Aug 30 2014

Hackers stole security check info on at least 25,000 DHS employees

Employees at the Department of Homeland Security may be feeling a bit less secure about their personal data.

On Aug. 2, Department of Homeland Security officials revealed that the agency's contractor for conducting security clearance background checks had been hacked, and an unknown number of DHS employees' personal data from those investigations had been stolen—potentially by a state-sponsored hacker. Now the DHS has a handle on how many records were stolen from contractor USIS: at least 25,000.

The Associated Press cites information from an unnamed DHS official, who spoke with the service under the condition of anonymity. "Homeland Security will soon begin notifying employees whose files were compromised and urge them to monitor their financial accounts," the Associated Press' Joce Sterman reported.

USIS is, as the Washington Post reported, the largest contract provider of background investigations to the federal government. The attack on USIS comes after the March revelation that the US Office of Personnel Management had been attacked by hackers based in China, potentially giving them access to the personal information of millions of government employees—though OPM officials say that no personal data appeared to have been taken in the attack before it was detected.


Aug 30 2014

Offline attack shows Wi-Fi routers still vulnerable

A researcher has refined an attack on wireless routers with poorly implemented versions of the Wi-Fi Protected Setup that allows someone to quickly gain access to a router's network.

The attack exploits weak randomization, or the lack of randomization, in a key used to authenticate hardware PINs on some implementations of Wi-Fi Protected Setup, allowing anyone to quickly collect enough information to guess the PIN using offline calculations. By calculating the correct PIN, rather than attempting to brute-force guess the numerical password, the new attack circumvents defenses instituted by companies.

While previous attacks require up to 11,000 guesses—a relatively small number—and approximately four hours to find the correct PIN to access the router's WPS functionality, the new attack only requires a single guess and a series of offline calculations, according to Dominique Bongard, reverse engineer and founder of 0xcite, a Swiss security firm.


Aug 29 2014

The long game: How hackers spent months pulling bank data from JPMorgan

JPMorgan Chase CEO Jamie Dimon said attacks were "going to be non-stop." It looks like he was right.

The electronic attack on JPMorgan Chase’s network, now under investigation by federal law enforcement, apparently spanned months, according to a report by Bloomberg News. Starting in June, hackers used multiple custom-crafted bits of malware to infiltrate the bank’s infrastructure and slowly shipped bits of bank transaction data back out through computers in several countries before it was sent onward to Russia.

The attack, which went on for more than two months before being detected by JPMorgan in a security scan, bears the fingerprints of similar long-game attacks against corporate targets by cybercriminals from Eastern Europe, some of whom have developed capabilities more advanced than state-sponsored hackers. While the details obtained by Bloomberg’s Jordan Robertson and Michael Riley are sparse, the information provided by their sources is consistent with attacks on a number of European banks earlier this year.

While the FBI and National Security Agency are reportedly investigating whether the attack came from Russian state-sponsored hackers—or at least state-sanctioned ones—in retaliation for sanctions against Russia, making that connection will be difficult at best. It seems more likely, based on recent security reports, that the attacks were criminal in nature—but relied on tools and techniques that may have a mixed provenance, using methods honed in attacks on other banks and on government targets for financial gain.


Aug 29 2014

IronWASP – Open Source Web Security Testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the...

Read the full post at darknet.org.uk