Publications, études, rapports 2015 S13-S14

Une recherche, un ping, vous ont conduit ici ? Il s’agit d’un index d’actualités thématiques que j’ai trouvé intéressantes. Je vous invite à consulter le post d’introduction de cette ‘brève’ -veille perso- pour voir de quoi il s’agit. 

=> Password Extraction via Reconstructed Wireless Mouse Trajectory. 22/03/2015. «Logitech made the following statement in 2009: “Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted.” In this paper, we prove the exact opposite is true – i.e., it is indeed possible to leak sensitive information such as passwords through the displacements of a Bluetooth mouse
(…).
» En date du 16/03.
Source : ieeexplore.ieee.org/xpl/login.jsp?reload=true&tp=&arnumber=7061471&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D7061471
Billets en relation :
25/03/2015. Hackers can steal your passwords via your wireless mouse, study finds : www.dailydot.com/politics/wireless-mouse-hack-password-study/
26/03/2015. Reconstructing Passwords via Analysis of Wireless Mouse Movement : blog.norsecorp.com/2015/03/26/reconstructing-passwords-via-analysis-of-wireless-mouse-movement/

=> PoC||GTFO 0x07, March 2015. 22/03/2015. «International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO or PoC or GTFO). AA55, the Magic Number, Laser robots!, A Story of Settled Science, Scapy is for Script Kiddies, Funky Files, the Novella!, Extending AES-NI Backdoors, Innovations with Core Files, Bambaata on NASCAR, A Modern Cybercriminal, Fast Cash for Bugs (…).»
Source : www.alchemistowl.org/pocorgtfo/

=> OSSIR – Journée Sécurité des Systèmes d’Information 2015. 22/03/2015. «Quelques présentations disponibles sur la page du programme de la journée, qui s’est déroulée le 10 mars. (…).»
Source : www.ossir.org/jssi/index/jssi-2015.shtml
Billets en relation :
10/03/2015. Pascal Sitbon – Solutions de sécurité françaises ou européennes : www.ossir.org/jssi/jssi2015/JSSI_2015_3B_Solutions_de_securite_francaises_ou_europeennes.pdf
10/03/2015. Stéphane Bortzmeyer – Interrogations sur la souveraineté numérique : www.ossir.org/jssi/jssi2015/JSSI_2015_4B_Interrogations_sur_la_souverainete_numerique.pdf
10/03/2015. Béatrice Joucreau et Christophe Renard – La Loi de Programmation Militaire pour un petit OIV : www.ossir.org/jssi/jssi2015/JSSI_2015_4A_La_Loi_de_Programmation_Militaire_pour_un_petit_OIV.pdf
10/03/2015. Alain Bensoussan – Les nouvelles atteintes aux stad : www.ossir.org/jssi/jssi2015/JSSI_2015_3A_Les_nouvelles_atteintes_aux_stad.pdf
10/03/2015. Laurent Bloch – Révolution cyberindustrielle et facteurs de cyberpuissance : www.ossir.org/jssi/jssi2015/JSSI_2015_2B_Revolution_cyberindustrielle_et_facteurs_de_cyberpuissance.pdf

=> New Paper on Digital Intelligence. 22/03/2015. «David Omand — GCHQ director from 1996-1997, and the UK’s security and intelligence coordinator from 2000-2005 — has just published a new paper: « Understanding Digital Intelligence and the Norms That Might Govern It. » (…).» En date du 19/03.
Source : www.schneier.com/blog/archives/2015/03/new_paper_on_di.html
Billets en relation :
19/03/2015. Understanding Digital Intelligence and the Norms That Might Govern It : www.cigionline.org/publications/understanding-digital-intelligence-and-norms-might-govern-it

=> Study Shows People Act To Protect Privacy When Told How Often Phone Apps Share Personal Information. 23/03/2015. «Many smartphone users know that free apps sometimes share private information with third parties, but few, if any, are aware of how frequently this occurs. An experiment at Carnegie Mellon University shows that when people learn exactly how many times these apps share that information they rapidly act to limit further sharing (…).»
Source : www.cmu.edu/news/stories/archives/2015/march/privacy-nudge.html
Billets en relation :
23/12/2014. Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging : reports-archive.adm.cs.cmu.edu/anon/isr2014/CMU-ISR-14-116.pdf
27/03/2015. Android apps track your location every three minutes, says Carnegie Mellon study : www.welivesecurity.com/2015/03/27/android-apps-track-location-every-three-minutes-says-carnegie-mellon-study/
30/03/2015. Vie privée : « Votre position a été partagée 5398 fois en 14 jours » : www.01net.com/editorial/650637/vie-privee-votre-position-a-ete-partagee-5398-fois-en-14-jours/

=> Documents Reveal Canada’s Secret Hacking Tactics. 23/03/2015. «Canada’s electronic surveillance agency has secretly developed an arsenal of cyberweapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents (…).»
Source : firstlook.org/theintercept/2015/03/23/canada-cse-hacking-cyberwar-secret-arsenal/
Billets en relation :
23/03/2015. From hacking to attacking, a look at Canada’s cyberwarfare tools : www.cbc.ca/news/multimedia/from-hacking-to-attacking-a-look-at-canada-s-cyberwarfare-tools-1.3003447
23/03/2015. Communication Security Establishment’s cyberwarfare toolbox revealed : www.cbc.ca/news/canada/communication-security-establishment-s-cyberwarfare-toolbox-revealed-1.3002978

