If you don't manage your security, this could happen to you.
Brian Krebs reports:
C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.
Read more on KrebsOnSecurity.com.
I wonder when we'll find out who the other two C&K clients were. They'd be wise to go public before Brian outs them.
(Related)
If you do manage your security, it can still happen, but you can detect it earlier and perhaps reduce the impact.
JPMorgan Shares Information on Recent Cyber Attacks
JPMorgan Chase, one of the largest banks in the United States, has confirmed that its systems were breached this summer, but investigators say there's no evidence that the attackers had gained access to highly sensitive information.
People familiar with the investigation have told The New York Times that the hackers penetrated roughly 90 of the company's servers between June and late July, when the breach was detected. The attackers reportedly gained access to the details of one million customers and information on installed software after obtaining high-level administrative privileges, but an unnamed individual close to the matter said only names, addresses and phone numbers have been compromised.
There appears to be no evidence that social security numbers, financial information, or proprietary software have been obtained.
For my Computer Security students: This is why we try to teach every employee about security.
Ben Grubb reports:
Thousands of Australian computers are being locked up by hackers using malicious software that encrypts files and asks for a ransom to make them available again.
Fairfax Media understands Australian government agencies and a number of large enterprises and individuals have been successfully targeted by the scam.
Called “Cryptolocker” and “CryptoWall”, the “ransomware” comes in various forms, with the CryptoWall version estimated by the government e-safety alert service Stay Smart Online to have infected approximately 20,000 Australian computers.
Read more on Sydney Morning Herald.
[From the article:
Computers are typically infected after victims click on a malicious link in an email purporting to be from Australia Post or Telstra.
…
In order to help victims, two security firms have collaborated on a service called Decrypt Cryptolocker, which claims to decrypt files for free and has been hailed by Stay Smart Online. But Mr Bailey said the site didn't always work.
"We have seen this [website] work in some cases to be able to decrypt files and not for others," Mr Bailey said.
…
Alleged Russian hacker Evgeniy Mikhailovich Bogachev, 30, was charged as the leader of a criminal ring responsible for the malware and another known as Gameover Zeus.
The US Federal Bureau of Investigation estimated Bogachev made $US100 million from his activities. [And you wonder why the bad guys like doing this? Bob]
(Related)
Note that nothing this Corps does will stop employees from clicking on a bad link.
US Bolstering Cyber Defense With New Corps: NSA Chief
The US military is building a new cyber defense corps that can be used to protect the nation and possibly for offensive purposes, the commander of the unit said Tuesday.
National Security Agency director Michael Rogers, who also heads the US Cyber Command, said the 6,200-member unit should be fully operational by 2016, to bolster defenses against hackers and state-sponsored cyberattacks.
Rogers told a cybersecurity conference that the unit would be able to assist in protecting against cyberattacks on "critical infrastructure," which includes computer-controlled power grids, financial networks, transportation and other key sectors.
Can't wait until the government takes all our health care records public!
GAO has released a report on Healthcare.gov. Here are some of the highlights of the report:
While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls. CMS took many steps to protect security and privacy, including developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections. However, Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions. While CMS has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the FFM [Federally Facilitated Marketplace - Dissent]. Specifically, CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network. An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development. Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, and the disruption of service provided by the systems.
[...]
What GAO Recommends
GAO is making six recommendations to implement security and privacy management controls to help ensure that the systems and information related to Healthcare.gov are protected. HHS concurred but disagreed in part with GAO’s assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid, as discussed in the report.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.
For Full Report: HEALTHCARE.GOV: Actions Needed to Address Weaknesses in Information Security and Privacy Controls. GAO-14-730: Published: Sep 16, 2014. Publicly Released: Sep 16, 2014. (78 pp, pdf)
“We can, therefore we must!”
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries, but the practical reality of the underlying technology means doing so is almost unavoidable.
The result? Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.
…
Broadly, the term “Network Investigative Techniques” (NIT) describes a method of surveillance that entails “hacking,” or the remote access of a computer to install malicious software without the knowledge or permission of the owner/operator. Once installed, malware controls the target computer.
The right Network Investigative Technique can cause a computer to perform any task the computer is capable of: covertly upload files, photographs and stored e-mails to an FBI-controlled server, use a computer’s camera or microphone to gather images and sound at any time the FBI chooses, or even take over computers which associate with the target (e.g. by accessing a website hosted on a server the FBI secretly controls and has programmed to infect any computer that accesses it).
Like Apps, “There's a business model for that.” e-Country Clubs, whoda thunk it?
Netropolitan, the Social Media Site that Costs $9000 to Join
Netropolitan is a new hobnobbing social media network for the filthy rich and costs a peasantry $9,000 to join plus $3,000 each year in member fees.
Netropolitan calls itself an “online country club for people with more money than time” and was started by James Touchi-Peters, who claimed that he wanted an “environment where you could talk about the finer things in life without backlash.”
A game for my students AFTER they complete the Final Exam.
– is an addictive little game which uses the images from the Reddit page “Earth Porn”. You have to find the emoji who is standing still among a sea of rapidly moving emojis. Once you do, you get to the next level. In the background are different pictures of beautiful scenes from around the world.
This might be useful for my JavaScript programming students, if they can find or build a useful algorithm.
– is a platform for viewing, creating and sharing any type of algorithm. All algorithms on the site are public and can be viewed and shared by any user of the site. Registered users can create new algorithms or fork an existing one.
An article for my Ethical Hackers.
4 Things You Must Know About Those Rogue Cellphone Towers
…
What if your phone had connected to a cell tower operated by a rogue individual, and that person was intercepting every SMS, every call, every kilobyte of data sent?
It’s more likely than you think.
Tools & Techniques: Interesting video for my Computer Security students.
ATM PIN Theft and the Mathematics of Systematic Guessing
The video below describes how an infrared device on iPhones can be used to steal Personal Identification Numbers (PINs) on ATM cards and credit cards. It is important that you watch this video because it also contains instructions on how to prevent theft.