Information Security, Ethical Hacking, website Security, Database Security, IT Audit and Compliance, Security news, Programming, Linux and Security.
Friday, 23 January 2015
Computer with Patients’ Personal Information Stolen
Sunglo Home Health Services has thousands of patients across the Valley. Their personal information is in the hands of a Harlingen burglar.
He walked away with sensitive information and it was all caught on surveillance video.
Steven Means with Sunglo Home Health Services said, “We're covering from Rio Grande City all the way to Brownsville - including Raymondville as well.”
He said their patients include the elderly and the disabled. The company drives patients across the Valley in their vans. The vans are kept in a parking lot at the corporate office in Harlingen.
Means said the parking lot was the scene of a burglary early Monday morning.
Harlingen police said the suspect broke into a truck full of tools. Means said the thief was able to find a set of keys to one of the vans inside the truck.
The thief took the tools and some other gear, placed it in the van and then drove away.
Surveillance video showed the burglar return to take more property.
According to Means, the man broke a window with a fire extinguisher and stole a computer.
That computer contained the Social Security numbers and personal information belonging to thousands of their patients.
“We're just worried about the safety of the patients themselves because of the information. We had to contact local police to see what we could do,” said Means.
Sergeant Dave Osborne with the Harlingen Police Department said they are looking for the public’s help because the bad guy may not have been working alone.
Thousands of patients are now waiting to see if thieves log on and download their personal information.
Means, the IT director for Sunglo, said they have contacted all of their patients to let them know about the security breach. He said he will continue to monitor the computer in case someone decides to power it up.
There are specific steps you should take if you think someone has stolen your personal information.
The Better Business Bureau said to contact all the major credit reporting agencies. They also said you should ask them to put a fraud alert and credit freeze on your accounts.
Keep a close watch on your credit card and bank accounts to make sure no one is making charges or taking your money.
They also suggest filing an ID theft kit from the Texas Attorney General.
Symantec data centre security software has security holes
Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms that the company plugged this week because they allowed hackers to gain privileged access to management servers.
The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.
SEC Consult researcher Stefan Viehböck, who found the flaws, said the products should not be used until a full security audit was conducted.
"Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level," Viehböck wrote in an advisory.
"Furthermore attackers can manage all clients and their policies.
"It is highly recommended by SEC Consult not to use this software until a thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been performed by security professionals and all identified issues have been resolved."
Hackers with access to the SDCS:SA server could potentially pivot within the corporate network and could bypass client protections.
Four flaws were reported including an unauthenticated SQL injection (CVE-2014-7289) granting attackers read and write access to database records and SYSTEM code execution privileges.
A reflected cross-site scripting flaw (CVE-2014-9224) was dug up, allowing attackers to steal other users' sessions and gain access to the admin interface.
Information disclosure (CVE-2014-9225) was possible with a script that spewed internal server application data without requiring authentication, including file paths on the web server, and version information (OS, Java).
Multiple default security protection policy bypasses were discovered that were tempered by the requirement for administrator permissions. These included persistent code execution via Windows Services; remote code execution via remote procedure call; extraction of Windows passwords and hashes; privilege elevation via Windows Installer, and privilege elevation and code execution via Windows Management Instrumentation.
Proof-of-concept code was published to exploit the respective vulnerabilities, giving urgency to the need for customers to apply patches and workarounds for those flaws yet unfixed.
Viehböck first tipped Symantec off to the holes in November under a disclosure timeline that appeared to run smoothly between bug hunter and vendor.
Stratfor hacker and FBI-harasser Barrett Brown gets five years inside
Barrett Brown is going to be spending a little longer inside than he thought after a Dallas judge threw the book at him on charges related to the hacking attack on private US intelligence firm Stratfor.
Lawyers for Brown had been hoping their client would get off with time served, as he has spent the last 28 months in federal prison. Instead he got five years and three months for aiding and abetting, attempting to hide evidence, and threatening a Federal officer, and will have to pay a fine of $890,000, most of which will go to Stratfor.
"For the next 35 months, I'll be provided with free food, clothes, and housing as I seek to expose wrongdoing by Bureau of Prisons officials and staff and otherwise report on news and culture in the world's greatest prison system," Barrett said in a statement.
"I want to thank the Department of Justice for having put so much time and energy into advocating on my behalf; rather than holding a grudge against me for the two years of work I put into in bringing attention to a DOJ-linked campaign to harass and discredit journalists like Glenn Greenwald, the agency instead labored tirelessly to ensure that I received this very prestigious assignment. Wish me luck!"
Brown came to prominence in 2011 as a journalist with a close relationship to some members of the hacking group Anonymous. He set up the Project PM wiki to analyze leaked information from events like the HBGary hack and appeared on the media as a self-declared Anonymous spokesperson.
In March 2012 federal investigators raided his and his mother's house as part of an investigation into the HBGary affair and others like it. Several laptops were seized and taken away for investigation.
In September 2012 he posted a trio of 15-minute rants on YouTube in which he accused the FBI of going after him and his mother and threatened to release identifying information on a certain officer. During the rant Brown admitted he was weaning himself off opiates at the time of filming.
He was arrested the same day and charged with threats, conspiracy and retaliation against a federal law enforcement officer shortly afterwards. Then in December, 12 more charges were added, related to the hacking of secretive US data investigations outfit Stratfor.
On Christmas Day 2011 Stratfor's website went dark and Anonymous announced it had comprehensively pwned the firm and stolen 200GB of data. Stratfor emails published via WikiLeaks showed that the US government had already drawn up secret charges against Assange and revealed that the security firm was storing credit card details and passwords in plain text.
That credit card data was used to make donations to various charities. Brown published a hyperlink to some of the stolen credit card files from wikisend.com from the Anonops IRC to his own channel. The Feds insisted this was a form of identity theft, a position Barrett's lawyers opposed.
In January two more charges were added against Brown for trying to conceal laptops during the March FBI raid, bringing his maximum possible time inside to over 100 years if found guilty. His mother was also charged and received a six month suspended sentence and a small fine.
The case was placed under a media gagging order in September 2013 and two months later Jeremy Hammond, the hacker who cracked Stratfor, got the maximum sentence of ten years in prison for his role.
In a plea bargain arranged last March the government agreed to drop most of the charges against Brown relating to his posting of the hyperlink. But the remaining charges stuck, and now he's off to prison until 2019 at the latest, although he'll be eligible for parole in a year.