Monday, July 31, 2017
This could (and likely did) happen to everyone/anyone! Why haven’t companies in other industries reported similar incidents?
Airlines Alert Customers, Employees of Cybersecurity Incidents
Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13. According to the company, a third party accessed logins and passwords used for its corporate network.
… Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data. While the leaked data did not contain any payment card or other financial information, the company has notified the Calgary Police Service and the RCMP’s cybercrime unit.
… Florida-based ultra low cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.
… Security expert Troy Hunt, the owner of the Have I Been Pwned service, told SecurityWeek that all the email addresses he tested from the leaked data show up in Exploit.in, a list of nearly 600 million email address and password combinations compiled using data stolen from various online systems.
Cybercriminals have used the Exploit.in list for credential stuffing attacks, where attackers automatically inject username/password combinations into a website’s login page in hopes that account owners have used the same credentials on multiple online services.
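The telltale pattern of the credential stuffing described above is one source trying many different usernames in a short time, mostly failing, with the occasional success marking an account whose owner reused a leaked password. The following is an added example, not code from the article or from any of the airlines, that flags that pattern over a constructed login log; the log format and the field names are assumed.

```python
# Added example: a minimal credential-stuffing detector run over constructed
# login-log lines. Assumes a hypothetical format "<ts> <ip> <username> <result>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 cycles through many
# accounts and hits one; 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """\
2017-07-31T10:00:01 203.0.113.7 alice FAIL
2017-07-31T10:00:02 203.0.113.7 bob FAIL
2017-07-31T10:00:02 203.0.113.7 carol FAIL
2017-07-31T10:00:03 203.0.113.7 dave OK
2017-07-31T10:00:04 203.0.113.7 erin FAIL
2017-07-31T10:00:05 203.0.113.7 frank FAIL
2017-07-31T10:00:09 198.51.100.4 alice FAIL
2017-07-31T10:00:15 198.51.100.4 alice FAIL
2017-07-31T10:00:40 198.51.100.4 alice OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources whose activity looks like credential
    stuffing: at least `min_users` distinct usernames tried within `window`,
    with a high failure ratio. A single user fumbling one account is not
    flagged. 'hits' lists accounts that logged in during the burst, i.e. the
    ones a defender should force to reset their password."""
    events = defaultdict(list)
    for ts, ip, user, result in parse(log):
        events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):      # sliding window per source
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(span), "fails": fails,
                               "hits": sorted(u for _, u, r in span if r == "OK")}
                break
    return flagged
```

In production the same logic is usually combined with per-account failure counts, since a stuffing campaign spread across many source addresses will not trip a per-IP threshold.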
Not all hackers are brilliant.
Teen was writing a fraud to-do list when the cops came. Now he’ll be doing time
When police executed a search warrant at Phyllistone Termine’s North Miami-Dade home in 2016, he was listening to tunes and doing a fraudster’s to-do list that included buying other people’s credit card numbers and security codes.
Termine, 19, was sentenced last week to 4 1/2 years in federal prison for aggravated identity theft and access device fraud.
The scam involved converting the modern tax return scam to unemployment benefits — amassing names and Social Security numbers and getting benefits in multiple fraudulent filings, Termine admitted in court documents. Using more than 1,000 names and numbers, the teenager falsely collected more than $1 million in benefits from March 2015 through May 2016.
… When cops burst into Termine’s home with a search warrant on May 20, 2016, they found him in his bedroom, listening to music and writing what appeared to be a summer to-do list on a legal pad. The list included the tasks “Buy Online, Merrick BNK & CCVs” and “Buy 3 phones, 1 clean 2 dirty’s.”
The first phrase means buying Merrick Bank credit card numbers and the security code on the back from sites on the “dark web.”
Next to Termine on his bed: three cellphones and a laptop. Hidden between the mattress and box spring: debit and credit cards that didn’t belong to Termine or anybody who lived with Termine. Also, there were blank white plastic cards with magnetic strips. Termine also had equipment to encode the magnetic strip on a credit or debit card.
Useful tool for my Computer Security classes.
Have you ever seen a visualization of the world’s biggest data breaches? If not, you can see it here. Hovering over incidents will lead you to additional information on the incident, and you can also use a variety of filters.
I love that site, especially because that wonderful tool relies on DataBreaches.net as a source of its data. It’s a great use of my site and my work, and yes, I gave them permission. I’m pleased to see my work used for some worthy noncommercial tools like that one.
Also illustrates a very simple hack, based on very poor design.
Kids Pass Just Reminded Us How Hard Responsible Disclosure Is
Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison". The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place. Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below to start:
A privacy breach occurs when we move from what we can see (old, white male) to what requires technology to reveal.
Turna Ray reports:
Genealogy firm Family Tree DNA has challenged the constitutionality of Alaska’s Genetic Privacy Act on the grounds that the statute is so vague in its definitions of terms, such as “DNA analysis,” “disclosure,” and “informed consent,” that the firm cannot know how to comply with the law.
The move is part of Family Tree DNA’s defense strategy in a lawsuit in which a customer, Alaska resident Michael Cole, is alleging the company breached his rights under the Genetic Privacy Act by publicly sharing his genetic information without his consent.
Read more on Genome Web.
A tool we should understand.
Putin Signs Controversial Law Tightening Internet Restrictions
Russian President Vladimir Putin has signed controversial legislation prohibiting the use of Internet proxy services -- including virtual private networks, or VPNs -- and cracking down on the anonymous use of instant messaging services.
The law on proxy services, signed by Putin on July 29 and published by the government on July 30, was promoted by lawmakers who said it is needed to prevent the spread of extremist materials and ideas.
Critics say Putin's government often uses that justification to suppress political dissent.
Apple removes VPN apps from the App Store in China
The Chinese government’s crackdown on the internet continues with the news that Apple has removed all major VPN apps, which help internet users overcome the country’s censorship system, from the App Store in China.
An interesting idea. Would there be much of a market for my Ethical Hackers? (If not, why not?)
How Deep & Dark Web Intelligence Supports Merger and Acquisition Due Diligence
After all, for an M&A engagement to be truly advantageous, the acquirer must first gain an accurate and comprehensive understanding of the target company’s business risk profile. Extensive due diligence is essential, as any unknowns pertaining to the target company’s finances, reputation, strategy, liabilities, or compliance could hinder the short- and/or long-term success of any merger or acquisition. Given that an abundance of such unknowns exist in the form of threats emerging from the Deep & Dark Web, gaining visibility into these online regions is crucial.
Indeed, Deep & Dark Web intelligence can enable potential acquirers to proactively detect and address a broad spectrum of cyber and physical threats to which target companies may be susceptible, such as:
Supply Chain Security
At all? Ever?
German court rules bosses can't use keyboard-tracking software to spy on workers
The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers’ personal rights.
The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees’ complete “internet traffic” and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers.
The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots.
Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software. Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them.
He was fired that same day.
English words, grammar has changed. More efficient than English? Probably. Dangerous? Unlikely. Cute headline though. Let’s see who panics…
Facebook AI Invents Language That Humans Can't Understand: System Shut Down Before It Evolves Into Skynet
… Facebook had to pull the plug on an artificial intelligence system that its researchers were working on because things got out of hand. The AI did not start shutting down computers worldwide or something of the sort, but it stopped using English and started using a language that it created.
… The AI agents were not confined to a limitation of only using the English language, and so they deviated from it and created one that made it easier and faster for them to communicate. Facebook researchers, however, decided to shut down the AI systems and then force them to speak to each other only in English.
Likely to be installed in every Whole Foods location?
Amazon’s new ‘Hub’ delivery lockers will accept packages from any sender
Amazon is expanding its delivery locker concept into apartment lobbies, with a twist: the new lockers will accept packages not just from Amazon but from any sender, shipped via any carrier, according to the company.
… With the Hub rollout, the company is broadening the concept to let people receive packages from friends and family, competing retailers or anyone else. The move could make Amazon a much bigger rival to retail mailbox stores and existing package lockers. It could also give the Seattle-based tech giant access to a trove of new shipping and customer data that provide a competitive edge.