Hackers with the Anonymous collective have released source code for Symantec’s pcAnywhere product after failing to secure $50,000 from the company in an extortion attempt. A hacker going by the online name YamaTough published 1.27 GB of the source code on Pirate Bay Monday night after negotiations to extort money from someone he believed was a Symantec employee fell through. In reality, the Symantec “employee” was an undercover law enforcement agent who was using a fake Symantec email address to communicate with the hacker.

We really have to wonder when the message is going to sink in. On January 18, millions of Internet users spoke out together in one of the most profound and effective uses of technology to organize political opposition in U.S. history, sending a clear message to Congress that voters will not tolerate crippling of the Internet. But big content remains tone deaf to this chorus of Internet users.

Alrighty, this will be a fairly light post (in terms of my own applied analysis)… and, apologies as it’s a wee bit behind the curve on various news pieces in the past couple months (I’d intended to write this in early January - oops!;). Please note that this post applies only to user passwords, and it does not apply to system and database password maintained within various environments. Main Thesis: All this password analysis on compromised user password databases is fairly absurd. The breaches themselves are not generally the result of user password being compromised. As such, the time spent analyzing these passwords is largely a waste of time because it does not appreciably represent much risk to businesses; especially not to those that were compromised.

Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned. After logging in to the bank’s real site, account holders are being tricked by the offer of training in a new “upgraded security system”. Money is then moved out of the account but this is hidden from the user.

Scandalised by the snooping certificate issued by Trustwave, a heise Security reader, Sebastian Wiesinger, has submitted a report to Mozilla’s bug database in which he requests that Trustwave’s root certificates be removed from all Mozilla products. Mozilla’s Kathleen Wilson, who handles the issue, has accepted the submission and requested a statement from Trustwave. Trustwave’s Brian Trzupek has already announced the release of further information which, he says, is still waiting for internal approval.

So, it appears that the NSA is waiting for a major incident to create new cyber law. They have made it clear that they would enjoy nothing better than to have open access to private networks. This article from Jan 23, 2012 has some unsettling overtones in it.

Anonymous being what it is, has always been susceptible to influence and infiltration from the outside as well as the inside. The nature of the movement is such that it resembles the cell structure of terrorist action groups like Al Qaeda have adopted over the years.

http://www.wired.com/threatlevel/2012/02/forgotten-password/

Anti-virus giant Symantec says it did not know back in 2006 that source code for its software was stolen when it experienced a breach at that time. The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.

The recent hack against a database full of FTP passwords held by Web hosting firm DreamHost highlights a growing database breach trend that’s seeing password stores exposed by the boatload. Though these databases contain sensitive authentication information, they’re often left far less protected than databases containing PII. Experts warn that if organizations are truly serious about their security and compliance programs, they need to either find better ways to secure the passwords in the databases they’re distributed across the network, or look for alternatives that will ditch this method of storage altogether.

Three years ago this past weekend, on his first full day in office, President Barack Obama issued his now infamous memo on transparency and open government, which was supposed to fulfill his campaign promise to lead the “most transparent administration in history.” Instead, his administration has been just as secretive—if not more so—than his predecessors, and the Freedom of Information Act (FOIA) has become the prime example of his administration’s lack of progress.

Since the beginning of e-commerce in the mid-1990s, businesses noticed that transactions conducted online can be strengthened in assurance if we can “remember” that a particular device is the same that was used before to conduct successful transactions. A known device provides knowledge about the history of the device and can mitigate against fraudulent transactions that use stolen cards. Later on, similar techniques now referred to as device fingerprinting are quite popular in detecting devices that have been used to conduct fraud online. Several businesses have started up that provide knowledge about connected devices.

Web authentication protocols took a pounding last year. Problems with the Secure Sockets Layer and Transport Layer Security protocols, which encrypt all sorts of communication among websites, were at the center of several security breaches. Hacks of high-profile certificate authority providers undermined the security of some of the Internet’s biggest brands, including Google and Yahoo; new man-in-the-middle attacks hit the Web; and the powerful Beast vulnerability exposed the most commonly used versions of SSL and TLS. Taken as a whole, it appears the Internet’s trust model is broken. However, many security experts aren’t ready to scrap SSL. Rather than starting over, they recommend fixing the existing system. It’s clear that we need to evolve the way we authenticate on the Web; the question is, how?

Google, Yahoo, AOL and a group of other large email senders and receivers have banded together to develop a new framework for sending and receiving email that is designed to stop phishing attacks and other email-borne scams. Called DMARC.org, the new group has come up with a specification called Domain-based Message Authentication, Reporting and Compliance that implements message authentication through the mail-transport agent and not the sender or user agents.

The establishment of the US Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. The computer is not only a target but also a weapon. Therefore, national security thinkers must find a way to incorporate cyberattacks and defense into military doctrine as soon as possible. The world’s most influential military treatise is Sun Tzu’s Art of War. Its compelling and adaptive wisdom has survived myriad revolutions in technology and human conflict. And its tactics and strategies have been applied to other disciplines, including business, sports, and personal relationships. Future cybercommanders will also find Sun Tzu’s guidance beneficial. For example, on defense, he warns leaders never to rely on the good intentions of others or to count on best-case scenarios. This is sound advice in cyberspace, because computers are attacked from the moment they connect to the Internet.