Via superlative reportage from DJ Pangburn, we now learn of the ineptitude of US governmental oversight officials (and the Agencies, Bureaus, Departments, and Branches of the Federal Government they serve) tasked with protecting gathered and stored biometric data (amongst other things). Simply astounding.
"Once the researchers gain root access, they can bypass the router's most fundamental security protection. Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the company’s enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world." - via Lily Hay Newman, reporting for Wired Magazine
Sterling example of both the Hubris and Cruft of Wipro's information security practices. Would you trust the Indian outsourcing company with your organization's information security? At one time the answer may have been yes, but is that still the case?
Another day, another data thievery revelation at Facebook, Inc. (Nasdaq: FB). It's time for our national law enforcement agencies to take action and act in the manner they would against any other organized criminal enterprise: raid the corporate headquarters; arrest, detain, interrogate and incarcerate the C-level personnel (including recently separated personnel); and prosecute. Then there's this well crafted explanatory post at The Hacker News providing another take on the company's criminal behaviors...
'An anonymous security researcher, who sports the handle e-sushi on Twitter, first noticed that the company was asking some new users to enter their email passwords to verify their identities, a deeply anti-security request even on its own. Business Insider then spotted that if you did this a dialogue box popped up warning you – with no chance to cancel, pause or opt out – that it was importing all your contacts.' - via John Oates reporting for El Reg
Via the highly respected Dan Goodin, Security Editor at Ars Technica, comes the story of a fundamental design weakness at GoDaddy, Inc. (NYSE: GDDY), which permitted thousands of domains registered at GoDaddy, Inc. to be hijacked, leading to bomb-threat emails being processed and delivered on December 13, 2018 (mail-routing data is carried in DNS records, although the records themselves are not the specific flaw).
Perhaps a modicum of diligence in ferreting out flaws (ideally on a continuous basis), instead of focusing on creating bullshit-laden advertising touting your company's misaligned-to-reality information security architecture and engineering capabilities, is in order, GoDaddy, Inc.... Get those priorities aligned correctly, and you'll end up with a posture that's squared away.
via Swati Khandelwal - writing at The Hacker News - comes this news confection, detailing the apparent incompetence of the State of Oklahoma Department of Securities (ODS) protective security personnel in safeguarding critical investigatory data.
I can think of a couple of rules when storing investigative data ostensibly owned by sister agencies (other than 'DO NOT DO IT'): Chain of Custody and Access Control...
"The unsecured storage server, discovered by Greg Pollock, a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the Oklahoma Securities Commission and many sensitive FBI investigations—all wide open and accessible to anyone without any password." - via Swati Khandelwal - writing at The Hacker News
Via Shaun Nichols, writing at El Reg, comes today's shocker: the core flaws which facilitated the Communist Chinese cyber attack of June 2015 targeting the US Federal Office of Personnel Management (OPM) have not been remediated. Go figure...
"A report issued this week by the Government Accountability Office (GAO) disclosed that the OPM has failed to comply with more than a third of recommendations its investigators made for improving the office's network security and data protection." - via Shaun Nichols, writing at The Register, on the June 2015 OPM data breach
Graham Cluley reports (from an original Wall Street Journal story) on a Google, Inc. (Nasdaq: GOOG) security SNAFU... This time it is the failure of the so-called non-evil company to disclose a significant data custody failure within its so-called 'Google Plus' product, where, in fact, you are the product. The company's better-late-than-never blog post covers the issue in somewhat less than effective detail...
Yes, you read that right. If you lease a Comcast modem with WiFi, Comcast has been handing out the password to your WiFi network in the clear, behind only minimal identity verification (snippets of your address, for example), thereby granting access to the world; all courtesy of a nasty little overlooked bug in their code. A nearly perfect example of the apparent lack of application security oversight at the company, one that points to systemic and blatant security incompetence.
The company claims to have fixed the access issue as of this writing. The question is, what other flaws exist in the company's deployments? One bright spot in this debacle: currently, customers who supplied their own hardware routers were not among the multitude of customers affected.
Via Graham Cluley, writing at the BitDefender Security Blog (further via Zack Whittaker of ZDNet), comes incontrovertible evidence of information security incompetence exhibited by Bellevue, Washington based LocalBlox. Said evidence, in the form of an unencrypted 1.2 TB+ file, unencumbered by any access controls, containing the personal details of 48 million scraped user identities the company uses to flog its wares, was exposed by security researcher Chris Vickery. Today's MustRead!
'LocalBlox makes no secret of how it collects and consolidates data about individuals. Its own website explains how it “automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks… LocalBlox helps companies acquire and utilize a vast amount of information from sources held captive on the web with exceptional speed and scale.”' - via Graham Cluley, writing at the BitDefender Security Blog
As is typical of Intel Corporation (Nasdaq: INTC), the firm is attempting to shirk responsibility for this flaw and transfer the blame onto the company's vendors, not to mention the glad-handing exhibited by the company's CEO at CES.
It's time to rein in Intel Corporation's significantly flawed software development practice (as evidenced by the output), as the ramifications of the company's vulnerability touch many, if not all, systems worldwide. Further, what else is flawed in the company's other products (for example, automotive chips and medical device systems where the firm's hardware and software reside)?
'But the latest vulnerability—discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post—is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer—even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and BitLocker disk encryption passwords—by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel’s Management Engine BIOS Extension (MEBx).' - via Sean Gallagher, writing at Ars Technica
Martin Brinkmann, writing at GHacks, targets the proliferation of spam extensions flooding the Mozilla Foundation's Firefox AMO Web Extension store. Further proof of deep administrative incompetence at the Mozilla Foundation, or something else? You be the judge.
"The site is abused by spammers currently who flood it with extension listings designed to get users to click on links in the description. The method that these spammers use is simple: they have copied the Chrome extension Hide My IP and use it as the extension that they upload." - via Martin Brinkmann, writing at GHacks
465,000. The number of Abbott-manufactured pacemakers that require software updates due to life-threatening vulnerabilities resident within the installed software. Coupled with easy accessibility via the interwebs, is this another example of incompetent software engineering in the manufacturing process? No, just a jarring welcome to the Internet of Shite. The United States Food and Drug Administration's announcement ordering a recall and detailing the flaws came as no real surprise:
via the FDA Announcement: Abbott's (formerly St. Jude Medical's) implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices, provide pacing for slow or irregular heart rhythms. These devices are implanted under the skin in the upper chest area and have connecting insulated wires called "leads" that go into the heart. A patient may need an implantable cardiac pacemaker if their heartbeat is too slow (bradycardia) or needs resynchronization to treat heart failure. The devices addressed in this communication are the following St. Jude Medical pacemaker and CRT-P devices:
- Accent MRI
- Accent ST