Wednesday, September 17, 2014
If you don't manage your security, this could happen to you.
Brian Krebs reports:
C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.
Read more on KrebsOnSecurity.com.
I wonder when we’ll find out who the other two C&K clients were. They’d be wise to go public before Brian outs them.
(Related) If you do manage your security, it can still happen but you can detect it earlier and perhaps reduce the impact.
JPMorgan Shares Information on Recent Cyber Attacks
JPMorgan Chase, one of the largest banks in the United States, has confirmed that its systems were breached this summer, but investigators say there's no evidence that the attackers had gained access to highly sensitive information.
People familiar with the investigation have told The New York Times that the hackers penetrated roughly 90 of the company's servers between June and late July when the breach was detected. The attackers reportedly gained access to the details of one million customers and information on installed software after obtaining high-level administrative privileges, but an unnamed individual close to the matter said only names, addresses and phone numbers have been compromised.
There appears to be no evidence that social security numbers, financial information, or proprietary software have been obtained.
For my Computer Security students: This is why we try to teach every employee about security.
Ben Grubb reports:
Thousands of Australian computers are being locked up by hackers using malicious software that encrypts files and asks for a ransom to make them available again.
Fairfax Media understands Australian government agencies and a number of large enterprises and individuals have been successfully targeted by the scam.
Called “Cryptolocker” and “CryptoWall”, the “ransomware” comes in various forms with the CryptoWall version estimated by the government e-safety alert service Stay Smart Online to have infected approximately 20,000 Australian computers.
Read more on Sydney Morning Herald.
[From the article:
Computers are typically infected after victims click on a malicious link in an email purporting to be from Australia Post or Telstra.
… In order to help victims, two security firms have collaborated on a service called Decrypt Cryptolocker, which claims to decrypt files for free and has been hailed by Stay Smart Online. But Mr Bailey said the site didn't always work.
"We have seen this [website] work in some cases to be able to decrypt files and not for others," Mr Bailey said.
… alleged Russian hacker Evgeniy Mikhailovich Bogachev, 30, was charged as the leader of a criminal ring responsible for the malware and another known as Gameover Zeus.
The US Federal Bureau of Investigation estimated Bogachev made $US100 million from his activities. [and you wonder why the bad guys like doing this? Bob]
(Related) Note that nothing this Corps does will stop employees from clicking on a bad link.
US Bolstering Cyber Defense With New Corps: NSA Chief
The US military is building a new cyber defense corps that can be used to protect the nation and possibly for offensive purposes, the commander of the unit said Tuesday.
National Security Agency director Michael Rogers, who also heads the US Cyber Command, said the 6,200-member unit should be fully operational by 2016, to bolster defenses against hackers and state-sponsored cyberattacks.
Rogers told a cybersecurity conference that the unit would be able to assist in protecting against cyberattacks on "critical infrastructure," which includes computer-controlled power grids, financial networks, transportation and other key sectors.
Can't wait until the government takes all our health care records public!
GAO has released a report on Healthcare.gov. Here are some of the highlights of the report:
While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.
CMS took many steps to protect security and privacy, including developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections. However, Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions. While CMS has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them.
In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the FFM [Federally Facilitated Marketplace - Dissent]. Specifically, CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network.
An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development. Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, and the disruption of service provided by the systems.
What GAO Recommends
GAO is making six recommendations to implement security and privacy management controls to help ensure that the systems and information related to Healthcare.gov are protected. HHS concurred but disagreed in part with GAO’s assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid, as discussed in the report.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-4499.
For Full Report:
HEALTHCARE.GOV: Actions Needed to Address Weaknesses in Information Security and Privacy Controls GAO-14-730: Published: Sep 16, 2014. Publicly Released: Sep 16, 2014. (78 pp, pdf)
“We can, therefore we must!”
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable.
The result? Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.
… Broadly, the term “Network Investigative Techniques,” (NIT) describes a method of surveillance that entails “hacking,” or the remote access of a computer to install malicious software without the knowledge or permission of the owner/operator. Once installed, malware controls the target computer.
The right Network Investigative Technique can cause a computer to perform any task the computer is capable of—covertly upload files, photographs and stored e-mails to an FBI controlled server, use a computer’s camera or microphone to gather images and sound at any time the FBI chooses, or even take over computers which associate with the target (e.g. by accessing a website hosted on a server the FBI secretly controls and has programmed to infect any computer that accesses it).
Like Apps, “There's a business model for that.” e-Country Clubs, whoda thunk it?
Netropolitan the Social Media Site that Costs $9000 to Join
Netropolitan is a new hobnobbing social media network for the filthy rich and costs a peasantry $9,000 to join plus $3,000 each year in member fees.
Netropolitan calls itself an “online country club for people with more money than time” and was started by James Touchi-Peters, who claimed that he wanted an “environment where you could talk about the finer things in life without backlash.”
A game for my students AFTER they complete the Final Exam.
– is an addictive little game which uses the images from the Reddit page “Earth Porn”. You have to find the emoji that is standing still among a sea of rapidly moving emojis. Once you do, you get to the next level. In the background are different pictures of beautiful scenes from around the world.
– is a platform for viewing, creating and sharing any type of algorithm. All algorithms on the site are public and can be viewed and shared by any user of the site. Registered users can create new algorithms or fork an existing one.
An article for my Ethical Hackers.
4 Things You Must Know About Those Rogue Cellphone Towers
… What if your phone had connected to a cell tower operated by a rogue individual, and that person was intercepting every SMS, every call, every kilobyte of data sent?
It’s more likely than you think.
Tools & Techniques
Interesting video for my Computer Security students.
ATM PIN Theft and the Mathematics of Systematic Guessing
The video below describes how an infrared device on iPhones can be used to steal Personal Identification Numbers (PINs) on ATM cards and credit cards. It is important that you watch this video because it also contains instructions on how to prevent theft.