critical infrastructure Archives

critical infrastructure

Report: Hacked Password Behind Compromise of 75m JPMorgan Accounts

October 3, 2014 Paul Roberts

The top news this week is about Wall Street giant JP Morgan Chase, which disclosed on Thursday that a previously disclosed breach was much larger than initially believed, affecting more than 75 million account holders. And once again, reports suggest that a compromised employee account may be at the root of the incident. Bloomberg, which first broke the news of the cyber attack on JPMorgan Chase in August, said on Friday that hackers exploited an employee’s access to a development server as part of an attack on a JPMorgan Chase & Co. server that led to one of the largest cyber-attacks ever and the theft of data on 76 million households and 7 million small businesses. According to the Bloomberg report, which cited “people familiar with the bank’s review,” the breach started in June when an employee’s user name and password for what’s described as “a web-development server” were compromised. From that […]

DARPA Tech Identifies Counterfeit Microelectronics

October 2, 2014 Paul Roberts

The U.S. Defense Advanced Research Projects Administration (DARPA) announced on Wednesday that advanced software and equipment it developed to spot counterfeit microelectronics in U.S. weapons and cyber security systems has been handed over to military contractors to continue development. DARPA said the product of its Integrity and Reliability of Integrated Circuits (IRIS) program: the Advanced Scanning Optical Microscope (ASOM) technology was transferred to the Naval Surface Warfare Center (NSWC) in Crane, Indiana, where it will be used to inspect microelectronics for signs of tampering or compromise. The technology was developed with the help of SRI International, an IRIS contractor. Read more Security Ledger coverage of supply chain risks. “The ASOM technology housed at NSWC Crane will help engineers provide forensic analysis of microelectronics, including integrated circuits (IC) confiscated by law enforcement officials,” DARPA said in a statement. The DoD is a major buyer of integrated circuit chips, which are mainly manufactured outside the U.S. […]

Whack-A-Bash: New Vulnerabilities add to Patch Confusion

September 29, 2014 Paul Roberts

The good news about the rapid, industry response to the revelations about exploitable security holes in GNU Bash (Bourne Again Shell) (aka “Shellshock”) is that Linux users had a fix in hand almost as soon as they became aware of the problem those patches addressed. The bad news about the quick fixes for the two issues, CVE-2014-6271 and CVE-2014-7169, from the likes of Red Hat, Ubuntu, Debian and others is that – in being early- they fail to fix the problems we don’t yet know about. And that’s what we’re seeing in the wake of last week’s storm of patches: a steady drip-drip of disclosures that suggest that Bash may contain other problems worthy of new fixes. Within hours of the disclosure of the first holes, there were problems discovered by Red Hat Product Security researcher Todd Sabin, who found additional “off by one” errors in Bash that were assigned CVE-2014-7186 and CVE-2014-7187 and […]

MITRE Gets $29m For First Cybersecurity Center of Excellence

September 25, 2014 Paul Roberts

MITRE Corporation has been awarded $29 million from the U.S. Commerce Department for the nation’s first federally funded National Cybersecurity Center of Excellence (NCCoE), according to a statement by the Commerce Department’s National Institute of Standards and Technology (or NIST). The contract charges MITRE with the job of operating the federally funded research and development center (FFRDC) in the areas of research, development, engineering and technical support; operations management; and facilities management. This is the first FFRDC dedicated to enhancing the security of the nation’s information systems, NIST said. The NCCoE was established in 2012 in partnership with NIST, the state of Maryland and Montgomery County, Md. It brings together experts from industry, government and academia to develop integrated cyber security solutions using existing, commercially available technology. “As the principal champion of the digital economy in the federal government, the Commerce Department is committed to defending our nation’s digital infrastructure from cyberattacks and helping American companies strengthen […]

With Cars Connected to the Internet, What about Privacy? | Computerworld

September 19, 2014 Paul Roberts

Lucas Mearian has a long and quite thorough article over at Computerworld weighing the possible security and privacy risks posed by connected vehicles. Among other things, Mearian weighs the recent past and likely future of connected vehicles, noting that, “once mobile devices are connected to car infotainment systems and cars are connected to the Internet, vehicles will become a rich source of data for manufacturers, marketers, insurance providers and the government.” They’ll also be a target for hackers. The problem is that, unlike mobile phones, cars have useful lives that are measured in decades, not years – or even months. That makes it difficult for manufacturers, who want to make their vehicles state of the art, but also must deal with the reality of much longer development cycles and complex interactions between non-critical and critical on board systems. [Read more Security Ledger coverage of connected vehicles here.] A couple issues worth noting: […]