Tag Archives: review

[ISN] “Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic

arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
By Dan Goodin
Ars Technica
Dec 17, 2015

An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

It’s not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There’s no evidence right now that the backdoor was put in other Juniper OSes or devices.

“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Chief Information Officer Bob Worrall wrote. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.”

A separate advisory from Juniper says there are two separate vulnerabilities, but stops short of describing either as “unauthorized code.” The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise.

“The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic,” the advisory said. “It is independent of the first issue. There is no way to detect that this vulnerability was exploited.”

[…]





[ISN] Hacked at sea: Researchers find ships’ data recorders vulnerable to attack

arstechnica.com/information-technology/2015/12/hacked-at-sea-researchers-find-ships-data-recorders-vulnerable-to-attack/
By Sean Gallagher
Ars Technica
Dec 10, 2015

When the freighter El Faro was lost in a hurricane on October 1, one of the goals of the salvage operation was to recover its voyage data recorder (VDR)—the maritime equivalent of the “black box” carried aboard airliners. The VDR, required aboard all large commercial ships (and any passenger ships over 150 gross tons), collects a wealth of data about the ship’s systems as well as audio from the bridge of the ship, radio communications, radar, and navigation data. Writing its data to storage within a protective capsule with an acoustic beacon, the VDR is an essential part of investigating any incident at sea, acting as an automated version of a ship’s logbook.

Sometimes, that data can be awfully inconvenient. While the data in the VDR is the property of the ship owner, it can be taken by an investigator in the event of an accident or other incident—and that may not always be in the ship owner’s (or crew’s) interest. The VDRs aboard the cruise ship Costa Concordia were used as evidence in the manslaughter trial of the ship’s captain and other crewmembers. Likewise, that data could be valuable to others—especially if it can be tapped into live.

It turns out that some VDRs may not be very good witnesses. As a report recently published by the security firm IOActive points out, VDRs can be hacked, and their data can be stolen or destroyed.

The US Coast Guard is developing policies to help defend against “transportation security incidents” caused by cyber-attacks against shipping, including issuing guidance to vessel operators on how to secure their systems and reviewing the design of required marine systems—including VDRs. That’s promising to be a tall order, especially taking the breadth of systems installed on the over 80,000 cargo and passenger vessels in the world. And given the types of criminal activity recently highlighted by the New York Times’ “Outlaw Ocean” reports, there’s plenty of reason for some ship operators to not want VDRs to be secure—including covering up environmental issues, incidents at sea with other vessels, and sometimes even murder.

[…]



[ISN] Ernst & Young Confronts Madoff’s Specter in Trial Over Audits

www.bloomberg.com/news/articles/2015-10-14/ernst-young-confronts-madoff-s-specter-in-trial-over-audits?cmpid=twtr1
By Sophia Pearson
Bloomberg.com
October 14, 2015

Ernst & Young LLP took Bernie Madoff at his word when it signed off on audits of a fund that helped feed the biggest Ponzi scheme in U.S. history.

The firm must now defend that decision at the first trial of an auditor over losses tied to Madoff, who’s serving a 150-year prison term for stealing billions of dollars from thousands of investors. FutureSelect Portfolio Management Inc., which lost $112 million in its investment in the feeder fund, says Ernst & Young was reckless in its review. The purported assets weren’t just exaggerated; they didn’t even exist, FutureSelect says.

Ernst & Young calls its sign-off reasonable based on generally accepted auditing standards, which the firm “scrupulously” followed. The case boils down to second-guessing a review that can provide only “reasonable assurance” that a client’s financial statements are correct, the firm says.

“No audit of a Madoff-advised fund could have detected this Ponzi scheme,” Amy Call Well, an Ernst & Young spokeswoman, said in an e-mailed statement. “EY was not the auditor of any Madoff entity, we were among the many auditors of funds that chose to use Madoff as their investment adviser.”

[…]



[ISN] Russian Satellite Maneuvers, Silence Worry Intelsat

spacenews.com/russian-satellite-maneuvers-silence-worry-intelsat/
By Mike Gruss
Spacenews.com
October 9, 2015

WASHINGTON – A mysterious Russian military satellite parked itself between two Intelsat satellites in geosynchronous orbit for five months this year, alarming company executives and leading to classified meetings among U.S. government officials.