=> Corero Network Security Report. 23/03/2015. «Company Releases First Quarterly DDoS Trends and Analysis Report Compiled from Customer Data (…).»
Source : www.corero.com/company/newsroom/press-releases.html?id=4304
Billets en relation :
23/03/2015. Diversionary DDoS Attacks Getting More Frequent : blog.norsecorp.com/2015/03/23/diversionary-ddos-attacks-getting-more-frequent/
23/03/2015. DDoS Trends and Analysis Quarterly Report – Q4 2014 Review : www.corero.com/resources/files/Reports/16803%20Corero%20Quarterly%20Report%20Q4%2014_FINAL.pdf

=> Finding Evil in the Whitelist. 23/03/2015. «For organizations with limited security budgets, built-in Windows features, such as AppLocker and Software Restriction Policies, offer the ability to implement low-cost whitelisting solutions that can significantly reduce the attack surface on Windows endpoints (…).»
Source : www.sans.org/reading-room/whitepapers/Whitelists/finding-evil-whitelist-35832

=> Threat Intelligence – Collecting, Analysing, Evaluating. 23/03/2015. «This work, conducted by MWR InfoSecurity, is based on a review of the area and the design of a framework for threat intelligence that can be scaled to different sectors, sizes of organisation, and organisational goals. This work describes four distinct categories of Threat Intelligence and identifies the likely internal customers for each type. The Threat Intelligence report (below) is the product of literature reviews, internal experience, and interviews with people involved in threat intelligence and related fields across a range of organisations (…).»
Source : www.cpni.gov.uk/advice/cyber/Threat-Intelligence/
Billets en relation :
23/03/2015. Threat Intelligence – Collecting, Analysing, Evaluating : www.cpni.gov.uk/documents/publications/2015/23-march-2015-mwr_threat_intelligence_whitepaper-2015.pdf
05/04/2015. Source : twitter.com/tomchop_/status/584796571302293505

=> Les textes de référence en cybersécurité. 23/03/2015. «Le Service de recherche du Congrès américain vient de publier (via le site de la Federation of American Scientists), un précieux document fournissant la liste des principaux textes de référence (rapports publics et de think tanks, ouvrages, articles scientifiques, etc.) dans le domaine de la cybersécurité, classés par thème (politiques de cybersécurité, infrastructures essentielles, cybercrime, infonuagique, cyber espionnage et cyber conflit, formation de la main d’oeuvre, recherche et développement) (…).»
Source : www.benoitdupont.net/node/178
Billets en relation :
13/03/2015. Cybersecurity: Authoritative Reports and Resources, by Topic : www.fas.org/sgp/crs/misc/R42507.pdf

=> Banking Trojan Vawtrak: Harvesting Passwords Worldwide. 24/03/2015. «A new wave of the Vawtrak banking Trojan is spreading worldwide. Researcher Jakub Kroustek provides detailed analysis and advice in this whitepaper (…).»
Source : now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/
Billets en relation :
24/03/2015. Analysis of Banking Trojan Vawtrak (pdf) : now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf
29/03/2015. AVG : un nouvel échantillon du trojan bancaire Vawtrak refait surface : www.undernews.fr/malwares-virus-antivirus/avg-un-nouvel-echantillon-du-trojan-bancaire-vawtrak-refait-surface.html

=> Buying Personal Information in the Deep Web. 24/03/2015. «In this article, I’ll focus the analysis on the personal information exchanged by criminal crews in the Deep Web, and in particular through hidden services in the Tor Network. The personal information that I’m searching for are (…).»
Source : resources.infosecinstitute.com/buying-personal-information-in-the-deep-web/
Billets en relation :
15/12/2014. Underground Hacker Markets : www.secureworks.com/assets/pdf-store/white-papers/wp-underground-hacking-report.pdf

=> L’ANSSI et la CGPME publient le « Guide des bonnes pratiques de l’informatique ». 24/03/2015. «La prévention des incidents et attaques informatiques relève souvent de réflexes simples, qui concourent à une protection globale de l’entreprise. Le « Guide des bonnes pratiques de l’informatique » présente douze recommandations à destination des non-spécialistes, issues de l’analyse d’attaques réussies et de leurs causes (…).» Rien d’exceptionnel, que des conseils de bon sens. Pas convaincu.
Source : www.ssi.gouv.fr/publication/lanssi-et-la-cgpme-publient-le-guide-des-bonnes-pratiques-de-linformatique/
Billets en relation :
24/03/2015. TPE/PME – Guide des bonnes pratiques de l’informatique : www.ssi.gouv.fr/guide/guide-des-bonnes-pratiques-de-linformatique/
24/03/2015. L’ANSSI dévoile son guide des bonnes pratiques de la sécurité informatique : www.nextinpact.com/news/93549-lanssi-devoile-son-guide-bonnes-pratiques-securite-informatique.htm

=> Black Hat Asia 2015. 24/03/2015. «Black Hat is returning to Asia again in 2015, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days–two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings (…).»
Source : www.blackhat.com/asia-15/
Billets en relation :
24/03/2015. Black Hat Asia 2015 – Briefings – white paper, presentation, source : www.blackhat.com/asia-15/briefings.html
02/04/2015. Black Hat Asia 2015 Recap : blog.fortinet.com/post/black-hat-asia-2015-recap

