Security News

Colorado town wants to sell drone hunting licences

The Colorado town of Deer Trail is seriously considering plans to issue hunting licences that would allow locals to hunt and shoot down US government drones. As outlandish as it sounds, the report comes from Forbes, not The Onion. The ordinance was proposed by Deer Trail resident Phillip Steel, and he even worked out a compensation scheme.

Anyone who shoots off a piece of the drone would get $25, while trigger-happy yokels who bag an entire drone would get $100. The technical details have been worked out as well, which means Steel gave his proposal quite a bit of thought. We find this genuinely surprising. Only drones flying below 1,000 feet can be shot at and the only weapons permitted are 12-gauge shotguns or their smaller siblings.

Of course, government drones rarely operate at a few hundred feet, and even if they did, the chances of hitting one flying at 1,000 feet with a shotgun are minuscule. Steel told a Denver TV station that he never saw a drone overfly Deer Trail and said the ordinance is symbolic in nature. With a population of 546, the town doesn’t appear to be a prime target for evil government killer robots. On the other hand, reality doesn’t really apply to right-wing conspiracy circles who believe a Kenyan-born socialist Muslim is out to get them. The fact that drones can be used for things other than incinerating people with Hellfire missiles doesn’t seem to register in rural America. Drones can be used to nab criminals, watch out for forest fires and intercept smugglers, but many people are worried about the scope for intrusion.

Microsoft Declares Right to Disclose Government Requests

Microsoft issues the company's strongest denials yet on direct National Security Agency links to its cloud servers. In the wake of the National Security Agency (NSA) Prism controversy, Microsoft wants to come c...

Researcher Proposes Using Machine Learning to Improve Network Defense

The Black Hat Conference late in July will include a presentation by a security researcher about a project aimed at using machine learning to improve security monitoring and event detection. Getting the most out of mountains of log data can be trying to say the least. In a conference where many are focused on defeating security, independent researcher Alexandre Pinto wants to find ways to make defending enterprise networks both smarter and easier.

At the upcoming Black Hat conference in Las Vegas, Pinto plans to discuss how machine-learning algorithms can be used to help organizations get more value from their logs. "The amount of security log data that is being accumulated today, be it for compliance or for incident response reasons, is bigger than ever," said Pinto. "Given a recent push on regulations such as PCI and HIPAA, even small and medium companies have a lot of data stored in log management solutions no one is looking at. So, there is a surplus of data and a shortage of professionals that are capable of analyzing this data and making sense of it." SIEM (security information event management) functionality relies too much on very deterministic rules, he added.

For example, a rule might state that if something happens in a network "X" amount of times, it should be flagged as suspicious.

The problem is that the "somethings" and the "Xs" change between organizations and evolve over time, he said. "But this is not exclusively a tool problem," he said. "I have seen really talented and experienced people be able to configure one of these systems to really perform well. But it usually takes a number of months or years and a couple of these SOC [security operations center] supermen to make this happen. I used to run teams like these in my previous position, and I understand the challenges involved." After managing security consultants and security monitor teams for years, he began researching ways to improve the experience for analysts. His answer: machine learning. "The [Black Hat] talk is about a model I created to help classify malicious behavior from log data and help companies make decisions based on this trove of information they have available," Pinto explained. "It does not outperform a well-trained analyst. But it can greatly enhance the analyst's productivity and effectiveness by letting him focus on the small percentage of data that is much more likely to be malicious based on previous happenings on the network." Machine learning is designed to infer relationships from large amounts of data, he added.

The more data, the better the predictions—making it a "good deal" for security, he said.  

Wide range of industries plead for Congressional action on patent trolls

Six bills are in play, and US businesses are united in wanting something to pass.    

Microsoft wants US to let it speak more freely about NSA...

Redmond says that its practices have been "misinterpreted" in the media.    

Android malware that gives hackers remote control is on rise

Tool lets hackers “bind” remote access tool to legitimate apps.    

Data shared via PRISM does not violate UK law according to...

But Intelligence and Security Committee warns new legal review is "proper."    

OMG, kids these days: Digital tools don’t make students better writers

New Pew study finds teachers believe students are now more prone to take shortcuts.    

Update: Does NSA know your Wi-Fi password? Android backups may give...

EFF technologist says "back up my data" exposes users' data to government spies.    

