Tag Archives: site

[ISN] Personal information of almost 100,000 people exposed through flaw on site for transcripts


http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/personal-information-of-almost-100000-people-exposed-through-flaw-on-site-for-transcripts/

By Ashkan Soltani, Julie Tate and Ellen Nakashima
The Washington Post
October 21, 2014

The personal information of almost 100,000 people seeking their high school transcripts was recently exposed on a Web site that helps students obtain their records.

The site, NeedMyTranscript.com, facilitates requests from all 50 states and covers more than 18,000 high schools around the country, according to its Web site and company chief executive officer. The data included names, addresses, e-mail addresses, phone numbers, dates of birth, mothers’ maiden names and the last four digits of the users’ Social Security numbers.

Although there is no evidence the data were stolen, privacy advocates say the availability of such basic personal information heightens the risk of identity theft.

The availability of the data appears to be the result of a flaw in the way the two-year-old site was designed. It highlights how easily sensitive personal information can be exposed with the proliferation of online businesses and services – many of which do not employ adequate security practices.

[…]


[ISN] Call For Papers – THOTCON 0x6 – Chicago’s Hacking Conference

***************************************************************************
***BEGIN THOTCON TRANSMISSION**********************************************

What: THOTCON 0x6 – Chicago’s Hacking Conference
When: 05.14-15.15
Where: TOP_SECRET
Call for Papers: Opens 10.01.14

*** ABOUT *****************************************************************

THOTCON (pronounced ˈthȯt and taken from THree – One – Two) is a hacking conference based in Chicago IL, USA. This is a non-profit, non-commercial event looking to provide the best conference possible on a very limited budget.

*** WHEN / WHERE **********************************************************

THOTCON 0x6 will be held in Chicago, IL on May 14th and 15th, 2015. It will be held at a location only to be disclosed to attendees and speakers during the week before the event. It will be in Chicago and close to a CTA train stop, accessible by bus, cab, and plenty of parking.

*** FORMAT ****************************************************************

The event will have 2 (two) tracks over 2 days. There will be a mix of 45 minute and 20 minute talks selected.

Topics we are interested in: Internet of Things, Medical Devices, Industrial Control Systems, Computer/Human Interfaces, Wearable Computing, Offensive/Defensive Techniques, Chaotic Actors, Surveillance, Intelligence Gathering, Data Visualization, Transportation Systems, Legal Issues, Mobile, Locks, Video Games, 0day, Trolling the Trolls and Beer.

Note: THOTCON does NOT broadcast or record any of the talks presented at our conferences.

*** SPEAKER PERKS *********************************************************

All Speakers will be given free admission to the conference as well as one (1) free attendee badge (to bring a guest). All speakers will also have access to the THOTCON VIP Lounge. This means you will have access to free food and drink all day. We don’t have anything else to give, except you can tell your mom and your friends you spoke at THOTCON. Oh yeah, there is also the Speaker’s Dinner the night before the con that you will be invited to as well. At the dinner you will also get some special branded THOTCON swag.

Talks selected as keynotes (2 per day) will be given a Gold badge. A Gold Badge allows the holder to attend THOTCON free for life.

*** HOW TO SUBMIT *********************************************************

If you are interested in speaking at this event, please send your completed speaker application [below] to cfp@thotcon.org.

Once we receive your submission, you will get an email back within 48-72 hours. If you do not hear back from us, please resend.

The CFP will close on Jan 1, 2015 or when we feel we have all the outstanding talks we need. We anticipate having all speakers selected by Feb 1, 2015.

*** CALL FOR PAPERS APPLICATION *******************************************

NOTE: You must copy and paste ALL of the info below and fill in all the information to be considered for a slot.

Speaker Info
1. Name or Handle or Both:
2. Country/State/City of Residence:
3. Phone Number:
4. Email Address:
5. Have you presented at a con before?
6. If so, which one and when?
7. Brief Bio: [will be printed on website and program]
8. Twitter Handle:
9. Blog or Website:

Presentation Info
1. Presentation Title: [be creative]
2. Presentation Synopsis: [<1 page please]
3. Is there a demonstration? Y or N
4. Is this about a new tool? Y or N
5. Is this about a new exploit? Y or N

Misc.
1. Shirt Size: [men’s sizes]
2. Favorite Beer:
3. Anything you would like to share:

Grant of Copyright Use
I warrant that the above work has not been previously published elsewhere, or if it has, I have obtained permission for its publication by THOTCON and will promptly supply THOTCON with wording crediting the original owner.
Yes, I, [insert your name], have read and agree to the grant of copyright use.

Agreement to Terms of Speaking Requirements
If I am selected to speak, I understand that I must complete and fulfill the following requirements or forfeit my speaking slot:
1) I will complete my presentation within the time allocated to me – not running over the allocation.
2) THOTCON will provide 1 LCD projector, screen, and microphone. I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation. THOTCON will also provide a semi-stable WiFi Internet connection during the conference. If I have a live demo, I will make a video as a backup. Having a fail without a backup video will result in loss of future speaking opportunities.
I, (insert name here), agree to the terms detailed in the agreement to speaking requirements.

Agreement to Remuneration
1) I will be responsible for my own hotel and travel expenses.
2) I will be given an attendee badge as remuneration at the conference.
I, (insert name here), agree to the terms of remuneration.

***END TRANSMISSION*******************************************************
***************************************************************************

THOTCON Infoblox v.6 SEX16-RC2 492K RAM FREE READY.


[ISN] Sino-US cyber talks at impasse

http://www.china.org.cn/world/2014-10/20/content_33809960.htm

China Daily
October 20, 2014

Cyber security is an irritant to bilateral ties. On Wednesday the US Federal Bureau of Investigation said hackers it believed were backed by the Chinese government had launched more attacks on US companies, a charge China rejected as unfounded.