=> Shipping losses lowest for 10 years, but mega-ships and cyber-attacks pose new threats for maritime sector. 24/03/2015. «Cyber risks represent another new threat for a shipping sector which is highly interconnected and increasingly reliant on automation. “Cyber risk may be in its infancy in the sector today, but ships and ports could become enticing targets for hackers in future (…).»
Source : www.agcs.allianz.com/about-us/news/shipping-review-2015/
Billets en relation :
24/03/2015. Third annual Safety and Shipping Review 2015 : www.agcs.allianz.com/assets/PDFs/Reports/Shipping-Review-2015.pdf
01/04/2015. Ships at risk of hacking, says report : www.welivesecurity.com/2015/04/01/ships-risk-hacking-says-report/

=> ENISA – The importance of standards in electronic identification and trust services providers . 24/03/2015. « ENISA publishes a new report on the importance of standards in the area of electronic identification and trust services providers. The importance of standards in electronic identification and trust services providers. A number of challenges are associated with the definition and deployment of standards in the area of cyber security. These include the lack of agility for standards to evolve at a comparable pace with the IT landscape, competing sets of standards, economic considerations (such as lock-in), lack of awareness, and organisational challenges (…).»
Source : www.enisa.europa.eu/media/news-items/the-importance-of-standards-in-electronic-identification-and-trust-services-providers
Billets en relation :
24/03/2015. Standardisation – eIDAS (pdf) : www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/standards-eidas/at_download/fullReport
24/03/2015. Standardisation in the field of Electronic Identities and Trust Service Providers : www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/standards-eidas

=> March-April Issue of The NT Insider. 24/03/2015. «The Mar/Apr 2015 issue of The NT Insider is available online in PDF Format (…).»
Source : www.osronline.com/article.cfm?id=628
Billets en relation :
24/03/2015. NT Insider : insider.osr.com/2015/ntinsider_2015_01.pdf

=> 15,435 vulnerabilities in close to 4,000 applications in 2014. 25/03/2015. «15,435 vulnerabilities across 3,870 applications were recorded in 2014 – that’s an 18% increase in vulnerabilities compared to the year before, and a 22% increase in the number of products. The result was published today in the Secunia Vulnerability Review 2015 (…).» Rhaa encore un formulaire à email -_-
Source : secunia.com/company/news/15435-vulnerabilities-in-close-to-4000-applications-in-2014-422/
Billets en relation :
22/03/2015. Donne moi email steplait : twitter.com/_Gof_/status/579720090238742528
25/03/2015. Over 15,000 Vulnerabilities Detected in Nearly 4,000 Applications : blog.norsecorp.com/2015/03/25/over-15000-vulnerabilities-detected-in-nearly-4000-applications/
25/03/2015. Secunia Vulnerability Review 2015 : secunia.com/resources/reports/vr2015/

=> A Review on Night Enhancement Eyedrops Using Chlorin e6. 25/03/2015. «However, in recent years other uses for ce6 have been found, the most notable in this case being its application into the conjuctival sac of the eye as a means of treating night blindness and improving the dim light vision of those with visual disturbances. This preliminary study attempts to test the ability of a mixture containing Ce6 to improve the dim light vision of healthy adults (…).»
Source : scienceforthemasses.org/2015/03/25/a-review-on-night-enhancement-eyedrops-using-chlorin-e6/
Billets en relation :
25/03/2015. A Team of Biohackers Has Figured Out How to Inject Your Eyeballs With Night Vision : mic.com/articles/113740/a-team-of-biohackers-has-figured-out-how-to-inject-your-eyeballs-with-night-vision
25/03/2015. A Review on Night Enhancement Eyedrops Using Chlorin e6 : scienceforthemasses.org/wp-content/uploads/2015/03/AReviewonNightEnhancementEyedropsUsingChlorine6.pdf
28/03/2015. Des biohackers expérimentent la vision de nuit : korben.info/des-biohackers-experimentent-la-vision-de-nuit.html

=> Redefining the Transparency Order – Workshop on Coding and Cryptography (WCC). 25/03/2015. «L’article propose une amélioration d’un critère de sécurité, l’ordre de transparence, introduit en 2004 dans le but de mieux sélectionner des primitives cryptographiques qui soient résistantes aux attaques par analyse de canaux auxiliaires (…).»
Source : www.ssi.gouv.fr/publication/redefining-the-transparency-order/
Billets en relation :
25/03/2015. Redefining the Transparency Order – Workshop on Coding and Cryptography (WCC) : www.ssi.gouv.fr/uploads/2015/03/dpa11b.pdf

=> ENISA publishes a good practice guide for CERTs’ first responders. 25/03/2015. «ENISA has recently published a report on evidence gathering for CERTs first responders, with an emphasis on electronic evidence gathering and digital forensics (…).»
Source : www.enisa.europa.eu/media/news-items/enisa-publishes-a-good-practice-guide-for-certs-first-responders
Billets en relation :
25/03/2015. Good practice material for first responders (pdf) : www.enisa.europa.eu/activities/cert/support/fight-against-cybercrime/electronic-evidence-a-basic-guide-for-first-responders/at_download/fullReport
25/03/2015. Electronic evidence – a basic guide for First Responders : www.enisa.europa.eu/activities/cert/support/fight-against-cybercrime/electronic-evidence-a-basic-guide-for-first-responders

=> Complots, conspirationnistes & Co. II. 25/03/2015. «Comment s’accorder sur une définition du complotisme ou conspirationnisme ? (…).»
Source : www.huyghe.fr/actu_1276.htm

=> Semiannual Cisco IOS Software Security Advisory Bundled Publication. 25/03/2015. «Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication on March 25, 2015. In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. The publication includes seven Security Advisories that address vulnerabilities in Cisco IOS Software. Exploits of the individual vulnerabilities could result in a denial of service condition or interface wedge (…).»
Source : www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html
Billets en relation :
23/03/2015. Cisco vulnerability could allow attackers to eavesdrop on private conversations : www.welivesecurity.com/2015/03/23/cisco-vulnerability-allow-attackers-eavesdrop-private-conversations/
25/03/2015. Announcing the First Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication : blogs.cisco.com/security/announcing-the-first-cisco-ios-xe-software-security-advisory-bundled-publication

=> Les cadres et le Cloud Computing. 26/03/2015. «Alors que les entreprises intègrent de plus en plus de nouvelles solutions informatiques pour améliorer leur productivité, Aruba, en partenariat avec l’IFOP, a interrogé les cadres sur leur connaissance et leur utilisation d’une technologie en vogue : le Cloud Computing (…).»
Source : www.ifop.com/?option=com_publication&type=poll&id=2979

=> Beta Bot Trojan. 27/03/2015. «In this article, I would like to show how an analysis is performed on the Beta Bot trojan to identify its characteristics (…).»
Source : resources.infosecinstitute.com/beta-bot-trojan/

=> CanSecWest 2015: everything is hackable. 27/03/2015. «Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous accompaniment, the ever famous Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone! BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the victim systems successfully hacked by our fellow presenters (…).»
Source : securelist.com/blog/events/69386/cansecwest-2015-everything-is-hackable/
Billets en relation :
20/03/2015. How Many Million BIOSes Would you Like to Infect? : legbacore.com/Research_files/HowManyMillionBIOSWouldYouLikeToInfect_Full2.pdf
23/03/2015. Pwn2Own has become something of an institution : nakedsecurity.sophos.com/2015/03/23/pwn2own-competition-pops-flash-reader-and-four-browsers-pays-out-over-550k/
25/03/2015. Présentation à CanSecWest d’un nouvel implant BIOS : www.viruslist.com/fr/news?id=197471274

=> Facebook Tracking Through Social Plug-ins. 27/03/2015. «Technical report prepared at the request of the Belgian Privacy Commission in the context of its Facebook investigation (…).»
Source : securehomes.esat.kuleuven.be/~gacar/fb_tracking/
Billets en relation :
27/03/2015. Facebook Tracking Through Social Plug-ins : securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf
31/03/2015. ICRI/CIR and iMinds-SMIT advise Belgian Privacy Commission in Facebook investigation : www.law.kuleuven.be/icri/en/news/item/icri-cir-advises-belgian-privacy-commission-in-facebook-investigation
01/04/2015. Facebook hits back at report claiming it tracks pretty much everyone : nakedsecurity.sophos.com/2015/04/01/facebook-hits-back-at-report-claiming-it-tracks-pretty-much-everyone/

=> GitHub Hit With DDoS Attack. 27/03/2015. «A large-scale DDoS attack, apparently emanating from China, has been hammering the servers at GitHub over the course of the last 12 hours, periodically causing service outages at the code-sharing and collaboration site (…).»
Source : threatpost.com/github-hit-with-ddos-attack/111850
Billets en relation :
25/03/2015. Using Baidu to steer millions of computers to launch denial of service attacks : drive.google.com/file/d/0ByrxblDXR_yqeUNZYU5WcjFCbXM/view?pli=1
27/03/2015. GitHub Hammered by Large Scale DDoS Attack : blog.norsecorp.com/2015/03/27/github-hammered-by-large-scale-ddos-attack/
27/03/2015. Baidu’s traffic hijacked to DDoS GitHub.com : insight-labs.org/?p=1682
31/03/2015. China claims it is a cyber victim as GitHub DDoS rolls on : www.zdnet.com/article/china-claims-it-is-a-cyber-victim-as-github-ddos-rolls-on/
31/03/2015. China’s Man-on-the-Side Attack on GitHub : www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
31/03/2015. Chinese authorities compromise millions in cyberattacks : en.greatfire.org/blog/2015/mar/chinese-authorities-compromise-millions-cyberattacks

=> Lockheed Martin – Results of the Intelligence Driven Cyber Defense Survey. 27/03/2015. «Ponemon Institute is pleased to present the results of Intelligence Driven Cyber Defense sponsored by Lockheed Martin . The purpose of this research is to understand if organizations are improving their ability to reduce the risk of hackers and other cyber criminals. If so, are they adopting new strategies, such as intelligence driven cyber defense, to deal with the rise in frequency and severity of cyber attacks? We surveyed 678 US IT and IT security practitioners who are familiar with their organizations’ defense against cybersecurity attacks and have responsibility in directing cybersecurity activities. Following are the key findings of this study (…).»
Source : cyber.lockheedmartin.com/intelligence-driven-cyber-defense-survey-results

