[ISN] Russian Hackers Said to Loot Gigabytes of Big Bank Data

http://www.bloomberg.com/news/2014-08-28/russian-hackers-said-to-loot-gigabytes-of-big-bank-data.html
By Michael Riley and Jordan Robertson
Bloomberg.com
Aug 27, 2014

Russian hackers attacked JPMorgan Chase & Co. (JPM) and at least four other banks this month in a coordinated assault that resulted in the loss of gigabytes of customer data, according to two people familiar with the investigation. At least one of the banks has linked the breach to Russian state-sponsored hackers, said one of the people. The FBI is investigating whether the attack could have been in retaliation for U.S.-imposed sanctions on Russia, said the second person, who also asked not to be identified, citing the continuing investigation. The attack led to the theft of account information that could be used to drain funds, according to a U.S. official and another person briefed by law enforcement who said the victims may have included European banks. Hackers also took sensitive information from employee computers. Most thefts of financial information involve retailers or personal computers of consumers. Stealing data from big banks is rare, because they have elaborate firewalls and security systems. […]

[ISN] Thousands of Weather Satellite Bugs Won’t Be Fixed For Years

http://www.nextgov.com/cybersecurity/2014/08/tens-thousands-weather-satellite-bugs-wont-be-fixed-years/92465/
By Aliya Sternstein
Nextgov.com
August 26, 2014

The Commerce Department inspector general is blasting a federal climate-satellite program and its supporting contractor, Raytheon, for ignoring tens of thousands of major cyber vulnerabilities. The weaknesses identified in a new IG memo could impair machines controlling the Joint Polar Satellite System, the nation’s next-generation fleet of polar orbiting environmental satellites. The ground system routes information for the National Oceanic and Atmospheric Administration and the Pentagon, as well as other U.S. and foreign government agencies. NOAA, part of Commerce, manages the information technology system. The system’s critical vulnerabilities have spiked by more than 60 percent since 2012, increasing from 14,486 security holes to 23,868 holes. […]

[ISN] Google goes public with security audits to ease corporate concerns

http://www.cnet.com/news/google-goes-public-with-security-audits-to-assuage-enterprise-concerns/
By Seth Rosenblatt @sethr
Security, CNet News
August 27, 2014

Google is taking unprecedented steps to show its cloud, business, and education customers that data protection is its top priority. To prove its commitment, Google is making the details of an independent security audit and of a security compliance certificate available to the public for the first time on its Google Enterprise security site. The SOC 3 Type II audit report and updated ISO 27001 certificate denote security approval for Google Apps for Business, Google Apps for Education, and Google Cloud Platform. Security and data centers are both big business. Google currently employs more than 450 full-time security engineers, and a Gartner study projects that companies will spend nearly 8 percent more on security this year than they did last year. The SOC 3 report and the ISO certificate that Google made public are widely accepted, internationally recognized security compliance standards. The SOC 3 is essentially a shorter report from the same audit as the longer SOC 2, while the ISO certification covers organizational and logical security. […]

[ISN] Retailers warned to act now to protect against Backoff malware

http://www.computerworld.com/article/2599724/data-security/retailers-warned-to-act-now-to-protect-against-backoff-malware.html
By Jaikumar Vijayan
Computerworld
Aug 27, 2014

The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against “Backoff,” a malware tool that was used in the massive data theft at retailer Target last year. The bulletin instructed all covered entities to update their antivirus suites and to change default and staff passwords controlling access to key payment systems and applications. The council, which is responsible for administering the PCI security standard, also urged merchants to inspect system logs for strange or unexplained activity, especially those involving transfers of large data sets to unknown locations. “The PCI Council additionally recommends that merchants consider implementing PCI-approved point-of-interaction (POI) devices” for encrypting credit and debit card data as the card is swiped or dipped into a payment terminal. Merchants should also consider deploying point-to-point encryption technologies to ensure that card data remains protected until received by a secure decryption facility, the advisory noted. […]

[ISN] UK Ministry of Justice fined over prison data loss

http://www.ft.com/intl/cms/s/0/240e2eb2-2d0c-11e4-8105-00144feabdc0.html
By Chris Nuttall
FT.com
August 26, 2014

