The government will train 3,000 “cyber sheriffs” by next year to protect the country from future cyber attacks, officials said yesterday.
Cyber sheriffs are trained experts capable of maintaining cyber security for businesses from cyber attacks and malicious hackers. The government plans to encourage colleges to open intensive courses to train cyber experts. Graduates of the courses will be hired by government offices and businesses in the future, officials said.
According to the plan, the National Intelligence Service is to take a leading role when cyber attacks are launched. They will cooperate with other government offices and businesses to minimize damage from the possible “cyber terrorists.”
Archive for 'News' Category
Older versions of wordpress have security holes and are under attack.
Scooble’s Scoble’s wordpress blog was hacked, after which he isn’t feeling very safe. The worst part – he didn’t have a backup!
Here’s how you can check if you’re already being attacked:
There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
Here’s a blog post from wordpress on How to Keep Your WordPress Secure:
A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.
Articles in this issue include:
– Using real-time events to drive your network scans
– Review: Data Locker
– The Nmap project: Open source with style
– Enterprise effectiveness of digital certificates: Are they ready for prime-time?
– A look at geolocation, URL shortening and top Twitter threats
– How “fake stuff” can make you more secure
– Making clouds secure
– Q&A: Dr. Herbert Thompson on security ROI and RSA Conference
– Book review – Cyber Crime Fighters: Tales from the Trenches
– Top 5 myths about wireless protection
– Securing the foundation of IT systems
– A layered approach to making your Web application a safer environment
– In mashups we trust?
– Adopting the security best practice of least privilege
– Is your data recovery provider a data security problem?
– New strategies for establishing a comprehensive lifetime data protection program
– Security for multi-enterprise applications
– EU data breach notification proposals: How will your business be affected?
– Book review – 97 Things Every Software Architect Should Know
– Safety in the cloud: How CIOs can ensure the safety of their data as they migrate to cloud applications
– Vulnerability management
Amazon has introduced a new service (limited beta) for it’s Elastic Compute Cloud (EC2) called Amazon Virtual Private Cloud (VPC). This is an excellent news for many enterprises who’re thinking of cloud but were worried about it’s security. This new service basically allows you to extend your existing IT Infrastructure to the cloud via secure IPSec tunnel.
Here’s all you need to do to get started:
1. Create a VPC. You define your VPC’s private IP address space, which can range from a /28 (16 IPs) up to a /18 (16,384 IPs). You can use any IPv4 address range, including Private Address Spaces identified in RFC 1918 and any other routable IP address block.
2. Partition your VPC’s IP address space into one or more subnets. Multiple subnets in a VPC are arranged in a star topology and enable you to create logically isolated collections of instances. You can create up to 20 Subnets per VPC (you can request more using this form). You can also use this form to request a VPC larger than a /18 or additional EC2 instances for use within your VPC.
3. Create a customer gateway to represent the device (typically a router or a software VPN appliance) anchoring the VPN connection from your network.
4. Create a VPN gateway to represent the AWS end of the VPN connection.
5. Attach the VPN gateway to your VPC.
6. Create a VPN connection between the VPN gateway and the customer gateway.
7. Launch EC2 instances within your VPC using an enhanced form of the Amazon EC2 RunInstances API call or the ec2-run-instances command to specify the VPC and the desired subnet.
Many web sites at Dreamhost have been hacked, they say: approximately 3,500 FTP passwords have been compromised.
We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).
Report: Security Certifications Boost Pay – “IT professionals with security certifications—including all versions of the CISSP, CISA, GSE, CISM, SSCP and GCFA—earned 10 percent to 14 percent premiums on their base pay over their non-certified counterparts.”
New vulnerabilities hit Firefox and Internet Explorer – There are no patches yet available from either vendor. The most serious is MSIE page update race condition, and next most severe is Firefox Cross-site IFRAME hijacking.
Encrypt and sign Gmail messages with FireGPG – “It integrates nicely into Gmail’s interface and allows you to sign and encrypt not only email messages but also text snippets from any Web page.”
Google Desktop vulnerable to attack – RSnake has discovered a man-in-the-middle attack on Google Desktop.
Christopher Soghoian is reporting that many popular Firefox extensions like Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial have vulnerability in the upgrade mechanism.
Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers.
Here’s a video demo of the attack against Google Browser Sync. It is recommended to disable or delete insecure extensions from your browser until there’s a fix.
Apple Plugs QuickTime Security Holes – The patch is available for both Mac and Windows, which plugs two holes that could trick users to visit a malicious website and may lead to arbitrary code execution.
Google buys GreenBorder – Google gets deeper into Net security after buying GreenBorder, a browser virtualization software company that creates a sandboxed environment for your existing Firefox or Internet Explorer.
Phony BBB email dupes more than 1,400 execs – “a highly sophisticated phishing scheme that has already duped at least 1,400 US executives. They were fooled into sending sensitive information in response to an email purporting to come from officials at the Better Business Bureau.”
US Defense Department reports that China is preparing for cyberwarfare by developing viruses and training more seriously for computer attacks. The main target is of course Taiwan, but since US would intervene in case of such attack, so US is a potential target too.
“The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks,” the annual DOD report on China’s military warned. At the same, Chinese armed forces are developing ways to protect its own systems from an enemy attack, it said, echoing similar warnings made in previous years.