=> Droit général de l’UE et Institutions – Accès au droit / Rapport. 27/03/2015. «Le Conseil de l’Union européenne a publié, le 24 mars dernier, au Journal officiel de l’Union européenne, son rapport sur l’accès au droit. Celui-ci vise à présenter les moyens qui ont été développés pour donner accès efficacement au droit européen, aux droits nationaux des Etats membres et aux droits des Etats tiers et les améliorations à envisager. (…).»
Source : www.dbfbruxelles.eu/acces-au-droit-rapport-publication-leb-738/
Billets en relation :
24/03/2015. Rapport sur l’accès au droit : eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=OJ:JOC_2015_097_R_0003&from=FR

=> Guide des startups 2015. 27/03/2015. «Voici venu le temps de mettre à jour comme chaque année le Guide des Startups, la ressource la plus complète pour les entrepreneurs du numérique pour créer et faire grandir leur startup (…).»
Source : www.oezratty.net/wordpress/2015/guide-des-startups-2015/
Billets en relation :
26/03/2015. Guide des Startups 2015 : www.oezratty.net/wordpress/wp-content/themes/Ezratty4/forcedownload.php?file=/Files/Publications/Guide%20des%20Startups%20Hightech%20en%20France%20Olivier%20Ezratty%20Mar2015.pdf

=> S&D Magazine : numéro de mars disponible en ligne. 27/03/2015. «Dossier spécial Cyber : Innovations, perspectives & export (…).»
Source : www.sd-magazine.com/article.php?page=357

=> DUAL_EC_DRBG : Une histoire de portes dérobées dans les standards. 27/03/2015. «My slides to @sth4ck, on Dual_ec_drbg are available (…).»
Source : blog.0xbadc0de.be/other/dualec.pdf

=> Forensic collection form for UAVs/drones. 28/03/2015. «We developed a UAS Acquisition Form to assist law enforcement and other interested parties in the collection process (…).»
Source : integriography.wordpress.com/2015/03/28/forensic-collection-form-for-uavsdrones/
Billets en relation :
15/03/2015. Drone Forensics – An Overview : integriography.wordpress.com/2015/03/15/drone-forensics-an-overview/

=> Information Supplement – Penetration Testing Guidance – March 2015. 28/03/2015. «The objective of this information supplement is to update and replace PCI SSC’s original penetration testing information supplement titled “Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 Penetration Testing” published in 2008. This information supplement has additional guidance to what is in PCI DSS and is written as general penetration testing guidelines that are intended to extend into future versions of PCI DSS (…).»
Source : www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
Billets en relation :
28/03/2015. Source : www.scoop.it/t/arth-ck/p/4040151221/2015/03/28/penetration-testing-guidance-march-2015-pdf

=> Security Attacks via Malicious QR Codes. 30/03/2015. «In this article, I will discuss QR codes in details. I will also try to cover all the potential security issues related to QR codes (…).»
Source : resources.infosecinstitute.com/security-attacks-via-malicious-qr-codes/

=> A timeline of mobile botnets. 30/03/2015. «With the recent explosion in smartphone usage, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. In this paper, Ruchna Nigam focuses on mobile botnets, drawing up an inventory of types of known mobile bot variants (…).»
Source : www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-mobile-botnets
Billets en relation :
30/03/2015. Paper: a timeline of mobile botnets : www.virusbtn.com/blog/2015/03_30.xml
30/03/2015. A timeline of mobile botnets : www.virusbtn.com/pdf/magazine/2015/vb201503-mobile-botnets.pdf

=> Internet en Iran : évaluation des deux premières années de la présidence Rohani . 30/03/2015. «Small Media a évalué la politique dans le domaine d’Internet au cours des 18 premiers mois du mandat du Président Hassan Rohani (…).»
Source : fr.globalvoicesonline.org/2015/03/30/183904/
Billets en relation :
18/03/2015. Iranian Internet Infrastructure and Policy Report : www.smallmedia.org.uk/content/135
18/03/2015. The Rouhani Review (2013–15) // The Iranian Web Two Years In : medium.com/@small.media/the-rouhani-review-2013-15-the-iranian-web-two-years-in-6e1ca75db74c

=> Quantifying Malware Evolution through Archaeology. 31/03/2015. «In addition to providing historical perspective on malware evolution, the methods described in this paper may aid malware detection through classification, leading to new proactive methods to identify malicious software (…).»
Source : www.scirp.org/Journal/PaperInformation.aspx?PaperID=55225
Billets en relation :
31/03/2015. Journal of Information Security : www.scirp.org/journal/jis/
31/03/2015. Quantifying Malware Evolution through Archaeology : www.scirp.org/Journal/PaperDownload.aspx?paperID=55225