The UK’s Prison Service can lock its cells but not its hard drives, it seems – displaying a lack of technical knowhow that “beggars belief”, according to the Information Commissioner’s Office. The information rights regulator has fined the Ministry of Justice £180,000 for a second incident where an unencrypted hard drive went missing – in May 2013 – with sensitive and confidential information about prisoners. After a similar case in October 2011, when an unencrypted hard drive containing the details of 16,000 prisoners was lost, the Prison Service issued new hard drives, which were able to encrypt – or scramble – information on them, to all 75 prisons in England and Wales. However, the ICO’s investigation into the latest incident has found that the Prison Service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly. […]

[ISN] Federal Cybersecurity Director Found Guilty on Child Porn Charges

http://www.wired.com/2014/08/federal-cybersecurity-director-guilty-child-porn-charges/
By Kim Zetter
Threat Level, Wired.com
08.26.14

As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images. But DeFoggi—convicted today in Maryland on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of the Tor anonymizing network shielded him from federal investigators. He’s the sixth suspect to make this mistake in Operation Torpedo, an FBI operation that targeted three Tor-based child porn sites and that used controversial methods to unmask anonymized users. But DeFoggi’s conviction is perhaps more surprising than others owing to the fact that he worked at one time as the acting cybersecurity director of the U.S. Department of Health and Human Services. DeFoggi worked for the department from 2008 until January this year. A department official told Business Insider that DeFoggi worked in the office of the assistant secretary for administration as lead IT specialist, but a government budget document for the department from this year (.pdf) identifies a Tim DeFoggi as head of OS IT security operations, reporting to the department’s chief information security officer. […]

[ISN] Tesla recruits hackers to boost vehicle security

http://www.computerworld.com/article/2597937/security0/tesla-recruits-hackers-to-boost-vehicle-security.html
By Jaikumar Vijayan
Computerworld
Aug 26, 2014

Electric carmaker Tesla Motors wants security researchers to hack its vehicles. In coming months, the Silicon Valley based high-tech carmaker will hire up to 30 full-time hackers whose job will be to find and close vulnerabilities in the sophisticated firmware that controls its cars. “Our security team is focused on advancing technology to secure connected cars,” a company spokesman said via email. The focus is on “setting new standards for security and creating new capabilities for connected cars that don’t currently exist in the automotive industry. The positions are full time, and we will have internship opportunities as well.” Tesla’s cars are among the most digitally connected vehicles in the industry, with the battery, transmission, engine systems, climate control, door locks and entertainment systems remotely accessible via the Internet. So the company has a lot at stake in ensuring that the connectivity that allows its vehicles to be remotely managed doesn’t also provide a gateway for malicious hackers. […]

[ISN] The Black Hat evolution

http://www.csoonline.com/article/2597936/security-leadership/the-black-hat-evolution.html
By Ira Winkler
CSO
Aug 26, 2014

When the Black Hat conference moved to the Mandalay Bay hotel, I was curious as to what would be different. Over the years, Black Hat has evolved into something very different from how it started. Whether it has been a good or bad evolution depends on your perspective. As background, I have the honor of being the first keynote speaker at the first Black Hat conference. The original event was an add-on to the Defcon conference. At the time, Black Hat was the idea of one of Jeff Moss’ friends who noticed that more and more corporate people were attending Defcon. The thought was to put on a more upscale event with similar content, and without the havoc of Defcon. The first year, at the soon-to-be-demolished Aladdin hotel, held all attendees in a relatively small conference room that sat fewer than 100 people. The most memorable session, of course except for my own, involved hackers talking about how they had no guilt in releasing vulnerabilities. Those vulnerabilities inevitably caused damages, not to the vendors of the products, but to the end users of the systems, who were left unprepared to fix the vulnerabilities before suffering an inevitable attack. Over the next few years, the Black Hat hype grew, which continued to grow Black Hat attendance. Through those years, I tended to speak on social engineering and related topics, and as such, I had packed audiences. Black Hat sessions tended to be on some highly technical subjects that the typical “suits”, looking very out of place, did not understand. […]