Monthly news roundup - September 2014 (TL;DR)

NEWS

More and more compromises are hitting the news. Although some vulnerabilities, such as Heartbleed and the newly uncovered Shellshock, are buried in the infrastructure of the internet, most breaches have their root not in a technological or security flaw, but in human error or misplaced trust. Whom are we trusting with our data and what are we assuming about them? Here’s the TL;DR on a few stories that we found interesting:

  1. Huge security hole found in Bash shell: concern growing that it may have already been exploited: On September 24th, the technosphere exploded with news that a flaw in the Bash shell, since named Shellshock, could be exploited to take over public web servers. Since the initial report, patches have been released, but concerns continue to grow.
  2. Credit card data compromised at Jimmy John's and 108 Other Restaurants: Signature Systems, Inc., the POS vendor for Jimmy John's and other restaurants, reports that payment data from over 300 restaurants was compromised when a bad guy gained access to a remote user’s username and password. With that access secured, malware that captured payment data could be installed and used to steal customer information. The breach affected restaurants in 40 states.
  3. Government agencies are not adequately securing data: CNN reports that a security hole in software used by agencies across the country may have compromised over 100,000 records containing personal data about students and their families. Analysis revealed that the hole resulted from a configuration setting that allowed users to disable security checks. A patch was issued for this problem 2 years ago, but many users did not apply it. The result: potential vulnerability of public records held by the government.
  4. Barclay’s bank experimenting with new ‘finger vein’ technology: In the wake of security breaches in the financial sector, Barclay’s has announced that it is experimenting with a form of authentication based on the veins in a user’s finger. The device would eliminate the need for multi-factor authentication and complex passwords, giving customers a greater sense of security without the inconvenience of complex logins. That said, it’s still just another lock on the door that can potentially be picked. A service like Silo eliminates the need for expensive new technologies, keeping user credentials and banking activity in a secure sandbox.
  5. Number of HIPAA breaches reported spikes after Omnibus: The number of reported HIPAA compromises has spiked by 67% since HIPAA Omnibus enforcement began last September. Analysis indicates that the dramatic increase is due to a combination of more robust reporting requirements and penalties, and increased attacks on medical records. Despite the risk of severe penalties, many healthcare organizations have been slow to comply with the new security regulations.
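For the Shellshock item above, the check a defender wants is whether the Bash on a given host is still unpatched. The script below is an added example, not part of the original post: it uses the widely published diagnostic of exporting a function definition with a trailing command and seeing whether Bash runs that command on import. The function name and the defaulting to whichever `bash` is on PATH are assumptions of this example.

```shell
# Added example: report whether a Bash binary still imports the trailing
# command from a function definition in the environment (Shellshock).
# A patched Bash defines the function and ignores what follows; an unpatched
# one executes it when the environment is imported.
shellshock_check() {
    bash_bin="${1:-bash}"   # assumption: default to the bash found on PATH

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "unknown"      # nothing to test on this host
        return 2
    fi

    # The variable value is a function body followed by an extra command.
    # Only an unpatched Bash runs that extra command while importing 'x'.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Usage: shellshock_check            -> tests bash on PATH
#        shellshock_check /bin/bash  -> tests a specific binary
shellshock_check "$@"
```

Run it on each host (or against each Bash binary, since systems often carry more than one) after applying vendor patches; "vulnerable" means the patch did not take effect for that binary.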