=> Check Point Researchers Discover Global Cyber Espionage Campaign with Possible Link to Lebanese Political Group. 31/03/2015. «Researchers in Check Point’s Malware and Vulnerability Research Group uncovered an attack campaign called Volatile Cedar, which uses a custom-made malware implant codenamed Explosive. Operating since early 2012, this campaign has successfully penetrated a large number of targets across the globe, during which time it has allowed the attackers to monitor victim’s actions and steal data (…).»
Source : www.checkpoint.com/press/2015/media-alert-check-point-researchers-discover-global-cyber-espionage-campaign-with-possible-link-to-lebanese-political-group/
Billets en relation :
30/03/2015. Report on Volatile Cedar : www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf
31/03/2015. Volatile Cedar APT Group First Operating Out of Lebanon : threatpost.com/volatile-cedar-apt-group-first-operating-out-of-lebanon/111895
31/03/2015. Sinkholing Volatile Cedar DGA Infrastructure : securelist.com/blog/research/69421/sinkholing-volatile-cedar-dga-infrastructure/

=> IoT Research – Smartbands. 31/03/2015. «Tracking devices and their corresponding mobile applications from three leading vendors were inspected in this report to shed some light on the current state of security and privacy of wearable fitness trackers (…).»
Source : securelist.com/analysis/publications/69412/iot-research-smartbands/
Billets en relation :
12/03/2015. Is IoT in the Smart Home giving away the keys to your kingdom? : www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf
27/03/2015. L’Internet des Objets, une révolution à ne pas manquer : www.bulletins-electroniques.com/actualites/78200.htm
31/03/2015. IoT: The Internet of Things… ehm… Trouble?! : blog.gdatasoftware.com/blog/article/iot-the-internet-of-things-ehm-trouble.html

=> Transformation des modes de travail. 31/03/2015. «Thomas KERJEAN, Directeur de Cabinet du Président de Microsoft France, nous a exposé la « Nouvelle EXpérience de Travail » chez Microsoft, incluant regroupement des sites, aménagement des espaces, logiciels collaboratifs…. (…).»
Source : www.andsi.fr/transformation-des-modes-de-travail/
Billets en relation :
31/03/2015. Transformation des modes de travail, Compte rendu de la présentation du 10 mars 2015 : www.andsi.fr/wp-content/uploads/2015/03/ANDSI-CR-du-10-mars-2015-Transformation-des-modes-de-travail-Microsoft-T.-Kerjean.pdf

=> Phishing-Initiative – EU-PI, French chapter: 1st semester report . 31/03/2015. «We release today the first report summarizing the actions led by Phishing-Initiative France since the launch of the EU-PI project in August 2014. You will find our report in French and in English (…).»
Source : blog.phishing-initiative.com/2015/03/eu-pi-french-chapter-1st-semester-report.html
Billets en relation :
23/03/2015. Phishing-Initiative Luxembourg (bêta) is out : blog.phishing-initiative.com/2015/03/phishing-initiative-luxembourg-beta-is.html
31/03/2015. EU-PI French chapter: semester 1 Report : phishing-initiative.eu/files/EN_EU-PI_FR_report-S1.pdf
31/03/2015. EU-PI rapport d’activité en France, semestre 1 : phishing-initiative.eu/files/EU-PI_FR_report-S1.pdf

=> Lettre IP 9 – Plus jamais seuls dans les rayons. La numérisation du commerce de détail. 31/03/2015. «Rendre les magasins plus « connectés » devient une préoccupation majeure des commerçants. La nouvelle lettre IP fait le point sur cette numérisation croissante de la consommation en magasin, qui implique la prise en compte d’un nombre grandissant de données (…).»
Source : www.cnil.fr/nc/linstitution/actualite/article/article/la-numerisation-du-commerce-de-detail/
Billets en relation :
31/03/2015. Lettre IP 9 – Plus jamais seuls dans les rayons. La numérisation du commerce de détail : www.cnil.fr/fileadmin/documents/La_CNIL/publications/DEIP/Lettre9_CNIL.pdf
01/04/2015. Booster ses ventes avec le magasin connecté : www.orange-business.com/fr/blogs/relation-client/point-de-vente/booster-ses-ventes-avec-le-magasin-connecte

=> Bilan des activites de la chaire – cyberdéfense et cybersécurite 2012-2014. 01/04/2015. «Ce livret permet de revenir sur les activités menées par la Chaire depuis sa création en 2012 et de présenter des activités futures comme la formation à la gestion de crise cyber (…).»
Source : www.chaire-cyber.fr/livret-bilan-de-la-chaire-2012
Billets en relation :
01/04/2015. Bilan des activites de la chaire – cyberdéfense et cybersécurite 2012-2014 : www.chaire-cyber.fr/IMG/pdf/livret_bilan.pdf

=> Confidence Building in Cyberspace: A Comparison of Territorial and Weapons-Based Regimes. 01/04/2015. «It may be possible for academics and policymakers to come together to work for a ban or build-down on cyber weapons patterned on international efforts to ban chemical and biological weapons and implement export regimes to control the export of code which may form the components of cyber weapons (…).»
Source : www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubID=1252

=> Open Crypto Audit Project – TrueCrypt. 02/04/2015. «Phase II analysis is completed and, pending an executive summary, TrueCrypt is Audited (…).»
Source : opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf
Billets en relation :
31/03/2015. Face à TrueCrypt : zythom.blogspot.fr/2015/03/face-truecrypt.html
02/04/2015. Truecrypt report : blog.cryptographyengineering.com/2015/04/truecrypt-report.html
02/04/2015. TrueCrypt est-il sûr ? On connait enfin la réponse : korben.info/laudit-de-truecrypt-est-termine.html
02/04/2015. Audit Concludes No Backdoors in TrueCrypt : threatpost.com/audit-concludes-no-backdoors-in-truecrypt/111994
03/04/2015. TrueCrypt Security Audit Completed : www.schneier.com/blog/archives/2015/04/truecrypt_secur.html

