<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Fahmida Rashid, Author at Security Current</title>
	<atom:link href="/author/fahmida-rashid/feed/" rel="self" type="application/rss+xml" />
	<link>/author/fahmida-rashid/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:42:14 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Fahmida Rashid, Author at Security Current</title>
	<link>/author/fahmida-rashid/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Healthcare.gov Site Reportedly Sharing Personal Information of Visitors</title>
		<link>/healthcare-gov-site-reportedly-sharing-personal-information-of-visitors/</link>
					<comments>/healthcare-gov-site-reportedly-sharing-personal-information-of-visitors/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Thu, 22 Jan 2015 13:06:20 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17476</guid>

					<description><![CDATA[<p>The healthcare.gov site is sharing personal information about visitors to its site to third-party advertisers, according to a report by The Associated Press. The website for the federal healthcare exchange provides&#8230;</p>
<p>The post <a href="/healthcare-gov-site-reportedly-sharing-personal-information-of-visitors/">Healthcare.gov Site Reportedly Sharing Personal Information of Visitors</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>The healthcare.gov site is sharing personal information about visitors to its site to third-party advertisers, according to a report by <a href="http://bigstory.ap.org/article/31490a20926d4ed3b98ff2d0ed8fc81d/new-privacy-concerns-over-governments-health-care-website">The Associated Press</a>.</p>
<p>The website for the federal healthcare exchange provides advertising networks with information such as the visitor’s age, annual income, zip code and state, whether he or she smokes, whether she is pregnant, and whether the person has children, according to the AP report.</p>
<p>The data, along with the computer&#8217;s IP address, was included in the referrer header sent to outside advertisers. The Electronic Frontier Foundation found the information was being sent even if the user had enabled &#8220;Do Not Track&#8221; in the browser.</p>
<p>While there is no evidence that personal information has been misused, the data has already been provided to at least 14 outside domains.</p>
<p>The fact that the data was provided by a healthcare portal was &#8220;negligent at best&#8221; and could be &#8220;potentially devastating&#8221; if misused, said Cooper Quintin, a technologist with the EFF. Considering how sensitive health information is, people&#8217;s private medical data should not be available to third party companies without consent from the user, he said.</p>
<p>&#8220;It&#8217;s especially troubling that the U.S. government is sending personal information to commercial companies on a website that&#8217;s touted as the place for people to obtain health care coverage,&#8221; said Quintin.</p>
<p>Advertising networks can show users targeted ads based on this information and on data culled from tracking cookies. While third-party sites embedded on HealthCare.gov can&#8217;t see the visitor&#8217;s name, birth date or Social Security number, they may be able to correlate that person&#8217;s visit to healthcare.gov with activity elsewhere on the Internet.</p>
<p>If the visitor was researching coronary disease, looking at stop-smoking aids, or researching pregnancy-related information, these can be linked together in a detailed profile of that person and show those targeted ads.</p>
<p>&#8220;This new information is extremely concerning, not only because it violates the privacy of millions of Americans, but because it may potentially compromise their security,&#8221; Senators Orrin Hatch, R-Utah, and Charles Grassley, R-Iowa, wrote in a <a href="http://thehill.com/policy/healthcare/230238-obamacare-site-sharing-data-with-third-parties">letter to the administration</a>.</p>
<p>Outside vendors &#8220;are prohibited from using information from these tools on HealthCare.gov for their companies&#8217; purposes,&#8221; administration spokesman Aaron Albright told AP. HealthCare.gov&#8217;s privacy policy says &#8220;no personally identifiable information is collected&#8221; by these third-party tools.</p>
<p>The EFF recommended healthcare.gov disable third-party trackers for any user that requests a clear opt out using the browser&#8217;s DNT header.</p>
<p>&#8220;I think that this could erode &#8230; confidentiality when dealing with medical data and medical information,&#8221; said Quintin.</p>
]]></content:encoded>
					
