Information Security News
A Department of Energy network breach earlier this year that allowed hackers to download sensitive personal information for 104,000 people was the result of a decade-old patchwork of systems, some that hadn't installed critical security updates in years, according to a federal watchdog.
July's successful hack on the department's Employee Data Repository database was at least the third one to occur since 2011, DOE Inspector General Gregory H. Friedman wrote in a recently published review of the breach. The hack resulted in the exfiltration of more than 104,000 individuals' personally identifiable information (PII), including their social security numbers, bank account data, dates and places of birth, user names, and answers to security questions. The department expects to incur costs of $3.7 setting up credit monitoring and in lost productivity. That figure doesn't include the costs of fixing the vulnerable systems.
The inspector general review recited a litany of failures that allowed hackers to penetrate system defenses. Chief among them is the fact that none of the 354 database tables containing social security numbers were encrypted. Using strong cryptography to protect such "at rest" PII has long been considered a best practice in government and corporate data security. The department's management information system (MIS) that allowed access to the DOEInfo databases also failed to require common security enhancements, such as two-factor authentication or a department-issued virtual private network.
Social Security numbers, addresses of 18800 state workers in missing thumb drive
The Denver Channel
Should you need any further information, please contact the Office of Information Security at email@example.com." Copyright 2013 Scripps Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. PRINT.
Jailbroken Phones Targeted by Hacker Jammers
One of the problems the BYOD trend poses is jailbreaking -- and then hiding it. "Jailbroken and rooted phones are super dangerous in the enterprise," said Marble Security Chairman and CTO Dave Jevan. "They have no security. They can also have ...
Investigative journalist Brian Krebs has uncovered an unusual botnet that forces infected PCs to scour websites for security vulnerabilities that can cough up proprietary data or be exploited in drive-by malware attacks.
The botnet, dubbed "Advanced Power" by its operators, has discovered at least 1,800 webpages vulnerable to SQL injection attacks since May, Krebs reported in a post published Monday. SQL injection vulnerabilities exploit weaknesses in Web applications that allow attackers to send powerful commands to a website's backend databases. From there, attackers can download login credentials or other database contents or cause sites to post links that silently redirect visitors to malicious websites.
Advanced Power masquerades as a legitimate add-on for Mozilla's Firefox browser. Once installed, it looks for vulnerabilities on sites visited by the infected machine. Krebs wrote:
Unlocking CryptoLocker: How infosec bods hunt the fiends behind it
CryptoLocker, the bitcoin thieving ransomware menace that has become 2013's most infamous malware, was likely created by a single hacker crew in Russia or former Eastern bloc states and is heavily targeting US and UK systems, researchers have ...
Information security skills is extremely weak in India
India's talent pipeline in information security skills is extremely weak, according to 'The Talent Crisis in Infosec, Report by EC Council (International Council of Electronic Commerce Consultants), October 2013'. This could cast a shadow on the ...
Posted by InfoSec News on Dec 16http://www.dailytelegraph.com.au/news/g20-delegates-duped-by-nude-pictures-of-carla-bruni-allowing-hackers-to-access-their-computers/story-fni0cx4q-1226781859847
Posted by InfoSec News on Dec 16http://abclocal.go.com/wpvi/story?section=news/local&id=9357997
Posted by InfoSec News on Dec 16http://www.washingtonpost.com/local/crime/aspiring-medical-student-to-be-sentenced-in-mcat-hacking-case/2013/12/12/3e5e012a-6278-11e3-aa81-e1dab1360323_story.html
Posted by InfoSec News on Dec 16Forwarded from: Luiz Eduardo <le/at/ysts.org>
Posted by InfoSec News on Dec 16Until January 15, 2014, your company can post jobs on HotInfoSecJobs.com for