=> Distrusting New CNNIC Certificates. 02/04/2015. «Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident (…).»
Source : blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/
Billets en relation :
23/03/2015. Maintaining digital certificate security : googleonlinesecurity.blogspot.fr/2015/03/maintaining-digital-certificate-security.html
27/03/2015. CNNIC censored Google and Mozilla’s posts about CNNIC CA : en.greatfire.org/blog/2015/mar/cnnic-censored-google-and-mozilla%E2%80%99s-posts-about-cnnic-ca
29/03/2015. Serious Security: China Internet Network Information Center in TLS certificate blunde : nakedsecurity.sophos.com/2015/03/26/serious-security-china-internet-network-information-center-in-tls-certificate-blunder/
02/04/2015. Google Ends CNNIC Certificate Recognition in Chrome : blog.norsecorp.com/2015/04/02/google-ends-cnnic-certificate-recognition-in-chrome/
02/04/2015. CNNIC-MCS : blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf
02/04/2015. Pourquoi Google exclut les certificats de sécurité chinois du CNNIC : www.numerama.com/magazine/32673-pourquoi-google-exclut-les-certificats-de-securite-chinois-du-cnnic.html
02/04/2015. Google, Mozilla Drop Trust in Chinese Certificate Authority CNNIC : threatpost.com/google-drops-trust-in-chinese-certificate-authority-cnnic/111974
02/04/2015. Google rejette en bloc les certificats de sécurité du chinois CNNIC : www.nextinpact.com/news/93686-google-rejette-en-bloc-certificats-securite-chinois-cnnic.htm
04/04/2015. CNNIC censors news about their own statement : en.greatfire.org/node/1752860

=> Android Security State of the Union 2014 . 02/04/2015. «So, we’ve been working hard on a report that analyzes billions (!) of data points gathered every day during 2014 and provides comprehensive and in-depth insight into security of the Android ecosystem. We hope this will help us share our approaches and data-driven decisions with the security community in order to keep users safer and avoid risk (…).»
Source : googleonlinesecurity.blogspot.fr/2015/04/android-security-state-of-union-2014.html
Billets en relation :
31/03/2015. Out with unwanted ad injectors : googleonlinesecurity.blogspot.fr/2015/03/out-with-unwanted-ad-injectors.html
02/04/2015. Google Report – Android Security 2014 Year in Review : static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf

=> Swipe away, we’re watching you. 02/04/2015. «In their VB2014 paper, Hong Kei Chan and Liang Huang describe the backbone of PoS malware: (1) dumping the memory of running processes, (2) scanning and extracting credit card information, and (3) exfiltrating the stolen information (…).»
Source : www.virusbtn.com/virusbulletin/archive/2015/04/vb201504-swipe-away
Billets en relation :
02/04/2015. VB2014 paper: Swipe away, we’re watching you : www.virusbtn.com/blog/2015/04_02c.xml
02/04/2015. Swipe away, we’re watching you : www.virusbtn.com/pdf/conference/vb2014/VB2014-ChanHuang.pdf

=> Les hauts et les bas des niveaux de sécurité. 02/04/2015. «Faut-il faire le même effort pour sécuriser l’automate qui emballe des savons et celui qui assure l’arrêt d’urgence d’un réacteur ? Poser la question c’est y répondre. Comme dans les SI(0) de gestion où l’on fait varier la sécurité selon la sensibilité de l’information, en SI industriel on sécurise en fonction de l’impact sur le process en cas de piratage (…).»
Source : securid.novaclic.com/cyber-securite-industrielle/niveaux_securite.html

=> Snapchat Transparency Report. 02/04/2015. «Even though Snapchat has promoted user privacy and autonomy since its founding, we’ve only recently been able to systematically track and report requests for user information. Beginning in July 2015, we will publish a bi-annual Transparency Report, which will explore government requests we have received for users’ account information, government demands to remove users’ content, and requests to takedown content for alleged copyright violations (…).»
Source : www.snapchat.com/transparency/
Billets en relation :
03/04/2015. La France s’est renseignée sur des membres de Snapchat : www.numerama.com/magazine/32688-la-france-s-est-renseignee-sur-des-membres-de-snapchat.html

=> L’ARCEP publie l’observatoire des marchés des communications électroniques en France au quatrième trimestre 2014. 02/04/2015. «La consommation en services de communications électroniques demeure dynamique ; les revenus se stabilisent fin 2014 après trois années de baisses ; l’investissement fléchit légèrement après 3 années au plus haut (…).»
Source : www.arcep.fr/index.php?id=26
Billets en relation :
02/04/2015. Observatoire ARCEP : www.arcep.fr/fileadmin/reprise/observatoire/4-2014/obs-marches-T4_2014-020415.pdf
03/04/2015. ARCEP : l’usage d’Internet augmente, les prix et les investissements baissent : www.nextinpact.com/news/93702-arcep-usage-d-internet-augmente-prix-et-investissements-baissent.htm

