Home Depot probes possible customer data theft

Home Depot said Tuesday it is investigating “unusual activity” related to customer data but stopped short of confirming it had fallen victim to a major credit card breach. The Atlanta-based home-improvement retailer announced it was working with law enforcement officials after security reporter Brian Krebs reported that “multiple banks” had seen evidence that Home Depot may be the source of a large cache of stolen customer credit and debit cards put up for sale on black markets.

via Home Depot probes possible customer data theft – CNET.

UCR Today: Hacking Gmail with 92 Percent Success

RIVERSIDE, Calif. (www.ucr.edu) — A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

via UCR Today: Hacking Gmail with 92 Percent Success.

Community Health Systems’ HIPAA breach among largest ever reported

A cyber security attack on patient data for approximately 4.5 million patients of Community Health Systems-affiliated physicians apparently ranks as the second-largest HIPAA breach ever, in terms of patients affected, according to an Office of Civil Rights database.

Community Health Systems has not yet responded to a request for further comment on the breach.

The attack on CHS, committed by a Chinese group that accessed personal information including names, birth dates, addresses and social security numbers, would be second only to a 2011 breach at Tricare Management Activity that affected 4.9 million people, according to this database.

That breach, which took place at a military health care provider, involved the loss of back-up tapes containing personal information from military beneficiaries’ electronic health records, Healthcare IT News reported.

via Community Health Systems’ HIPAA breach among largest ever reported – Nashville Business Journal.

Cybersecurity should be professionalized – or not?

This piece, and many others, proposes to professionalize cybersecurity. I’m not sure that it is possible or desirable… 

While demand for cybersecurity skills is increasing exponentially, the educational, training and certification processes to prepare people for careers in the field continue to be highly decentralized, ad hoc and non-standard, says a new report. This is leading to renewed calls for the professionalization of the cybersecurity field, especially since the IT industry currently has a shortage of the highly technically skilled people who can design secure systems, write safe computer code and create the tools needed to prevent, detect and mitigate attacks and system failures. Professionalizing the industry would create clearly defined roles and career paths for people entering the field and make it easier to establish education and training requirements.

Cybersecurity should be professionalized – Computerworld.

Southern California Albertsons stores hit by data breach

The Albertsons grocery chain said Friday that hackers attempted to obtain customer credit and debit card information from its approximately 180 Southern California stores, as well as those in several other states.

The data breach started as early as June 22 and ended July 17 at the latest, Albertsons said.

Albertsons, based in Boise, Idaho, said it has no evidence any customer data was misused, or even stolen. The company said it believes that the breach has been contained, and that customers can safely use their cards in its stores.

The breach is the latest to hit large U.S. retailers, including Target Corp., and has renewed concerns about the safety of credit card information. The threat extends beyond big business — smaller independent shops have been hit by cyber theft as well, according to a California database.

via Southern California Albertsons stores hit by data breach – LA Times.

Expanding cybersecurity and privacy research

The U.S. National Science Foundation’s Secure and Trustworthy Cyberspace (SaTC) program has announced new projects designed to support cybersecurity research and education and address grand challenges in cybersecurity science and engineering. SaTC has awarded Frontier awards to help establish the Center for Encrypted Functionalities (CEF), and to the Modular Approach to Cloud Security (MACS) project. CEF’s goal is to use new encryption methods to make a computer program invisible to outside observers without compromising its functionality, through program obfuscation, which involves creating software that can hide vulnerabilities from potential adversaries and strengthen encryption and information transfer. CEF also plans to introduce cybersecurity and computer science to under-represented groups and to develop free Massive Open Online Courses on the fundamental principles of encryption. Meanwhile, MACS will build information systems for the cloud with multilayered security, and plans to use the Massachusetts Open Cloud as a testbed. MACS will build the cybersecurity system from separate functional components to develop an entire system derived from the security of its components.

Expanding cybersecurity and privacy research » CCC Blog.

Verifying preferred SSL/TLS ciphers with Nmap

A very interesting script written by Bojan Zdrnja; the script itself can be found on GitHub. Note that I had to upgrade nmap to nmap-6.25 with the command

brew install nmap

In the last year or two, there has been a lot of talk regarding correct usage of SSL/TLS ciphers on web servers. Due to various, more or less known, incidents, web sites today should use PFS (Perfect Forward Secrecy), a mechanism that is used when an SSL/TLS connection is established and symmetric keys exchanged. PFS ensures that, in case an attacker obtains the server’s private key, he cannot decrypt previous SSL/TLS connections to that server. If PFS is not used (if RSA is used to exchange symmetric keys), then the attacker can easily decrypt *all* previous SSL/TLS connections. That’s bad.

However, the whole process of choosing a cipher is not all that trivial. By default, the client will present its preferred cipher to use and as long as the server supports that cipher it will be selected. This is, obviously, not optimal in environments where we want to be sure that the most secure cipher will always be selected, so administrators quite often enable their servers so they get to pick the preferred cipher.

This allows an administrator to enable only the ciphers he wants used, and additionally to define their priorities – the server will always try to pick the cipher with the highest priority (which should be “the most secure one”). Only if the client does not support that cipher will the server move to the next one, and so on, until it finds one that is supported by the client (or, if it doesn’t, the SSL/TLS connection will fail!).

This is good and therefore I started recommending web server administrators to configure their servers so that PFS ciphers are turned on. However, on several occasions I noticed that the administrators incorrectly set the preferred cipher suite order on the server. This can result in non-PFS cipher suites being selected, although both the server and the client support PFS.

via InfoSec Handlers Diary Blog – Verifying preferred SSL/TLS ciphers with Nmap.
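The selection rule described in the quoted diary (client preference by default, server preference when the administrator enables it, and the misordering that loses PFS even though both sides support it) is easy to reproduce offline. The block below is an added example of mine, not Bojan Zdrnja's nmap script or any nmap code; it simulates the negotiation over OpenSSL-style suite names and audits a server's preference list for non-PFS suites ranked above PFS ones. The cipher lists are constructed for illustration, and treating only ECDHE-/DHE- prefixed names as forward-secret is an assumption of the example.

```python
# Added example (not the ISC diary's script): simulate TLS cipher selection and
# audit a server's preference order for non-PFS suites ranked above PFS ones.
# Suite names are OpenSSL-style; the lists below are constructed for illustration.

# Assumption: only ephemeral (EC)DHE key exchange gives forward secrecy here.
PFS_PREFIXES = ("ECDHE-", "DHE-")


def is_pfs(cipher: str) -> bool:
    return cipher.startswith(PFS_PREFIXES)


def negotiate(server_prefs, client_offer, honor_server_order=True):
    """Return the suite a server would pick, or None if nothing overlaps.

    Client preference (the default the diary describes): walk the client's list
    and take the first suite the server supports.
    Server preference: walk the server's list and take the first suite the
    client offers, i.e. the server's top-ranked suite the client can speak.
    """
    if honor_server_order:
        ordered, supported = server_prefs, set(client_offer)
    else:
        ordered, supported = client_offer, set(server_prefs)
    return next((c for c in ordered if c in supported), None)


def non_pfs_ranked_above_pfs(server_prefs):
    """Audit: non-PFS suites that precede at least one PFS suite in the order.

    Any such suite can win the negotiation against a client that happens not
    to offer the PFS suites ranked above it, even if it offers other PFS suites.
    """
    last_pfs = max((i for i, c in enumerate(server_prefs) if is_pfs(c)), default=-1)
    return [c for c in server_prefs[:last_pfs + 1] if not is_pfs(c)]


def loses_pfs(server_prefs, client_offer):
    """True when both sides share a PFS suite but server preference picks a non-PFS one."""
    both_pfs = any(is_pfs(c) for c in set(server_prefs) & set(client_offer))
    chosen = negotiate(server_prefs, client_offer, honor_server_order=True)
    return both_pfs and chosen is not None and not is_pfs(chosen)


# Constructed data: what a browser might offer, and two server orderings.
CLIENT_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]
# Misconfigured: static-RSA suites ranked above the PFS suites.
MISORDERED = [
    "AES256-GCM-SHA384",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
]
# Corrected: PFS suites first, static-RSA suites only as fallback.
CORRECTED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384",
    "AES128-SHA",
]

if __name__ == "__main__":
    for name, prefs in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(f"{name}: server picks {negotiate(prefs, CLIENT_OFFER)}; "
              f"non-PFS above PFS: {non_pfs_ranked_above_pfs(prefs)}; "
              f"loses PFS: {loses_pfs(prefs, CLIENT_OFFER)}")
```

With the misordered list, server preference selects `AES128-SHA` because the client does not offer the server's first choice and the next one is a static-RSA suite, exactly the failure the diary describes; the corrected list yields `ECDHE-RSA-AES128-GCM-SHA256`. Note that with client preference the misordered server would still end up on a PFS suite here, which is why the problem only shows up once server ordering is enforced.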

New Protection Scheme Makes Weak Passwords Virtually Uncrackable

A team of researchers at the New York University Polytechnic School of Engineering say they have found a way to help organizations better protect passwords.

Using an open-source password protection scheme they dubbed PolyPasswordHasher, the researchers believe they can make it much more difficult for hackers to decode even the shortest individual passwords. The PolyPasswordHasher is currently being tested as part of the Password Hashing Competition, a global effort organized by security professionals to identify new password protection schemes.

According to the researchers, most passwords are stored in databases using a salted hash, a one-way encryption technique that offers protection in the event a database is hacked. However, in cases where attackers gain privileged access to a running system, they can intercept an administrator’s password information before that protection is in place.

With PolyPasswordHasher, password information is never stored directly in a database; the information is used to encode a cryptographic “store” that cannot be validated unless a certain number of passwords are entered. In other words, an attacker would need to crack multiple passwords simultaneously in order to verify any single hash.

via New Protection Scheme Makes Weak Passwords Virtually Uncrackable | SecurityWeek.Com.
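The threshold property described in the excerpt (no single stored hash can be checked until enough correct passwords are supplied at once) can be shown with a small toy. The block below is an added example written for this post, not the PolyPasswordHasher code or its exact construction: it masks each account's Shamir share with a salted hash of the password, so verifying any one password requires first recovering the polynomial from a threshold of correct logins. The field prime, the SHA-256 hash, the stored hash of the secret used to detect a successful unlock, and the sample credentials are all assumptions of the example.

```python
# Added example, not PolyPasswordHasher's own code: a toy threshold-protected
# password store. Each account holds a Shamir share masked by a salted hash of
# its password, so no single entry can be validated on its own.
import hashlib
import secrets

PRIME = (1 << 127) - 1  # field modulus (assumption: a Mersenne prime)
THRESHOLD = 3           # correct passwords needed before any hash can be checked


def _h(salt: bytes, password: str) -> int:
    """Salted one-way hash reduced into the field (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % PRIME


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over GF(PRIME) (Horner)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def _lagrange(points, x):
    """Evaluate the polynomial through `points` at x over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def _secret_check(secret: int) -> str:
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def create_store(credentials):
    """Build the on-disk store from {username: password}.

    The random polynomial (and its constant term, the secret) is discarded;
    only masked shares and a hash of the secret survive, so an attacker with
    the database alone cannot test a single guess against one entry.
    """
    coeffs = [secrets.randbelow(PRIME) for _ in range(THRESHOLD)]
    users = {}
    for x, (user, pw) in enumerate(credentials.items(), start=1):
        salt = secrets.token_bytes(16)
        masked = (_eval_poly(coeffs, x) + _h(salt, pw)) % PRIME
        users[user] = (x, salt, masked)
    return {"users": users, "secret_check": _secret_check(coeffs[0])}


def _unmask(store, user, password):
    x, salt, masked = store["users"][user]
    return x, (masked - _h(salt, password)) % PRIME


def unlock(store, logins):
    """Recover the share points from the first THRESHOLD (user, password) pairs.

    Returns the points if they reconstruct the right secret, else None: with
    fewer than THRESHOLD logins, or any wrong password among them, nothing
    about any individual entry can be learned.
    """
    if len(logins) < THRESHOLD:
        return None
    points = [_unmask(store, u, p) for u, p in logins[:THRESHOLD]]
    if _secret_check(_lagrange(points, 0)) != store["secret_check"]:
        return None
    return points


def verify(store, unlocked, user, password):
    """Check one password: its unmasked share must lie on the recovered polynomial."""
    x, y = _unmask(store, user, password)
    return y == _lagrange(unlocked, x)


if __name__ == "__main__":
    # Constructed sample accounts.
    creds = {"alice": "correct horse", "bob": "hunter2", "carol": "letmein", "dave": "pa55w0rd"}
    store = create_store(creds)
    unlocked = unlock(store, [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "letmein")])
    print("unlocked:", unlocked is not None)
    print("dave/pa55w0rd:", verify(store, unlocked, "dave", "pa55w0rd"))
    print("dave/wrong:", verify(store, unlocked, "dave", "wrong"))
```

The point to take from the toy is the asymmetry: the live server, which sees a handful of correct logins shortly after boot, can unlock and then check every later login normally, whereas an offline attacker holding only the store must guess THRESHOLD passwords correctly at the same time before a single guess against any one account can be confirmed.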

Why the Security of USB Is Fundamentally Broken

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

via Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED.

As Technology Advances, Cybersecurity Jobs Take Center Stage

The modern Internet is proving to be a hacker’s playground, and cybersecurity is no longer an afterthought for the private sector or government agencies.

The expanded commercial opportunities and medical advancements offered by the much anticipated Internet of Things will also present new security challenges for future cyber warriors. And, considering recent cases in which hackers were as young as 15, it’s imperative that schools and companies encourage kids to protect online data rather than exploit it.

via As Technology Advances, Cybersecurity Jobs Take Center Stage – US News.