Tag: public interest groups

Heartbleed Means HealthCare.gov Users Must Reset Passwords
http://www.nextgov.com/cybersecurity/2014/04/heartbleed-means-healthcaregov-users-must-reset-passwords/82852/
By Aliya Sternstein
Nextgov.com
April 19, 2014
Federal officials are telling Obamacare website account holders to reset
their passwords, following revelations of a bug that could allow hackers
to steal data.
Officials earlier in the month said the government’s main public sites,
including HealthCare.gov, were safe from the risks surrounding Heartbleed
— faulty code recently found in a widely-used encryption tool.
But, this weekend, the online marketplace’s homepage directs users to
change their login information.
“While there’s no indication that any personal information has ever been
at risk, we have taken steps to address Heartbleed issues and reset
consumers’ passwords out of an abundance of caution,” HealthCare.gov
states.
[…]
INFO: Google scans user’s emails
http://bit.ly/1reFUNj
Google updates terms of service to reflect its scanning of users’ emails
Google has updated its terms of service to reflect that it analyzes user
content including emails to provide users tailored advertising, customized
search results and other features.
The Internet giant’s scanning of users’ email has been controversial with
privacy groups describing it as an intrusion into user privacy.
[…]
Mission-critical satellite communications wide open to malicious hacking
By Dan Goodin
Ars Technica
April 17, 2014
Mission-critical satellite communications relied on by Western militaries
and international aeronautics and maritime systems are susceptible to
interception, tampering, or blocking by attackers who exploit easy-to-find
backdoors, software bugs, and similar high-risk vulnerabilities, a
researcher warned Thursday.
Ground-, sea-, and air-based satellite terminals from a broad spectrum of
manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can
be hijacked by adversaries who send them booby-trapped SMS text messages
and use other techniques, according to a 25-page white paper published by
penetration testing firm IOActive. Once a malicious hacker has remotely
gained control of the devices, which are used to communicate with
satellites orbiting in space, the adversary can completely disrupt
mission-critical satellite communications (SATCOM). Other malicious
actions include reporting false emergencies or misleading geographic
locations of ships, planes, or ground crews; suppressing reports of actual
emergencies; or obtaining the coordinates of devices and other potentially
confidential information.
“If one of these affected devices can be compromised, the entire SATCOM
infrastructure could be at risk,” Ruben Santamarta, IOActive’s principal
security consultant, wrote. “Ships, aircraft, military personnel,
emergency services, media services, and industrial facilities (oil rigs,
gas pipelines, water treatment plants, wind turbines, substations, etc.)
could all be impacted by these vulnerabilities.”
Santamarta said that every single one of the terminals he audited
contained one or more weaknesses that hackers could exploit to gain remote
access. When he completed his review in December, he worked with the CERT
Coordination Center to alert each manufacturer to the security holes he
discovered and suggested improvements to close them. To date, Santamarta
said, the only company to respond was Iridium. To his knowledge, the
remainder have not yet addressed the weaknesses. He called on the
manufacturers to immediately remove all publicly accessible copies of
device firmware from their websites to prevent malicious hackers from
reverse engineering the code and uncovering the same vulnerabilities he
did.
[…]