=> « Make or Break » : la Chambre des Lords alerte sur la capacité du Royaume-Uni à engager le virage numérique des prochaines années. 02/04/2015. «Dans son récent rapport « Make or Break : The UK’s Digital Future », le comité sur les compétences numériques (Digital Skills Committee) de la Chambre des Lords tire le signal d’alarme concernant la capacité du Royaume-Uni à répondre aux enjeux du numérique dans les années à venir. Il souligne en particulier une série de faiblesses, qui, si elles ne sont pas prises en compte à temps, pourraient entraîner de graves conséquences sur la capacité du pays à se maintenir en position de leadership sur la scène internationale (…).»
Source : www.bulletins-electroniques.com/actualites/78240.htm
Billets en relation :
17/02/2015. « Make or Break » : www.publications.parliament.uk/pa/ld201415/ldselect/lddigital/111/111.pdf

=> ENISA’s How-to-Guide for Trust Service Providers’ Auditing. 02/04/2015. «ENISA has published a report providing guidelines on the auditing framework for Trust Service Providers (TSPs). These guidelines can be used by Trust Service Providers (preparing for audits) and Conformity Assessment Bodies (auditors) having to undergo regular auditing – as set by the eIDAS regulation – and offer a set of good practices which can be used at an organizational level (…).»
Source : www.enisa.europa.eu/media/press-releases/enisa2019s-how-to-guide-for-trust-service-providers2019-auditing
Billets en relation :
02/04/2015. Auditing framework for trust services (pdf) : www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/tsp-auditing-framework/at_download/fullReport
02/04/2015. Auditing Framework for TSPs : www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/tsp-auditing-framework

=> Tallinn Paper: Offensive Cyber Operations Should Not Be Ignored. 02/04/2015. «In the newest Tallinn Paper “The Role of Offensive Cyber Operations in NATO’s Collective Defence” Dr James A. Lewis argues for NATO to be doing more in cyber defence. He discusses the need for NATO to publicly embrace the notion of offensive cyber operations (…).»
Source : ccdcoe.org/tallinn-paper-offensive-cyber-operations-should-not-be-ignored.html
Billets en relation :
02/04/2015. Tallinn Paper: The Role of Offensive Cyber Operations in NATO’s Collective Defence (pdf) : ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015.pdf
02/04/2015. Tallinn Paper: The Role of Offensive Cyber Operations in NATO’s Collective Defence : ccdcoe.org/multimedia/role-offensive-cyber-operations-natos-collective-defence.html

=> NIST Seeks Feedback on Consumer and Patient Data Protection Report. 03/04/2015. «The National Institute of Standards and Technology (NIST) is seeking feedback on a report (PDF) produced at the Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy in February, where Stanford University brought together CTOs, CIOs and other security executives to discuss the inherent challenges in implementing proactive security and privacy technologies (…).»
Source : blog.norsecorp.com/2015/04/03/nist-seeks-feedback-on-consumer-and-patient-data-protection-report/
Billets en relation :
02/04/2015. Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy : nccoe.nist.gov/sites/default/files/NISTIR_8050_draft_final.pdf

=> Référentiel pédagogique de formation à la cybersécurité des TPE et des PME. 03/04/2015. «Le Référentiel pédagogique de formation à la cybersécurité des TPE et des PME, élaboré conjointement avec l’Agence nationale de la sécurité des systèmes d’information (ANSSI) est dès à présent téléchargeable (…).»
Source : www.intelligence-economique.gouv.fr/actualites/referentiel-pedagogique-de-formation-la-cybersecurite-des-tpe-et-des-pme
Billets en relation :
03/04/2015. Référentiel pédagogique de formation à la cybersécurité des TPE et des PME : www.intelligence-economique.gouv.fr/sites/default/files/d2ie_formation_cybersecurite_des_tpe_pme_mars2015.pdf
03/04/2015. Référentiel pédagogique de formation à la cybersécurité des TPE et des PME : www.ssi.gouv.fr/uploads/2015/04/D2IE_formation_cybersecurite_TPE_PME_mars_2015.pdf

=> Petites leçons de typographie. 03/04/2015. «Un guide conçu pour les chercheurs et tous ceux qui éditent eux-mêmes leurs textes avec les applications informatiques (…).»
Source : cursus.edu/institutions-formations-ressources/formation/19030/petites-lecons-typographie/
Billets en relation :
30/12/2014. Petites leçons de typographie : jacques-andre.fr/faqtypo/lessons.pdf

=> Thucydides Was Right: Defining the Future Threat. 03/04/2015. «To define future threat is, in a sense, an impossible task, yet it is one that must be done. The only sources of empirical evidence accessible are the past and the present; one cannot obtain understanding about the future from the future (…).»
Source : www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubID=1256

=> 1024 – Bulletin de la société informatique de France HS n°1 – Médiation scientifique : de la science informatique au grand public. 04/04/2015. «Pourquoi et comment partager une culture scientifique en sciences informatiques ? (…).» Publié initialement le 09/03/
Source : www.societe-informatique-de-france.fr/bulletin/1024-numero-hs1/
Billets en relation :
04/04/2015. Comment les chercheurs en informatique partagent leur culture scientifique : binaire.blog.lemonde.fr/2015/04/04/comment-les-chercheurs-en-informatique-partagent-leur-culture-scientifique/

Publié par

Gof

Canard boiteux numérique ; juste intéressé, juste passionné.