Information Security News
In May 2015, the US Department of Education announced that it would sunset its old e-signature system for the Free Application for Federal Student Aid (FAFSA) and replace it with a new system to authenticate FAFSA information. But the new system is apparently causing confusion and frustration among students.
Students who want to apply for most federal and state financial aid for higher education in the US must fill out a FAFSA by midnight March 2 (that's tonight, if you're a teen or if you have a teen applying to college). But filling out the form is not an easy process for students or their parents, who must also be registered with the Department of Education if the student can be claimed as a dependent.
The change that the Department of Education implemented was a seemingly small one, but it has created some friction that wasn't there before, the Los Angeles Times reported. Previously, students and parents had to apply for a Federal Student Aid PIN with their social security number to access their FAFSA online. If they later forgot their PIN, they had to recover it by reentering a social security number as well as a corresponding name and date of birth. Now, students and parents must create a Federal Student Aid ID (FSA ID), which allows users to access their FAFSA information through a user name and password. Setting up an FSA ID also requires that students and parents have social security numbers as well as a valid e-mail address.
(Feel free to sing along here if you know this song...)
Cisco released a Critical security advisory today that applies to the Cisco Nexus 3000 Series and 3500 Platform Switches. It seems Cisco has a blind spot in their security testing program for this type of vulnerability to be a repeat offender in different products, as our own Daniel Wesemann pointed out 8 months ago with "Cisco Default Credentials - Again!"

The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system. An attacker could exploit this vulnerability by connecting to the affected system using this default account. The account can be used to authenticate remotely to the device via Telnet (or SSH on a specific release) and locally on the serial console.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are available.

tony d0t carothers --gmail

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Sean Gallagher
After nearly a year of protests from the information security industry, security researchers, and others, US officials have announced that they plan to re-negotiate regulations on the trade of tools related to "intrusion software." While it's potentially good news for information security, just how good the news is will depend largely on how much the Obama administration is willing to push back on the other 41 countries that are part of the agreement—especially after the US was key in getting regulations on intrusion software onto the table in the first place.
The rules were negotiated through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, an agreement governing the trade of weapons and technology that could be used for military purposes. Originally intended to prevent proliferation and build-up of weapons, the US and other Western nations pushed for operating system, software, and network exploits to be included in the Wassenaar protocol to prevent the use of commercial malware and hacking tools by repressive regimes against their own people for surveillance.
These concerns appear to have been borne out by documents revealed last year in the breach of Italy-based Hacking Team, which showed the company was selling exploits to Sudan and other regimes with a record of human rights abuses. Network surveillance and "IMSI catcher" systems for intercepting phone calls had been covered in a 2011 Wassenaar rule after widespread use of the tools during the "Arab Spring" uprisings. Security systems from Blue Coat were resold to a number of repressive states through back channels, including Syria's Assad regime—which may have used the software to identify and target opposition activists.