http://www.infosecnews.org/healthcare-gov-server-compromised-by-hackers/

By William Knowles @c4i, Senior Editor, InfoSec News, September 5, 2014

Unknown hackers breached a test server with malware on a Health and Human Services (HHS) site that supports the Obamacare insurance website HealthCare.gov. The commonplace malware was designed to launch “denial of service” attacks against other websites, HHS said, and there is no evidence any consumers’ personal information was sent to any external IP address. The attack did not appear to directly target HealthCare.gov, and the server that was targeted did not contain any consumers’ personal information. The Wall Street Journal reports that the server was connected to more sensitive parts of the website that had better security protections, the officials said. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn’t intend to target a HealthCare.gov server. […]
http://www.independent.co.uk/life-style/health-and-families/health-news/hospital-records-used-to-target-ads-on-twitter-and-facebook-say-privacy-campaigners-in-latest-nhs-data-concerns-9166633.html

By Charlie Cooper, Health Reporter, independent.co.uk, 03 March 2014

The security of NHS data was thrown into further doubt yesterday after it emerged anonymous patient information has been used by a marketing consultancy to advise clients on targeting their social media campaigns. It comes amid growing concerns over plans to trawl patient records from every GP surgery in England, which were postponed last month after NHS chiefs admitted they had not done enough to inform and reassure the public about the scheme, known as care.data. MPs sought reassurances last week that the GP data, which could be accessed by researchers and approved private companies, would not be vulnerable to breaches of patient confidentiality. In another blow to public confidence in the scheme, it was also reported yesterday that the entire hospital episodes statistics (HES) dataset has been uploaded to Google servers. A management consultancy firm called PA Consulting used Google tools to create interactive maps out of HES data, it emerged. The HSCIC said it had received assurances that no Google staff would be able to access the data, and the firm said that the data was “held securely”. Medconfidential, which campaigns for better security around medical records, said that it was also concerned that HES data had been released, in pseudonymised form, to a consultancy firm, Beacon Dodsworth, which uses a coded version of HES data to help its clients “establish trends and understand patterns allowing you to tailor your social marketing or media awareness campaigns.” Its chairman, Geoff Beacon, told The Independent that the firm had “not been allowed near the raw data”, which had been handled by a public sector health observatory. […]
I was cruising the Exploit-DB.com site today just to see the latest exploits in the wild and noticed right away that there was a new Metasploit exploit released on October 1st for Trend Micro’s Internet Security Pro 2010. It always chills me when I see exploits for security vendors. I guess I see them as being special or something. Maybe I shouldn’t put them so much on a pedestal, since all programmers can make mistakes. However, the question is: should we expect security vendors to have better security than their customers or other software companies? I wonder if NSS Labs is going to come up with a framework for assessing or certifying security product vendors’ development processes? Hmm… That’d be nice to see.
See the exploit below: