News briefs: Barrett Brown sentenced, research from Qualys and Dell SecureWorks


» Journalist and activist Barrett Brown was sentenced to 63 months in prison, minus about two years of time already served – and was ordered to pay a little more than $890,000 in restitution and fines – for charges stemming from the Stratfor hacking case. Some in the security community said that Brown's sentencing sets a troubling precedent, as he was essentially jailed for linking to hacked information. Brown, who pleaded guilty to posting an online threat aimed at a federal agent in April 2014, was arrested in 2012 and was, at one point, known as a public face of the hacktivist collective Anonymous. Also in April, Brown pleaded guilty to serving as an accessory after the fact to an unauthorized access to a protected computer, and obstructing justice in the execution of a search warrant, according to a superseding indictment filed in the U.S. District Court for the Northern District of Texas. He originally faced multiple charges, but in early March 2014, federal prosecutors moved to dismiss 11 of 12 counts related to sharing a link to a dump of credit card numbers connected to the breach of intelligence firm Stratfor.

» Researchers at Qualys discovered a buffer overflow vulnerability in the Linux GNU C Library (glibc) that, if exploited, could enable an attacker to remotely take complete control of a victim's system – all without having knowledge of system credentials. The high severity bug, CVE-2015-0235, was named ‘GHOST' because it can be triggered by the ‘GetHOST' functions, Qualys noted. Debian 7 (Wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04 are among the systems that are affected, and other Linux systems using versions of glibc from 2.2 to before 2.18 are also at risk. Researchers said that the best way to protect against GHOST is to apply available patches from Linux distribution vendors. 

» On the heels of President Obama's call for federal data breach legislation, a senator announced that he was penning a bill that carried a 30-day notification requirement for breached entities. The requirement, which Obama also proposed in a January speech at the Federal Trade Commission (FTC), would supplant state data security and breach notification laws, Sen. Bill Nelson, D-Fla., revealed in a draft summary of the bill. Under the legislation would authorize the FTC and state attorneys general “to enforce the data security and breach notification provisions of the Act,” meaning that entities could face civil penalties levied by the FTC over “unfair or deceptive acts or practices under Section 18 of the FTC Act,” the draft summary said.

» The White House's proposed revisions to the Computer Fraud and Abuse Act (CFAA) raised alarm in the IT security community which continues to await amendments to the federal anti-hacking law, long criticized for being outdated and leading to the aggressive prosecution of those in the field. Major contention arose from one revision, in particular, which would raise penalties for circumventing digital access barriers from starting at a misdemeanor to starting as a three-year felony charge. Other security pros, such as Katie Moussouris, chief policy officer at HackerOne, expressed concern about the “expanded language” of the legislative proposal, which could hamper vulnerability research and security testing activities, and perhaps, even breach reporting. She noted that CFAA, the law under which Aaron Swartz was pursued before his suicide two years ago, has always intimidated researchers.

» Analysts at Dell SecureWorks Counter Threat Unit (CTU) warned users of new malware, called “Skeleton Key,” which bypasses authentication on Active Directory (AD) systems using only passwords for access. Researchers found the malware on a client network that used single-factor authentication for access to webmail and its virtual private network (VPN), a scenario that allowed attackers “unfettered access” to remote access services, the CTU said. Skeleton Key is deployed as an in-memory patch on victim's AD domain controllers and, so far, Dell has observed two variants. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.