www.defenseone.com/threats/2015/10/even-dhs-doesnt-want-power-it-would-get-under-cisa/123015/
By PATRICK TUCKER, defenseone.com, OCTOBER 21, 2015

The Senate is currently debating a bill to give Department of Homeland Security unprecedented access to personal information, a measure intended to help to protect the nation from cyber attacks. Yes, that DHS, whose director had his Comcast account hacked yesterday. Even stranger: DHS doesn’t even want the power it would be granted.

The bill is the Cyber Information Sharing Act, or CISA. It would give companies legal immunity to send DHS a broad range of information about the users of their websites. DHS would then be allowed to speed that (nominally anonymized) information along to the NSA, DoD, FBI, the FCC or other bodies. Through a byzantine series of twists and turns, that could potentially include foreign militaries.

In July, DHS officials pointed out various problems with CISA in a seven-page memo. They argued, among other things, that the bill “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”

But hey, what’s a little privacy loss in the name of better security? Unfortunately, according to DHS’s memo, CISA fails there, too. “These provisions would undermine the policy goals that were thoughtfully constructed to maximize privacy and accuracy of information, and to provide the NCCIC with the situational awareness we need to better serve the nation’s cybersecurity needs,” it said. […]
http://breakingdefense.com/2015/09/wireless-hacking-in-flight-air-force-demos-cyber-ec-130/
By SYDNEY J. FREEDBERG JR., Breaking Defense, September 15, 2015

NATIONAL HARBOR: Matthew Broderick in his basement, playing Wargames over a landline, is still the pop culture archetype of a hacker. But as wireless networks became the norm, new-age cyber warfare and traditional electronic warfare are starting to merge. Hackers can move out of the basement to the sky.

In a series of experiments, the US Air Force has successfully modified its EC-130 Compass Call aircraft, built to jam enemy transmissions, to attack enemy networks instead. “We’ve conducted a series of demonstrations,” said Maj. Gen. Burke Wilson, commander of the 24th Air Force, the service’s cyber operators. “Lo and behold! Yes, we’re able to touch a target and manipulate a target, [i.e.] a network, from an air[craft].”

What’s more, Wilson told reporters at the Air Force Association conference here, this flying wireless attack can “touch a network that in most cases might be closed” to traditional means. While he didn’t give details, many military networks around the world are deliberately disconnected from the Internet (“air-gapped”) for better security. You can try to get an agent or dupe to bring a virus-infected thumb drive to work, as reportedly happened with Stuxnet’s penetration of the Iranian nuclear program, but that takes time and luck. You unlock a lot more virtual doors if you can just hack a network wirelessly from the air.

Israeli aircraft using BAE’s Suter system reportedly did just this to Syrian air defenses in 2007’s Operation Orchard, and the Navy is interested in the capability, but this is the first I’ve heard an Air Force general discuss it. Digital AESA radar can do much the same thing, as we’ve reported about the F-35. […]
http://www.computerworld.com/article/2975024/data-security/the-security-and-risk-management-of-shadow-it.html
By Robert C. Covington, Computerworld, Aug 24, 2015

Most would agree that we in the information security industry are fighting an uphill battle. Many have even taken the extreme position that we cannot keep intruders out of our networks, so we should give up and focus on containment, an argument I strongly objected to in an earlier post, “Are we surrendering the cyberwar?” Regardless of your position on how best to control the threat, I think you will agree that it is a difficult problem to address.

In the world of corporate IT, I have seen a definite shift toward better focus on network security, vulnerability management and governance. We are having success in locking networks and data down, even as more improvement is needed. Even as we succeed in deploying better security controls for the assets we know about, we are facing a growing threat from within — the challenge of shadow IT.

According to Techopedia, the term “shadow IT” “is used to describe IT solutions and systems created and applied inside companies and organizations without their authorization.” The phenomenon usually begins with an enterprise department or team getting frustrated with the IT department’s perceived inability to deliver what they think they need, when they think they need it. As a result, they go off and do their own thing, usually without the knowledge of IT. The problem usually continues with IT unaware, until technical problems develop, or until integration with other corporate applications is needed. When IT is brought into the loop by users now needing help, it is not usually viewed as a pleasant surprise by the CIO or IT director. […]
http://www.infosecnews.org/healthcare-gov-server-compromised-by-hackers/
By William Knowles (@c4i), Senior Editor, InfoSec News, September 5, 2014

Unknown hackers breached a test server with malware on a Health and Human Services (HHS) site that supports the Obamacare insurance website HealthCare.gov. The commonplace malware was designed to launch “denial of service” attacks against other websites, HHS said, and there is no evidence any consumers’ personal information was sent to any external IP address. The attack did not appear to directly target HealthCare.gov, and the server that was targeted did not contain any consumers’ personal information.

The Wall Street Journal reports that the server was connected to more sensitive parts of the website that had better security protections, the officials said. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn’t intend to target a HealthCare.gov server. […]
http://www.independent.co.uk/life-style/health-and-families/health-news/hospital-records-used-to-target-ads-on-twitter-and-facebook-say-privacy-campaigners-in-latest-nhs-data-concerns-9166633.html
By CHARLIE COOPER, HEALTH REPORTER, independent.co.uk, 03 March 2014

The security of NHS data was thrown into further doubt yesterday after it emerged anonymous patient information has been used by a marketing consultancy to advise clients on targeting their social media campaigns. It comes amid growing concerns over plans to trawl patient records from every GP surgery in England, which were postponed last month after NHS chiefs admitted they had not done enough to inform and reassure the public about the scheme, known as care.data. MPs sought reassurances last week that the GP data, which could be accessed by researchers and approved private companies, would not be vulnerable to breaches of patient confidentiality.

In another blow to public confidence in the scheme, it was also reported yesterday that the entire hospital episodes statistics (HES) dataset has been uploaded to Google servers. A management consultancy firm called PA Consulting used Google tools to create interactive maps out of HES data, it emerged. The HSCIC said it had received assurances that no Google staff would be able to access the data, and the firm said that the data was “held securely”.

Medconfidential, which campaigns for better security around medical records, said that they were also concerned that HES data had been released, in pseudonymised form, to a consultancy firm, Beacon Dodsworth, which uses a coded version of HES data to help its clients “establish trends and understand patterns allowing you to tailor your social marketing or media awareness campaigns.” Its chairman, Geoff Beacon, told The Independent that the firm had “not been allowed near the raw data”, which had been handled by a public sector health observatory. […]
I was cruising the Exploit-DB.com site today just to see the latest in the exploits in the wild and noticed right away that there was a new Metasploit exploit released on October 1st for Trend Micro’s Internet Security Pro 2010. It always chills me when I see exploits for security vendors. I guess I see them as being special or something. Maybe I shouldn’t put them so much on a pedestal, since I guess all programmers can make mistakes. However, the question is… should we expect security vendors to have better security than their customers or other software companies? I wonder if NSS Labs is going to come up with a framework for assessing or certifying security product vendors’ development processes? Hmm… That’d be nice to see.
See the exploit below: