Information Security News
Infosec 2014: No win, no break even, no escape
The three laws of thermodynamics – “you can't win, you can't even break even, and you can't even get out of the game” – can be applied to hackers, who only have to succeed once and get access to one piece of data for you to have lost, said consultant ...
by Cyrus Farivar
Silent Circle, maker of the ultra-secure BlackPhone, announced on Wednesday that the company raised $30 million in investment. The company is also moving its global headquarters to Switzerland, a country long known for valuing privacy and security, to help keep up with internal growth due to unexpected demand.
Silent Circle was founded by a veritable all-star team of crypto geniuses, including Phil Zimmermann, the creator of the Pretty Good Privacy e-mail encryption standard and the ZRTP secure calling protocol, and Jon Callas, who cofounded the PGP Corporation among other endeavors. At the Mobile World Congress earlier this year, the $629 BlackPhone made waves as soon as it debuted. According to Mike Janke, the company’s CEO, it was crazy-popular, and the new influx of cash is simply to deal with the demand.
“To be honest with you, we never expected that BlackPhone would win phone of the year [at Mobile World Congress], and we didn’t know that our global calling plan was so disruptive to telcos,” he told Ars. “That’s not something we thought when we started a year ago. Black is just the beginning. We’re launching global calling plans, starting July 1, to 42 countries on mobile and 89 on landline.”
eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.
More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in human-readable form.
Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."
Adobe's Shockwave Player bundles a version of the company's Flash Player that is 15 months behind on security updates, a feature hackers can use to hijack both Windows PCs and Macs running it, a security expert has warned.
The advisory about the risk from Shockwave, which was published in late 2012 by security researcher Will Dormann for Carnegie Mellon University's CERT, escaped public notice until Wednesday, when it was reported by KrebsOnSecurity. In the 15 months since the initial post, Adobe has made little progress. According to reporter Brian Krebs, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. That includes almost 20 different patches for security holes, some of which fixed critical holes that real-world hackers exploited in the wild to commandeer end users' computers. According to Krebs:
As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.
“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”
Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player.
“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.
In the interest of reducing the "attack surface"—that is, the number of potentially exploitable components available for malicious hackers to target—Ars has long advised readers to strongly consider uninstalling Flash, Java, and other browser plugins that may provide more hazard than benefit. Readers should put Shockwave at the top of this list. This link shows that Shockwave is installed by prompting (or in the case of Google Chrome, initiating) a download on machines that don't have it. Mozilla Firefox users shouldn't confuse "Shockwave Flash" with "Shockwave Player." Adobe provides an uninstall tool here.
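As an added defender's example (not code from the original article, from CERT, or from Adobe), the following Python check reads the opt-in mitigation bits a PE module declares in its header, the kind of per-module opt-in Dormann describes. It only inspects DllCharacteristics (ASLR, DEP and the NO_SEH bit); a complete SafeSEH verification would additionally parse the Load Config directory's handler table, which this example leaves out. The `build_stub` helper and the flag values passed to it are constructed purely for testing and do not describe any real Shockwave module.

```python
import struct

# PE optional-header DllCharacteristics bits (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image never uses SEH at all
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def mitigation_flags(image: bytes) -> dict:
    """Return which opt-in mitigations a PE image declares in its headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "x64": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def build_stub(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE header buffer for testing only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 240, 0x2102)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # constructed sample: ASLR and DEP opted in, SEH still in use
    print(mitigation_flags(build_stub(0x0140)))
```

On a real system you would pass the bytes of each module loaded into the plugin host (for example via `open(path, "rb").read()`) and flag those that leave any bit clear.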
eBay today revealed that attackers "compromised a database containing encrypted passwords and other non-financial data" between late February and early March. The database included names, e-mail addresses, home addresses, phone numbers, and dates of birth. While there is "no evidence of the compromise resulting in unauthorized activity for eBay users," the company is recommending that users change their passwords.
The attackers were able to log in to eBay employee accounts. "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the eBay announcement said. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."
eBay detected the unauthorized employee logins two weeks ago, and "[e]xtensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today." Financial and credit card information was apparently not affected as it is "stored separately in encrypted formats." PayPal data is also stored separately.
by Sean Gallagher
A 27-year-old now-former sailor pleaded guilty in a federal court in Tulsa, Oklahoma on May 20 to charges of conspiracy after leading a band of hackers in the US and Canada from onboard an aircraft carrier. Nicholas Paul Knight, who was the system administrator for the USS Harry S. Truman’s nuclear reactors department, was caught trying to hack into a Navy database while at sea.
Knight and a co-defendant—Daniel Kreuger of Salem, Illinois—were part of “Team Digi7al,” a collective of hackers who attacked at least 24 websites in 2012 in search of personally identifiable information. Knight himself hacked the Navy’s Smart Web Move website, a system for sailors to manage household moves during transfers between stations; that hack included about 220,000 service members’ Social Security numbers, dates of birth, addresses, and other personal data.
Other sites attacked by the group included ones operated by the Department of Homeland Security, the Library of Congress, Stanford University, Los Alamos National Laboratory, the Toronto Police Service, and the University of Nebraska-Lincoln.
Posted by InfoSec News on May 21: http://www.azcentral.com/story/news/local/phoenix/2014/05/19/data-breach-costs-approach-million/9312729/
Posted by InfoSec News on May 21: http://blogs.wsj.com/law/2014/05/20/director-comey-fbi-grappling-with-hiring-policy-concerning-marijuana/
Posted by InfoSec News on May 21: http://news.techworld.com/security/3520791/public-utility-compromised-after-brute-force-attack-dhs-says/
Wacky 'baccy making a hash of FBI infosec recruitment efforts
The Federal Bureau of Investigation wants to hire more infosec professionals to help fight cyber-crime, but can't find the people they need because there's too much weed to weed out from the talent pool. No, really: the Wall Street Journal is reporting ...