Brought to you by: Justin White

Transcription

1 An off the beaten path, impudent, unconventional, downright unorthodox look at garden-fresh information security issues. Brought to you by: Justin White

2

3

4 Permission is granted to print/distribute/send this to whoever you wish! Print, hang in the restroom, place in the kitchen, use as a coffee coaster and enrich your life with fresh Information Security news! Please join us for our monthly meeting Date and Time: Third Thursday of every month. Meeting Time: 6:30 pm - 8:30 pm Location: Community Center at Mercer Island 8236 SE 24th Street Mercer Island, WA Become a member: 5BD290F2C565

5

6 September 2, 2014: The Home Depot, Atlanta, Georgia Former Home Depot Managers Depict 'C-Level' Security Before the Hack. Home Depot s (HD) in-store payment system wasn t set up to encrypt customers credit- and debit-card data, a gap in its defenses that gave potential hackers a wider window to exploit, according to interviews with former members of the retailer s security team. Although the company this year purchased a tool that would encrypt customer-payment data at the cash register, two of the former managers say current Home Depot staffers have told them that the installation isn t complete. A health check on Home Depot s information systems, which was performed by Symantec (SYMC) employees two months ago, identified out-of-date malware-detection systems, according to one former manager. The former managers say they were troubled by the lack of encryption for credit-card data at Home Depot stores. Data were sent from the stores to central servers in clear text, according to two of the former managers. The former information security managers say that when they attempted to make improvements to Home Depot s security systems, they were at times turned down by its technology executives, including information security chief Jeff Mitchell. Two former managers, who left the company in 2011 and in 2012, said Mitchell told them to settle for C-level security because ambitious upgrades would be costly and might disrupt the operation of critical business systems. The Home Depot appears to be another victim of a data breach of their POS systems, reportedly by the same Russian hacking group that hit Target, Michaels, Neiman Marcus and P.F. Chang's. Brian Krebs of Krebs on Security reported that a significantly large amount of debit and credit card information went up for sale on the underground cybercrime sites, all leading back to purchases made at Home Depot stores across the US.

7 EBay Under Fire After Cross Site Scripting Attack Auction site ebay has come in for criticism after appearing to drag its heels over fixing a cross-site scripting (XSS) vulnerability which allowed attackers to booby trap links redirecting users to a phishing page. The hackers had apparently exploited the common vulnerability to inject malicious Javascript into several listings for cheap iphones. Once a user clicked on these they were taken to what appeared to be an ebay login page. However, on further inspection the page is actually hosted elsewhere and has been designed to harvest user log-ins for the hackers. The incident was first spotted by Paul Kerr, an IT worker from Alloa, who told the BBC that after contacting ebay he was assured the matter would be reported to the highest level of security to be resolved. However, the US giant appeared only to take action after the BBC got in touch to check on the progress of the complaint.

8 September 4, 2014: Healthcare.gov Washington, District Of Columbia Reportedly, Healthcare.gov has suffered a data breach to one of their test systems by hackers. Currently the Obama administration is communicating that no personal information was compromised, but authorities are investigating. According to the administration, " our review indicates that the server did not contain consumer personal information, data was not transmitted outside the agency and the website was not specifically targeted, said Aaron Albright, a spokesman at the Centers for Medicare and Medicaid Services, which runs the website. We have taken measures to further strengthen security. " "Mr. Albright said the hacking was made possible by several security weaknesses. The test server should not have been connected to the Internet, he said, and it came from the manufacturer with a default password that had not been changed. In addition, he said, the server was not subject to regular security scans as it should have been".

9 Anonymous Hacker Group Goes After ISIS, But the Implications Could Be Costly The shadowy hacktivist group Anonymous is turning its sights on ISIS in a campaign called #OpNoISIS. An Anonymous source quoted by the magazine claimed that since the hackers can t get ISIS targets directly, they ll attack the countries which support it: Because of the extensive web of Anonymous accounts on Twitter and the fact that ISIS actually hacked into one of the Anonymous Twitter accounts recently, it s difficult to determine who the real members are. But to the extent that these are legitimate, it appears the group is ramping up the threats.

10 September 1, 2014 icloud (APPLE) Cupertino, California A group calling themselves hackappcom posted a proof of concept script on the popular code repository called Github that would allow for a user to attempt to breach icloud and access a user account. This script would query icloud services via the Find My iphone API to guess username and password combinations. The problem here was that apparently Apple was not limiting the number of queries. This allowed for attackers to have numerous chances to guess password combinations without the fear of being locked out". The number of celebrity photos or private information breached is still unknown.

11

12 Harkonnen Operation Malware Campaign that Went Undetected for 12 Years A huge data-stealing cyber espionage campaign that targeted Banks, Corporations and Governments in Germany, Switzerland, and Austria for 12 years, has finally come for probably the longest-lived onlinemalware operation in history. The campaign is dubbed as 'Harkonnen Operation' and involved more than 800 registered front companies in the UK all using the same IP address that helped intruder installs malware on victims' servers and network equipments from different organizations, mainly banks, large corporations and government agencies in Germany, Switzerland and Austria. In total, the cyber criminals made approximately 300 corporations and organisations victims of this well-organised and executed cyberespionage campaign.

13 Hacker exploits printer: installs, runs Doom Michael Jordon, Head of Research at Context Information Security, London. Canon Pixma printers' Web interface allows changing Web proxy and DNS settings. From there, the device's encryption can be broken in eight steps, the final of which includes running unsigned, plain-text firmware files.

14 US Bolstering Cyber Defense With New Corps: NSA Chief WASHINGTON - The US military is building a new cyber defense corps that can be used to protect the nation and possibly for offensive purposes, the commander of the unit said. National Security Agency director Michael Rogers, who also heads the US Cyber Command, said the 6,200- member unit should be fully operational by 2016, to bolster defenses against hackers and state-sponsored cyberattacks. Rogers told a cybersecurity conference that the unit would be able to assist in protecting against cyberattacks on "critical infrastructure," which includes computer-controlled power grids, financial networks, transportation and other key sectors. "We need to all recognize that our information systems are collectively under assault by a wide variety of actors who are interested in penetrating those systems for a variety of reasons," Rogers told the Billington Cybersecurity conference. The unit would also bolster protection of the Pentagon's own computer systems and help improve the cyber capabilities of US military command centers around the world, the US Navy admiral said. "We need to assume there will be a cyber dimension in almost any scenario we are dealing with," he added. Asked whether this unit would have offensive capabilities, Rogers said, "I am trying to ensure that the Department of Defense has a full spectrum of capability if the decision is made to employ it." The comments are in line with previous policy statements that Washington could use cyberwarfare tactics if approved by the president. US officials have not publicly acknowledged using cyberwarfare but many observers believe Washington played a role in the Stuxnet worm that targeted Iran's nuclear program.

15 ';--have i been pwned? Data loss detection tool mines the ephemeral world of 'pastes' Check if you have an account that has been compromised in a data breach: Let s take a little looksee!!!

16 New Android Browser Vulnerability Is a Privacy Disaster for 70% Of Android Users A Serious vulnerability has been discovered in the Web browser installed by default on a large number (Approximately 70%) of Android devices, that could allow an attacker to hijack users' open websites, and there is now a Metasploit module available to easily exploit this dangerous flaw. The exploit targets vulnerability (CVE ) in Android versions and all older versions and was first disclosed right at the start of September by an independent security researcher Rafay Baloch, but there has not been much public discussion on it. The Android bug has been called a "privacy disaster" by Tod Beardsley, a developer for the Metasploitsecurity toolkit, and in order to explain you why, he has promised to post a video that is "sufficiently shocking."