Information Security News
Top 10 InfoSec Careers Influencers
CareersInfoSecurity presents its first ranking of 10 individuals shaping the way that organizations and leaders approach information security careers in 2014. Each of these Influencers has a substantial impact on InfoSec careers. Their influence ranges ...
The federal government's HealthCare.gov website continues to be riddled with flaws that expose confidential user data to the public, a security expert testified Thursday at a hearing on Capitol Hill.
David Kennedy, founder of security firm TrustedSec, told members of the House of Representatives Science Committee that only one of 18 issues he reported in November had been fixed, and even then he identified ways that attackers could bypass the remedy. Kennedy didn't discuss specifics of the vulnerabilities out of concern that details would make it easier for criminals to exploit the weaknesses. Generally, he said some of the weaknesses leaked usernames, e-mail addresses, and other data contained in user profiles onto the open Internet, making it possible for unauthorized people to access the information using Google or other search engines. The testimony came as top security officials from the US Department of Health and Human Services (HHS), which helps oversee HealthCare.gov, were appearing before a separate House hearing.
"TrustedSec cannot state with 100 percent certainty that the back-end infrastructure is vulnerable," Kennedy wrote in a statement submitted in advance of Thursday's proceedings. "However, based on our extensive experience performing application security assessments for over 10 years, the website has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported, and TrustedSec would be more than willing to have discussions with HHS to address the security concerns."
Infosec Salaries Among Highest in IT
Security professionals, especially those at the executive level, earn salaries that compare favorably with many of their non-infosec colleagues and can expect pay increases that will outpace those of many coworkers. Fifty percent of chief information ...
by Jason Inofuentes
The most popular mobile payment systems in the US may also be among the leakiest. Security researcher Daniel Wood went public with his research Tuesday, revealing that the Starbucks iOS app exposes customers' usernames, e-mail addresses, passwords, and certain location data.
The problem doesn't arise directly from the Starbucks app. Rather, it stems from the cleartext logs maintained by the app's crash analytics software. The software, known as Crashlytics, allows developers to log application data for subsequent analysis in the event of an error. Crashlytics advises its partners not to log sensitive data, such as usernames and passwords. In this instance, the Starbucks app is passing user data along to the session.clslog file without any effort to conceal it.
Wood points out that the methods he used to access the data circumvent PIN locking on the device and could be accomplished with less than 30 minutes of physical access to the phone. Stolen phones would be the most likely target for this attack, and though the breach might seem limited to simply filling up on a little coffee, users who have set their accounts to auto-replenish periodically could be at greater risk. The habit many people have of reusing passwords could expose users to additional breaches, too.
Enterprising, Exit Stage Left head Cal Derby entries
San Francisco Chronicle
In post-position order (with jockey and morning-line odds), the field for the 1 1/16-mile race consists of Enterprising (Aaron Gryder, 2-1), Exit Stage Left (Russell Baze, 5-2), Morally Bankrupt (Leslie Mawing, 15-1), Harbaugh (Juan Hernandez, 10-1 ...
Exit Stage Left tops California Derby field
Posted by InfoSec News on Jan 16: http://www.theregister.co.uk/2014/01/16/blackberry_oracle_ship_vuln_patches/
Posted by InfoSec News on Jan 16: http://www.smh.com.au/it-pro/security-it/huawei-denies-us-compromised-equipment-security-20140116-hv8pr.html
Posted by InfoSec News on Jan 16: http://www.nytimes.com/2014/01/15/technology/upstarts-challenge-old-timers-in-lucrative-computer-security-field.html
Posted by InfoSec News on Jan 16: http://www.theactuary.com/news/2014/01/business-complacent-about-cyber-crime-and-terror-risks-says-aon/
Posted by InfoSec News on Jan 16: http://www.networkworld.com/news/2014/011514-encrypted-messaging-startup-wickr-offers-277752.html
Posted by InfoSec News on Jan 16: http://www.forbes.com/sites/kashmirhill/2014/01/15/so-you-found-an-obamacare-website-is-hackable-now-what/
Posted by InfoSec News on Jan 16: http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
5 Surprising Security Gains Achieved From Security Analytics
As more CISOs begin to lean on data scientists to discover new threats in security feeds, and as more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics.