FCW: DHS could hire 1,000 more cybersecurity professionals

The Homeland Security Department will hire up to 1,000 additional people to work in cybersecurity jobs over the next three years, senior DHS officials announced today.

The new employees will be scattered across DHS agencies and will work in areas such as cyber risk and strategic analysis, cyber incident response, vulnerability detection and assessment, intelligence and investigation, and network and systems engineering, DHS said. The hiring authority comes from a joint effort between DHS, the Office of Personnel Management and the Office of Management and Budget, according to the department.

Homeland Security Secretary Janet Napolitano announced the program in Washington at an event hosted by the National Cyber Security Alliance. Philip Reitinger, deputy undersecretary of DHS’ National Protection and Programs Directorate (NPPD), which includes the National Cybersecurity Division (NCSD), joined Napolitano at the event.

DHS is in charge of protecting the federal government’s civilian computer networks and leads efforts to work with industry to enhance cybersecurity.

“This authority will assist us in recruiting the best people in the world to come work for us over the next few years as cyber analysts, developers and engineers,” Napolitano said. “So look out – we’re coming.”

[More, via Federal Computer Week]

New Malware Re-Writes Online Bank Statements to Cover Fraud

Pretty unnerving trick, if this is efficient. I wonder if this will prompt banks to render balance amounts via Captcha-type technology to circumvent this, even though the flaw is client-side. It will be interesting to watch how prevalent this sort of exploit becomes.

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters the HTML before it’s displayed in the user’s browser, either to erase evidence of a money transfer entirely from a bank statement or to alter the amounts of transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

“The Trojan is hooked into your browser and dynamically modifies the text in the HTML,” Ben-Itzhak says. “It’s a very sophisticated technique.”

Read on, via Threat Level

OpenDNS begins commercial service offering

One of the first cloud-based secure DNS services was launched today amid intensified concerns about locking down vulnerable Domain Name Service servers.

OpenDNS, which provides a free DNS service for consumers and schools, is offering a subscription-based commercial service for enterprises. Other vendors, such as Nominum, are considering offering secure DNS cloud services, as well.

DNS security has received more attention than ever in the wake of the discovery of a major DNS hole that was revealed by researcher Dan Kaminsky, and was later patched by several vendors. The so-called cache-poisoning flaw could allow an attacker to guess the transaction ID of a Web query and let the attacker hijack queries. Meanwhile, the Internet community has stepped up efforts to adopt the DNSSEC standard for protecting the DNS translation process from being compromised.
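As an added example (not from the article or the DarkReading piece it links): a toy model of the checks a caching resolver applies before trusting a response, showing why a guessable 16-bit transaction ID alone is a thin guard. The dict layout and field names are this example's own, and the bailiwick check goes beyond what the paragraph mentions, reflecting how resolvers limit the damage of a correctly guessed ID.

```python
"""Resolver-side acceptance checks for a DNS response (illustrative model).

Responses are modelled as plain dicts, not wire-format packets; the field
names used here (txid, dst_port, qname, records) are this example's own
choice and do not correspond to any library's API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutstandingQuery:
    txid: int
    src_port: int       # UDP port the resolver sent the query from
    qname: str          # name that was asked
    server_zone: str    # zone the queried server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies underneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(query: OutstandingQuery, resp: dict) -> bool:
    """Accept only if the response matches the outstanding query on
    transaction ID and destination port, echoes the question, and every
    record it carries is in bailiwick of the server that was asked.

    A forged answer that merely guesses the TXID still fails on the port
    (once source ports are randomised) and cannot plant records for
    unrelated zones even if both guesses are right.
    """
    if resp["txid"] != query.txid or resp["dst_port"] != query.src_port:
        return False
    if resp["qname"].lower() != query.qname.lower():
        return False
    return all(in_bailiwick(rr["name"], query.server_zone)
               for rr in resp["records"])


def spoof_success_probability(entropy_bits: int, forged_responses: int) -> float:
    """Chance that at least one of `forged_responses` blind guesses hits
    `entropy_bits` bits of unpredictable state before the real reply lands
    (16 bits: TXID alone; about 32 bits: TXID plus a random source port)."""
    space = 2 ** entropy_bits
    return 1 - (1 - 1 / space) ** forged_responses
```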

[More via DarkReading]

ZDNet warns self-hosted WordPress blogs at risk from worm

WordPress is pretty much the easiest turnkey blog/content management software out there, but by the very nature of its exceedingly popular, extensible existence, we haz flawz.

The latest major versions of WP have easy, embedded tools for pushing upgrades, and the directions lead you by the hand.

If your host — other than wordpress.org — hasn’t updated your installation in a while, or if your access is in some way restricted: write, call, nag. Srsly.

If that gets no results, back up your data and change providers.

WordPress is easy to use, sometimes easy to hack, but equally easy to patch.

Be your own advocate. Here’s why:

A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.

The worm can be tough to catch, as Mullenweg explains: “It registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.”

The vulnerability allowing the attack was discovered on August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making progress by the hour.

The worm does not affect the current version 2.8.4 and the one prior to it, and it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.

More detail via Tech News on ZDNet.

Russian Hackers Used Stolen US IDs for Georgian Gov Site Attacks

News Item Alert via @kevitz on Twitter:

Russian hackers hijacked American identities and U.S. software tools and used them in an attack on Georgian government Web sites during the war between Russia and Georgia last year, according to new research to be released Monday by a nonprofit U.S. group.

In addition to refashioning common Microsoft Corp. software into a cyber-weapon, hackers collaborated on popular U.S.-based social-networking sites, including Twitter and Facebook Inc., to coordinate attacks on Georgian sites, the U.S. Cyber Consequences Unit found. While the cyberattacks on Georgia were examined shortly after the events last year, these U.S. connections weren’t previously known. The research shows how cyber-warfare has outpaced military and international agreements, which don’t take into account the possibility of American resources and civilian technology being turned into weapons.

Identity theft, social networking, and modifying commercial software are all common means of attack, but combining them elevates the attack method to a new level, said Amit Yoran, a former cybersecurity chief at the Department of Homeland Security. “Each one of these things by itself is not all that new, but this combines them in ways we just haven’t seen before,” said Mr. Yoran, now CEO of computer-security company NetWitness Corp. The five-day Russian-Georgian conflict in August 2008 left hundreds of people dead, crushed Georgia’s army, and left two parts of its territory on the border with Russia — Abkhazia and South Ossetia — under Russian occupation.

More detail via WSJ.com.

NewsLink: Network Solutions Breach Revives PCI Debate

Does qualifying as “compliant” somehow have the collateral effect of relaxing vigilance? (“We’re PCI Compliant and we’ve spent a lot of money becoming compliant; we can stop worrying now!”)

I don’t work in this particular sector so I can’t comment much, but with the amount of money that gets spent on compliance I can’t imagine anyone’s too thrilled about seeing their organization meet the PCI standard, but then fail in security practice elsewhere, resulting in a breach.

The recent data breach at Internet domain administrator and host Network Solutions compromised more than 573,000 credit and debit cardholders and begs the question: What more can be done to secure such systems?

The incident also raises new questions about the Payment Card Industry Data Security Standard (PCI DSS). At the time of the breach, discovered in June, Network Solutions says it was PCI compliant. The breach was the result of hackers planting rogue code on the company’s web servers and intercepting financial transactions between the sites and their customers, which are mostly small online stores.

So, if Network Solutions was PCI compliant, how could it be breached? Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren’t restricted to a rigidly-defined set of methods. “As a result, clever attackers will always find holes,” he says. “PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk — not stop all attacks.” Changes that would increase the burden on merchants could raise the bar further, Kocher notes, “although it’s not clear how much impact this will have on actual fraud rates.”

At this point, he sees no sign that security standards are anywhere near close to putting fraudsters out of business, and forcing them to work a bit harder doesn’t necessarily mean they’ll actually steal less. Kocher sees the most effective anti-fraud step the U.S. card industry could take as making a real effort to adopt smart cards. The secrets needed to copy a card stay in the chip, and terminals for card-present transactions simply do not have access to the secrets.

[More on this article at Bank Info Security.]

Network Solutions Hack Compromises 573,000 Credit, Debit Accounts

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va.-based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services — a package that includes everything from Web hosting to payment processing — to at least 4,343 customers, mostly mom-and-pop online stores.

The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said. Wade said the company is working with federal law enforcement and a commercial data breach forensics team to determine the cause and source of the break-in. The payment data stolen was captured from transactions made between March 12, 2009 and June 8, 2009.

Read full story via Security Fix.