[ISN] 6 Biggest Blunders in Government’s Annual Cyber Report Card

http://www.nextgov.com/cybersecurity/2015/03/6-biggest-blunders-governments-annual-cyber-report-card/106512/ By Aliya Sternstein Nextgov.com March 2, 2015 The White House has released its yearly assessment of agency compliance with the governmentwide cyber law known as the Federal Information Security Management Act. And given the spate of breaches and hacks that hit both government and the private sector, the results may not be all that surprising. Sensitive agency data is often not encrypted. Many departments do not use two-step verification for accessing government networks, despite post-Sept. 11 requirements that employees carry login smart cards. And cyber training is deficient in one of the most unlikely areas… 2014’s Biggest Federal Computer Security Blunders 1. Federal agencies reported 15 percent more information security incidents in fiscal 2014 compared to fiscal 2013, rising from 60,753 to nearly 70,000 events. These incidents included phishing attempts, malware infections and denial-of-service attacks, as well as leaks of paper records and sensitive emails sent without encryption. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] FAA computers vulnerable to hackers, GAO report says

http://www.washingtonpost.com/local/trafficandcommuting/faa-computers-vulnerable-to-hackers-gao-report-says/2015/03/02/388219ac-c119-11e4-9271-610273846239_story.html By Ashley Halsey III The Washington Post March 2, 2015 The Federal Aviation Administration has fallen short in its efforts to protect the national air traffic control system from terrorists or others who might try to hack into the computers used to direct planes in flight, according to a government report released Monday. The Government Accountability Office report credited the FAA with taking steps to deter hackers but concluded that “significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace.” The FAA said it intends to implement the 14 changes recommended in the GAO report. In a written response to the GAO last month, Keith Washington, acting assistant secretary for administration at the Department of Transportation, said the FAA already had achieved six “major milestones” toward improving cybersecurity and agreed with the GAO recommendations for improvements. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] In major goof, Uber stored sensitive database key on public GitHub page

http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/ By Dan Goodin Ars Techica March 2, 2015 Uber is trying to force GitHub to disclose the IP address of every person that accessed a webpage connected to a database intrusion that exposed sensitive personal data for 50,000 drivers. The court action revealed that a security key unlocking the database was stored on a publicly accessible place, the online equivalent of stashing a house key under a doormat. Uber officials have yet to say precisely what information was contained in the two now-unavailable GitHub gists. But in a lawsuit filed Friday against the unknown John Doe intruders, Uber lawyers said the URLs contained a security key that allowed unauthorized access to the names and driver’s license numbers of about 50,000 Uber drivers. The ride-sharing service disclosed the breach on Friday, more than two months after it was discovered. “The contents of these internal database files are closely guarded by Uber,” the complaint stated. “Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files. On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail