Wednesday 13 August 2014

Investigation urged of security breach in Fayette County computer system

Fayette County Commissioner Angela Zimmerlink said on Tuesday that further investigation is needed into an alleged security breach caused when Commissioner Al Ambrosini directed IT department head Kebin Holbert to increase access to the county computer system for a financial consultant working for the county.
Referring to a letter from acting Controller Jeanine Wrona, citing an “apparent breach of the security” in that office's financial programs, Zimmerlink on Tuesday made a motion to further an internal investigation.
In a letter dated May 14 to former Controller Sean Lally, Wrona said the server for the New World System was entered “through the back door by Information Technology without permission of the controller or his deputies.”
Wrona and Zimmerlink said Ambrosini directed Holbert to give greater access to consultant Sam Lynch.
“As you know, the New World System is the program through which we issue payments from county accounts and also contains sensitive data on county employees, including Social Security numbers,” Wrona wrote.
Lally resigned in May to accept a position in Monroeville.
“The security changes should not have been authorized because it compromised the system and created exposure and risk to the county's financial accounting system,” Zimmerlink said at the commissioners' agenda meeting Tuesday.
Zimmerlink said Lynch does not require “full access” to the system.
“No county staff member should ever take the direction of one commissioner. One commissioner does not rule,” Zimmerlink said.
Zimmerlink made a motion, to be considered when the board meets next week, to take “the necessary steps to further investigate, which would include but not be limited to, discussion with staff, review of back-door access, a memorandum of understanding to be prepared between the county and contracted financial consultants and the possibility of a computer risk analysis to be conducted.”
The commissioners unanimously agreed to place the item on the agenda.
“Bring on any investigation,” Ambrosini said.
“These are allegations at this point in time. No one has done anything, at least pending further review. I do think it's necessary that we conduct ... a computer risk analysis,” Commissioner Vincent Zapotosky said.
Contacted after the agenda meeting, Holbert confirmed Wrona's account.
“Mr. Ambrosini told me to give (Lynch) what he needs. He just said he did not have access and he needed access to do something. I should have asked the other two commissioners,” Holbert said.
“The system should be secure. (Employees) changing a light bulb is one thing. If it's the financial store, that's something different. ... Kebin was taken advantage of because he was told to do something. He listened to a boss, instead of bosses,” Zapotosky said.
“This is the hub of the financial accounting system for the county,” Wrona said.
Access is determined for each individual depending on the role they play in the county, she said.
“Somebody saying they want access to everything — that doesn't mean you give it to them,” Wrona said. “If the capability is there to change things without us seeing and not knowing, we need to tighten that.
“I'm not saying any of them did anything illegal. But they opened us up to the possibility of that happening,” she said.
Ambrosini said Lynch, who often works out of the county, “had issues” with system access.
He said Lynch's permission level was changed, along with that of several other county employees, affecting their ability to “stay productive.”
“I told (Holbert) to restore permission. … We restored what Sam already had,” Ambrosini said.
He said he told Wrona that if she wanted the controller's office to maintain responsibility for giving employees access to the system, she should write a procedure. He said he has not seen a policy draft.
He said he had Chief Clerk Amy Revak check with other counties to see who manages permissions. Of the six counties responding, he said, none listed the controller, he said.
Ambrosini said he will look into having the commissioners' office and the IT department making those decisions.

Academy introduces computer network security major

U.S. AIR FORCE ACADEMY, Colo. (AFNS) -- Even as the U.S. Air Force Academy has reduced the number of majors it offers recently, it has instituted a new program aimed at helping the Air Force fly, fight and win in cyberspace.

The computer network security major touches on topics designed to help cadets understand what the cyberspace domain is and how the Air Force will establish cyberspace superiority in future conflicts, said Dr. Martin Carlisle, the Academy’s Computer Science Department head for the 2014-2015 academic year.

"The Air Force Academy is committed to producing highly qualified officers to serve in cyber career fields," he said. "This is a time when the Academy is reducing majors, which shows how important we think this mission field is."

The department is creating new classes for cadets majoring in computer network security, Carlisle said. One class will introduce cadets to reverse software engineering, letting cadets analyze viruses and other malware to figure out how it operates. By knowing how a piece of malware works, experts can block it from their networks or even take out its command and control mechanisms.

Another class will focus on computer forensics.

"If a criminal or espionage act has occurred, we can figure out what the perpetrator did and how they did it," Carlisle said. "That allows us to build a chain of evidence."