					<wfw:commentRss>/healthcare-gov-site-reportedly-sharing-personal-information-of-visitors/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>FBI Warns of Destructive Malware Post Sony Attack</title>
		<link>/fbi-warns-of-destructive-malware-post-sony-attack/</link>
					<comments>/fbi-warns-of-destructive-malware-post-sony-attack/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Tue, 02 Dec 2014 14:16:47 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17510</guid>

					<description><![CDATA[<p>Cybercriminals are targeting U.S. businesses with malware with destructive capabilities, much like the one that recently crippled Sony, the Federal Bureau of Investigation warned late Monday. The malware described in&#8230;</p>
<p>The post <a href="/fbi-warns-of-destructive-malware-post-sony-attack/">FBI Warns of Destructive Malware Post Sony Attack</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Cybercriminals are targeting U.S. businesses with malware with destructive capabilities, much like the one that recently crippled Sony, the Federal Bureau of Investigation warned late Monday.<br />
The malware described in the five-page confidential &#8220;flash&#8221; FBI warning issued to businesses on Monday appear to be the same as the one that affected Sony Pictures Entertainment last week, security experts told Reuters. The FBI did not mention Sony by name in the warning and also did not say how many companies have already been targeted.<br />
The malware is capable of overwriting all data on the hard drives of infected computers, including the master boot record. The attack on Sony brought down corporate email and crippled other systems. Attackers also dumped a treasure trove of information online.<br />
“The main news story in the FBI advisory is the abrupt shift from theft to destructive vandalism,&#8221; said Dr. Mike Lloyd, CTO at RedSeal. Most breaches tend to focus on stealing valuable data, not outright destruction. While some of the data—related to unreleased movies—was stolen and exposed, the attackers were intent on damaging equipment, he said.<br />
The malware attack against Sony would be the &#8220;first major destructive cyber-attack waged against a company on U.S. soil,&#8221; Reuters reported. Similar attacks—such as the Shamoon attack against Saudi Aramco in 2012—have been observed in other parts of the world, namely Asia and the Middle East. Many experts believe these attacks are launched on behalf of North Korea and Iran.<br />
“The FBI&#8217;s decision to communicate the likelihood of attacks resulting in high damage including complete loss of data indicates their belief in a widespread, concerted effort to damage business infrastructure,&#8221; said Steve Hultquist, chief evangelist at Red Seal.<br />
The warning provided technical details for the malware and recommended that businesses contact the FBI if they encountered similar malware. Repairing affected systems requires re-imaging at best and wholesale hard drive replacement in the worst case.<br />
&#8220;The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,&#8221; the report said.<br />
The report also mentioned some of the software used was compiled in Korean, but did not draw any links to North Korea.<br />
&#8220;The Sony attack is a wake-up call for businesses – it explains why the FBI is warning organizations to review their defensive readiness, since a similar “IT bomb thrower” can easily target their infrastructure to do similar damage.”</p>
]]></content:encoded>
					
					<wfw:commentRss>/fbi-warns-of-destructive-malware-post-sony-attack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Federal Weather System Breached</title>
		<link>/federal-weather-system-breached/</link>
					<comments>/federal-weather-system-breached/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Wed, 12 Nov 2014 14:24:56 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17517</guid>

					<description><![CDATA[<p>China-based attackers are back in the news again, this time for breaching the federal weather network, officials told the Washington Post. The initial intrusion appears to have occurred late September,&#8230;</p>
<p>The post <a href="/federal-weather-system-breached/">Federal Weather System Breached</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>China-based attackers are back in the news again, this time for breaching the federal weather network, officials told the Washington Post.<br />
The initial intrusion appears to have occurred late September, but officials from the National Oceanic and Atmospheric Administration (NOAA) did not take steps or notify proper authorities until October, the Post reported.<br />
NOAA declined to say its systems had been compromised or discuss the nature of the intrusion. It publicly stated it was undergoing &#8220;unscheduled maintenance&#8221; in October without saying why.<br />
&#8220;Incident response began immediately,&#8221; NOAA spokesman Scott Smullen told the Post.<br />
NOAA, which includes the National Weather Service, operates satellites, which capture most of the data used to generate weather models, advisories, and warnings. Four sites were affected, but all systems are now functional.<br />
It&#8217;s not known whether the breach involved classified material or if the attackers accessed any information. It&#8217;s also not known if any malware was injected into its systems, which also connect to civilian networks to share NOAA satellite data and imagery.<br />
“NOAA told me it was a hack and it was China,” U.S. Rep. Frank Wolf (R-VA) told the Post. Wolf accused the NOAA of covering up the incident &#8220;and deliberately misleading the American public in its replies.&#8221;<br />
This breach comes shortly on the heels of the United States Postal Service admitting a breach, which compromised data of 800,000 employees. Another attack—suspected to be from Russia—breached unclassified White House computer networks.<br />
Many of these attacks are targeting weaknesses in application software, says Jeff Williams, CTO of Contrast Security. &#8220;Application security is considerably worse in government systems than in the financial sector,&#8221; he says.<br />
There have been warnings about issues in NOAA&#8217;s security, the latest being a July report by the Inspector General for the Commerce Department. The report found “high-risk vulnerabilities” in the security of NOAA’s satellite information and weather service systems.</p>
]]></content:encoded>
					
					<wfw:commentRss>/federal-weather-system-breached/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>FBI Investigates Cyber Attack on US Postal Service</title>
		<link>/fbi-investigates-cyber-attack-on-us-postal-service/</link>
					<comments>/fbi-investigates-cyber-attack-on-us-postal-service/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Tue, 11 Nov 2014 14:27:08 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17519</guid>

					<description><![CDATA[<p>The Federal Bureau of Investigation is investigating a cyber attack earlier this year against the U.S. Postal Service that exposed the personal information of every single employee. Personal information of&#8230;</p>
<p>The post <a href="/fbi-investigates-cyber-attack-on-us-postal-service/">FBI Investigates Cyber Attack on US Postal Service</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>The Federal Bureau of Investigation is investigating a cyber attack earlier this year against the U.S. Postal Service that exposed the personal information of every single employee.<br />
Personal information of more than 800,000 postal employees has been exposed, as well as that of customers who contacted the USPS call center by telephone or email between January and August 16 of this year.<br />
Employee data includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information, the Postal Service said on Monday. Exposed call center data included names, e-mail addresses and phone numbers, but not social security numbers. The breach also did not affect credit card data from retail services such as usps.com, Click-N-Ship, the Postal Store, PostalOne!, and change of address services.<br />
&#8220;The intrusion is limited in scope and all operations of the Postal Service are functioning normally,&#8221; USPS spokesman David Partenheimer said in a statement posted on the USPS site. New security measures and procedures have been put in place.<br />
The &#8220;sophisticated actor&#8221; behind this attack does not appear to have been interested in identity theft or credit card fraud, Partenheimer said. Even so, employees will receive credit-monitoring services for one year.<br />
There are some reports blaming Chinese actors for the breach against USPS, but there is no clear evidence at the moment indicating who the perpetrators are. A cyber-espionage operation is very likely since the target network contained personnel data, which can be useful for human intelligence or counterintelligence operations. Even so, it&#8217;s not clear how useful information about postal employees would be to foreign governments.<br />
“The recent breach at USPS reinforces that data is the new currency and attackers are going after rich veins of private information, whether it’s employee or customer data,” said Eric Chiu, president &amp; co-founder of HyTrust.<br />
The Chinese government has consistently denied it engages in cyber-espionage.<br />
This breach follows the August incident against US Investigations Services, a firm that performs background checks for U.S. government employees. The USIS attack compromised the data of at least 25,000 workers. There was also an attack against the Office of Personnel Management. There is no data available to suggest a relationship between these incidents.<br />
“Unfortunately, this breach is just the latest in a series of incidents that have targeted the US government,&#8221; said Dan Waddell, director of government affairs at (ISC)2.<br />
The exposed information could be used in targeted spear-phishing attacks against USPS employees, which could in turn be used to &#8220;extract additional information such as USPS intellectual property, credit card information and other types of sensitive data,” Waddell warned.</p>
]]></content:encoded>
					
					<wfw:commentRss>/fbi-investigates-cyber-attack-on-us-postal-service/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>More Calls for Businesses to Adopt EMV Chip Payment Technology</title>
		<link>/more-calls-for-businesses-to-adopt-emv-chip-payment-technology/</link>
					<comments>/more-calls-for-businesses-to-adopt-emv-chip-payment-technology/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Tue, 28 Oct 2014 14:31:19 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17523</guid>

					<description><![CDATA[<p>Another industry alliance joined the chorus urging businesses that process debit and credit cards to implement EMV payment chip technology to combat fraud. EMV stands for Europay, MasterCard® and Visa®, the&#8230;</p>
<p>The post <a href="/more-calls-for-businesses-to-adopt-emv-chip-payment-technology/">More Calls for Businesses to Adopt EMV Chip Payment Technology</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Another industry alliance joined the chorus urging businesses that process debit and credit cards to implement EMV payment chip technology to combat fraud.</p>
<p>EMV stands for Europay, MasterCard® and Visa®, the developers of the technology. It has been used in Europe since 1992, and moves are underway to make it the standard payment type in the United States.</p>
<p>The Smart Card Alliance Payments Council wrote in a newly released white paper that a multi-layer approach, in which businesses use EMV chip, tokenization and encryption security technologies in conjunction, will secure the payments infrastructure and prevent card fraud.</p>
<p>The details of how to implement these layers would have to account for the organization&#8217;s unique requirements, environment and budgets, but everyone should be considering how to work with these three technologies, the authors said.</p>
<p>“This white paper is a good start for any stakeholder starting to consider their best approach for implementing the three technologies,” Randy Vanderhoof, executive director of the Smart Card Alliance, said in a statement.</p>
<p>The white paper discusses the authorization process for chip payment and the value of EMV to both card issuers and merchants, presents different ways encryption can be implemented to secure payment data, and identifies tokenization initiatives focused on issuing and working with tokens.</p>
<p>Chip technology cuts down on counterfeit cards because it requires cryptographic card authentication. The EMV specification supports several ways to authorize transactions. End-to-end and point-to-point encryption immediately protects the card data as it enters the system—swipe or key entry—so that unauthorized individuals cannot access the information.</p>
<p>Tokenization substitutes surrogate values that are worthless once they are taken out of the system. Under tokenization, there are no credit card numbers to steal, but rather some other data that is useless outside the merchant system. Apple Pay uses tokenization to secure payment card data by never letting the card number leave the mobile device.</p>
<p>The &#8220;Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization” whitepaper is available on the <a href="http://www.smartcardalliance.org/publications-technologies-for-payment-fraud-prevention-emv-encryption-and-tokenization/">Smart Card Alliance site</a>.</p>
<p>Participating organizations include: Accenture, American Express, Bell ID, CH2M Hill, Chase Card Services, CPI Card Group, Datacard Group, First Data Corporation, Fiserv, Gemalto, Giesecke &amp; Devrient, Heartland Payment Systems, Ingenico, INSIDE Secure, MasterCard, NXP Semiconductors, Oberthur Technologies, SHAZAM, Tyfone, Valid USA, Vantiv, Visa Inc., Washington Metropolitan Area Transit Authority (WMATA), Wells Fargo.</p>
]]></content:encoded>
					
					<wfw:commentRss>/more-calls-for-businesses-to-adopt-emv-chip-payment-technology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Salesforce Under Cyber Attack; Issues Malware Warning</title>
		<link>/salesforce-under-cyber-attack-issues-malware-warning/</link>
					<comments>/salesforce-under-cyber-attack-issues-malware-warning/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Thu, 11 Sep 2014 15:55:32 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17549</guid>

					<description><![CDATA[<p>Attackers are targeting Salesforce users with malicious emails designed to trick victims into downloading the Dyreza malware onto their computers, the software-as-a-service giant warned customers earlier this week. Salesforce said&#8230;</p>
<p>The post <a href="/salesforce-under-cyber-attack-issues-malware-warning/">Salesforce Under Cyber Attack; Issues Malware Warning</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Attackers are targeting Salesforce users with malicious emails designed to trick victims into downloading the Dyreza malware onto their computers, the software-as-a-service giant warned customers earlier this week.</p>
<p>Salesforce said it was not aware of any customers who have been affected by the attacks. The attackers have not compromised Salesforce systems.</p>
<p>The attacks typically use social engineering tactics to trick users into clicking on a website link in an email. The site then downloads Dyreza onto the victim&#8217;s computer. The malware hooks into the browser and intercepts everything users enter on websites, such as account credentials on login screens and other data on Web forms. Since Dyreza diverts user traffic through a remote server, the malware can intercept two-factor authentication values as well.</p>
<p>Dyreza has been implicated in past attacks against financial institutions, such as the recent attempt to steal user credentials from JPMorgan Chase employees. However, Dyreza (or Dyre as some security companies call it), is not a variant of Zeus or other banking Trojans.</p>
<p>Some security experts suggested the attackers were shifting tactics from financial fraud to just looking for any kind of corporate data. &#8220;Data is the new gold and attackers are looking to get to the crown jewels and many companies store critical sales and business information in Salesforce,&#8221; said Eric Chiu, president and co-founder of cloud control company HyTrust.</p>
<p>Other experts said it was more likely that attackers were planning on monetizing user credentials, such as by selling them on underground markets. &#8220;While similar commoditized malware has been used for &#8216;corporate espionage&#8217; in the past, in this case it is more likely that the targeting of Salesforce credentials is instead an attempt to collect corporate credentials for financial gain,&#8221; iSIGHT Partners said via email.</p>
<p>Salesforce outlined suggestions on mitigating the risks associated with this attack on its <a href="http://www.trust.salesforce.com/trust/practices">website</a>. Administrators can restrict IP addresses so that only users from the corporate network, or via the virtual private network (VPN) are allowed to log in to Salesforce. This step would block Dyreza since Salesforce would reject attempts to access the system from other servers.</p>
]]></content:encoded>
					
					<wfw:commentRss>/salesforce-under-cyber-attack-issues-malware-warning/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Up to 5 Million Gmail Passwords Posted on a Russian Bitcoin Forum</title>
		<link>/up-to-5-million-gmail-passwords-posted-on-a-russian-bitcoin-forum/</link>
					<comments>/up-to-5-million-gmail-passwords-posted-on-a-russian-bitcoin-forum/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Thu, 11 Sep 2014 15:53:05 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17547</guid>

					<description><![CDATA[<p>Up to 5 million passwords for Gmail accounts were posted on a Russian Bitcoin forum on Wednesday. As security incidents go, the password dump is a non-event, as the list&#8230;</p>
<p>The post <a href="/up-to-5-million-gmail-passwords-posted-on-a-russian-bitcoin-forum/">Up to 5 Million Gmail Passwords Posted on a Russian Bitcoin Forum</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Up to 5 million passwords for Gmail accounts were posted on a Russian Bitcoin forum on Wednesday. As security incidents go, the password dump is a non-event, as the list seems to be a compilation of previous breaches over the past years and not a fresh data dump.</p>
<p>Most of the passwords were more than three years old, Peter Kruse, a partner and eCrime specialist at Denmark&#8217;s CSIS Security Group, said on Twitter.</p>
<p>Even so, this dump is &#8220;still a useful reminder&#8221; to keep separate things separate, said Mike Lloyd, CTO of Red Seal Networks. It&#8217;s tempting to take the easy path and use the same password in multiple places, but attackers will take advantage of that.</p>
<p>The fact that these passwords may be stale and out-of-date for Gmail doesn&#8217;t mean they are not still in use on other accounts, security experts warned. Password reuse, despite recent breaches and dire warnings, is still rampant.</p>
<p>Hackers will test the stolen credentials on websites where valuable information can be gleaned, like those of banks and other email service providers, predicted Ryan Wilk, director of customer success at NuData Security.</p>
<p><a href="https://googleonlinesecurity.blogspot.com/2014/09/cleaning-up-after-password-dumps.htm">Google said</a> only 1 percent to 2 percent of the passwords were actually still in use, and those accounts have been secured. There are a number of sites available which can be used to look up whether an email address is in the list. <a href="https://www.haveibeenpwned.com/">Troy Hunt,</a> the security researcher behind HaveIBeenPwned.com, said on Twitter there was about 18 percent overlap between this list and those from other breaches in his database.</p>
<p>It&#8217;s also not known whether this dump is related to the list of 1 billion usernames/passwords stolen by a Russian cybercrime group.</p>
<p>While it&#8217;s important to have strong, unique passwords, it is just as important to use two-factor authentication wherever possible, especially for high-value accounts such as email and financial accounts. Google offers two-factor authentication, and users should enable the feature so that if their passwords ever get leaked, they are still protected.</p>
<p>&#8220;If we object to the inconvenience, then bad guys will align their attacks to match our laziness,” Lloyd said.</p>
<p>The post <a href="/up-to-5-million-gmail-passwords-posted-on-a-russian-bitcoin-forum/">Up to 5 Million Gmail Passwords Posted on a Russian Bitcoin Forum</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/up-to-5-million-gmail-passwords-posted-on-a-russian-bitcoin-forum/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Home Depot Continues Investigation Into Reported Breach</title>
		<link>/home-depot-continues-investigation-into-reported-breach/</link>
					<comments>/home-depot-continues-investigation-into-reported-breach/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Thu, 04 Sep 2014 16:09:49 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17555</guid>

					<description><![CDATA[<p>Home improvement retailer Home Depot is still investigating a possible breach where cyber-criminals may have stolen credit and debit card details from nearly all of its 2,200 stores in the&#8230;</p>
<p>The post <a href="/home-depot-continues-investigation-into-reported-breach/">Home Depot Continues Investigation Into Reported Breach</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Home improvement retailer Home Depot is still investigating a possible breach where cyber-criminals may have stolen credit and debit card details from nearly all of its 2,200 stores in the United States this year. <a href="https://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/">Krebs on Security</a> first reported the alleged breach on Tuesday.</p>
<p>Home Depot CEO Frank Blake told investors at the Goldman Sachs Annual Retailing Conference on Thursday that Home Depot had learned of the possible breach on Tuesday and the retailer and its partners were &#8220;working around the clock to find the breach.&#8221; However, he did not confirm that a breach had occurred.</p>
<p>On Wednesday, Home Depot released the following statement: &#8220;We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately.&#8221;</p>
<p>If the breach is confirmed, it would be the most widespread attack in recent months, overshadowing even Target, where cyber-criminals late last year stole at least 40 million payment card numbers and 70 million other pieces of personal information.</p>
<p>Previous reports have said Home Depot is working with Symantec and Fishnet Security in its investigation. Home Depot has also reportedly been in contact with the U.S. Secret Service, a law enforcement source told <a href="https://www.reuters.com/article/2014/09/04/us-usa-homedepot-dataprotection-idUSKBN0GZ1O020140904">Reuters</a> Thursday.</p>
<p>At this point, there is a lot that is still unknown. Home Depot has not elaborated on the nature of its investigation, when the unusual activity was discovered, how long the issue may have been present, or how many stores may have been affected.</p>
<p><a href="https://krebsonsecurity.com/2014/09/data-nearly-all-u-s-home-depot-stores-hit/">Krebs on Security</a> analyzed what is believed to be the cache of stolen cards from Home Depot to determine the geographic distribution of the victims. The analysis had a near 99 percent correlation with areas where Home Depot has a location, making it likely that nearly every location has been affected in this incident.</p>
<p>The recent wave of data breaches at major retailers has exposed the poor security surrounding point-of-sale systems, and the level of unpreparedness of the retail industry overall. Many banks have accelerated their timetables for issuing credit and debit cards embedded with chips, as they are more secure than the traditional cards with data stored on the magnetic stripe. Many retailers have been rolling out new credit card terminals to accept these new cards.</p>
<p>Ironically, Home Depot has been among the most aggressive U.S. retailers in installing these terminals. Blake said Home Depot had not yet activated the chip-reading technology on these terminals, but will do so before the end of the year.</p>
<p>The post <a href="/home-depot-continues-investigation-into-reported-breach/">Home Depot Continues Investigation Into Reported Breach</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/home-depot-continues-investigation-into-reported-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>IEEE Launches Center for Secure Design with Google, Twitter, Harvard and Others</title>
		<link>/ieee-launches-center-for-secure-design-with-google-twitter-harvard-and-others/</link>
					<comments>/ieee-launches-center-for-secure-design-with-google-twitter-harvard-and-others/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Wed, 03 Sep 2014 16:15:01 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17559</guid>

					<description><![CDATA[<p>Google, Twitter, and HP are teaming up with 10 other technology companies and universities to help developers design secure software and write better code. An initiative under the Institute of&#8230;</p>
<p>The post <a href="/ieee-launches-center-for-secure-design-with-google-twitter-harvard-and-others/">IEEE Launches Center for Secure Design with Google, Twitter, Harvard and Others</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Google, Twitter, and HP are teaming up with 10 other technology companies and universities to help developers design secure software and write better code.</p>
<p>An initiative under the Institute of Electrical and Electronics Engineers (IEEE) Computer Society, the new group focuses on practical recommendations for secure software design.</p>
<p>The other founding members of the IEEE Center for Secure Design (IEEE CSD) are Athens University of Economics and Business, Cigital, EMC, George Washington University, Harvard University, Intel/McAfee, RSA, Sadosky Foundation, Ministry of Science, Technology and Productive Innovation of Argentina, and the University of Washington.</p>
<p>The group also released the &#8220;Avoiding the Top 10 Software Security Design Flaws&#8221; report on Aug. 27 outlining the 10 best practices to avoid common software flaws. The report is the result of a workshop where representatives from each of the founding members met to discuss software security design flaws that they had identified in their own internal design reviews.</p>
<p>“The Center for Secure Design will play a key role in refocusing software security on some of the most challenging open design problems in security,” said Neil Daswani of the security engineering team at Twitter. “By putting focus on security design and not just focusing on implementation bugs in code, the CSD does even the most advanced companies in the space a huge service.”</p>
<p>IEEE CSD was careful to differentiate between flaws and bugs in its report, noting that flaws generally are the result of poor design decisions rather than mistakes in programming. The report covered improper use of encryption as well as the necessity of validating every piece of input data.</p>
<p>“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50 per cent of software security issues,&#8221; said Gary McGraw, chief technology officer at Cigital.</p>
<p>The list of recommendations is below, with more details provided in the report, available on the <a href="http://cybersecurity.ieee.org/">IEEE CSD website</a>.</p>
<ul>
<li>Earn or give, but never assume, trust</li>
<li>Use an authentication mechanism that cannot be bypassed or tampered with</li>
<li>Authorize after you authenticate</li>
<li>Strictly separate data and control instructions, and never process control instructions received from untrusted sources</li>
<li>Define an approach that ensures all data are explicitly validated</li>
<li>Use cryptography correctly</li>
<li>Identify sensitive data and how they should be handled</li>
<li>Always consider the users</li>
<li>Understand how integrating external components changes your attack surface</li>
<li>Be flexible when considering future changes to objects and actors</li>
</ul>
<p>The post <a href="/ieee-launches-center-for-secure-design-with-google-twitter-harvard-and-others/">IEEE Launches Center for Secure Design with Google, Twitter, Harvard and Others</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/ieee-launches-center-for-secure-design-with-google-twitter-harvard-and-others/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Black Hat at a Glance</title>
		<link>/black-hat-at-a-glance/</link>
					<comments>/black-hat-at-a-glance/#respond</comments>
		