Oracle Patches 89 Security Flaws in July

Oracle's July Critical Patch Update includes 89 patches, which seems like a lot. Is it? Unlike Microsoft, which provides its users with a monthly regular patch cycle, Oracle uses a quarterly Critical Patch Update (CPU) approach. The July CPU is now out, and it's a big one. It provides no fewer than 89 security fixes across a wide swath of Oracle products including database, Fusion Middleware, MySQL, Oracle VM and Solaris. The update does not include any new fixes for Oracle's much-maligned Java, which is currently patched on a separate cycle. Oracle plans to align its scheduled Java patch release cycle with the CPU starting in October. Oracle's namesake database received six patches this CPU, only one of which is remotely exploitable without authentication. Oracle's open source MySQL database didn't fare quite as well, with a total of 18 new security flaws, two of which are classified as remotely exploitable without authentication. Oracle got the MySQL technology as part of its acquisition of Sun in 2010, though Oracle classifies other Sun technologies in the CPU under the title of the Sun Systems Products Suite. That suite includes the Solaris UNIX operating system that received a total of 16 new security fixes, with eight reported as being remotely exploitable without authentication. The Fusion middleware suite is tagged for 21 fixes, with 16 of those being remotely exploitable without authentication. Fusion is Java middleware and includes the JRockit Java Virtual Machine.

The flaws in the July CPU include a number of issues that Oracle already patched in its June Java CPU. Oracle patched 40 different issues as part of that update. "With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated," Eric Maurice, director, Oracle Software Security Assurance, wrote in a blog post.

Too Many Vulnerabilities?

The overall number of vulnerabilities, as well as the method by which those vulnerabilities were found, is a cause for concern, according to Tripwire security researcher Craig Young. "The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code," Young said.

"This month’s CPU credits 18 different researchers coming from more than a dozen different companies." Young added that it's also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities. "By my count, Oracle has already acknowledged and fixed 343 security issues in 2013," Young said. "In case there was any doubt, this should be a big red flag to end users that Oracle's security practices are simply not working."

Sean Michael Kerner is a senior editor at eSecurity Planet. Follow him on Twitter @TechJournalist.

Cyber-Criminals Selling Fraudulent Identity 'Kitz' on Web Black Market

Researchers at Dell Secureworks find criminals combining drivers' licenses, health insurance and credit-card accounts into counterfeit documents, or "kitz," which are then sold online. Brokers of stolen information are increasingly combining disparate data on consumers, verifying the information and then selling the "kitz" to others as a turnkey identity fraud service, according to researchers from managed security firm Dell Secureworks. While run-of-the-mill U.S. credit cards sell for less than $2, health insurance credentials for less than $20 and access to compromised computers for less than $100, packaging up a complete profile of a consumer—known as "fullz"—and creating a set of physical identity documents can fetch more than $1,200, Dell Secureworks stated in research sent to media on July 15. A full dossier on a consumer—including verified health insurance information, Social Security numbers, financial account information, bank log-in credentials and driver's license data—sells for about $500 each, without the actual physical documents, the company said. With all the information leaked in data breaches in the past decade, information brokers have a lot of raw material with which to work, Don Jackson, senior security researcher with Dell Secureworks, told eWEEK. "They put a lot of work into these databases," Jackson said. "These guys have accumulated some huge databases. It's going to be hard to find people whose information is not out there." Identity theft has become an increasing concern among consumers. In its annual measure of security concerns of Americans, technology firm Unisys found that citizens' overall concern with security had lessened in 2013, but that identity theft and credit-card theft had topped the lists of worries. And with health care becoming less affordable for the average American, the industry has suffered some of the greatest increases in fraud, according to a recent report published by the Ponemon Institute. 
Dell Secureworks has also seen an increase in online criminals targeting health insurers and health care organizations.

Along with financial institutions, health care is one of the most targeted industries, the company stated. Yet, those are not the only types of credentials or digital data that online thieves have targeted. Game accounts also fetch premium prices, according to Secureworks' research. In fact, the online gaming accounts of the owners of premium in-game items are some of the most valuable, selling for up to $1,000, the same price as a well-funded bank account and twice as much as a high credit-limit—or "prestige"—credit card. "The [researchers] found the biggest jump in value among stolen credentials was in game accounts," the research summary stated. "There is more realized value in virtual items and currency." Dell Secureworks believes the market for stolen information is expanding, highlighted by the increase in price for many types of data. Many more sellers and middlemen have appeared in the market, Jackson said. While the criminal rings behind the sale of stolen information appear to be spread out over the globe, Jackson found evidence that one of the sellers was based in the United States.  

Canadian “patent troll” Wi-Lan loses East Texas trial

Trial loss results in a steep drop in stock price.