Information Security News |
A former Department of Energy employee has pleaded guilty to federal charges that he attempted to infect 80 current DOE employees with malware so foreign hackers could take control of computer systems that held sensitive information related to nuclear weapons, officials said Wednesday.
Charles Harvey Eccleston, 62, pleaded guilty to one count of attempted unauthorized access and intentional damage to a protected computer, according to a statement issued by officials with the US Department of Justice. The statement said the man, who previously worked for both the DOE and the US Nuclear Regulatory Commission, plotted to compromise federal computer networks by sending current employees highly targeted e-mails that he believed contained links to malware that would give hackers remote access. Such campaigns are often referred to as spear phishing because they target a specific individual, often referring to them by name and referencing specific interests or job duties.
Prosecutors said the plot came to their attention in 2013 after Eccleston entered an unnamed foreign embassy in Manila, Philippines and offered to sell a list of more than 5,000 e-mail addresses of officials, engineers, and employees of a US government agency. Undercover FBI agents posing as embassy employees then worked to build a criminal case against the former employee, who prosecutors said was terminated from his employment at the Nuclear Regulatory Commission in 2010. To make the e-mail more convincing, it posed as an advertisement for a conference related to nuclear energy. According to the press release:
eBay has no plans to fix a "severe" vulnerability that allows attackers to use the company's trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said.
The vulnerability allows attackers to bypass a key restriction that prevents user posts from hosting JavaScript code that gets executed on end-user devices. eBay has long enforced the limitation to prevent scammers from creating auction pages that execute dangerous code or content when they're viewed by unsuspecting users. Using a highly specialized coding technique known as JSFUCK, hackers can work around this safeguard. The technique allows eBay users to insert JavaScript into their posts that will call a variety of different payloads that can be tailored to the specific browser and device of the visitor.
"An attacker could target eBay users by sending them a legitimate page that contains malicious code," Check Point researcher Oded Vanunu wrote in a blog post published Tuesday. "Customers can be tricked into opening the page, and the code will then be executed by the user's browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download."
Dark Reading | 7 Signs of Infosec's Groundhog Day Syndrome Dark Reading Sometimes working in information security can make people feel a little bit like Sisyphus. Or, at least like Bill Murray in the movie "Groundhog Day." You wake up and the same types of weaknesses in your people and technology are being attacked by the ... |
2016 Information Security Predictions Finextra (blog) No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predicts many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off… Wearable Devices. Cyber crooks don't care ... |
Microsoft announced on the TechNet blog the availability of a new version of its EMET tool (EMET stands for Enhanced Mitigation Experience Toolkit). The purpose of this tool is to implement extra security controls to prevent common vulnerabilities in software like: DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization
More info about configuration guidelines is available here.
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key