A hack of the U.S. Department of Labor web site that was revealed late last week is being described as a “watering hole” style attack aimed at compromising the systems of other government workers, in part using an exploit for a previously unknown (or “zero day”) security vulnerability in some versions of Microsoft’s Internet Explorer web browser.(*) Multiple reports last week indicated that a security breach of the Department of Labor web site had occurred. Accounts indicated that visitors to the site using versions of Internet Explorer were being attacked using exploits for a known vulnerability. Over the weekend, however, researchers analyzing the attacks said that they used an exploit for a zero day hole in IE8, and that details of the attack tie it to a China-based hacking group known as “DeepPanda.” In a blog post on Friday, researchers at the security firm Invincea said that they believed that the […]
Government
Update: Serial Server Flaws Expose Critical Infrastructure
A survey conducted by the firm Rapid7 has found evidence that widespread vulnerabilities and insecure configuration of ubiquitous networking components known as serial port (or “terminal”) servers may expose a wide range of companies and critical assets – including point of sale terminals, ATMs and industrial control systems – to remote cyber attacks.(*) The vulnerable devices connected hardware like retail point-of-sale systems at a national chain of dry cleaners, providing direct access to employee terminals from which customer payment information could be accessed. Other exposed systems were used to monitor the location of cargo containers and train cargo, as well as HVAC and industrial control systems, Rapid7 said. In the Rapid7 survey, over 114,000 unique IPs were identified in a scan using the Simple Network Management Protocol (SNMP), the vast majority manufactured by one company: Digi International. If left unaddressed, the vulnerable devices give remote attackers direct, administrative access to hardware devices […]
Will Reddit Get Its Man? New Clues Come Fast As FBI Releases Boston Suspect Photos
The collective energies of a lot of pissed off people were given focus on Thursday, after the FBI released photos and a video of two men – labeled Suspect #1 and #2 – who were identified as the only suspects in the horrific bombing of The Boston Marathon on Monday. Within hours of the photos’ release, new clues to the identities of the suspects emerged on web sites like Reddit. Astute viewers flocked to the popular website Reddit.com to crowdsource clues, with a special area or “subreddit,” dubbed “findbostonbombers,” created to collect tips and analysis from the sea of fervent users. Their efforts paid off in short order, as contributors identified the brand of cap worn by both suspects (the white cap worn by Suspect #2 is believed to be by Ralph Lauren, while the black cap worn by Suspect #1 is believed to be a Bridgestone golf cap […]
ACLU Complaint Shows Android Insecurity Getting Political
The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the Federal Government to take action to stem an epidemic of unpatched and insecure Android mobile devices – a public scourge that the ACLU blames on recalcitrant wireless carriers. The civil liberties group’s complaint for injunctive relief with the FTC notes that “major wireless carriers have sold millions of Android smartphones to consumers” but that “the vast majority of these devices rarely receive software security updates.” Calling the unpatched phones “defective and unreasonably dangerous,” the ACLU says that carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties. “A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have […]
Update: DARPA Cyber Chief Peiter “Mudge” Zatko Heads To Google
Editor’s Note: Updated with comment from Google on Zatko’s role. – PFR
Noted hacker and innovator Peiter “Mudge” Zatko, a project manager for cyber security research at DARPA for the past three years, will be setting up shop in the Googleplex, according to a post on his Twitter feed. Zatko, who earned fame as a founding member of the early 1990s Boston-area hacker confab The L0pht and later as a division scientist at government contractor BBN Technologies, announced his departure from DARPA on Friday, following a three-year stint as a Program Manager in DARPA’s Information Innovation Office. “Given what we all pulled off within the USG, let’s see if it can be done even better from outside. Goodbye DARPA, hello Google!” he Tweeted. Google did not immediately respond to a request for comment on Zatko’s hiring and Zatko declined to expound on his title and responsibilities within the search giant. However, he has acknowledged that […]