Security News and Views from Around the Web
(Updated every Sunday...)
Mimoso: Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices (Posted: 01/13/2013)
...two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States.
The duo, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical, have with some help from the Department of Homeland Security pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses.
Read entire article...
[Get your candles out... it is going to take a major power disaster to get the attention of a gridlocked Congress and the thousands of I-don't-care-about-security operators.]
Armerding: Hackers say coming air traffic control system lets them hijack planes (Posted: 01/13/2013)
An ongoing multibillion-dollar overhaul of the nation's air traffic control (ATC) system is designed to make commercial aviation more efficient, more environmentally friendly and safer by 2025.
But some white-hat hackers are questioning the safety part. The Next Generation Air Transportation System (NextGen) will rely on Global Positioning Systems (GPS) instead of radar. And so far, several hackers have said they were able to demonstrate the capability to hijack aircraft by spoofing their GPS components.
The Federal Aviation Administration (FAA) has declared that it already has multiple measures to detect fake signals. But it has so far not allowed any independent testing of the system.
Read entire article...
[Any government agency that won't allow independent security testing is not to be trusted... now where is that train schedule?]
Vijayan: Experts unsure whether Iran is behind bank DDoS attacks (Posted: 01/13/2013)
Though U.S. officials blamed Iran for an ongoing stream of distributed denial of service attacks (DDoS) against major U.S. banks, security experts say there's not enough evidence yet to assign blame.
The security experts say that the attacks over the past few months appear to be very well planned and that the attackers have much knowledge of the weak spots in U.S. financial services networks, which could make them state sponsored.
Read entire article...
Constantin: Firefox getting built-in HTML5-based PDF viewer to improve security (Posted: 01/13/2013)
A built-in PDF viewer component based on JavaScript and HTML5 Web technologies has been added to the beta version of Firefox 19, Mozilla said Friday.
The browser maker described the built-in PDF viewer as more secure and safer than proprietary PDF viewing plug-ins, like those installed by Adobe Reader or Foxit Reader. However, several security experts noted that it probably won't be free of vulnerabilities.
Read entire article...
Gont and Liu: Security Implications of IPv6 options of Type 10xxxxxx draft-gont-6man-ipv6-smurf-amplifier-01t (Posted: 01/13/2013)
When an IPv6 node processing an IPv6 packet does not support an IPv6 option whose two-highest-order bits of the Option Type are '10', it is required to respond with an ICMPv6 Parameter Problem error message, even if the Destination Address of the packet was a multicast address. This feature provides an amplification vector, opening the door to an IPv6 version of the 'Smurf' Denial-of-Service (DoS) attack found in IPv4 networks. This document discusses the security implications of the aforementioned options, and formally updates RFC 2460 such that this attack vector is eliminated. Additionally, it describes a number of operational mitigations that could be deployed against this attack vector.
Read entire article...
Gross: US-CERT: Disable Java in browsers because of exploit (Posted: 01/13/2013)
Internet users should consider disabling Java in their browsers because of an exploit that can allow remote attackers to execute code on a vulnerable system, the U.S. Computer Emergency Readiness Team (US-CERT) recommended late Thursday.
Security researchers reported this week that cybercriminals were using a zero-day vulnerability in Java to attack computer systems. Attackers were using the vulnerability to stealthily install malware on the computers of users who visit compromised websites, researchers said.
Read entire article...
[Anyone who still runs Java arbitrarily needs a good wake-up smack... :~) ]
Ragan: Petition Seeks to Legalize DDoS Activities (Posted: 01/13/2013)
Anonymous is petitioning the White House to legalize DDoS, urging them to recognize it as a legitimate means of protest. But based on the number of signatures so far, it seems as though few people agree.
Read entire article...
Olzak: The Internet is Broken, Part II: NetFlow Analysis (Posted: 01/13/2013)
Over time, security analysts found that event correlation alone might not be enough to quickly detect anomalous behavior. NetFlow, in addition to a SIEM portal, allows quick insight into traffic flow. It helps detect network behavior outside expected norms for a specific network.
Read entire article...