Thousands of Vulnerabilities in NOAA Satellite System

A Memorandum released last week by the Office of Inspector General revealed that numerous “High-Risk” security vulnerabilities were found in the Joint Polar Satellite System’s (JPSS) Ground System.

According to the report, a security audit of NOAA’s Information Technology security program found serious security issues with the JPSS Ground System which gathers information from  weather satellites and provides it to worldwide users. It also provides command and control for current and future weather satellites.

The system is considered a “High Impact” IT system, or a system “for which the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, organizational assets or individuals.”

The report showed that the number of High-Risk vulnerabilities rose from 14,486 in the first quarter of 2012 to 23,868 in the second quarter of 2014:

As you can see from the chart, the vulnerabilities have gone up and down over the last couple years as vulnerabilities have been found and patched. But overall the current vulnerabilities are about 2/3 higher than in the beginning of 2012.

High-Risk vulnerabilities are defined in the report as ones that are “relatively easy for attackers to exploit and gain control over system components.” The vulnerabilities found seem the same as would be found in any corporate security audit and including the following issues:

• Out of date software or missing security patches
• Insecurely configured software
• Unnecessary user privileges
• Passwords and auditing settings do not meet policy standards
• Unnecessary software applications that need to be removed or disabled

The issues found even included the “Heartbleed” vulnerability, which has since been remediated.

The numerous other vulnerabilities are of major concern and the software tools to exploit some of the vulnerabilities are publicly available. For the full report, check out the “Correspondance” PDF link on the Inspector General page.

Community Health Systems Hacked – 4.5 Million Records Stolen

Chinese hackers seem to be at it again. This time hitting Community Health Systems, a large US medical group that runs over 200 hospitals in 29 states. According to reports from Foxnews, the attackers were able to steal 4.5 million records.

A filing with the U.S. Securities and Exchange Commission stated that computer security company Mandiant assisted in the forensics investigation and “believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems.“

According to the filing the data was “non-medical patient identification data” and did not include “patient credit card, medical or clinical information“. The company is notifying the affected patients and apparently offering them identity theft protection services.

As financial information was not recovered, the information would most likely be used in further social engineering type attacks – for example, using the information gained to attempt to access patients accounts or data from other companies or websites.

For those interested in learning more about Mandiant and their research of Chinese APT attacks, check out their “APT1: Exposing One of China’s Cyber Espionage Units” intelligence center report.

New Book Out: Kali Linux CTF Blueprints

A new Kali Linux book written by Cameron Buchanan has recently been published. This book published by Packt Publishing focuses on using Kali Linux and other Linux versions to create “Capture the Flag” (CTF) challenges:

“If you are a penetration testing team leader or individual who wishes to challenge yourself or your friends in the creation of penetration testing assault courses, this is the book for you. The book assumes a basic level of penetration skills and familiarity with the Kali Linux operating system.”

About This Book

• Put the skills of the experts to the test with these tough and customisable pentesting projects
• Develop each challenge to suit your specific training, testing, or client engagement needs
• Hone your skills, from wireless attacks to social engineering, without the need to access live systems

I am a technical reviewer for a lot of security books, magazines and training material and had the honor of being one of the reviewers on this project. The book is geared for those who have had some experience as a security tester and is familiar with using Kali Linux and penetration testing tools.

I found the book interesting and really liked Cameron’s sense of humor. Though it is not a book for someone who has never used Kali before, those who are interested in how Capture the Flag type contents can be run from a technical perspective will really enjoy this book.

Check it out!

 

 

Snowden Part II: Another Cyber Traitor in the US?

There are 680,000 people on the US’s Terror watch database with more than 40% having no known ties to terror groups. How do we know this? Looks like there is another Snowden like traitor leaking secret intelligence documents to the press.

An article on “The Intercept” breaks down the numbers apparently obtained from documents leaked by a “source in the intelligence community“. According to the website:

“The classified documents were prepared by the National Counterterrorism Center, the lead agency for tracking individuals with suspected links to international terrorism. Stamped “SECRET” and “NOFORN” (indicating they are not to be shared with foreign governments), they offer the most complete numerical picture of the watchlisting system to date.”

According to CNN, government officials are looking for the identity of the new leaker.

With Snowden apparently getting away with leaking top secret and confidential intelligence information to the press, it seems that it has inspired others to follow in his footsteps. The problem, as shown with Snowden, is that even though they may reveal some information of government wrong doing, they may also cross the line of patriotism and end up aiding and abetting a foreign power.

The level of NSA spying on US citizens was wrong, but when someone in the intelligence field takes classified information and flees to another country (especially one on unfriendly terms with the US), that has and always will “earn” the person the title of “Traitor”.

I just hope this new traitor is caught before they too reveal allied operational software and techniques employed against foreign governments and Islamic militant groups.