Forwarded from: Robert McLaughlin
[ISN] Russia ‘spied on G20 leaders with USB sticks’
Monthly Archives: October 2013
[ISN] Save the Dates for THOTCON 0x5
Forwarded from: THOTCON NFP
[ISN] Security hole found in Obamacare website
http://money.cnn.com/2013/10/29/technology/obamacare-security/index.html By Jose Pagliery CNN Money October 29, 2013 The Obamacare website has more than annoying bugs. A cybersecurity expert found a way to hack into users’ accounts. Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account. The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have: * guessed an existing user name, and the website would have confirmed it exists. * claimed you forgot your password, and the site would have reset it. viewed the site’s unencrypted source code in any browser to find the password reset code. * plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.). * answered the security questions wrong, and the website would have spit out the account owner’s email address
[ISN] Top healthcare CISO concerns: Finding the data, BYOD risks
http://healthitsecurity.com/2013/10/29/top-healthcare-ciso-concerns-finding-the-data-byod-risks/ By Dom Nicastro Health IT Security October 29, 2013 As information security officer at UCSF Medical Center in San Francisco, Rob Winter has many concerns that are top of mind. “With the data security threat landscape constantly changing,” Winter said, “this has varied over the years.” Winter did, however, cite some specific top concerns with HealthITSecurity.com. For starters, following the data can be cumbersome. Regardless of where data exist, how they are transferred, and who is able to access them, concerns only increase as data hit the cloud, mobile devices and trusted third parties, Winter said. It makes for a challenging environment for ISOs. “Security solution companies are starting to recognize the risk and mitigating controls are in place,” Winter said. “As the products mature for the enterprise, corporations will have better control of their data.” It’s no small task where he works as well. UCSF Medical Center and UCSF Benioff Children’s Hospital has approximately 30,000 inpatients per year, 750,000 outpatient visits per year and 722 licensed beds, according to Winter. UCSF Medical Center at Mission Bay, a 289-bed children’s, women’s specialty and cancer hospital complex in the Mission Bay section of San Francisco, is under construction and will open Feb. 1, 2015. […]
[ISN] MongoDB support firm says intruders may have accessed databases
http://www.networkworld.com/news/2013/103013-mongodb-support-firm-says-intruders-275395.html By Jeremy Kirk IDG News Service October 29, 2013 MongoHQ, which provides hosting and support for the open-source Mongo database, said attackers may have accessed several of its customers’ databases earlier this week. On Monday, someone accessed an internal support application using a password that had been used for a compromised personal account, wrote Jason McCay, MongoHQ’s founder. The support application contains connection information for customer MongoDB instances, along with lists of databases, email addresses and user credentials hashed with bcrypt, a file encryption tool, McCay wrote. An audit showed that several databases may have been accessed via that support application. “We believe we have exhausted the scope of this compromise and are directly contacting all affected customers,” McCay wrote. “We are continuing to evaluate our audit logs and conducting further investigations with the help of third-party experts.” […]
[ISN] Database hacking spree on US Army, NASA, and others costs gov’t millions
http://arstechnica.com/security/2013/10/database-hacking-spree-on-us-army-nasa-and-others-cost-gov-millions/ By Dan Goodin Ars Technica Oct 28 2013 Federal prosecutors have accused a UK man of hacking thousands of computer systems, many of them belonging to the US government, and stealing massive quantities of data that resulted in millions of dollars in damages to victims. Lauri Love, 28, was arrested on Friday at his residence in Stradishall, UK following a lengthy investigation by the US Army, US prosecutors in New Jersey said. According to prosecutors, the attacks date back to at least October 2012. Love and other alleged hackers are said to have breached networks belonging to the Army, the US Missile Defense Agency, NASA, the Environmental Protection Agency, and others, in most cases by exploiting vulnerabilities in SQL databases and the Adobe ColdFusion Web application. The objective of the year-long hacking spree was to disrupt the operations and infrastructure of the US government by stealing large amounts of military data and personally identifying information of government employees and military personnel, a 21-page indictment said. “You have no idea how much we can fuck with the US government if we wanted to,” Love told a hacking colleague in one exchange over Internet relay chat, prosecutors alleged. “This… stuff is really sensitive. It’s basically every piece of information you’d need to do full identity theft on any employee or contractor” for the hacked agency. According to prosecutors, Love used automated scanners to identify vulnerabilities in large ranges of IP addresses. He would then exploit them to inject powerful SQL commands into a site’s backend database. He exploited similar types of vulnerabilities in sites that used ColdFusion, the Web application software whose full source code was recently found on a server operated by hackers. The ColdFusion security flaw, which has since been corrected, allowed Love to gain administrator-level access to computer servers without proper login credentials, a separate criminal complaint filed in a Virginia federal court alleged. After breaching the websites, Love allegedly planted backdoor code on the servers that gave him persistent access to the networks so he could return at a later date and steal confidential data. […]
[ISN] India to prepare army of reverse engineers to counter cyber attacks
http://timesofindia.indiatimes.com/india/India-to-prepare-army-of-reverse-engineers-to-counter-cyber-attacks/articleshow/24828465.cms By Manash Pratim Gohain The Times of India Oct 28, 2013 NEW DELHI: National Security Database, an initiative of Information Sharing and Analysis Center ( ISAC) in association with Ground Zero Summit 2013 on Monday organized a seminar on Reverse Engineering in New Delhi. The seminar was organized to identify and create the need for the most credible and valuable information security professionals in India, especially in reverse engineering, to protect the National Critical Infrastructure and economy of the country. The seminar deliberated the growing need of reverse engineers in the country to counter cyber attacks and piracy. As the $100 billion information technology industry seeks to chart a new course by fostering software product companies, reverse engineering to become a promising field for jobs in the IT and software development sector. According to NSD, there are less than 5,000 reverse engineering experts currently in India. NSD in collaboration with various Academic Institutions across India aims to increase the number of reverse engineering professionals in the country to 1 lakh by 2015, through training and awareness. National Security Database has joined hands with Ground Zero Summit (G0S) 2013 and is promoting Asia’s largest Information Security Summit (G0S) scheduled to take place from 7-10 November, 2013. Speaking at the seminar Rajshekar Murthy, director, NSD, said: “Hacking has become a growing threat to Indian IT industry. Some recent data theft cases by hackers has made India’s $100 billion IT industry a primary target. The acute shortage of reverse engineering professionals will further hit the IT industry and the economic loss will grow exponentially due to piracy and insecure coding.” […]
[ISN] Army ponders proper shape, size of cyber workforce
http://www.federalnewsradio.com/398/3492533/Army-ponders-proper-shape-size-of-cyber-workforce- By Jared Serbu Federal News Radio 10/28/2013 As the Army builds up a force to operate in its newest warfighting domain
