that the quote regarding 14char passwords falling in 6 minutes was for LM encrypted – not NTLM encrypted passwords. Long (8 char) NTLM passwords would take much longer…around 5.5 hours. 😉  – Paul There needs to be some kind of Moore’s law analog to capture the tremendous advances in the speed of password cracking operations. Just within the last five years, there’s been an explosion in innovation in this ancient art, as researchers have realized that they can harness specialized silicon and cloud based computing pools to quickly and efficiently break passwords. A presentation at the Passwords^12 Conference in Oslo, Norway (slides available here – PDF), has […]

Continue Reading
1 2 3