The program will also include strategy, political science and law classes. The Academy's existing class on cyberspace law can help future legal officers advise commanders whether an enemy action in cyberspace constitutes an attack, said Maj. Robert Palmer during an interview in May.

"Cyber weapons don't always fit that (kinetic strike) model," Palmer said. "Does it count as a use of force if I use a zero-day exploit to enter an adversary's computer network? In the cyber realm, consequences are often far less identifiable and quantifiable."

Three juniors and about 25 sophomores are enrolled in the major, Carlisle said, and the curriculum is set up so cadets don't have to decide right away.

"In fall of their three-degree year, cadets will take Computer Science 210," he said. "They can think about which discipline might be best. They can go into any of our three majors without having to decide up front."

Cadets 2nd Class Justin Niquette will be one of the first to graduate with the new major when he enters the Air Force in a year and a half. Niquette said he shifted from his original major of computer science because he wanted to learn how to keep adversaries out of critical systems.

"I like how computer science allows you to create something from nothing and solve everyday problems in a logical way," Niquette said. "However, I felt that the only way to create secure programs and systems is to have a strong understanding of both offensive and defensive aspects of cyber."

Alleged Author of Android "Heart App" virus arrested


An Android Virus spotted by security researchers at Sophos Labs spreads by sending SMS containing a download link to the first 99 contacts of victims.


The malware goes by the name XXshenqi in Chinese and being called as "Heart App" in English.

After sending SMS to the first 99 entries of victim's contact list, the malware sends a confirmation message to the attacker's number.

The malware also asks victims to register and asks them to enter their personal details including Resident Identity card number, Full name. Once the victim clicks the register button, the data entered by victim will be SMSed to the attacker's number.

It also tricks victims into installing a secondary component (com.android.Trogoogle) that doesn't show up on the regular "Apps" page.  Trogoogle is capable of reading your incoming messages.

An unnamed 19 year old Software engineering student was arrested by by police in Shenzhen accused of being author of the "Heart App" malware.

To remove this virus completely, go to "Settings -> Apps -> Downloaded" and Uninstall both 'com.android.Trogoogle' and 'XX神器'

LulzSec supergrass Sabu led attacks against Turkey – report

Just months after reports emerged that LulzSec "kingpin" turned FBI snitch Hector Xavier Monsegur had allegedly led cyber-attacks against foreign governments while under FBI control, a "cache of sealed court documents" has provided some more startling reading.
Monsegur – whom prosecutors insist is "Sabu", a leading figure in hacktivist group Lulzsec – cut a deal with Feds that saw him receive a "time served" sentence of seven months and a one year supervision order back in May instead of the 20-plus years imprisonment that his numerous offences might have attracted without his co-operation in law enforcement investigations against other hackers.
Sabu operated as a "rooter" – someone who can gain root access to systems – in multiple attacks including assaults against HBGary, Fox Television and Nintendo.
Now the Daily Dot reports that Sabu helped forge an alliance between his group "AntiSec" and the politically motivated Turkish "Red Hack" hacking crew.
The news site says it got its hands on a "cache of sealed court documents", which it says show how Sabu recruited Jeremy Hammond, who was sent to jail over the Stratfor hack, to hack into foreign government websites from a list provided.
Monsegur, whose actions at the time were being overseen by the FBI, orchestrated these attacks. He was arrested by the Feds in June 2011 and turned, partially under pressure of what would happen to his two adopted children. He acted as as FBI asset in the investigation of other hackers for months afterwards until the arrest of his former LulzSec cohorts in March 2012.
"During an encrypted chat session on Jan. 25, 2012, less than two months before Hammond’s arrest, Monsegur instructed him to 'pop off' several dozen foreign government websites from a list that Monsegur provided," the Daily Dot claims. "Access to any hacked Turkish websites, Monsegur told Hammond, would be provided to the RedHack group," it alleged. RedHack was a group which had allegiances to AntiSec/LulzSec.
Monsegur reportedly used zero-day vulnerabilities in Plesk, a common web-publishing platform, to draw up a list of vulnerable targets. The Daily Dot alleges the court docs confirmed that these systems were rooted by Hammond, who passed over details of the pawnage to RedStar, a core member of RedHack’s team. "Some of the government domains Monsegur supplied access to were later defaced, and confidential emails belonging to Turkish officials were stolen," the report adds.
The New York Times previously reported how Monsegur worked with the FBI on cyber-attacks against governmental websites in Brazil, Iran, Iraq, Pakistan and Syria.
The latest revelations add Turkey to the list while filling in the blanks on how the process was run.
The revelations also renew questions about whether the FBI – or some other agency working with the former LulzSec co-founder – was using hackers to gather foreign intelligence. The FBI has consistently denied doing so.

Fifteen zero days found in hacker router comp romp

Defcon 22 Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition in DEF CON this week.
Four of the 10 routers offered for attack including the ASUS RT-AC66U; Netgear Centria WNDR4700; Belkin N900, and TRENDnet TEW-812DRU were fully compromised.
Those devices allowed attackers to execute privileged commands through holes found on updated firmware.
Blood was also splattered from an Actiontec Electronics router sold by Verizon, which was not on the original hit list but was nonetheless accepted by competition organisers.
The Linksys EA6500; Netgear WNR3500U/WNR3500L; TP-Link TL-WR1043ND; D-Link DIR-865L, and the Electronic Frontier Foundation's Open Wireless Router firmware were either untested or emerged unscathed.
Tripwire researcher and SOHO router fiend Craig Young reported 11 of the 15 flaws uncovered during the competition.
Some vendors had already patched the zero-day flaws but failed to do so on the specific models nominated for attack during the competition, a failure said to be common across small home or office router spruikers.
In January, backdoors were found across routers from manufacturers including Cisco, Netgear and Diamond.
And last year, competition organisers Independent Security Evaluators discovered flaws ranging from severe to benign in 13 popular routers from the likes of Linksys, NetGear and Belkin, 11 of which could be hijacked from a wide area network. All routers were updated at the time of the tests.

NIST wants better SCADA security

America's National Institute of Standards and Technology (NIST) wants to take a hand in addressing the SCADA industry's chronic insecurity, by building a test bed for industrial control systems.
The Reconfigurable Industrial Control Systems Cybersecurity Testbed is only in its earliest stages. According to this RFI, the organisation first wants to conduct research that will let it lay out the specs for the testbed.
“The goal of this system is to measure the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines,” the RFI states.
Industrial automation a big driver of Internet of Things spending, running well ahead of their security.
As SCADA (supervisory control and data acquisition) systems have hit the Internet, their poor security has become clear. Everything from traffic management systems to power stations and airports, to pretty much everything (for a given definition of “everything”) is up for grabs, with the famous Shodan search engine lending a helping hand to find vulnerable systems.
NIST says its testbed will run a variety of industrial control scenarios, starting with simulating a chemical process called the Tennessee-Eastman problem.
“The TE problem is an ideal candidate for cyber-security investigation because it is an open-loop unstable process that requires closed-loop supervision to maintain process stability and optimize operating costs,” the RFI says.

Healthcare Providers Gaining Trust by Marketing Security

You’ve surely heard of “B2B” or business-to-business marketing. The new game plan is “B2C” – business to consumer marketing, particularly in the healthcare industry. The Affordable Care Act allows healthcare organizations to directly deal with consumers on a  massive scale for the first time. However, this comes with some challenges, namely, how to effectively reach potential consumers and differentiate their organization from the competition.

Organizations must take notice that potential enrollees aren’t just concerned about cost and coverage, but two less apparent concerns: privacy and security.
Consumers want reassurance that their data is protected. They can’t get all the data breach fiascos out of their mind. According to the TRUSTe 2014 U.S. Consumer Privacy Report, 92 percent of U.S. Internet users are worried about their online privacy. Of these, 47 percent are frequently worried.
So even though a potential enrollee may have complete faith in your service and reputation, they may be unnerved by the pathways of information exchange: the Internet, mobiles, wireless networks, computers. They know that their personal health data is out there in “space,” up for grabs.
If you want strong enrollment numbers and loyal customers, you must put the consumer’s concern for the protection of their personal health information at the top of the priority list. No way around this. If consumers don’t get assurance from you, they won’t stick around for it; they’ll take their business elsewhere.
So what will you do to put consumers’ apprehension at ease? One way to accomplish this is to facilitate a security and privacy program to ease consumer anxiety.
AllClear ID provides the following guidelines for healthcare insurers and providers:
  • Continue to use state-of-the-art IT techniques to secure cloud services, access points, databases and mobile devices; and to better monitor systems for breaches.
  • Improve security of corporate devices and employees’ personal mobile devices used for work.
  • Enhance employee training at all levels to decrease errors, improve device security and ensure HIPAA compliance. Also train employees around how to comfortably talk to customers about how their data will be protected.
  • Institute an identity protection program for enrollees to make them feel safe signing up with you and reduce the pain if there is a breach.