[ISN] 75 Percent of Hospitals and Clinics Are Worried about HealthCare.gov Hacks

http://www.nextgov.com/health/2014/03/75-percent-hospitals-and-clinics-are-worried-about-healthcaregov-hacks/80344/

By Aliya Sternstein
Nextgov
March 12, 2014

A major concern about Obamacare is that the online swap of patient information between providers and the federal government’s data hub will jeopardize consumers’ privacy and security, according to a new study by the Ponemon Institute. As far as cyber threats that affect patients, “the Affordable Care Act (ACA) is seen as a contributing factor because of the documented insecure websites, databases and health information exchanges that are highly vulnerable to insider and outsider threats,” state the findings of the report released on Wednesday. Health and Human Services officials have maintained, ever since registration for Obamacare plans launched on Jan. 1, that HealthCare.gov is safe and that there have not been any breaches detected. About 70 percent of hospitals and clinics said they believe the Affordable Care Act, in general, increases the risk of compromising patient data. […]





[ISN] Google fixes 7 Chrome security holes just before CanSecWest

http://news.cnet.com/8301-1001_3-57620262-92/google-fixes-7-chrome-security-holes-just-before-cansecwest/

By Seth Rosenblatt
CNET News
March 12, 2014

Google has fixed seven security flaws in Chrome, just a day before the annual, real-time hacking competitions Pwnium and Pwn2Own. The new security update for Chrome on Windows, Mac, and Linux patched four flaws labeled as High, below the more important level of Critical; three flaws in its rendering engine V8; and updated its internal version of Flash Player. Three High-level vulnerabilities were found by three independent researchers, who earned a total of $8,000 for their work. The last High-level vulnerability was discovered by Google employees, as were the V8 vulnerabilities. […]



[ISN] NSA’s automated hacking engine offers hands-free pwning of the world

http://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/

By Sean Gallagher
Ars Technica
March 12, 2014

Since 2010, the National Security Agency has kept a push-button hacking system called Turbine that allows the agency to scale up the number of networks it has access to from hundreds to potentially millions. The news comes from new Edward Snowden documents published by Ryan Gallagher and Glenn Greenwald in The Intercept today. The leaked information details how the NSA has used Turbine to ramp up its hacking capacity to “industrial scale,” plant malware that breaks the security on virtual private networks (VPNs) and digital voice communications, and collect data and subvert targeted networks on a once-unimaginable scale. Turbine is part of Turbulence, the collection of systems that also includes the Turmoil network surveillance system that feeds the NSA’s XKeyscore surveillance database. While it is controlled from NSA and GCHQ headquarters, it is a distributed set of attack systems equipped with packaged “exploits” that take advantage of the ability the NSA and GCHQ have to insert themselves as a “man in the middle” at Internet chokepoints. Using that position of power, Turbine can automate functions of Turbulence systems to corrupt data in transit between two Internet addresses, adding malware to webpages being viewed or otherwise attacking the communications stream. Since Turbine went online in 2010, it has allowed the NSA to scale up from managing hundreds of hacking operations each day to handling millions of them.
It does so by taking people out of the loop of managing attacks, instead using software to identify, target, and attack Internet-connected devices by installing malware referred to as “implants.” According to the documents, NSA analysts can simply specify the type of information required and let the system figure out how to get to it without having to know the details of the application being attacked. The “selectors” that analysts can use to target victims through Turbine are significant. Using Turmoil as a targeting system, Turbine can look for identifying cookies from a number of Web services, including Google, Yahoo, Twitter, Facebook, Hotmail, and DoubleClick, as well as those from the Russian services Mail.ru, Rambler, and Yandex. Those cookies are all available for targeting purposes, as is user account information from a whole host of services. […]



[ISN] For EC-Council, Mum’s the word

http://www.infosecnews.org/for-ec-council-mums-the-word/

By William Knowles
Senior Editor
InfoSec News
March 12, 2013

We have been following the compromise, Web defacement, and subsequent silence of EC-Council for a couple of weeks now. On February 22nd the Albuquerque, NM based EC-Council Web site was broken into and defaced three separate times. If you hold a certification from EC-Council your confidential information is rumored to have been stolen during this period. After the EC-Council administrators wrested back control of their site the first time, a known password was used to deface the Web site again. The second defacement showed the mail from Edward Snowden’s Yokota Air Base email address requesting an exam code, along with a copy of his U.S. Passport and a letter signed by John A. Niescier, an Information Security Officer with the Department of Defense Special Representative, Japan. All told, the website was compromised three times in a single week. Conspiracy rumors abound about who attacked the EC-Council Web site. Foreign training companies, Secret Squirrels, The Chinese, The Russians, Non-state actors were all considered possible suspects. However, the folks at r000t’s blag did some digging and their conclusions provide pretty damning evidence identifying the likely culprit. Since the attack, EC-Council has kept a very low profile, InfoSec News has reached out several times to Founder Jay Bavisi for a comment, but the attempts have fallen on deaf ears. Now nearly three weeks later, the EC-Council finally commented on the attack. […]



[ISN] Investors flock to cyber security start-ups

http://www.ft.com/cms/s/0/f5c87808-a883-11e3-b50f-00144feab7de.html

By Hannah Kuchler in San Francisco
FT.com
March 12, 2014

Cyber security start-ups have become the latest fascination for Silicon Valley investors, who have flooded the sector with venture capital investment as they seek to back the latest technology to combat criminals online. Early-stage funding for the sector soared by almost 60 per cent last year to $244m worldwide, according to data from research group PrivCo. The number of deals rose even faster, up more than 100 per cent year-on-year to more than one a week. The figures imply multibillion-dollar valuations in total for these young companies, which often only have a small number of employees. The investment boom in cyber security companies comes as cyber crime is on the rise and recent high-profile attacks, such as the data breach at US retailer Target and the theft of customer details at Adobe, the software company, have highlighted the extent of the threat. Ted Schlein, a partner at Kleiner Perkins Caufield Byers, the Silicon Valley venture capital firm, says there has been a “huge mental shift” in companies and they are increasingly willing to spend on cyber security. […]



[ISN] Top UK e-commerce sites fail to protect ‘password’ password-havers from selves

http://www.theregister.co.uk/2014/03/11/e_commerce_password_security/

By John Leyden
The Register
11 Mar 2014

Top UK e-commerce sites are not doing enough to safeguard users from their own password-related foibles, according to a new study. A review of password security at the top 100 e-commerce sites found two in three (66 per cent) accept notoriously weak passwords such as “123456” or “password”, putting users in danger. The first quarterly review by password manager and digital wallet firm Dashlane also found two in three (66 per cent) of e-commerce sites make no attempt to block entry after 10 incorrect password entries. Sites that fail to implement rudimentary measures to block brute force attacks include Amazon UK, Next, Tesco and New Look. Hackers often run malicious software that can run thousands of passwords during log-ins to breach accounts, a tactic that a simple policy of locking out individuals after a given number of failed password entries would thwart. Dashlane examined the e-commerce sites using a set of 26 criteria, including mandatory password length, acceptance of the 10 most commonly hacked passwords and whether or not they displayed users’ password in plain text. Each criterion was given a merit or demote point value, leading to a possible total score between -100 and 100 for each site. […]



[ISN] Adobe, Microsoft Push Security Updates

http://krebsonsecurity.com/2014/03/adobe-microsoft-push-security-updates/

By Brian Krebs
Krebs on Security
March 11, 2014

Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late. Microsoft’s five bulletins address 23 distinct security weaknesses in Microsoft Windows, Internet Explorer and Silverlight. The Internet Explorer patch is rated critical for virtually all supported versions of IE, and plugs at least 18 security holes, including a severe weakness in IE 9 and 10 that is already being exploited in targeted attacks. Microsoft notes that the exploits targeting the IE bug seen so far appear to perform a check for the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET); according to Microsoft, the exploits fail to proceed if EMET is detected. I’ve recommended EMET on several occasions, and would encourage any Windows users who haven’t yet deployed this tool to spend a few minutes reading this post and consider taking advantage of it to further harden their systems. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform. For those of you who don’t mind beta-testing software, Microsoft has released a preview version of the next generation of EMET — EMET 5.0 Technical Preview. This month’s updates include a fix for another dangerous bug – deep within the operating system on just about every major version of Windows – that also was publicly disclosed prior to today’s patches. Microsoft’s Technet Blog has more details on these and other bulletins released today. […]