In May, the United States charged five Chinese military officers with hacking American firms, prompting China to shut down a bilateral working group on cyber security.

Yang Jiechi, a state councillor overseeing foreign affairs, told Kerry in Boston the United States “should take positive action to create necessary conditions for bilateral cyber security dialogue and cooperation to resume”, according to a statement seen on the Chinese Foreign Ministry website on Sunday.

“Due to mistaken US practices, it is difficult at this juncture to resume Sino-US cyber security dialogue and cooperation,” Yang was quoted as saying. The statement did not elaborate.

[…]


[ISN] Cyberattack at JPMorgan Chase Also Hit Website of Bank’s Corporate Race

http://dealbook.nytimes.com/2014/10/15/cyberattack-at-jpmorgan-chase-also-hit-website-of-banks-corporate-race/

By MATTHEW GOLDSTEIN, NICOLE PERLROTH and JESSICA SILVER-GREENBERG
The New York Times
OCTOBER 15, 2014

The JPMorgan Chase Corporate Challenge, a series of charitable races held each year in big cities across the world, is one of those feel-good events that bring together professionals from scores of big companies.

It was also a target for the same cyberthieves who successfully breached the bank’s digital perimeters, compromising the accounts of 76 million households and seven million small businesses, according to people with knowledge of the matter.

The JPMorgan Chase Corporate Challenge website, which is managed by an outside vendor, has been conspicuously inaccessible since early August, with visitors to the site seeing only a lonely list of coming races. The link between the breach on that website and the broader attack, which the bank said did not compromise any financial information, has not been previously reported.

The bank said it discovered the breach in the Corporate Challenge website on Aug. 7, about a week after it learned of the broader intrusion into its computer network. By infiltrating the race website, hackers were able to gain access to passwords and contact information for participants, the bank informed them.

[…]


[ISN] There Is a New Security Vulnerability Named POODLE, and It Is Not Cute

http://www.wired.com/2014/10/poodle-explained/

By Kim Zetter
Threat Level
Wired.com
10.14.14

On a day when system administrators were already taxed addressing several security updates released by Microsoft, Oracle, and Adobe, there is now word of a new security hole discovered in a basic protocol used for encrypting web traffic.

Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers—Bodo Möller, Thai Duong, and Krzysztof Kotowicz. They published a paper (.pdf) about it today.

POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

To exploit the vulnerability, you must be running JavaScript, and the attacker has to be on the same network as you—for example, on the same Starbucks Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet.

The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails. An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.

[…]


[ISN] Who’s Watching Your WebEx?

http://krebsonsecurity.com/2014/10/whos-watching-your-webex/

By Brian Krebs
Krebs on Security
Oct 13, 2014

KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.

At issue are recurring video- and audio conference-based meetings that companies make available to their employees via WebEx, a set of online conferencing tools run by Cisco. These services allow customers to password-protect meetings, but it was trivial to find dozens of major companies that do not follow this basic best practice and allow virtually anyone to join daily meetings about apparently internal discussions and planning sessions.

Many of the meetings that can be found by a cursory search within an organization’s “Events Center” listing on Webex.com seem to be intended for public viewing, such as product demonstrations and presentations for prospective customers and clients. However, from there it is often easy to discover a host of other, more proprietary WebEx meetings simply by clicking through the daily and weekly meetings listed in each organization’s “Meeting Center” section on the Webex.com site.

Some of the more interesting, non-password-protected recurring meetings I found include those from Charles Schwab, CSC, CBS, CVS, The U.S. Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services, and Union Pacific. Some entities also allowed access to archived event recordings.

[…]


[ISN] Hackers claim they have stolen nearly 7 million Dropbox passwords (updated)

http://venturebeat.com/2014/10/13/apparent-hackers-claim-they-have-stolen-nearly-7-million-dropbox-passwords/

By Dylan Tweney
venturebeat.com
October 13, 2014

Hundreds of alleged usernames and passwords for Dropbox have been published on Pastebin, an anonymous information-sharing site.

The apparent hackers claim to have nabbed 6,937,081 passwords and today published a “teaser” of 400 username-password pairs. They requested donations in Bitcoin and promised to release more passwords based on how much of the virtual currency they receive.

The usernames appeared in alphabetical order starting with benitacran@btinternet.com and ending with bigjoetownsend@hotmail.com.

Dropbox, however, says the hack is bogus. The company offered VentureBeat this response to our inquiry:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

Subsequently, two more “teasers” appeared on Pastebin.

[…]


[ISN] ARRL Probing Web Server Breach by Hackers

http://www.infosecnews.org/arrl-probing-web-server-breach-by-hackers/

By William Knowles @c4i
Senior Editor
InfoSec News
October 10, 2014

Last month a web server at ARRL Headquarters was breached by an unknown party. ARRL IT Manager Mike Keane said that League members have no reason to be concerned about sensitive personal information being leaked, and assures members that there’s nothing of financial value on the compromised server.

Some ARRL servers were taken offline and isolated from the Internet when the hack was discovered. Some web functions were temporarily disabled. The ARRL expects to restore service by close of business on Wednesday, October 8, 2014.

ARRL’s Mike Keane stressed that it is highly unlikely that any sensitive information was compromised. Any information the hacker might have been able to glean from the ARRL server, he said, is already publicly available — data such as names, addresses, and call signs that appear in the FCC database.

The hacker may have been able to obtain site usernames and passwords that were established prior to April 2010 and that have not been changed since then. ARRL members who have not changed their ARRL website passwords since early 2010 should do so as soon as possible.

[…]
