Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
GAO Finds Deficiencies in Systems for Handling National Debt
Newest First  |  Oldest First  |  Threaded View
ThomasMaloney
50%
50%
ThomasMaloney,
User Rank: Apprentice
4/16/2019 | 3:00:36 AM
Need intervention
It is really not surprising at all that there are actually deficiencies in the systems regardless of whether or not they belong to the state. Vulnerabilities are bound to be present anywhere at all as long as there are security lapses that are still pending intervention.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 1:57:30 PM
deficiencies
"These new and continuing control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs," Obviously there is good amount of work to be done. Unauthorized access can easily be mitigated.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 1:55:45 PM
Re: End Game
I would posit that debt isn't an asset so is it something worth targeting. Interesting to point out. Anything that can be hacked my be considered target.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 1:54:14 PM
Re: End Game
What is the actual risk if these systems were to be compromised? Good question. Level of risk getting bigger in each step they do not have any mitigation.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 1:52:54 PM
Breaches
Though the deficiencies have not resulted in breaches, the response has not come through improvements to the technology and its use. I wonder how they wiiid know that. Most breaches go unheard.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 1:51:51 PM
least privilege access
the audit mentions the lack of least privilege access as a security concern for systems. This may be important, they may need to address this first I would say.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/28/2019 | 9:14:43 AM
End Game
What is the actual risk if these systems were to be compromised? Do they only touch data around National Debt?

I would posit that debt isn't an asset so is it something worth targeting. Is it IP in those systems that is the main worry?


Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8369
PUBLISHED: 2019-10-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2019-18224
PUBLISHED: 2019-10-21
idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
CVE-2019-16985
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
CVE-2019-16986
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
CVE-2019-16987
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.