Information Security News
The website for EC-Council, the "International Council of E-Commerce Consultants," was defaced on Sunday evening. The hacker, who went by Eugene Belford (named for the "thieving evil computer genius" from the movie Hackers), also claimed to have found "thousands of passports belonging to LE [Law Enforcement] (and .mil) officials" in the process of breaking into the site.
Eugene Belford wrote on the EC-Council homepage, “Defaced again? Yep, good job reusing your passwords morons jack67834#”. With respect to the claim that passport and other information was stolen, the hacker posted a photo of Edward Snowden's passport, along with an e-mail from him to the council from 2010.
EC-Council has long been an administrator of information security certifications, and the organization's training programs are sometimes used by employers to get employees up to speed on certain skills. Some of EC-Council's certification programs include Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI), and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT).
by Kyle Orland
Through my tenure as a student at the University of Maryland from 2000 to 2004, my social security number also doubled as my student identification number. I'd use this number and a password whenever I logged into the college's online management system, Testudo, which I did for everything from course selection and monitoring grades to signing up for basketball tickets. (Go Terps! 2002 National Champs whooo!) I vaguely recall having the option to change my student ID number to something else, but neither I nor anyone I knew ever went to the trouble of doing so.
This state of affairs comes to my mind at the moment because of an e-mail I got earlier this week telling me that my alma mater "was the victim of a sophisticated computer security attack that exposed records containing personal information." My name, social security number, and birthday are likely part of a cache of nearly 310,000 leaked records belonging to students and staffers going back to 1998.
After reading the e-mail, I immediately reverted to journalist mode; surely a security breach of over 300,000 computerized student records was the kind of story that would be relevant to the readers of this site. When I consulted with Ars Security Editor Dan Goodin on how to cover it, though, the response was pretty lukewarm.
Healthcare Information Security: Still No Respect
When I was first introduced to the infosec subculture in the 1990s, there seemed to be very few of us in healthcare provider organizations with official security roles. And we were mostly "stuckees" who just fell into the job. (You know, someone in ...
Posted by InfoSec News on Feb 23: http://www.infosecnews.org/ec-council-website-defaced-twice-in-a-weekend/
On Friday Apple released an update to iOS, versions 7.0.6 and 6.1.6, to fix an SSL authentication flaw. Indications are that this flaw is easily exploitable, so this update should be applied as soon as practical. Apple has also indicated that the flaw appears in OS X as well and that a patch is "coming soon". In the meantime, be careful where you browse with your OS X based machines.
Adam Langley at the ImperialViolet blog has created a test page to help you determine whether your browser is vulnerable to this attack. If you can load content from the test page you are at risk; an error indicates you should be OK.
On my two OS X based machines with current versions of Firefox, Chrome and Safari, only Safari displayed the vulnerability. Both Chrome and Firefox appeared to be ok. Below is the Firefox output.
Chrome just displayed its "This webpage is not available" error.
Researchers have determined that the flaw is caused by an errant goto statement. I realize that, although progress has been made, effective code review, code coverage, and regression-testing processes and tools continue to challenge software development, but this one seems like an easy one to catch.
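To show why a single stray goto in a chain of error checks is so dangerous, here is an added, constructed C example (not Apple's code, and not from the diary above). It reproduces the shape of the bug: a sequence of checks that each `goto fail` on error, with one duplicated, unconditional `goto fail;` that makes the signature check unreachable while `err` still holds the success value. The function names and the `signature_valid` flag are assumptions for the illustration; the corrected variant follows.

```c
#include <stdio.h>

/* Constructed illustration of the "errant goto" pattern. Every step
   returns 0 on success and nonzero on error, as the real SSL code did. */

/* Placeholder for earlier steps that succeed (assumed helper). */
static int step_ok(void) { return 0; }

/* Emulates the signature verification step: 0 only when the signature
   is valid. The signature_valid flag stands in for real crypto. */
static int verify_signature(int signature_valid) {
    return signature_valid ? 0 : -1;
}

/* Buggy variant: the duplicated "goto fail;" is unconditional (the
   indentation only makes it look guarded), so verify_signature() is
   never reached and err is returned while still 0, i.e. "success". */
int verify_buggy(int signature_valid) {
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;            /* errant duplicate: always taken */
    if ((err = verify_signature(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected variant: one goto per check, so a bad signature is rejected. */
int verify_fixed(int signature_valid) {
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = verify_signature(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    /* Both calls present an invalid signature (flag = 0). */
    printf("buggy, bad signature -> %d (0 means accepted)\n", verify_buggy(0));
    printf("fixed, bad signature -> %d (nonzero means rejected)\n", verify_fixed(0));
    return 0;
}
```

Compiling the buggy variant with unreachable-code warnings enabled (for example `-Wunreachable-code` on clang) flags the dead signature check, which is the kind of cheap, automated signal that code review and CI should have surfaced; a unit test that feeds a deliberately bad signature and expects rejection would have caught it as well.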
-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.