Investigators slam VA over data breach
U.S. Department of Veterans Affairs (VA) Inspector General George
J. Opfer has released a scathing report (.pdf) on the data breach
that left 26.5 million veterans and about 2.2 million active duty
personnel at risk for identity fraud.
Investigators in his office concluded that a VA analyst showed
poor judgment by taking the data home and that his supervisors were
lax in their oversight.
Opfer outlined a litany of missteps, insufficient security
measures and an overall lack of care in the events leading up to
the May 3 burglary of the analyst's Maryland home. The report also
slams a chain of the analyst's supervisors, leading up to Deputy
Secretary Gordon H. Mansfield, for waiting nearly three weeks to
publicize the burglary, which unreasonably put veterans and active
duty personnel at risk for fraud, the report said.
In a written response, VA Secretary Jim Nicholson promised
improvements in handling information, according to The Associated
Press (AP).
Meanwhile, the AP reported, the Federal Bureau of Investigation
(FBI) has determined with a "high degree of confidence" that the
sensitive files on the employee's recently recovered laptop were
neither compromised nor read. The FBI recently completed a full
forensic analysis of the stolen laptop and external drive, which
were recovered June 29.
Cisco addresses router application flaw; other issues
San Jose, Calif.-based networking giant Cisco Systems Inc. has
addressed three separate security issues, including a flaw in its
Router Web Setup application.
The default Cisco IOS configuration shipped with the Cisco Router
Web Setup (CRWS) application "allows the
execution of commands at privilege level 15 through the Cisco
IOS HTTP (Hypertext Transfer Protocol) server Web interface
without requiring authentication credentials," Cisco said in an
advisory. "Privilege level 15 is the highest privilege level on
Cisco IOS devices."
Fixed versions of the CRWS application have been modified by
Cisco to provide a more secure default IOS configuration and
additional functionality with regard to the Cisco IOS HTTP server
Web interface, the company said.
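
As an added illustration (not code from Cisco or from the original article), the following Python sketch audits a saved IOS configuration for the kind of exposure described above: a web interface enabled with no authentication in front of it. The sample configurations are constructed, and the mapping from the advisory to these specific configuration lines is an assumption, since the article does not reproduce the shipped configuration.

```python
import re

# Constructed sample configurations (not taken from any Cisco document).
WEAK_CONFIG = """\
hostname branch-router
ip http server
line vty 0 4
 login
"""

HARDENED_CONFIG = """\
hostname branch-router
enable secret 5 <placeholder-hash>
username admin privilege 15 secret 5 <placeholder-hash>
no ip http server
ip http secure-server
ip http authentication local
"""

def audit_http_server(config):
    """Return a list of findings about the IOS web interface in a saved config.

    Assumption: only explicit configuration lines are inspected; platform
    defaults that do not appear in the saved text are not modelled.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    http_on = "ip http server" in lines           # "no ip http server" does not match
    https_on = "ip http secure-server" in lines
    auth = next((ln.split()[3] for ln in lines
                 if re.match(r"ip http authentication \S+", ln)), None)
    has_enable = any(re.match(r"enable (secret|password) ", ln) for ln in lines)
    findings = []
    if not (http_on or https_on):
        return findings                           # web interface disabled
    if http_on:
        findings.append("cleartext HTTP server enabled")
    if auth is None and not has_enable:
        findings.append("web interface has no authentication method or enable secret")
    elif auth is None:
        findings.append("web interface relies on the enable password only")
    if auth == "local" and not any(ln.startswith("username ") for ln in lines):
        findings.append("local authentication selected but no local users defined")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_server(cfg))
```
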
The second issue is that Cisco Unified CallManager (CUCM) 5.0
contains command line interface (CLI) and session initiation
protocol (SIP) flaws. "There are potential privilege escalation
vulnerabilities in the CLI which may allow an authenticated
administrator to access the base operating system with root
privileges," Cisco said. "There is also a buffer overflow
vulnerability in the processing of hostnames contained in a SIP
request which may result in arbitrary code execution or cause a
denial of service."
Cisco said it has made free software available to address these
vulnerabilities.
The third issue is that Cisco Intrusion Prevention System (IPS)
software version 5.1 is prone to a denial-of-service condition caused
by a malformed packet, "which may result in an IPS device
becoming inaccessible remotely or via the console and fail to
process packets," Cisco said. "A power reset is required to
recover the IPS device. There are no workarounds for this
vulnerability."
Cisco said it has made free software available to address this
vulnerability as well.
IBM sued over server attack
IBM is being sued by Washington law firm Butera & Andrews over
a 2005 attack on its email server. The firm claims that an unknown
IBM employee tried to attack the server last November, shortly
after the firm found that its computer had been hijacked by an
unknown attacker, the IDG News Service reported. Security
investigators traced the attack to a computer inside IBM's
Cornwallis Road facility in Durham, N.C., the law firm claims.
The IDG News Service reported the lawsuit was filed April 7 in
the U.S. District Court for the District of Washington. An analysis
of computer logs revealed "over 42,000" attempts by IBM-controlled
machines to attack Butera & Andrews servers during 2005, the
lawsuit claims. Butera & Andrews wants the court to make IBM
reveal information related to the attacks and to award it damages,
including the $61,000 spent investigating the matter.
IBM has asked for the case to be dismissed, saying that Butera
& Andrews "alleges no facts to justify its supposition that its
systems were attacked by an IBM employee, as opposed to a computer
hacker."
Spammers' latest trick: A fake Putin death report
UK-based antivirus firm Sophos said spammers have launched a new
campaign disguised as a breaking news report that Russian President
Vladimir Putin has died. Hackers are using the trick to try to
infect computers with a Trojan horse.
Embedded in the HTML email is a hidden script that allows the
attacker to secretly download Troj.Dloadr-ZP from a Russian Web
site. The Trojan horse is designed to download further malicious
code that could allow remote hackers to gain unauthorized access to
the victim's computer.
Although the link pretends to be that of a BBC News report,
Sophos said the user is directed to another Russian Web site
purporting to be the home of a construction firm focused on
providing heating systems for apartments and advertising training
seminars.