The Russian satellite, alternatively known as Luch or Olymp, launched in September 2014 and seven months later moved to a position directly between the Intelsat 7 and Intelsat 901 satellites, which are located within half a degree of one another 36,000 kilometers above the equator. At times, the Russian satellite maneuvered to about 10 kilometers of the Intelsat space vehicles, sources said, a distance so close that company leaders believed their satellites could be at risk.

The satellite’s movements were highlighted by Brian Weeden, technical adviser at the Secure World Foundation, in an Oct. 5 analysis of Russian rendezvous and proximity operations for SpaceNews’ sister publication, the Space Review.

“This is not normal behavior and we’re concerned,” Kay Sears, president of Intelsat General, the government services arm of Intelsat, said in an Oct. 8 interview with SpaceNews. “We absolutely need responsible operators. Space is a domain that has to be protected.”

[…]



[ISN] Highly personal data for 15 million T-Mobile applicants stolen by hackers

http://arstechnica.com/security/2015/10/highly-personal-data-for-15-million-t-mobile-applicants-stolen-by-hackers/
By Dan Goodin
Ars Technica
Oct 1, 2015

Hackers broke into a server and made off with names, driver license numbers, and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile.

The breach was the result of an attack on a database maintained by credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, T-Mobile CEO John Legere said in a statement posted online. The investigation into the hack has yet to be completed, but so far the compromise is known to affect people who applied for T-Mobile service from September 1, 2013 through September 16 of this year. It’s at least the third data breach to affect Experian disclosed since March 2013.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote. “I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”

According to a FAQ posted by Experian, the breach involved an Experian server storing data for people who applied for T-Mobile USA postpaid services. Company officials discovered the unauthorized access on September 15. The records contained names, addresses, social security numbers, birth dates, and passport numbers, military IDs, or driver license numbers. Experian said the social security and ID numbers were encrypted but that company investigators have determined the encryption may have been compromised.

[…]



[ISN] The Biggest Cyberattack Against the US in Recent History Just Keeps Getting Worse

http://www.motherjones.com/politics/2015/09/hack-china-cyberwar-fingerprints-obama
By AJ Vicens
Mother Jones
Sep. 23, 2015

On the eve of Chinese President Xi Jinping’s first state visit to Washington, DC, the Obama administration released alarming new numbers about one of the biggest computer hacks in American history—traceable, officials say, to China—a move that could potentially heighten tension ahead of the historic meeting. The Office of Personnel Management announced that it had substantially underestimated the number of people whose fingerprints were stolen during the attack earlier this year.

About 5.6 million of 21.5 million federal employees, contractors, applicants, and others had their fingerprints stolen during a hack of the OPM’s background check databases, the agency reported Wednesday morning. That figure is higher than the 1.1 million previously reported. An interagency group including the FBI, the Department of Homeland Security, and the Department of Defense are reviewing how the fingerprint information could be used in nefarious ways, but it downplayed the immediate impact.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement issued Wednesday morning, as President Barack Obama and a host of dignitaries hosted Pope Francis at the White House. “However, this probability could change over time as technology evolves.”

[…]



[ISN] A Review of Common HIPAA Technical Safeguards

http://healthitsecurity.com/news/a-review-of-common-hipaa-technical-safeguards
By Elizabeth Snell
Health IT Security
June 26, 2015

HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect. Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations.

Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance.

As previously mentioned, HIPAA technical safeguards are an important part of keeping sensitive health data secure. Whether a small primary care clinic is debating health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential.

What are HIPAA technical safeguards?

The HIPAA Security Rule describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” However, an important note is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics.

[…]



[ISN] Attackers targeting medical devices to bypass hospital security

http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html
By Steve Ragan
Salted Hash CSO Online
June 4, 2015

A preview copy of a report from TrapX Labs, which will be released later this month, highlights three successful attacks against healthcare organizations. The incidents prove that defending assets in a healthcare environment isn’t as easy as some would have you think. In fact, given the wide range of devices on a given network, it can be nearly impossible.

Last year, Community Health Systems had an incident that resulted in the compromise of 4.5 million records. It served as a reminder that medical information was an important commodity to criminals.

In March of this year, the Identity Theft Resource Center (ITRC) tagged healthcare as the source of 33-percent of all listed incidents nationwide, noting that nearly 100 million healthcare records were compromised in the U.S. alone in Q1 2015.

[…]