		<dc:creator><![CDATA[Fahmida Rashid]]></dc:creator>
		<pubDate>Fri, 08 Aug 2014 16:42:00 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17569</guid>

					<description><![CDATA[<p>In its 17th year, the annual Black Hat security conference was bigger than ever, with more than 8,000 registered attendees, 147 vendors exhibiting in the expo hall, and more workshops.&#8230;</p>
<p>The post <a href="/black-hat-at-a-glance/">Black Hat at a Glance</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In its 17th year, the annual Black Hat security conference was bigger than ever, with more than 8,000 registered attendees, 147 vendors exhibiting in the expo hall, and more workshops. The conference&#8217;s size and its move from Caesars Palace to Mandalay Bay are fairly cosmetic changes, though: the tenor of the conference had completely changed as well.</p>
<p>Black Hat was, at heart, always a hacker conference. The hackers showed off the latest things they&#8217;d managed to break, and tried to outdo each other on creativity. It was about breaking ATMs, showing off zero-day exploits, and causing controlled chaos. This year&#8217;s vibe, however, was less hacker, more professional.</p>
<p>Consider what Dan Geer, the CISO of In-Q-Tel, the CIA&#8217;s investment arm, said about bug hunting during his <a href="https://blackhat.com/us-14/video/cybersecurity-as-realpolitik.html">opening keynote</a> on Wednesday: “Finding vulnerabilities got to be too hard to do as a hobby in your spare time &#8212; you needed to work it like a job and get paid like a job.”</p>
<p>The attendee makeup also reflected the conference&#8217;s growing professionalism. Alongside the people who do security every day were those who traditionally would never have considered security as part of their job description, including software developers from non-security companies.</p>
<p>Geer noted during a press conference that people are increasingly willing to do the right thing, so long as everyone else is doing the same thing. Whether that applies to mandatory breach reporting or to having to invest in making sure certain things are done securely, if it&#8217;s clear the rules apply equally to everyone, there will be less pushback. No one wants to feel like they are being picked on, he said.</p>
<p>The conversations were also a mix of breaking things and the business of security. “We aren’t likely to hear much about NIST frameworks, GRC, or CISO strategies,” the Enterprise Strategy Group&#8217;s Jon Oltsik wrote in a preview of the conference. As it turns out, the roundtable discussion on the NIST Framework for protecting critical infrastructure was so in demand that the room filled to capacity. And this was while a pair of researchers discussed how to remotely hack a car.</p>
<p>“I have long preferred to hire security people who are, more than anything else, sadder but wiser,” Geer said towards the end of his speech. “They, and only they, know that most of what commercially succeeds, succeeds only so long as attackers do not give it their attention while what commercially fails, fails not because it didn&#8217;t work but because it wasn&#8217;t cheap or easy or sexy enough to try.”</p>
<p>The post <a href="/black-hat-at-a-glance/">Black Hat at a Glance</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/black-hat-at-a-glance/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
