Monthly Archives: May 2016

New Decryption Tools Released for TeslaCrypt Ransomware

Security researchers have released several new decryption tools for TeslaCrypt ransomware following the publication of its master decryption key.

Slovakian IT security firm ESET explains they have been tracking TeslaCrypt for months. Most recently, the malware has been spotted in spam campaigns involving fake Visa Rewards offers as well as exploit kit attacks.

After learning its developers intended to abandon the crypto-ransomware, ESET decided to reach out in an effort to obtain its master decryption key.

They did not foresee what would happen next. As the security firm explains in a blog post:

“On this occasion, one of ESET’s analysts contacted the group anonymously, using the official support channel offered to the ransomware victims by the TeslaCrypt’s operators, and requested the universal master decryption key. Surprisingly, they made it public.”

Since the release of that universal master decryption key, both ESET and researchers at Bleeping Computer have created their own up-to-date decryption tools, which are available here and here for download.

This is not the first instance security researchers have released a decryption tool for TeslaCrypt. Analysts at BitDefender created such a utility back in March, but it is unclear whether that particular tool could work against all versions of the crypto-ransomware.

By contrast, ESET’s and Bleeping Computer’s tools make use of the master decryption key, which means they can decrypt files affected by any of TeslaCrypt’s iterations.

While TeslaCrypt might be out-of-commission, ESET is careful to point out that users still remain at risk of infection from other forms of ransomware.

“We must stress that ransomware remains one of the most dangerous computer threats at this moment, and prevention is essential to keep users safe.”

Users should avoid clicking on suspicious links, implement vendor patches as soon as they become available, and back up their important data just in case they experience an infection.

For more ransomware prevention tips, please click here.

Via: tripwire

Kroger, Wendy’s, Kiddicare Suffer Data Breaches

The exposed data ranges from employee tax information to customer credit card data.

Three retailers were recently hit by data breaches that exposed significant amounts of customer and employee data, including names, email addresses, delivery addresses, phone numbers, credit card data and tax information.

Grocery retailer Kroger recently began notifying all current and some former employees (more than 431,000 people) that their W-2 tax information may have been accessed via Equifax’s W-2 eXpress website, KrebsOnSecurity reports.

“It appears that unknown individuals have accessed the W-2 eXpress website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger stated in a FAQ provided to employees. “We have no indication that Kroger’s systems have been compromised.”

According to the company, some fraudulent tax returns seeking refunds may have been filed by the attackers, though Kroger is still working to determine which employees’ information was accessed.

Approximately 150 Northwestern University employees and at least 600 Stanford University employees were also recently impacted by similar attacks on Equifax’s W-2 eXpress portal.

“The information in question was accessed by unauthorized individuals who were able to gain access by using users’ personally identifiable information,” Equifax spokesperson Dianne Bernez said in a statement provided to KrebsOnSecurity. “We have no reason to believe the personally identifiable information was attained through Equifax systems.”

Separately, online retailer Kiddicare recently acknowledged that 794,000 customers’ names, email addresses, delivery addresses and phone numbers may have been accessed from a test version of its website that was created in November 2015.

The breach was discovered when some customers began receiving phishing messages asking them to take an online survey.

In response, Kiddicare notified the UK Information Commissioner’s Office, deleted the test site, and reset all customer passwords, according to an online FAQ (PDF).

“We want to reassure everyone that the problem has been fixed, increased security measures have been implemented and we have a dedicated team … here to help with any further concerns,” the company told BBC News.

And in reporting its first quarter 2016 results on May 11, Wendy’s announced that “malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

“Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues,” Wendy’s added. “The company and affected franchisees are working to verify and resolve these issues.”

According to the results of a recent survey of 200 IT professionals in the retail sector, the number of retail data breaches involving personally identifiable information (PII) has more than doubled since 2014 — 33 percent of respondents in 2016 said a data breach at their organization had exposed PII, compared to 14 percent of respondents to a similar survey in 2014.

The survey, conducted by Dimensional Research for Tripwire, also found that 59 percent of respondents said their breach detection solutions were only partially or marginally implemented.

“Unfortunately, these results indicate that we can expect retail breach activity to continue in the future,” Tripwire director of IT security and risk strategy Tim Erlin said in a statement.

Via: esecurityplanet

IoT Security Begins with Risk Assessment

Weigh the benefits of IoT devices against their potential security risks to determine, on a device-by-device basis, whether the technology should be used, experts advise.

The FBI’s recently issued warning that newer cars are susceptible to hacking highlights the issue of IoT (Internet of Things) security not only in vehicles, but across the enterprise.

Earlier this year security researchers used a $30 webcam to establish a persistent point of access into a network. This type of IoT hack poses a clear danger to enterprises as hackers can access the network without having to infect a laptop, workstation or server, all of which are usually protected by firewalls, intrusion prevention systems and malware sandboxes in addition to running antivirus software.

Despite the dangers, enterprises are embracing IoT in sensors, locks and in other types of devices. Research firm IDC expects annual spending on the Internet of Things to grow 17 percent for each of the next three years, to reach $1.3 trillion in 2019.

“We’ve been looking at IoT a lot,” said Chris Poulin, security research strategist for IBM. “Most makers of IoT devices are not including security.”

IoT Security Shortfalls

Many IoT device manufacturers are early stage technology companies that have little or no profits, so they need to concentrate on manufacturing and selling devices just to keep the lights on, said Kate Lucente, co-chair of the IoT practice at DLA Piper, a multi-national law firm. In many cases, security suffers.

Such security neglect has ramifications for everything from smart building systems to wearables such as badges that employees wear to gain access to sensitive areas or sensitive systems, Poulin said.

A survey found that 84 percent of building automation systems (such as elevators and HVAC) were connected to the internet, with 35 percent of those bridged to the enterprise network. Thirty-one percent of respondents said a cybersecurity attack could cause significant harm. Yet less than half (41 percent) had established security countermeasures for Internet of Things systems.

Companies of all types are at risk, Poulin said. In addition to autos, systems of hotels and airlines have been compromised via IoT hacks. “Hackers try to break in using every type of connected system,” he said.

Still, enterprises are often slow to close security loopholes created by connecting devices to the internet. For example, old PBX telephone systems weren’t a security risk until modems connected to the internet were added. But security and other executives tended to ignore updated systems until security was compromised at their firm or at another enterprise.

Similarly, security and company executives need to start paying attention to IoT risks now, Poulin advised. “What’s being made today is being made for availability, not for security.”

Enterprise security executives should examine any security vulnerabilities of IoT devices and take steps to address those threats before the devices are installed, he said.

IoT Risk Assessment

Poulin and other security experts recommend weighing the benefits of individual IoT devices against the additional risks they may pose to determine on a device-by-device basis if the technology should be added at all.

“Security always comes down to making a risk assessment,” said Garry McCracken, vice president of technology for WinMagic, a provider of encryption key management solutions. “If the IoT device provides only potentially marginal utility, why install it?”

Any communications between devices should be encrypted, McCracken said, and any security included in IoT devices or protocols used to connect IoT devices should meet the enterprise’s own security standards and best practices.

“IoT provides a lot of entry points into the enterprise; each one is a security issue. You need to make sure that you have the appropriate firmware and hardware updates,” Lucente said.

IoT’s Legal Ramifications

Beyond the security of the enterprise, the liability issue also becomes more challenging for law firms and their clients, Lucente said. The law says enterprises need to take “reasonable” precautions to protect information. With IoT, the definition of what is reasonable becomes more confusing.

Though most companies have reasonable security programs now, the volume of IoT devices will make it much harder to stay in compliance, Lucente said. “It will be very difficult to manage.”

Enterprises need to make sure they take reasonable precautions or the government will step in and define the steps that need to be taken, said Elliot Katz, associate at DLA Piper. Indeed, the government already started discussing legislation to define security protocols for vehicles after security experts highlighted the ease of hacking cars.

According to Katz, the proposed legislation, which is still in its earliest stages, would outlaw all hacking, with no exceptions for “ethical” or white hat hacking that companies use to determine the vulnerabilities of their own systems.

IoT Security Advice

While IoT receives plenty of attention today, most enterprise hacks come via other, simpler, technologies, said Ryan Kalember, Proofpoint senior vice president of cybersecurity strategies.

“For years and years, people have tried to hack into systems from a connected printer or through conference room systems,” Kalember said. “Now with smart lights, smart locks and other devices that are connected, you are now just one or two hops away from the internet.”

While older devices typically don’t offer internet connectivity and are thus more secure, such devices typically don’t appeal to companies upgrading their systems, Kalember added. If the enterprise is intent on installing IoT devices, they should be segmented from one another and from critical network systems to help ensure security.

Kalember further recommends that enterprises connect devices via the cloud and use strong authentication.

Though IoT certainly presents security challenges for enterprises, it can provide some security enhancements as well, Katz said. “IoT can help identify bad network traffic and provide additional analytics for better enterprise security.”

IoT devices should be able to communicate warnings if hacks have been attempted, McCracken said.

Many security experts agree that, just as happened with major retailers before they took significant steps to tighten their security systems, there will likely be noticeable, costly IoT hacks before most enterprises adequately protect themselves against these new security threats.

“Look at the retailers; they didn’t invest a lot in security before the incidents at Home Depot and at Target,” Poulin said. “A lot of CSOs and CEOs lost their jobs as a result. Incidents cause change.”

Via: esecurityplanet

117 million LinkedIn email addresses and passwords put up for sale

The LinkedIn hack of 2012 just got a whole lot worse.

If you recall, in 2012 LinkedIn reset users’ passwords after hackers broke into the network, stole a database of password hashes, and posted some 6.5 million account credentials on a Russian password forum. LinkedIn was left humiliated by the security breach, which revealed that it had not used a salt when creating the hashes it stored of users’ passwords, making it trivial for fraudsters to crack them.
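As an added illustration (not part of the original article) of why the missing salt mattered: the script below, with constructed sample users, contrasts the unsalted SHA-1 pattern with a per-user random salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library). With unsalted hashes, every user who picked the same password gets the same digest, so one precomputed table matches all of them at once; with salts, each stored value is unique and must be attacked individually, and the work factor makes each attempt expensive. Function names and the sample data are this example’s own.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed sample data for this example: two users who happened to pick the
# same weak password (one of the real LinkedIn passwords quoted in the article).
SAMPLE_USERS: Dict[str, str] = {
    "alice": "hatemyjob",
    "bob": "hatemyjob",
    "carol": "L{Ki3XG($jPzGAE&KaJ4",
}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """The storage pattern exposed by the 2012 breach: a bare SHA-1 of the password.

    Identical passwords produce identical digests, so the leaked table itself
    reveals who shares a password, and one lookup table cracks all of them.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, iterations: int = ITERATIONS) -> Dict[str, str]:
    """Hardened pattern: 16 random salt bytes per user plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The salt and iteration count are stored alongside the hash; neither is secret.
    return {"salt": salt.hex(), "iterations": str(iterations), "hash": digest.hex()}


def verify_salted(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def distinct_digests(users: Dict[str, str]) -> Tuple[int, int]:
    """Return (distinct unsalted digests, distinct salted digests) for one user set.

    Unsalted: alice and bob collapse to a single digest. Salted: every stored
    value differs even though two of the passwords are the same.
    """
    unsalted = {unsalted_sha1(pw) for pw in users.values()}
    salted = {store_salted(pw, iterations=1_000)["hash"] for pw in users.values()}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    print("distinct digests (unsalted, salted):", distinct_digests(SAMPLE_USERS))
    record = store_salted("hatemyjob")
    print("correct password verifies:", verify_salted("hatemyjob", record))
    print("wrong password verifies:", verify_salted("hatemyjob!", record))
```

The `iterations=1_000` used inside `distinct_digests` only keeps the demonstration fast; a real deployment keeps the higher default and stores the count with each record so it can be raised later without invalidating existing hashes.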

Now, almost four years later, a hacker going by the name of “Peace” is offering for sale the database of 167 million accounts, including the emails, hashed and (in many cases) already cracked passwords of 117 million users.

As Motherboard reports, security researcher Troy Hunt has confirmed that at least some of the email addresses and passwords offered for sale are the same as those used by LinkedIn users at the time of the hack.

Worse still, at least one victim contacted by Motherboard confirmed that the stolen credentials matched their current LinkedIn password.

So, what should you do today if you’re a LinkedIn user?

Well, if you didn’t change your LinkedIn password after the 2012 hack – you really should change your password immediately.

Don’t choose an obvious password like ‘linkedin’, ‘hopeless’, ‘killmenow’, ‘iwishiwasdead’, or ‘hatemyjob’ (all of which were revealed to be the passwords of LinkedIn users four years ago).

Instead, choose a hard-to-crack, unique password that isn’t easy to guess and can’t be found in a dictionary. My recommendation is that you use a password manager to generate truly random passwords for your online accounts.

But I cannot emphasise enough the importance of having different, unique passwords for your online accounts. Even if you changed your LinkedIn password in 2012, you might have still used the same password elsewhere on the net. That’s something that online criminals can exploit.

Of course, you won’t be able to remember all of your different passwords – especially if they are hard-to-crack gobbledygook like L{Ki3XG($jPzGAE&KaJ4 – so use a password manager to securely remember them for you.

Having a unique hard-to-crack password isn’t, of course, the only protection you should have in place on your LinkedIn account. I recommend also enabling two-step verification (2SV).

With 2SV in place on your LinkedIn account, hackers won’t just need to steal your account’s password to break into your account – they’ll also require access to your mobile phone to intercept the verification code sent by LinkedIn when someone logs in from a new device.

Via: tripwire

Where to cut corners when the security budget gets tight

Security pros provide advice on where to focus your efforts when money is unexpectedly short on supply.

Whenever creating a budget, there is always the rainy day fund or the contingency account in case of unexpected circumstances. But what if those circumstances are a data breach that is bigger than you could have ever imagined? And you don’t have cyberinsurance?

Sure, you might be up the proverbial creek without a paddle, but fear not: some security pros are willing to throw out a lifeline to help you at least get your head above water with some sage advice.

The common theme when asked about where to cut corners was to make sure your policies and procedures are sewn up tight. There are really no corners to cut but more about having solid policies in place.

Rick Howard, CSO at Palo Alto Networks, said the best thing CISOs can do to bolster their Information Security Program in times of budget shortages is make sure the prevention controls they already have in place are working the way they thought they were going to work when they originally bought and installed them.

“A great truism to our industry is that many of us Network Defenders like to spend money on all kinds of shiny new playthings to defend our networks but fail to make time to get them fully deployed,” he said. “These prevention controls are complicated systems. You can’t simply hook them to your network, turn them on and walk away. Somebody has to maintain them. Somebody has to analyze the data coming out of them. Somebody has to ensure that all the features that the CISOs thought they were buying are actually turned on and working correctly.”

When you are strapped for cash but still want to improve your Information Security Program, spend some time getting to know the already deployed prevention systems.

Stan Black, CSO at Citrix, said organizations short on budget can perform simple but effective security checks, like making sure admin logins and passwords aren’t in use, network and access policies are up to date, and compliance regulations are being met. Performing employee training on how to uphold security best practices, for their own safety as well as the company’s, can greatly help reduce risk and costs only time.

In other words, Black is saying that keeping things secure inside the network helps prevent worse problems from getting in from outside.

“Any recipe for reducing security spend starts with three common areas to reduce operational expense and frankly slow your business down to reduce overall risk. The first area is application security testing, a decade or so ago we used to build our own capabilities with huge OpEx and CapEx requirements. Third party application testing provided the cumulative knowledge of many customers in a single pane of glass. If you want to reduce remediation cost, tie testing tools to CBTs and a comprehensive knowledge base to teach developers to develop secure code,” Black said.

Another area to drastically lower OpEx is threat management. The number of threat actors grows every day, and there are several firms that have tuned their offerings to enumerate threat actor activity relevant to your company. On the other hand, there are many providers that offer threat information regarding the universe of risk; that’s nice, but we focus on our company and our customers. Careful assessment of customization to your supply chain will reduce the noise and enable your team to focus on remediation, not identification. Effective threat intelligence also enables remediation and fortification against real threats, not the millions of unauthorized “pings” enterprises are subject to every minute of every day, he said.

A third topic that can be lost in the new product security market is traffic enumeration. If you don’t create, trust, or can’t validate network traffic, you are at risk. Quantification of the known good, untrusted, and unknown traffic costs nothing except time, but for some reason industries want to buy more tech to tell them they have another network threat, he said.

Gareth O’Sullivan, director of solutions architect – EMEA at WhiteHat Security, said maintaining a secure environment is not simply about adding more security products. It can be argued that no single solution can be a silver bullet to achieving security, certainly not in isolation. If a company, security executive or manager finds themselves in a position where they are questioning their existing security posture or policy, this should be cause for concern or taken as an opportunity to reappraise existing policies or programs. Expenditure on security products needs to be conducted in the context of an overall risk management policy which in turn needs to support an organization’s core business activities.

Reduce duplication

Ravi Devireddy, co-founder and CTO at E8 Security, said that, regardless of whether budget constraints are a factor, a good practice for all organizations is to eliminate operational redundancies in their security practice. Most organizations spend too much time, and money, investigating low-level alerts that are scattered across multiple management systems, which increases their investigative cost per incident.

The best way to reduce unnecessary spend is to ensure all security-relevant data – generated by network systems, applications, and endpoints – is being captured in one centralized system that can automatically prioritize alerts based on risk. Also, giving security analysts the ability to visualize the relationships between targets allows for a more streamlined security practice, eliminating redundant investigative tasks and making sure security teams capture the right information in one location, he said.

“Evaluate all existing programs and policies. Prioritize those strategies that focus on identifying an attackers’ presence based on behaviors and movements that are not considered normal for your organization, and containing that activity as quickly as possible,” he said.

There is a proliferation of enterprise cybersecurity products in the market that often have overlapping and confusing value. It is possible that even if organizations add and deploy additional products, they still may not be more secure today than they were yesterday — or may in fact be less secure and reliable given the additional complexity. Organizations should develop and very critically maintain an enterprise security architecture that is intended to meet corporate requirements, and can be used to understand risks and position potential solutions. If this architecture isn’t in place or isn’t current, now is the time to start, said Andrew Wertkin, CTO at BlueCat Networks.

Organizations may find that they have deployed duplicative capabilities across multiple product sets, and they almost certainly will find that they aren’t leveraging their existing investments. This has led to new product capabilities that leverage the power of DNS, a mission-critical service for the enterprise, to create immediate visibility into compute and add to the security posture of the organization without introducing new infrastructure or changing the physical architecture.

O’Sullivan adds that while acquiring new software or solutions requires budget due to a defined cost, reviewing and updating policy will also have an implicit cost. Efficiencies can be made by regularly updating policy and ensuring it is in line with company goals. For example, in the context of building secure software, adopting a security framework which enables ‘building security in, rather than bolting it on’ can help drive costs down and improve efficiencies by enabling the organization to learn how to build secure software or find and fix vulnerabilities early.

Look to open source

Security doesn’t really have to cost a ton of money. There are a variety of open source tools and technologies that can be adapted to an organization’s needs and deployed securely, said Chase Cunningham, director of cyber threat research at Armor. Anything from an open source IDS to free and accessible threat intelligence feeds is a possibility.

The requirement of course is to use those tools and technologies safely and effectively.

“I don’t ever see a reason to pay for something first no matter how ‘whizbang’ or sexy a UI may be. Organizations can and should try free tools and open source assets when they can and modify them to their needs; that’s the whole purpose of those initiatives. Once that’s been tested out, then they can make the choice of using that technology safely and securely or paying a vendor to fix their problem,” he said.

Contrary to the notion of finding products for next to no cost, Jeff Schilling, CSO at Armor, said there is no magic bullet that allows a security team to have great security without investment. “However, what I have observed is that most security teams have purchased technologies and don’t have the architecture to support the full use of that security technology. It is like building a beautiful dam but not putting it in the right place in the river to build the lake you need. I think most organizations struggle with a secure architecture and cyber terrain that can be defended. A lot of that work is not expensive; in fact, it might allow you to save money, e.g. reducing the number of data centers you use for your environment.”

Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security, added: One of the best ways to improve security without having to pay a single cent is to implement a security-centric development program. Oftentimes, development and security are siloed groups that send tickets over the fence to each other. The developers often don’t understand what the threats are and therefore don’t understand that their code is causing issues. Bringing down the barrier between the two groups and educating the developers on the common threats leads to code with drastically fewer issues, since they will never have been coded in the first place. This training can often be done by the in-house security folks, or if outside training is needed this could come at the expense of the development team.

Via: csoonline

Microsoft’s fascinating GigJam service is open to anyone who wants an invite

It’s an interesting combination of tech that’s aimed to help people work together quickly.

Anyone can get into the private beta of Microsoft’s new GigJam productivity service, which is aimed at helping teams of people collaborate in real time over the Internet, the company announced Thursday.

GigJam combines data from a variety of services including Microsoft’s own Office 365, Trello, Dropbox, and Salesforce. Users can then bring that information into a shared workspace, allowing them to quickly work together.

Users can easily redact part of the information they’re sharing with other people, meaning they can selectively share only what needs to be seen in order to get a job done.

There’s no way around it: GigJam is a kind of wacky product Microsoft has built to help people get work done together. But what’s interesting is that it’s emblematic of the company’s current approach to the productivity market — focused on letting people quickly and independently collaborate across different services while maintaining a secure environment.

Here’s how it works: One user starts a “Gig,” and then pulls in information from whatever services they need, like email, Salesforce, Office documents, and Asana tasks. That information shows up as a card inside GigJam, where users can highlight some information inside a card, redact other information, and then send the whole bundle off to another user for review or editing.

The second person only sees the information that’s being shared with them, so they’re not able to access other parts of the information that the Gig’s originator has in front of her.

It’s a good way to both keep focused on the task at hand (like editing only one slide out of a PowerPoint presentation) and also enables workers to more easily team up with people outside of their organization, like suppliers and contractors who shouldn’t be privy to some information.

The GigJam interface also combines a bunch of interesting input methods. Users can work entirely with the keyboard and mouse, but they can also interact with Gigs using touch and voice input. The service is a crazy bundle of different modern capabilities and looks in demos like something out of the future.

GigJam’s radical differences from other collaboration products like Slack, email, Yammer, and SharePoint are what make it unique and powerful, but may also end up being its undoing. Plenty of companies have bet on innovative productivity services that ended up being less popular than expected. The epic failure of Google Wave comes to mind.

Right now, GigJam is available on Windows and Mac, with a beta of the iOS application coming soon. Users can sign up for the private beta here, and Microsoft says everyone who requests an invitation will get one. People who have already requested an invitation to the beta before now should have one waiting in their inboxes.

Via: itworld

Walmart Sues Visa Over Chip Debit Card Transactions

Walmart is suing Visa, claiming the payments network is preventing the retail chain from letting customers verify chip-enabled debit card transactions with personal identification numbers, or PINs.

According to the Wall Street Journal, the lawsuit was filed in New York State Supreme Court on Tuesday.

The Bentonville, Arkansas-based retail giant argues Visa forces the store to accept signatures when customers pay with their chip-enabled debit cards – a process that Walmart says creates “unacceptable risk” to customers.

“This suit is about protecting our customers’ bank accounts when they use their debit cards at Walmart,” a spokesman for the retailer said on Tuesday.

“We believe Visa’s position creates unacceptable risk to customers and its actions and rules are inconsistent with federal law,” said Walmart.

Furthermore, Walmart stated that chip-and-PIN is currently the “only truly secure form of cardholder verification,” while also providing enhanced security to its customers.

However, Walmart’s dispute also involves money. The statement read:

“Visa has acknowledged in many other countries that chip-and-pin offer greater security. Visa nevertheless has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing those transactions.”

Meanwhile, Visa has declined to comment on the lawsuit.

U.S. retailers were required to adopt payment terminals that were compatible with the chip-and-PIN technology last October to avoid facing liability in the event of consumer fraud.

Chip cards are inserted into payment terminals, instead of swiped, and create a unique code for each transaction, making it more difficult for fraudsters to produce counterfeit cards.

Via: tripwire

WhatsApp launches Desktop Software for Windows and Mac Users

The most popular messaging app, WhatsApp, now has a fully functional desktop app for both the Mac and Windows platforms.

Facebook-owned WhatsApp has been a mobile-only messaging platform since its launch, but as of Tuesday the company is offering a desktop application for both Windows and OS X.

A few months back, WhatsApp launched a Web client that runs in your browser so you can use WhatsApp on your desktop, but now users running Windows 8 or Mac OS X 10.9 and above can use the new desktop app, which mirrors WhatsApp messages from the user’s mobile device.

According to the company’s blog post, the WhatsApp desktop app is similar to WhatsApp Web, with synchronized conversations and messages.

Since the WhatsApp desktop app is native to both the Windows and OS X platforms, it can support desktop notifications and keyboard shortcuts.

WhatsApp has been rising at an extraordinary pace recently. The service has over 1 Billion monthly active users.

At the beginning of the year, the company removed its yearly $1 subscription fee. Just last month, the company rolled out end-to-end encryption for all its users’ communication by default.

Here’s how to Download WhatsApp Desktop Software:

  1. Users running Windows 8 (or newer) or OS X 10.9 (or newer) can download the WhatsApp desktop app directly.
  2. Once downloaded, open the WhatsApp desktop app.
  3. Scan the QR code with your mobile phone to sync your device.

Now enjoy WhatsApping your friends and family straight from your desktop.

Via: thehackernews

DHS Inspector General lambasts TSA’s IT security flaws

TSA typically has not managed security equipment in compliance with departmental guidelines regarding sensitive IT systems, according to an OIG report.

The Transportation Security Administration’s IT department has persistent security problems, including unpatched software, inadequate contractor oversight, weak physical security and inadequate vulnerability reporting.

Those were the main conclusions of a report this week from the Department of Homeland Security’s Office of Inspector General, which specifically examined the TSA’s Security Technology Integrated Program (STIP). The OIG defines STIP as a “mission-essential data management system that connects airport transportation security equipment to servers. Connection to a centralized server allows remote management of passenger and baggage screening equipment and facilitates equipment maintenance, including software changes in response to emerging threats.”

The OIG further explains that STIP enables remote management of that equipment by connecting it to a centralized server that supports data management, aids threat response, and facilitates equipment maintenance, including automated deployment of software and configuration changes. This significantly reduces the time needed to deploy critical software updates and configuration changes in response to emerging threats, for example within and among the screening machines and the STIP central servers, the OIG stated.

The report continues: “As a result of our prior audits of information technology security controls at selected US airports, we repeatedly reported IT security control deficiencies associated with STIP. Across the various locations, we found instances where:

  • TSA was not scanning STIP servers for technical vulnerabilities.
  • Non-DHS airport employees had access to STIP server rooms.
  • TSA had not implemented a process to report STIP-related computer security incidents to the TSA Security Operations Center.
  • STIP servers were not included in information systems security plans.
  • TSA had not established interconnection security agreements to document STIP connections to non-DHS baggage handling systems.
  • STIP servers were using an operating system that was no longer supported by the vendor.
  • STIP information security documentation inadequately identified the risks inherent in operating STIP.
  • The vulnerabilities could adversely affect the availability and the reliability of STIP. According to TSA staff, software patches for -applications were not installed because TSA system owners were concerned that the patches would degrade the performance of their systems.
  • Other vulnerabilities rated ‘high’ by the scanning software but unrelated to these two applications have been known for years — one such vulnerability dates back to 1999.

“These problems occurred because TSA typically has not managed STIP equipment in compliance with departmental guidelines regarding sensitive IT systems. TSA also did not effectively manage all IT components of STIP as IT investments and did not designate these assets as IT equipment. Thus, TSA did not ensure that IT security requirements were included in STIP procurement contracts, which promoted the use of unsupported operating systems that created security concerns and forced TSA to disconnect STIP equipment from the network.

By August 2015, TSA had to disconnect STIP equipment from its network due to IT security concerns created by the unsupported operating systems. As of the end of our fieldwork in December 2015, the equipment was still disconnected,” the OIG stated.

The OIG made 11 recommendations to rectify the security issues including: Ensure that IT security controls are included in STIP system design and implementation so that STIP servers are not deployed with known technical vulnerabilities; ensure that STIP servers use approved operating systems for which the department has established minimum security baseline configuration guidance; and ensure that STIP servers have the latest software patches installed so that identified vulnerabilities will not be exploited.

For its part the TSA said it was addressing the recommendations.

“TSA has developed a Cybersecurity Statement of Objective inclusive of critical requirement to bring legacy transportation security equipment — including the explosive detection system (EDS) servers — into compliance with IT security controls mandated by DHS.

Additionally, future procurements must include these requirements. TSA has also created a formal Cybersecurity Management Framework and Plan that lays out an organizational framework and strategy to oversee the implementation of IT Security requirements onto legacy transportation security equipment. TSA will issue the Cybersecurity Statement of Objective to current transportation security equipment vendors by the end of August 2016,” the TSA stated.

Via: networkworld

Facebook Open Sources its Capture the Flag (CTF) Platform

Hacking into computers, networks and websites could easily land you in jail. But what if you could freely test and practice your hacking skills in a legally safe environment?

Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practices.

Capture the Flag hacking competitions are held at various cyber security events and conferences, including Def Con, to highlight real-world exploits and cyber attacks.

The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised.

Facebook CTF Video Demo:

Since 2013, Facebook has itself hosted CTF competitions at events across the world, and now it is opening the platform to the masses by releasing its source code on GitHub.

“We built a free platform for everyone to use that takes care of the backend requirements of running a CTF, including the game map, team registration, and scoring,” said Gulshan Singh, Software Engineer at Facebook Threat Infrastructure.

In general, a Capture The Flag competition hosts a series of security challenges in which participants have to hack into defined targets and then defend them from other skilled hackers.

“The current set of challenges include problems in reverse-engineering, forensics, web application security, cryptography, and binary exploitation. You can also build your own challenges to use with the Facebook platform for a customized competition,” Mr. Singh said.

Many institutions and organizations have now realized that gamifying cyber security and hacking goes beyond traditional training as a way to exercise your mental muscles and keep sharp the skills that are otherwise only called on when a doomsday scenario actually happens.

Via: thehackernews