[ISN] VA remains one of top privacy offenders

http://www.healthcareitnews.com/news/va-remains-one-top-privacy-offenders
By Erin McCann, Associate Editor, Health IT News, October 14, 2013

The U.S. Department of Veterans Affairs continues to be one of the biggest offenders of HIPAA privacy and security rules and has reported egregious breaches in recent years, affecting millions of veterans and active service members. From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including incidents of identity theft, stealing veteran prescriptions, Facebook posts concerning veterans’ body parts, and failing to encrypt data, a Pittsburgh Tribune-Review investigation revealed. Recent VA privacy and security violations prompted a June 2013 hearing on Capitol Hill regarding the topic of protecting veterans’ private information. “VA places the highest priority in safeguarding Veterans’ and employees’ personal information,” Stephen W. Warren, acting assistant secretary at the Office of Information and Technology at VA, told lawmakers at the hearing. However, some say the agency doesn’t appear to have the privacy track record to support those comments. […]


[ISN] Researchers Highlight Security Vulnerabilities In Ship-Tracking System

http://www.darkreading.com/attacks-breaches/researchers-highlight-security-vulnerabi/240162568
By Brian Prince, Dark Reading, October 11, 2013

When it works normally, the Automatic Identification System (AIS) used by ships can be a captain’s best friend, helping him or her avoid collisions on the high seas. Under the control of a hacker, however, AIS could become a captain’s worst enemy. At the upcoming Hack in the Box Security Conference in Malaysia, a team of security researchers is preparing to demonstrate how an attacker could hijack AIS traffic and perform man-in-the-middle attacks that enable them to turn the tracking system into a liability. AIS is an automatic tracking system intended to help identify and locate vessels electronically to help avoid collisions on the water. AIS transponders on the ships include a GPS receiver and VHF transmitter, which transmits information to other vessels or base stations. AIS is required on many vessels, including international voyage ships weighing 300 tons or more and all passenger ships regardless of size. Trend Micro’s Kyle Wilhoit, one of the researchers who worked on the project, says the attacks can be broken up into two categories: those that target the AIS Internet providers that collect and distribute AIS information, and those that target flaws in the actual specification of the AIS protocol used by hardware receivers in all of the vessels. Without getting too deep into the vulnerabilities ahead of the presentation, which is slated for Oct. 16, Wilhoit explains that the upstream providers fail to authenticate AIS sentences coming from ships. […]
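Added example, not from the article or the researchers: a small aggregator-side check in Python showing why the NMEA checksum on an AIVDM sentence is only a transmission-integrity check that any sender can satisfy, and one hypothetical way an upstream provider could authenticate its feeders (a per-feeder HMAC tag, assumed here and not part of the AIS standard). The sample sentence is constructed and truncated to the message-type and MMSI fields.

```python
import hashlib
import hmac

def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!'/'$' and the '*', as two hex digits."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return f"{c:02X}"

def checksum_ok(sentence: str) -> bool:
    """True if the trailing *hh matches. This is transmission integrity only:
    anyone can recompute it, so it proves nothing about who sent the sentence."""
    if not sentence.startswith(("!", "$")) or "*" not in sentence:
        return False
    body, _, cksum = sentence[1:].rpartition("*")
    return nmea_checksum(body) == cksum.upper()

def decode_type_and_mmsi(payload: str):
    """Unpack the AIS 6-bit ASCII payload; return (message type, MMSI) or None if too short."""
    bits = ""
    for ch in payload:
        v = ord(ch) - 48          # 6-bit ASCII armouring used by AIVDM payloads
        if v > 40:
            v -= 8
        bits += f"{v:06b}"
    if len(bits) < 38:
        return None
    return int(bits[0:6], 2), int(bits[8:38], 2)   # bits 6-7 are the repeat indicator

# Hypothetical aggregator scheme (assumed, not part of AIS): each feeder shares a key with
# the aggregator and appends "|<hex HMAC-SHA256 over the sentence>" so origin can be checked.
def tag_sentence(sentence: str, feeder_key: bytes) -> str:
    mac = hmac.new(feeder_key, sentence.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{sentence}|{mac}"

def verify_feed_line(line: str, feeder_key: bytes):
    """Aggregator-side acceptance: NMEA checksum AND feeder HMAC must both hold.
    Returns (message type, MMSI) on success, None on any failure."""
    sentence, sep, mac = line.partition("|")
    if not sep or not checksum_ok(sentence):
        return None
    expected = hmac.new(feeder_key, sentence.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    fields = sentence.split(",")
    if len(fields) < 6:
        return None
    return decode_type_and_mmsi(fields[5])

# Constructed sample: type-1 position report truncated to the type/MMSI fields (MMSI 67108866).
SAMPLE = "!AIVDM,1,1,,A,110000P,0*76"
```

A sentence that passes `checksum_ok` but carries no valid feeder tag is rejected by `verify_feed_line`, which is the distinction the article says current upstream providers do not make.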


[ISN] Now the Chinese Are Hacking Us Through Our Limos

http://killerapps.foreignpolicy.com/posts/2013/10/11/always_watching_how_chinese_hackers_combine_old_and_new_espionage_tactics
By John Reed, Foreign Policy, October 14, 2013

Kevin Mandia, CEO of the cybersecurity company Mandiant, takes a lot of limo rides. Normally, his limo company emails him PDF copies of his invoices after every trip. Recently, though, something changed. “I’ve been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that’s awesome,” said Mandia in D.C. recently. He only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. “I forwarded them to our security service, and they said, ‘Yup, that’s got a [malicious] payload.’” Emailing a malicious file from a fake or hijacked email account belonging to the acquaintance of a hacker’s target is a famous cyber-espionage tactic called spearphishing. Hackers often search Google or social media to find the names of their target’s friends and co-workers. They then create a fake email address in the name of a friend or co-worker and fire off carefully written emails containing malware to their target. […]


[ISN] Managed security service providers face $40M liability exposures

http://www.networkworld.com/news/2013/101413-managed-security-service-providers-face-274805.html
By Ellen Messmer, Network World, October 14, 2013

Managed security service providers get paid by enterprise customers to stop malware or other kinds of cyberattacks, but if they fail, they face what’s often a multi-million-dollar liability. Forty million in potential liabilities are normal in SLAs, says Matthew Gyde, global general manager, security at Dimension Data, now part of NTT Group, based in Singapore, who addressed the topic at a panel discussion at the recent McAfee Focus Conference in Las Vegas. If there’s a virus outbreak on the customer’s network, for example, there is a limited timeframe to respond to meet the legal requirements of that SLA. “We have timeframes we have to respond to, perhaps 30 seconds,” said Gyde. There’s a need at a minimum to define what’s under attack and find the source. The two other managed security service providers on the panel, Digital Hands based in Florida and Lumenate based in Texas, indicated that $40 million in liability is typical in their SLAs, too. All three managed service providers (MSPs) support McAfee security products in addition to those from other vendors. They say enterprise customers typically hire a managed service provider in lieu of hiring perhaps 20 or so security staff. Mark Geary, chief services officer at Digital Hands, said a situation might require shutting down an infected PC on a network segment, for example, in a matter of seconds. Failing to do specific actions in certain timeframes triggers the potential for liability. […]


[ISN] NSA collects millions of e-mail address books globally

http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html
By Barton Gellman and Ashkan Soltani, The Washington Post, October 14, 2013

The National Security Agency is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top secret documents provided by former NSA contractor Edward Snowden. The collection program, which has not been disclosed before, intercepts e-mail address books and “buddy lists” from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers. Rather than targeting individual users, the NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world’s e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and map relationships within a much smaller universe of foreign intelligence targets. During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million per year. […]


[ISN] CFP – Call for Papers for the 4th BayThreat security conference

http://www.baythreat.org/cfp.html

The Call for Papers for the 4th BayThreat security conference is open! BayThreat is a 2-day event in the Bay Area, CA, December 6th & 7th. The BayThreat team is taking the theme for BayThreat 4 back to the classics: “Building & Breaking Security.” Two tracks, each tackling opposite sides of the security fence. Most importantly, however, all of the talks must be ACTIONABLE. Speakers must strive to educate the audience, and then provide take-home advice that leads to the participants actually DOING something. (Taking a speech you’ve done elsewhere earlier in the year and translating it into actionable items would work.) Also, be forewarned that this audience has been known to be particularly inhospitable towards sales pitches.

Our speakers will receive special badges, free admission for themselves and a guest, and a BayThreat t-shirt. As we expect most of the participants to be local, travel will not be compensated, but we are ready to make recommendations and help you make your arrangements.

Previous conference topics have included:
Mobile Security
Internet Infrastructure
Hardware
Incident Response
Lockpicking
Botnets and Malware
Game Hacking
Social Engineering
Attacks, Persistence, Exfiltration

We look forward to reading about what you’ve been working on!

-Marisa Fagan (Speaker Coordinator)

Submission Form

Send your submission via email to baythreat (at) gmail.com before October 28th. Good early submissions will be accepted as they come in; we will close early if we fill the slots.

Name:
Contact info:
Topic Background:
Title:
Synopsis:
Duration: (20 or 40 minutes)
Shirt Size:


[ISN] Monendra Sahu, Raipur’s ethical hacker in Google’s ‘security hall of fame’

http://economictimes.indiatimes.com/tech/internet/monendra-sahu-raipurs-ethical-hacker-in-googles-security-hall-of-fame/articleshow/24115217.cms
By Smita Mainkar, TNN, 14 Oct, 2013

RAIPUR: He hacked some of the most secure internet networks existing on the world wide web and got rewarded by his targets. Monendra Sahu, a young mining engineer from National Institute of Technology (NIT-Raipur), has the distinction of hacking websites of Microsoft, Google, Nokia, Blackberry, Yahoo and many others and is now listed in the “Security Hall of Fame”. Under the ongoing bug-bounty programme being run by various social networking sites, search engines and other websites, hackers are encouraged to look for security vulnerabilities in their websites. Ethical hackers such as Sahu are rewarded by enlisting them in the hall of fame. Google in its current quarter list has ranked this Raipurian in the 11th spot in the world. Sahu has been rewarded by some of these websites, which have paid him sums of $100 to $20,000. Advising caution to internet users, Sahu said, “There are websites which are highly vulnerable and can easily be hacked. I informed them about the loopholes in their security systems. After they verified my claims, they included me in the list.” […]


[ISN] Cyber warrior shortage hits anti-hacker fightback

http://uk.reuters.com/article/2013/10/13/us-security-internet-idUKBRE99C03F20131013
By Peter Apps and Brenda Goh, Reuters, Oct 13, 2013

For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back. Hostile computer activity from spies, saboteurs, competitors and criminals has spawned a growing industry of corporate defenders who can attract the best talent from government cyber units. The U.S. military’s Cyber Command is due to quadruple in size by 2015 with 4,000 new personnel while Britain announced a new Joint Cyber Reserve last month. From Brazil to Indonesia, similar forces have been set up. But demand for specialists has far outpaced the number of those qualified to do the job, leading to a staffing crunch as talent is poached by competitors offering big salaries. […]
