Changing the defaults
By Mike S
In a Salt Lake Tribune article, reporter Patty Henetz quoted Utah Department of Health spokesman Tom Hudachko, who said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.
Michael Hales, the Health Department’s Medicaid Director, said, “It just looks like processes broke down,” according to the Tribune.
This sounds like a weaselly way of admitting that the default passwords were not changed. Default passwords are the easiest way into any system!
via Utah Medicaid Breach Exemplifies Value Of Encryption And Access Control – Dark Reading.
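The check a practitioner would want after reading this is an audit for accounts still carrying a vendor or default credential. The following is an added example, not code from the post or from the Utah agency: the account records are constructed inline, and the salted SHA-256 scheme is an assumption standing in for whatever hash a real user store uses (bcrypt, PBKDF2, etc.). The audit recomputes each known default under the account's own salt, so it never needs the plaintext.

```ruby
# Added example (not from the post or from the Utah DTS): flag accounts whose
# stored hash matches a well-known default credential.
require 'digest'

# Constructed list of common default passwords (hypothetical entries).
DEFAULT_PASSWORDS = %w[admin password changeme 123456 default].freeze

# Assumed hashing scheme: SHA-256 over salt + password. Real stores differ,
# only the compare-under-the-account's-salt idea carries over.
def hash_password(password, salt)
  Digest::SHA256.hexdigest(salt + password)
end

# Constructed records shaped like a credential table: per-account salt and
# salted hash, never the password itself.
CONSTRUCTED_ACCOUNTS = [
  { user: 'svc_app',  salt: 'a1', hash: hash_password('changeme', 'a1') },
  { user: 'dba',      salt: 'b2', hash: hash_password('Tr0ub4dor&3', 'b2') },
  { user: 'admin',    salt: 'c3', hash: hash_password('admin', 'c3') }
].freeze

# Returns the usernames whose stored hash equals any known default recomputed
# with that account's own salt.
def accounts_with_default_passwords(accounts, defaults = DEFAULT_PASSWORDS)
  accounts.select { |a| defaults.any? { |p| hash_password(p, a[:salt]) == a[:hash] } }
          .map { |a| a[:user] }
end

puts "Accounts still on a default password: #{accounts_with_default_passwords(CONSTRUCTED_ACCOUNTS).inspect}"
```

Run this against the real user table on a schedule and alert on a non-empty result; that is the kind of auditing the post says was missing.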
Number of victims in state of Utah breach significantly rises
By Mike S
The state of Utah lost the personal information of at least 500,000 people because:
Attackers were able to compromise the server because an authorization component was not configured properly.
The state’s Department of Technology Services “has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.
Hopefully they’ll add some auditors, too. It’s a shame to have your system set up so you only find out about misconfigurations after outsiders do.
via Number of victims in state of Utah breach significantly rises – SC Magazine.
The Top 9 Most Costly Financial Services Data Breaches
By Mike S
If you don’t learn from the past, you’re doomed to repeat it.
Here are 9 of the largest and most recent financial services data breaches:
via The Top 9 Most Costly Financial Services Data Breaches – Wall Street & Technology.
Hackers politely deface security firm website, suggest fixes
By Mike S
If they’d bothered to get a contract first, they’d probably make good money in pen testing.
A Cayman Islands security firm got a bit of unsolicited web security advice on March 30 from MalSec, a group of “malicious security” hackers who recently broke into a server belonging to the Nigerian Senate. But unlike some of the nastier site defacements done recently by members of Anonymous’ #AntiSec collective—including takedowns of two Federal Trade Commission sites—the MalSec hackers left the site itself intact, posting only a replacement home page to advise the company, The Security Centre Ltd., of their vulnerability.
[...]
“Whilst no harm was done to the original site,” the hackers wrote on their replacement home page, “we urge you to secure your site before claiming to be ‘the best of the best’ in any kind of security. We were not first—traces of previous security breaches were found.” The page gave instructions on how to return the site to normal, and advised the company to “please oversee your security before somebody else with more harmful intent does. You can thank us later <3.”
In Security Centre’s defense, they are a physical security company, not information security.
via Hackers politely deface security firm website, suggest fixes.
Global Payment Systems Compromised In ‘Massive’ Breach
By Mike S
This is pretty bad news:
A major security breach at Global Payments, which does transaction processing for Visa and MasterCard, has exposed the credit card data of [1 million to 3 million] customers to potential theft.
That’s an awful lot of people.
via Global Payment Systems Compromised In ‘Massive’ Breach – Dark Reading.
The business model of starting a nation just to have somewhere to store your data
By Mike S
A few weeks ago, Fox News breathlessly reported that the embattled WikiLeaks operation was looking to start a new life on the sea. WikiLeaks, the article speculated, might try to escape its legal troubles by putting its servers on Sealand, a World War II anti-aircraft platform seven miles off the English coast in the North Sea, a place that calls itself an independent nation. It sounds perfect for WikiLeaks: a friendly, legally unassailable host with an anything-goes attitude.
But readers with a memory of the early 2000s might be wondering, “Didn’t someone already try this? How did that work out?” Good questions. From 2000 to 2008, a company called HavenCo did indeed offer no-questions-asked colocation on Sealand—and it didn’t end well.
Perhaps demand will pick up a bit if the U.S. government continues to seize and shut down websites before even arresting or convicting the site’s operators.
It’s an interesting story, though.
via Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation.
Java: The Security Risk
By Mike S
Via: ISC Diary | evilcode.class, this was too good not to repost:

It’s too bad Cisco ASDM requires Java, or I could stop using it completely.
Malware Advancing Faster Than Companies Can Analyze It – Dark Reading
By Mike S
IT is worried: More than half of IT leaders say malware sophistication is outpacing their ability to analyze it.
A new study conducted by Forrest Anderson Research and commissioned by Norman ASA found that 62 percent of IT pros have this concern, while 58 percent say their biggest worry is the growing number of threats.
Problems like this are going to make whitelisting a nearly mandatory strategy.
via Malware Advancing Faster Than Companies Can Analyze It – Dark Reading.
Hacker commandeers GitHub to prove Rails vulnerability
By Mike S
A Russian hacker dramatically demonstrated one of the most common security weaknesses in the Ruby on Rails web application language. By doing so, he took full control of the databases GitHub uses to distribute Linux and thousands of other open-source software packages.
Egor Homakov exploited what’s known as a mass assignment vulnerability in GitHub to gain administrator access to the Ruby on Rails repository hosted on the popular website. The weekend hack allowed him to post an entry in the framework’s bug tracker dated 1,001 years into the future. It also allowed him to gain write privileges to the code repository. He carried out the attack by replacing a cryptographic key of a known developer with one he created. While the hack was innocuous, it sparked alarm among open-source advocates because it could have been used to plant malicious code in repositories millions of people use to download trusted software.
It’s a vulnerability that’s on by default, leaving it to developers to turn it off if they don’t use it, but I agree with Homakov – it should be off by default and enabled only when needed.
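To make the "on by default" point concrete, here is an added example, not code from the post, from GitHub, or from Rails itself: a plain Ruby model (no Rails dependency, so it runs stand-alone) with two assignment paths. The unsafe path mirrors mass assignment by copying every key of the request params onto the object, which is how a request carrying an extra admin flag or a replacement public key gets honoured. The hardened path is the opt-in allowlist the post argues should be the default. The `User` class, its attribute names and the request body are all constructed for the example.

```ruby
# Added example (not from the post, GitHub or Rails): mass assignment, unsafe
# default versus explicit allowlist.
require 'set'

class User
  attr_reader :name, :email, :admin, :public_key

  def initialize(name:, email:, admin: false, public_key: nil)
    @name, @email, @admin, @public_key = name, email, admin, public_key
  end

  # Unsafe: every params key that names an attribute is written, so a request
  # that includes "admin" or "public_key" changes them alongside the profile edit.
  def assign_attributes_unsafe(params)
    params.each { |k, v| instance_variable_set("@#{k}", v) if respond_to?(k.to_s) }
    self
  end

  # Hardened: only the attributes this form is meant to edit are writable;
  # everything else is dropped and returned so the caller can log it.
  PERMITTED = Set.new(%w[name email]).freeze

  def assign_attributes_safe(params)
    rejected = params.keys.map(&:to_s) - PERMITTED.to_a
    params.each do |k, v|
      instance_variable_set("@#{k}", v) if PERMITTED.include?(k.to_s)
    end
    [self, rejected]
  end
end

# Constructed request body: a legitimate profile edit that also carries a
# privilege flag and a key replacement, the shape of the incident described above.
TAMPERED_PARAMS = {
  'name' => 'alice',
  'email' => 'alice@example.test',
  'admin' => true,
  'public_key' => 'ssh-rsa AAAA...replacement'
}.freeze

def demo_unsafe
  User.new(name: 'alice', email: 'old@example.test').assign_attributes_unsafe(TAMPERED_PARAMS)
end

def demo_safe
  User.new(name: 'alice', email: 'old@example.test').assign_attributes_safe(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  u = demo_unsafe
  puts "unsafe: admin=#{u.admin.inspect} public_key=#{u.public_key.inspect}"
  s, rejected = demo_safe
  puts "safe:   admin=#{s.admin.inspect} public_key=#{s.public_key.inspect} rejected=#{rejected.inspect}"
end
```

The design point is that the allowlist lives with the form that accepts the request, not with the model as a whole: the same `User` may legitimately have `admin` set by an administrative action, just never from a self-service profile edit.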
Deception and the art of cyber security – SC Magazine
By Mike S
I like his ideas, but I imagine they will be tricky to implement. It is difficult enough to create secure web apps, much less honeypot-enabled web apps.
Cyber attackers have long embraced deception by deploying tactics, such as social engineering help-desk employees to install trojans or obtain users’ credentials. Even the famed hacker, Kevin Mitnick, wrote a book called “The Art of Deception.” If deception can be used to attack, can it also be used in cyber defense?
April 11th, 2012